feat: add Turing RK1 support

U-Boot has a patch for generating SPI images, which is required for eMMC
when booting from NVMe.

U-Boot also includes a KASLR patch that enables passing a seed to EFI so the
kernel has sufficient entropy at boot to enable KASLR.

DTB is compiled externally (not via `siderolabs/pkgs`) as they still require
DTS patches. See: https://github.com/nberlee/dtb-talos-turing-rk1.

The RKBIN for RK3588 DDR initialization is patched to support a different baud rate
for the internal UART on the Turing Pi. Without this patch, the `tpi uart` command
will not work (i.e., reading the console from the Turing Pi channel with the RK1).

The UART ID is changed to 9 to prevent device name conflicts.

Patching the RKBIN for the RK3588 involves running a closed-source utility,
ddrbin_tool, from the rkbin repository. This tool does not work in BLDR
because BLDR uses musl, while ddrbin_tool is compiled with GLIBC.

To address this, I created the following repository:
https://github.com/nberlee/rkbin-rk3588-ddr-patch, which provides a
container image with the patched rkbin file.

Signed-off-by: Nico Berlee <nico.berlee@on2it.net>

README.md

@@ -6,6 +6,7 @@ This repo provides the overlay for RockChip based Talos image.
 
 | Overlay Name         | Board                 | SoC    | Description                                   |
 | -------------------- | --------------------- | ------ | --------------------------------------------- |
+| helios64             | Kobol Helios64        | RK3399 | Overlay for Kobol Helios64                    |
 | nanopi-r5s           | NanoPi R5S            | RK3568 | Overlay for NanoPi R5S (only WAN, no NVMe)    |
 | nanopi-r4s           | NanoPi R4S            | RK3399 | Overlay for NanoPi R4S                        |
 | orangepi-r1-plus-lts | Orange Pi R1 Plus LTS | RK3328 | Overlay for Orange Pi R1 Plus LTS             |
@@ -14,4 +15,4 @@ This repo provides the overlay for RockChip based Talos image.
 | rockpi4c             | Rock Pi 4C            | RK3399 | Overlay for Rock Pi 4C                        |
 | rock4se              | Rock 4 SE             | RK3399 | Overlay for Rock 4 SE                         |
 | rock4cplus           | Radxa ROCK 4C+        | RK3399 | Overlay for Radxa ROCK 4C+                    |
-| helios64             | Kobol Helios64        | RK3399 | Overlay for Kobol Helios64                    |
+| turingrk1            | Turing Machines RK1   | RK3588 | Overlay for Turing Machines RK1               |

artifacts/arm-trusted-firmware/rk3588/pkg.yaml

@@ -0,0 +1,38 @@
+name: arm-trusted-firmware-rk3588
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/ARM-software/arm-trusted-firmware/archive/{{ .arm_trusted_firmware_nonlts_version }}.tar.gz
+        destination: arm-trusted-firmware.tar.gz
+        sha256: "{{ .arm_trusted_firmware_nonlts_sha256 }}"
+        sha512: "{{ .arm_trusted_firmware_nonlts_sha512 }}"
+    env:
+      SOURCE_DATE_EPOCH: {{ .BUILD_ARG_SOURCE_DATE_EPOCH }}
+    prepare:
+      - |
+        mkdir -p /usr/bin \
+          && ln -sf /toolchain/bin/env /usr/bin/env
+
+        tar xzf arm-trusted-firmware.tar.gz --strip-components=1
+    # rk3588
+    build:
+      - |
+        # https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/getting_started/initial-build.rst
+        export CROSS_COMPILE=/toolchain/bin/aarch64-linux-musl-
+
+        make realclean
+
+        # https://salsa.debian.org/debian/arm-trusted-firmware/-/commit/6424a59e08585af7f8a56f1e16ecc6a6b9e4ad7a
+        # https://salsa.debian.org/debian/arm-trusted-firmware/-/commit/6ed8f61df3b07bb22a68a0fc189ec3b3f7b00dbd
+        CFLAGS=--param=min-pagesize=0 make -j $(nproc) PLAT=rk3588 DEBUG=0 bl31
+    install:
+      - |
+        mkdir -p /rootfs/arm-trusted-firmware/rk3588
+
+        cp build/rk3588/release/bl31/bl31.elf /rootfs/arm-trusted-firmware/rk3588/bl31.elf
+finalize:
+  - from: /rootfs
+    to: /libs

artifacts/rkbin/rk3588/README.md

@@ -0,0 +1,26 @@
+# README for DDR Binary Patching
+
+## Context
+We manually update the patched `rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.18.bin` to ensure security, the ddrbin_tool is only downloadable as a compiled executable.
+
+This ELF executable is linked against the GNU C Library (glibc). As the bldr environment is based on musl libc, the executable will not run in the bldr environment. Therefore we use a container image with the patched file.
+
+## The Patch
+The `ddrbin_tool` modifies specific variables in the DDR binary blob as outlined in the `ddrbin_param.txt` file located in the same directory. The current patch updates include:
+- Changing the internal UART blade uart ID from 2 to 9.
+- Modifying the baud rate from 1,500,000 to 115,200.
+
+## Steps to Update the Binary
+To update the DDR firmware binary, follow these steps:
+
+1. **Download Required Tools and Files**:
+   - Download the `ddrbin_tool` and the new DDR firmware from the Rockchip Linux GitHub repository: https://github.com/rockchip-linux/rkbin
+
+2. **Run the Patching Tool**:
+   - Execute the `ddrbin_tool` with the parameters file and the binary: 
+     ```
+     ddrbin_tool rk3588 ddrbin_param.txt rk3588_ddr_lp4_2112MHz_lp5_2400MHz_<version>.bin
+     ```
+
+
+Ensure to replace `<version>` with the specific version number of the DDR firmware you are working with.

artifacts/turingrk1/u-boot/patches/0001-spi-for-mmc-so-nvme-can-boot.patch

@@ -0,0 +1,62 @@
+From: Nico Berlee <nico.berlee@on2it.net>
+
+This patch makes U-Boot compile the spi image. This is the fastest way to 
+make a NVMe drive bootable in the Turing RK1.
+
+The spi image can be flashed on the eMMC, the kernel and DTB will be
+looked up on the NVMe. 
+
+Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
+
+diff --git a/configs/turing-rk1-rk3588_defconfig b/configs/turing-rk1-rk3588_defconfig
+index e6e1bda..05ef5bf 100644
+--- a/configs/turing-rk1-rk3588_defconfig
++++ b/configs/turing-rk1-rk3588_defconfig
+@@ -3,12 +3,17 @@ CONFIG_SKIP_LOWLEVEL_INIT=y
+ CONFIG_SYS_HAS_NONCACHED_MEMORY=y
+ CONFIG_COUNTER_FREQUENCY=24000000
+ CONFIG_ARCH_ROCKCHIP=y
++CONFIG_SF_DEFAULT_SPEED=24000000
++CONFIG_SF_DEFAULT_MODE=0x2000
+ CONFIG_DEFAULT_DEVICE_TREE="rockchip/rk3588-turing-rk1"
+ CONFIG_ROCKCHIP_RK3588=y
++CONFIG_ROCKCHIP_SPI_IMAGE=y
+ CONFIG_SPL_SERIAL=y
+ CONFIG_TARGET_TURINGRK1_RK3588=y
+ CONFIG_DEBUG_UART_BASE=0xFEBC0000
+ CONFIG_DEBUG_UART_CLOCK=24000000
++CONFIG_SPL_SPI_FLASH_SUPPORT=y
++CONFIG_SPL_SPI=y
+ CONFIG_SYS_LOAD_ADDR=0xc00800
+ CONFIG_PCI=y
+ CONFIG_DEBUG_UART=y
+@@ -24,6 +29,8 @@ CONFIG_DISPLAY_BOARDINFO_LATE=y
+ CONFIG_SPL_MAX_SIZE=0x40000
+ CONFIG_SPL_PAD_TO=0x7f8000
+ # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set
++CONFIG_SPL_SPI_LOAD=y
++CONFIG_SYS_SPI_U_BOOT_OFFS=0x60000
+ CONFIG_SPL_ATF=y
+ CONFIG_CMD_GPIO=y
+ CONFIG_CMD_GPT=y
+@@ -57,7 +64,11 @@ CONFIG_MMC_DW_ROCKCHIP=y
+ CONFIG_MMC_SDHCI=y
+ CONFIG_MMC_SDHCI_SDMA=y
+ CONFIG_MMC_SDHCI_ROCKCHIP=y
+-# CONFIG_SPI_FLASH is not set
++CONFIG_SF_DEFAULT_BUS=5
++CONFIG_SPI_FLASH_SFDP_SUPPORT=y
++CONFIG_SPI_FLASH_MACRONIX=y
++CONFIG_SPI_FLASH_XMC=y
++CONFIG_SPI_FLASH_XTX=y
+ CONFIG_PHY_REALTEK=y
+ CONFIG_DWC_ETH_QOS=y
+ CONFIG_DWC_ETH_QOS_ROCKCHIP=y
+@@ -73,6 +84,7 @@ CONFIG_SPL_RAM=y
+ CONFIG_SCSI=y
+ CONFIG_DEBUG_UART_SHIFT=2
+ CONFIG_SYS_NS16550_MEM32=y
++CONFIG_ROCKCHIP_SFC=y
+ CONFIG_SYSRESET=y
+ CONFIG_USB=y
+ CONFIG_USB_XHCI_HCD=y

artifacts/turingrk1/u-boot/patches/0002-uboot-rng-for-KASLR-seed.patch

@@ -0,0 +1,27 @@
+From: Nico Berlee <nico.berlee@on2it.net>
+
+This patch addresses an issue where Kernel Address Space Layout Randomization
+(KASLR) fails on RK3588 systems due to insufficient entropy during the boot
+process. The root cause is that the hardware Random Number Generator (RNG)
+within the kernel is not initialized early enough to provide the necessary
+seed for KASLR.
+
+To resolve this, the patch enables the Rockchip RNG driver in the U-Boot
+bootloader. This approach allows the system to gather sufficient entropy
+early in the boot process. The seed generated by the RNG is then passed to
+the kernel using the EFI_RNG_PROTOCOL, ensuring that KASLR can function
+correctly.
+
+Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
+
+diff --git a/configs/turing-rk1-rk3588_defconfig b/configs/turing-rk1-rk3588_defconfig
+index 289f2da..44c1155 100644
+--- a/configs/turing-rk1-rk3588_defconfig
++++ b/configs/turing-rk1-rk3588_defconfig
+@@ -108,3 +108,6 @@ 
+ CONFIG_USB_GADGET_DOWNLOAD=y
+ CONFIG_USB_FUNCTION_ROCKUSB=y
+ CONFIG_ERRNO_STR=y
++CONFIG_EFI_RNG_PROTOCOL=y
++CONFIG_DM_RNG=y
++CONFIG_RNG_ROCKCHIP=y

artifacts/turingrk1/u-boot/patches/README.md

@@ -0,0 +1,5 @@
+
+| Patch file                                                     | Description                                                                                       | Upstream status | Link                                                                                                       |
+|----------------------------------------------------------------|---------------------------------------------------------------------------------------------------|-----------------|-----------------------|
+| 0001-spi-for-mmc-so-nvme-can-boot.patch                        | Enable SPI image creation on for flashing on eMMC so NVMe can boot                                | not upstreamed  | Talos Linux Exclusive |
+| 0002-uboot-rng-for-KASLR-seed.patch                            | Make KASLR in kernel possible by initializing RNG in U-BOOT and passing randomness using EFI-vars | not upstreamed  | Talos Linux Exclusive |

artifacts/turingrk1/u-boot/pkg.yaml

@@ -0,0 +1,49 @@
+# References:
+#   U-Boot:
+#     - https://u-boot.readthedocs.io/en/latest
+name: u-boot-turingrk1
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+  - stage: arm-trusted-firmware-rk3588
+  - image: ghcr.io/nberlee/rkbin-rk3588-ddr-patch:56379ce589f3beeffd92894f36026a76ebab1e53
+    platform: linux/amd64
+    from: /rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.18.bin
+    to: /libs/rkbin/rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.18.bin
+
+steps:
+  - sources:
+      - url: https://ftp.denx.de/pub/u-boot/u-boot-{{ .uboot_version }}.tar.bz2
+        destination: u-boot.tar.bz2
+        sha256: "{{ .uboot_sha256 }}"
+        sha512: "{{ .uboot_sha512 }}"
+    env:
+      SOURCE_DATE_EPOCH: {{ .BUILD_ARG_SOURCE_DATE_EPOCH }}
+    prepare:
+      # turing-rk1-rk3588
+      - |
+        mkdir -p /usr/bin
+        ln -sf /toolchain/bin/env /usr/bin/env
+        ln -sf /toolchain/bin/python3 /toolchain/bin/python
+
+        pip3 install pyelftools setuptools
+
+        tar xf u-boot.tar.bz2 --strip-components=1
+
+        for patch in $(find /pkg/patches -type f -name "*.patch" | sort); do
+          echo "Applying $patch"
+          patch -p1 < $patch || (echo "Failed to apply patch $patch" && exit 1)
+        done
+      - |
+        make turing-rk1-rk3588_defconfig
+    build:
+      - |
+        make -j $(nproc) HOSTLDLIBS_mkimage="-lssl -lcrypto" BL31=/libs/arm-trusted-firmware/rk3588/bl31.elf ROCKCHIP_TPL=/libs/rkbin/rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.18.bin
+    install:
+      - |
+        mkdir -p /rootfs/artifacts/arm64/u-boot/turingrk1
+        cp -v -t /rootfs/artifacts/arm64/u-boot/turingrk1 u-boot-rockchip.bin u-boot-rockchip-spi.bin
+finalize:
+  - from: /rootfs
+    to: /rootfs

go.work

@@ -10,4 +10,5 @@ use (
 	./installers/rockpi4c/src
 	./installers/rock4cplus/src
 	./installers/rock4se/src
+	./installers/turingrk1/src
 )

installers/pkg.yaml

@@ -11,6 +11,7 @@ dependencies:
   - stage: rockpi4c
   - stage: rock4cplus
   - stage: rock4se
+  - stage: turingrk1
   - stage: profiles
   - stage: u-boot-helios64
     platform: linux/arm64
@@ -30,6 +31,8 @@ dependencies:
     platform: linux/arm64
   - stage: u-boot-rock4se
     platform: linux/arm64
+  - stage: u-boot-turingrk1
+    platform: linux/arm64
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/kernel:{{ .BUILD_ARG_PKGS }}"
     platform: linux/arm64
     from: /dtb/rockchip/rk3399-kobol-helios64.dtb
@@ -66,6 +69,9 @@ dependencies:
     platform: linux/arm64
     from: /dtb/rockchip/rk3399-rock-4se.dtb
     to: /rootfs/artifacts/arm64/dtb/rockchip/rk3399-rock-4se.dtb
+  - image: ghcr.io/nberlee/dtb-talos-turing-rk1:db62b12
+    from: /dtb/rockchip/rk3588-turing-rk1.dtb
+    to: /rootfs/artifacts/arm64/dtb/rockchip/rk3588-turing-rk1.dtb
 finalize:
   - from: /rootfs
     to: /

installers/turingrk1/pkg.yaml

@@ -0,0 +1,25 @@
+name: turingrk1
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - env:
+      GOPATH: /go
+    cachePaths:
+      - /.cache/go-build
+      - /go/pkg
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        cd /pkg/src
+        CGO_ENABLED=0 go build -o ./turingrk1 .
+    install:
+      - |
+        mkdir -p /rootfs/installers/
+
+        cp -p /pkg/src/turingrk1 /rootfs/installers/turingrk1
+finalize:
+  - from: /rootfs
+    to: /rootfs

installers/turingrk1/src/go.mod

@@ -0,0 +1,11 @@
+module turingrk1
+
+go 1.22.6
+
+require (
+	github.com/siderolabs/go-copy v0.1.0
+	github.com/siderolabs/talos/pkg/machinery v1.7.6
+	golang.org/x/sys v0.27.0
+)
+
+require gopkg.in/yaml.v3 v3.0.1 // indirect

installers/turingrk1/src/go.sum

@@ -0,0 +1,10 @@
+github.com/siderolabs/go-copy v0.1.0 h1:OIWCtSg+rhOtnIZTpT31Gfpn17rv5kwJqQHG+QUEgC8=
+github.com/siderolabs/go-copy v0.1.0/go.mod h1:4bF2rZOZAR/ags/U4AVSpjFE5RPGdEeSkOq6yR9YOkU=
+github.com/siderolabs/talos/pkg/machinery v1.7.6 h1:+tONHv8JuW46/mTWNgDAUkdfYvWBZ/Ai1mlK1SSQzZU=
+github.com/siderolabs/talos/pkg/machinery v1.7.6/go.mod h1:8H8geXAcGN0DvMOL70p4sC5gZUCxdoZmtLbuoKigFZI=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=