arm-trusted-firmware: add unfreeIncludeHDCPBlob?true to control license and blob-removal patch

This change implements @lukegb's idea:

  https://github.gitop.top/NixOS/nixpkgs/issues/148890#issuecomment-1032002903

Specifically, it introduces a new parameter unfreeIncludeHDCPBlob
(defaults to true):

* If unfreeIncludeHDCPBlob==true then the license is changed to
  unfreeRedistributable, which will alert the user to the fact that
  the blob is being included (unless they set NIXPKGS_ALLOW_UNFREE=1).

* If unfreeIncludeHDCPBlob==false then the license is kept as bsd3, but
  a patch is applied to remove the HDCP blob from the build.

pkgs/misc/arm-trusted-firmware/default.nix

@@ -1,4 +1,9 @@
-{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages }:
+{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
+
+# Warning: this blob runs on the main CPU (not the GPU) at privilege
+# level EL3, which is above both the kernel and the hypervisor.
+, unfreeIncludeHDCPBlob ? true
+}:
 
 let
   buildArmTrustedFirmware = { filesToInstall
@@ -20,7 +25,10 @@ let
       sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
     };
 
-    patches = [ ./remove-hdcp-blob.patch ];
+    patches = lib.optionals (!unfreeIncludeHDCPBlob) [
+      # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
+      ./remove-hdcp-blob.patch
+    ];
 
     depsBuildBuild = [ buildPackages.stdenv.cc ];
 
@@ -52,7 +60,7 @@ let
     meta = with lib; {
       homepage = "https://github.com/ARM-software/arm-trusted-firmware";
       description = "A reference implementation of secure world software for ARMv8-A";
-      license = licenses.bsd3;
+      license = if unfreeIncludeHDCPBlob then licenses.unfreeRedistributable else licenses.bsd3;
       maintainers = with maintainers; [ lopsided98 ];
     } // extraMeta;
   } // builtins.removeAttrs args [ "extraMeta" ]);