diff --git a/pkgs/misc/arm-trusted-firmware/default.nix b/pkgs/misc/arm-trusted-firmware/default.nix index d0b0ae118443..49fdc7a829c5 100644 --- a/pkgs/misc/arm-trusted-firmware/default.nix +++ b/pkgs/misc/arm-trusted-firmware/default.nix @@ -1,4 +1,9 @@ -{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages }: +{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages + +# Warning: this blob runs on the main CPU (not the GPU) at privilege +# level EL3, which is above both the kernel and the hypervisor. +, unfreeIncludeHDCPBlob ? true +}: let buildArmTrustedFirmware = { filesToInstall @@ -20,6 +25,11 @@ let sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg="; }; + patches = lib.optionals (!unfreeIncludeHDCPBlob) [ + # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch + ./remove-hdcp-blob.patch + ]; + depsBuildBuild = [ buildPackages.stdenv.cc ]; # For Cortex-M0 firmware in RK3399 @@ -50,7 +60,7 @@ let meta = with lib; { homepage = "https://github.com/ARM-software/arm-trusted-firmware"; description = "A reference implementation of secure world software for ARMv8-A"; - license = licenses.bsd3; + license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ]; maintainers = with maintainers; [ lopsided98 ]; } // extraMeta; } // builtins.removeAttrs args [ "extraMeta" ]); diff --git a/pkgs/misc/arm-trusted-firmware/remove-hdcp-blob.patch b/pkgs/misc/arm-trusted-firmware/remove-hdcp-blob.patch new file mode 100644 index 000000000000..7f99fbdcabfd --- /dev/null +++ b/pkgs/misc/arm-trusted-firmware/remove-hdcp-blob.patch 
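Review bot: The warning above `unfreeIncludeHDCPBlob` in the argument list says "this blob" without naming it or saying which builds carry it, and the default of `true` keeps the opaque code unless the caller opts out. Going by the bundled remove-hdcp-blob.patch, the blob is `hdcp.bin`, pulled into BL31 from `plat/rockchip/rk3399` only under `PLAT_RK_DP_HDCP`. I would spell that out, e.g. `# hdcp.bin (RK3399, PLAT_RK_DP_HDCP only) is linked into BL31 and runs at EL3;` followed by `# set unfreeIncludeHDCPBlob = false to build without it (HDCP key decryption then returns PSCI_E_DISABLED).`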
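Review bot: With `unfreeIncludeHDCPBlob = false` the `patches` entry only removes the references to the blob, and `hdcp.bin` itself stays in the unpacked source, so nothing fails if a later rebase of the patch or an upstream change reintroduces a reference. Deleting the file as well would turn that into a build error, for instance `postPatch = lib.optionalString (!unfreeIncludeHDCPBlob) "rm plat/rockchip/rk3399/drivers/dp/hdcp.bin";` (path inferred from the patch's `platform.mk` hunk, and assuming the derivation sets no other `postPatch`). The comment also links the upstream patch on `master`, which can move; a permalink to the commit it was rebased from would keep the provenance checkable.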
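Review bot: The `license` expression in `meta` spells the conditional out with `if … then [ … ] else []`, while the `patches` hunk of this same commit already uses `lib.optionals` for the same shape; `license = lib.optional unfreeIncludeHDCPBlob licenses.unfreeRedistributable ++ [ licenses.bsd3 ];` reads more directly. Separately, the unfree marking applies to everything built through `buildArmTrustedFirmware`, although the patch suggests the blob is only linked for RK3399 with `PLAT_RK_DP_HDCP`. If other platforms go through this function, they may be flagged unfree under the default arguments without containing the blob.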
@@ -0,0 +1,47 @@
+diff --git a/plat/rockchip/rk3399/drivers/dp/cdn_dp.c b/plat/rockchip/rk3399/drivers/dp/cdn_dp.c
+index a8773f4f6..8e28c4830 100644
+--- a/plat/rockchip/rk3399/drivers/dp/cdn_dp.c
++++ b/plat/rockchip/rk3399/drivers/dp/cdn_dp.c
+@@ -13,17 +13,6 @@
+
+ #include
+
+-__asm__(
+- ".pushsection .text.hdcp_handler, \"ax\", %progbits\n"
+- ".global hdcp_handler\n"
+- ".balign 4\n"
+- "hdcp_handler:\n"
+- ".incbin \"" HDCPFW "\"\n"
+- ".type hdcp_handler, %function\n"
+- ".size hdcp_handler, .- hdcp_handler\n"
+- ".popsection\n"
+-);
+-
+ static uint64_t *hdcp_key_pdata;
+ static struct cdn_dp_hdcp_key_1x key;
+
+@@ -38,7 +27,7 @@ uint64_t dp_hdcp_ctrl(uint64_t type)
+ return 0;
+ case HDCP_KEY_DATA_START_DECRYPT:
+ if (hdcp_key_pdata == (uint64_t *)(&key + 1))
+- return hdcp_handler(&key);
++ return PSCI_E_DISABLED;
+ else
+ return PSCI_E_INVALID_PARAMS;
+ assert(0); /* Unreachable */
+diff --git a/plat/rockchip/rk3399/platform.mk b/plat/rockchip/rk3399/platform.mk
+index a658fb286..5edb6a25b 100644
+--- a/plat/rockchip/rk3399/platform.mk
++++ b/plat/rockchip/rk3399/platform.mk
+@@ -88,11 +88,6 @@ $(eval $(call add_define_val,RK3399M0PMUFW,\"$(RK3399M0PMUFW)\"))
+ ifdef PLAT_RK_DP_HDCP
+ BL31_SOURCES += ${RK_PLAT_SOC}/drivers/dp/cdn_dp.c
+
+-HDCPFW=${RK_PLAT_SOC}/drivers/dp/hdcp.bin
+-$(eval $(call add_define_val,HDCPFW,\"$(HDCPFW)\"))
+-
+-${BUILD_PLAT}/bl31/cdn_dp.o: CCACHE_EXTRAFILES=$(HDCPFW)
+-${RK_PLAT_SOC}/drivers/dp/cdn_dp.c: $(HDCPFW)
+ endif
+
+ # CCACHE_EXTRAFILES is needed because ccache doesn't handle .incbin
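Review bot: In the `dp_hdcp_ctrl` hunk of the embedded patch only the `HDCP_KEY_DATA_START_DECRYPT` branch changes, so `cdn_dp.c` is still built into BL31 under `PLAT_RK_DP_HDCP`. The remaining cases of the switch lie outside the hunk and presumably still accept key data into the static `key` buffer at EL3, even though that data can no longer be used. If this is intended as the minimal change, a short header at the top of the patch file would make that reviewable, e.g. `Removes the .incbin of hdcp.bin; HDCP_KEY_DATA_START_DECRYPT now returns PSCI_E_DISABLED.` plus the upstream commit it was rebased from. Whether the key-loading cases should also be rejected when the handler is absent is worth deciding explicitly rather than leaving implicit.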