{ stdenv
, fetchFromGitHub
, lib
, MODEL ? "5"
, RELEASE_TYPE ? "RELEASE"
, EDK2_FLAGS ? ""
, python3
, git
, libuuid
, pkgs
, namespace
}:
let
  pname = "edk2";
  version = "stable202511";

  edk2Src = fetchFromGitHub rec {
    owner = "tianocore";
    repo = "edk2";
    name = repo;
    tag = "edk2-${version}";
    hash = "sha256-R/rgz8dWcDYVoiM67K2UGuq0xXbjjJYBPtJ1FmfGIaU=";
    fetchSubmodules = true;
  };

  edk2NonOsiSrc = fetchFromGitHub rec {
    owner = "tianocore";
    repo = "edk2-non-osi";
    name = repo;
    rev = "94d048981116e2e3eda52dad1a89958ee404098d";
    hash = "sha256-6yuvVvmGn4yaEksbbvGDX1ZcKpdWBKnwaNjLGvgAWyk=";
  };

  edk2PlatformsSrc = fetchFromGitHub rec {
    owner = "mjallen18";
    repo = "edk2-platforms";
    name = repo;
    rev = "779690d3316f56e9100949b5daf13d6c2fc0ddf6";
    hash = "sha256-UqvN9p4wXN/TQt47bc2l+pAjhGZRbKwmq0DkBvTV4r0=";
  };
in
stdenv.mkDerivation rec {
  inherit pname version;

  srcs = [
    edk2Src
    edk2NonOsiSrc
    edk2PlatformsSrc
  ];

  # Add required host tools if needed:
  nativeBuildInputs = [
   python3
   git
   libuuid
  ];

  # Don’t force a single root; we keep both dirs side by side
  sourceRoot = ".";

  unpackPhase = ''
    runHook preUnpack

    for src in $srcs; do
      unpackFile "$src"
    done

    chmod -R u+w .

    patchShebangs ./edk2

    runHook postUnpack
  '';

  patchPhase = ''
    runHook prePatch

    echo "Patching edk2"
    (cd edk2 && patch -p1 < ${./patches/0001-SD-fixup.patch})

    echo "Patching edk2-non-osi"
    (cd edk2-non-osi && git apply --binary ${./patches/non-osi/0001-Add-RPi5.patch})
    (cd edk2-non-osi && git apply --binary ${./patches/non-osi/0002-update-bl31.bin-for-new-DTB-address.patch})

    runHook postPatch
  '';

  buildPhase = ''
    export PYTHON_COMMAND=${python3}/bin/python
    export WORKSPACE=$PWD
    export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-non-osi:$WORKSPACE/edk2-platforms
    export EDK_TOOLS_PATH=$WORKSPACE/edk2/BaseTools

    make -C ./edk2/BaseTools

    export ATF_BUILD_DIR="${pkgs.${namespace}.arm-trusted-firmware}/rpi${MODEL}/${RELEASE_TYPE}"

    . ./edk2/edksetup.sh BaseTools

    build \
        -a AARCH64 \
        -t GCC \
        -b ${RELEASE_TYPE} \
        -p edk2-platforms/Platform/RaspberryPi/RPi${MODEL}/RPi${MODEL}.dsc \
        -D TFA_BUILD_ARTIFACTS=$ATF_BUILD_DIR \
        --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=Lunknown \
        ${EDK2_FLAGS}
  '';

  installPhase = ''
    mkdir -p $out
    cp -r /Build/RPi${MODEL}/${RELEASE_TYPE}_GCC/FV/RPI_EFI.fd $out/RPI_EFI.fd
  '';

  meta = with lib; {
    description = "ARM Trusted Firmware-A for Raspberry Pi";
    license = licenses.bsd3;
    platforms = [ "aarch64-linux" ];
    maintainers = with maintainers; [ kazenyuk ];
  };
}