boards: Consolidate all TFM signing code

Place the new signing code in the TFM module CMakeLists.txt.
Make some small tweaks and add a sentence to the docs.

In the process, make a few changes to the signing code:
- Change some names of files created.
- Minimize the number of files created.
- Use hex files instead of bin files. This is so we don't need to know
  the offset when creating hex files from bin files.

Also add signing for MCUBOOT_IMAGE_NUMBER=1 based on the code from the
v2m_musca_b1 board, though, this board does not build with =1 now
because of (I assume) some flash aliasing which places the S and NS
images 0x10000000 apart, where the manual algorithm places them next to
each other. It builds with =2, though.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
This commit is contained in:
Øyvind Rønningstad 2021-02-05 11:53:03 +01:00 committed by Ioannis Glaropoulos
commit 5137135ead
9 changed files with 110 additions and 488 deletions

View file

@ -11,93 +11,6 @@ if(CONFIG_PINMUX_MCUX_LPC)
zephyr_library_sources(pinmux.c) zephyr_library_sources(pinmux.c)
endif() endif()
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
if (CONFIG_TFM_BL2)
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
endif()
# Configure which format (full or hash) to include the public key in
# the image manifest
set(TFM_PUBLIC_KEY_FORMAT "full")
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
if (NOT CONFIG_TFM_BL2)
#merge tfm_s and zephyr_ns to a single image
#offset needs to be the same value as flash_layout.h in TFM
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
COMMAND ${SREC_CAT}
ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
-offset ${CONFIG_FLASH_LOAD_OFFSET}
-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
)
else()
#Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
#Sign secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_S}
-k ${CONFIG_TFM_KEY_FILE_S}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_S}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H ${CONFIG_ROM_START_OFFSET}
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
#Sign non-secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_NS}
-s auto
${ADD_S_IMAGE_MIN_VER}
-H ${CONFIG_ROM_START_OFFSET}
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
#Create concatenated binary image from the two independently signed binary file
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_S}
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
#Merge mcuboot.bin and tfm_sign.bin for flashing
COMMAND ${SREC_CAT}
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-offset 0x8000 #slot0_partition
-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
)
endif()
endif()
if (CONFIG_SECOND_CORE_MCUX) if (CONFIG_SECOND_CORE_MCUX)
# Set srec_cat binary name # Set srec_cat binary name

View file

@ -7,83 +7,3 @@
zephyr_library() zephyr_library()
zephyr_library_sources(pinmux.c) zephyr_library_sources(pinmux.c)
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers) zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
# Configure which format (full or hash) to include the public key in
# the image manifest
set(TFM_PUBLIC_KEY_FORMAT "full")
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
#Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
#Sign secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_S}
-k ${CONFIG_TFM_KEY_FILE_S}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_S}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H 0x400
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
#Sign non-secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_NS}
-s auto
${ADD_S_IMAGE_MIN_VER}
-H 0x400
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
#Create concatenated binary image from the two independently signed binary file
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_S}
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
#Merge mcuboot.bin and tfm_sign.bin for QEMU
COMMAND ${SREC_CAT}
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-offset 0x80000
-o ${CMAKE_BINARY_DIR}/tfm_qemu.bin -Binary
#Convert tfm_qemu.bin to .hex with an appropriate offset
COMMAND ${SREC_CAT}
ARGS ${CMAKE_BINARY_DIR}/tfm_qemu.bin -binary
-offset 0x10000000
-o ${CMAKE_BINARY_DIR}/tfm_qemu.hex -intel --line-length=44
)
endif()

View file

@ -6,103 +6,3 @@ if ((CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPP OR CONFIG_BOARD_NRF5340DK_NRF5340_CPU
zephyr_library() zephyr_library()
zephyr_library_sources(nrf5340_cpunet_reset.c) zephyr_library_sources(nrf5340_cpunet_reset.c)
endif() endif()
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
if (CONFIG_TFM_BL2)
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
endif()
# Configure which format (full or hash) to include the public key in
# the image manifest
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
set(TFM_PUBLIC_KEY_FORMAT "full")
endif()
if(CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPPNS)
set(TFM_INSTALL_DIR ${CMAKE_BINARY_DIR}/tfm/install/outputs/NORDIC_NRF/NRF5340DK_NRF5340_CPUAPP)
endif()
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
if (NOT CONFIG_TFM_BL2)
# Merge tfm_s and zephyr (NS) image to a single binary.
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
COMMAND ${SREC_CAT}
ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
-offset ${CONFIG_FLASH_LOAD_OFFSET}
-o ${CMAKE_BINARY_DIR}/tfm_merged.hex -intel
)
else()
#Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
#Sign secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_S}
-k ${CONFIG_TFM_KEY_FILE_S}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_S}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H 0x400
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
#Sign non-secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_NS}
-s auto
${ADD_S_IMAGE_MIN_VER}
-H 0x400
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
#Create concatenated binary image from the two independently signed binary files
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_S}
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
# Generate an intel hex file from the signed output binary
COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
-binary
-offset 0x10000
-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
-intel
)
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
${CMAKE_BINARY_DIR}/tfm_sign.bin
${CMAKE_BINARY_DIR}/tfm_sign.hex
)
endif()
endif()

View file

@ -5,86 +5,3 @@ if(CONFIG_BOARD_NRF52840_GPIO_RESET)
zephyr_library() zephyr_library()
zephyr_library_sources(nrf52840_reset.c) zephyr_library_sources(nrf52840_reset.c)
endif() endif()
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
# Configure which format (full or hash) to include the public key in
# the image manifest
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
set(TFM_PUBLIC_KEY_FORMAT "full")
endif()
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
#Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
#Sign secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_S}
-k ${CONFIG_TFM_KEY_FILE_S}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_S}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H 0x400
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
#Sign non-secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_NS}
-s auto
${ADD_S_IMAGE_MIN_VER}
-H 0x400
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
#Create concatenated binary image from the two independently signed binary files
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_S}
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
# Generate an intel hex file from the signed output binary
COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
-binary
-offset 0x10000
-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
-intel
)
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
${CMAKE_BINARY_DIR}/tfm_sign.bin
${CMAKE_BINARY_DIR}/tfm_sign.hex
)
endif()

View file

@ -7,65 +7,3 @@
zephyr_library() zephyr_library()
zephyr_library_sources(pinmux.c) zephyr_library_sources(pinmux.c)
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers) zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
# Configure which format (full or hash) to include the public key in
# the image manifest
set(TFM_PUBLIC_KEY_FORMAT "full")
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
# Create and sign for concatenated binary image should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
# Create concatenated binary image from the two binary files
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_NS}
-s $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-n ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-o ${CMAKE_BINARY_DIR}/tfm_full.bin
#Sign concatenated binary image with default public key in mcuboot folder
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_NS}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H 0x400
${CMAKE_BINARY_DIR}/tfm_full.bin
${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
#srec_cat to combine images into hex for drag and drop
COMMAND ${SREC_CAT}
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
-offset 0xA000000
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-offset 0xA020000
-o ${CMAKE_BINARY_DIR}/tfm_zephyr.hex -intel --line-length=44
)
endif()

View file

@ -7,79 +7,3 @@
zephyr_library() zephyr_library()
zephyr_library_sources(pinmux.c) zephyr_library_sources(pinmux.c)
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers) zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
if (CONFIG_BUILD_WITH_TFM)
# Set default image versions if not defined elsewhere
if (NOT DEFINED MCUBOOT_IMAGE_VERSION_S)
set(MCUBOOT_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED MCUBOOT_IMAGE_VERSION_NS)
set(MCUBOOT_IMAGE_VERSION_NS 0.0.0+0)
endif()
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
# Configure which format (full or hash) to include the public key in
# the image manifest
set(TFM_PUBLIC_KEY_FORMAT "full")
# Set srec_cat binary name
find_program(SREC_CAT srec_cat)
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
endif()
# Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
# Sign secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_S}
-k ${CONFIG_TFM_KEY_FILE_S}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${MCUBOOT_IMAGE_VERSION_S}
--pad
--pad-header
${ADD_NS_IMAGE_MIN_VER}
-s auto
-H 0x400
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
#Sign non-secure binary image with public key
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_NS}
-k ${CONFIG_TFM_KEY_FILE_NS}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${MCUBOOT_IMAGE_VERSION_NS}
--pad
${ADD_S_IMAGE_MIN_VER}
-s auto
-H 0x400
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
#Create concatenated binary image from the two independently signed binary file
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
--layout ${PREPROCESSED_FILE_S}
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
#Copy mcuboot.bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
#srec_cat to combine images into hex for drag and drop
COMMAND ${SREC_CAT}
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
-offset 0xA000000
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-offset 0xA020000
-o ${CMAKE_BINARY_DIR}/tfm_zephyr.hex -Intel --line-length=44
)
endif()

View file

@ -256,4 +256,110 @@ if (CONFIG_BUILD_WITH_TFM)
) )
zephyr_link_libraries(tfm_api) zephyr_link_libraries(tfm_api)
# Set default image versions if not defined elsewhere
if (NOT DEFINED TFM_IMAGE_VERSION_S)
set(TFM_IMAGE_VERSION_S 0.0.0+0)
endif()
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
endif()
if (CONFIG_TFM_BL2)
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
endif()
# Configure which format (full or hash) to include the public key in
# the image manifest
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
set(TFM_PUBLIC_KEY_FORMAT "full")
endif()
function(tfm_sign OUT_ARG SUFFIX PAD INPUT_FILE OUTPUT_FILE)
if(PAD)
set(pad_args --pad --pad-header)
endif()
set (${OUT_ARG}
${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
--layout ${PREPROCESSED_FILE_${SUFFIX}}
-k ${CONFIG_TFM_KEY_FILE_${SUFFIX}}
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
--align 1
-v ${TFM_IMAGE_VERSION_${SUFFIX}}
${pad_args}
${ADD_${SUFFIX}_IMAGE_MIN_VER}
-s auto
-H ${CONFIG_ROM_START_OFFSET}
${INPUT_FILE}
${OUTPUT_FILE}
PARENT_SCOPE)
endfunction()
set(MERGED_FILE ${CMAKE_BINARY_DIR}/tfm_merged.hex)
set(S_NS_FILE ${CMAKE_BINARY_DIR}/tfm_s_zephyr_ns.hex)
set(S_NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_zephyr_ns_signed.hex)
set(NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr_ns_signed.hex)
set(S_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_signed.hex)
if (NOT CONFIG_TFM_BL2)
# Merge tfm_s and zephyr (NS) image to a single binary.
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
-o ${MERGED_FILE}
$<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME}
)
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
${MERGED_FILE}
)
elseif(CONFIG_TFM_MCUBOOT_IMAGE_NUMBER STREQUAL "1")
tfm_sign(sign_cmd NS TRUE ${S_NS_FILE} ${S_NS_SIGNED_FILE})
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
-o ${S_NS_FILE}
$<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME}
COMMAND ${sign_cmd}
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
-o ${MERGED_FILE}
$<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
${S_NS_SIGNED_FILE}
)
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
${S_NS_FILE}
${S_NS_SIGNED_FILE}
${MERGED_FILE}
)
else()
tfm_sign(sign_cmd_ns NS FALSE ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME} ${NS_SIGNED_FILE})
tfm_sign(sign_cmd_s S TRUE $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE> ${S_SIGNED_FILE})
#Create and sign for concatenated binary image, should align with the TF-M BL2
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
COMMAND ${sign_cmd_ns}
COMMAND ${sign_cmd_s}
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
-o ${MERGED_FILE}
$<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
${S_SIGNED_FILE}
${NS_SIGNED_FILE}
)
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
${S_SIGNED_FILE}
${NS_SIGNED_FILE}
${MERGED_FILE}
)
endif()
endif() endif()

View file

@ -25,6 +25,7 @@ menuconfig BUILD_WITH_TFM
depends on TRUSTED_EXECUTION_NONSECURE depends on TRUSTED_EXECUTION_NONSECURE
depends on TFM_BOARD != "" depends on TFM_BOARD != ""
depends on ARM_TRUSTZONE_M depends on ARM_TRUSTZONE_M
select BUILD_OUTPUT_HEX
imply INIT_ARCH_HW_AT_BOOT imply INIT_ARCH_HW_AT_BOOT
help help
When enabled, this option instructs the Zephyr build process to When enabled, this option instructs the Zephyr build process to

View file

@ -167,5 +167,8 @@ Zephyr application folder, and reference them in the ``prj.conf`` file via the
lose this key file, you will be unable to sign any future firmware images, lose this key file, you will be unable to sign any future firmware images,
and it will no longer be possible to update your devices in the field! and it will no longer be possible to update your devices in the field!
After the built-in signing code has run, it creates a tfm_merged.hex file that
contains all the binaries, bl2, tfm_s, and the zephyr app.
.. _PSA Certified Level 1: .. _PSA Certified Level 1:
https://www.psacertified.org/security-certification/psa-certified-level-1/ https://www.psacertified.org/security-certification/psa-certified-level-1/