#
# This invokes the nixpkgs expression for arm-trusted-firmware, but
# uses a fixed, known-good commit as a starting point and applies a
# controlled set of patches.
#

{ fetchurl
, fetchpatch
, fetchFromGitHub
, buildArmTrustedFirmware
}:

let
  version = "1.6";
  atf_platform = "rk3399";
in
(buildArmTrustedFirmware {
  extraMakeFlags = [ "bl31" "COREBOOT=1" ];
  inherit version;
  platform = atf_platform;
  filesToInstall = [
    "build/${atf_platform}/release/bl31/bl31.elf"

    # these headers from arm-trusted-firmware are needed by coreboot;
    # we copy them manually since coreboot is cloned without
    # submodules
    "plat/rockchip/common/include/plat_params.h"
    "plat/rockchip/rk3399/include/shared/bl31_param.h"
  ];

}).overrideAttrs (attrs: {

  src = fetchFromGitHub {
    owner = "ARM-software";
    repo = "arm-trusted-firmware";
    rev = "v${version}";
    hash = "sha256-WLFO+loCds6/Ej/8LQGdro8O16c7RhigR05P6tUZACI=";
  };

  # -F3 is needed in order to force the backport patches below to apply to an older atf
  patchFlags = [ "-p1" "-F3" ];

  patches = [

    # backport from atf-2.3: "rockchip: Update BL31_BASE to 0x40000"
    (fetchpatch {
      url = "https://github.com/ARM-software/arm-trusted-firmware/commit/0aad563c74807195cc7fe2208d17e2d889157f1e.patch";
      hash = "sha256-oY2mkt2QlAx3yZfvg/WTHmxgHnNKuczLc+tK6l6k7/s=";
      excludes = [
        "plat/rockchip/px30/include/platform_def.h"
        "plat/rockchip/rk3288/include/shared/bl32_param.h"
      ];
    })

    # backport from atf-2.3: "plat/rockchip: enable power domains of rk3399 before reset"
    (fetchpatch {
      url = "https://github.com/ARM-software/arm-trusted-firmware/commit/b4899041e5f0b8e8b388c6511b5233516b8785ec.patch";
      hash = "sha256-nO4VNBKt+1lXnlycSYWmoW3oskGqtea1RxlY8WX6CoY=";
    })

    # this <nixpkgs/pkgs/misc/arm-trusted-firmware/remove-hdcp-blob.patch> rebased back to atf 1.6
    ./remove-hdcp-blob-atf1.6.patch
  ];

  dontStrip = false;

  enableParallelBuilding = true;

})