boards: Consolidate all TFM signing code
Place the new signing code in the TFM module CMakeLists.txt. Make some small tweaks and add a sentence to the docs. In the process, make a few changes to the signing code: - Change some names of the files created. - Minimize the number of files created. - Use hex files instead of bin files, so we don't need to know the offset when creating hex files from bin files. Also add signing for MCUBOOT_IMAGE_NUMBER=1 based on the code from the v2m_musca_b1 board; however, this board does not currently build with =1 because of (I assume) some flash aliasing which places the S and NS images 0x10000000 apart, whereas the manual algorithm places them next to each other. It does build with =2. Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
This commit is contained in:
parent
d96c517bab
commit
5137135ead
9 changed files with 110 additions and 488 deletions
|
@ -11,93 +11,6 @@ if(CONFIG_PINMUX_MCUX_LPC)
|
||||||
zephyr_library_sources(pinmux.c)
|
zephyr_library_sources(pinmux.c)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
|
||||||
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
|
||||||
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (CONFIG_TFM_BL2)
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT CONFIG_TFM_BL2)
|
|
||||||
#merge tfm_s and zephyr_ns to a single image
|
|
||||||
#offset needs to be the same value as flash_layout.h in TFM
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
|
|
||||||
-offset ${CONFIG_FLASH_LOAD_OFFSET}
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
|
|
||||||
)
|
|
||||||
else()
|
|
||||||
#Create and sign for concatenated binary image, should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
#Sign secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_S}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_S}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H ${CONFIG_ROM_START_OFFSET}
|
|
||||||
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
|
|
||||||
#Sign non-secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_NS}
|
|
||||||
-s auto
|
|
||||||
${ADD_S_IMAGE_MIN_VER}
|
|
||||||
-H ${CONFIG_ROM_START_OFFSET}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
|
|
||||||
#Create concatenated binary image from the two independently signed binary file
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
#Merge mcuboot.bin and tfm_sign.bin for flashing
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
|
|
||||||
-offset 0x8000 #slot0_partition
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (CONFIG_SECOND_CORE_MCUX)
|
if (CONFIG_SECOND_CORE_MCUX)
|
||||||
# Set srec_cat binary name
|
# Set srec_cat binary name
|
||||||
|
|
|
@ -7,83 +7,3 @@
|
||||||
zephyr_library()
|
zephyr_library()
|
||||||
zephyr_library_sources(pinmux.c)
|
zephyr_library_sources(pinmux.c)
|
||||||
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
|
||||||
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
|
||||||
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
#Create and sign for concatenated binary image, should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
#Sign secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_S}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_S}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
|
|
||||||
#Sign non-secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_NS}
|
|
||||||
-s auto
|
|
||||||
${ADD_S_IMAGE_MIN_VER}
|
|
||||||
-H 0x400
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
|
|
||||||
#Create concatenated binary image from the two independently signed binary file
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
#Merge mcuboot.bin and tfm_sign.bin for QEMU
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
|
|
||||||
-offset 0x80000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_qemu.bin -Binary
|
|
||||||
|
|
||||||
#Convert tfm_qemu.bin to .hex with an appropriate offset
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS ${CMAKE_BINARY_DIR}/tfm_qemu.bin -binary
|
|
||||||
-offset 0x10000000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_qemu.hex -intel --line-length=44
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
|
|
|
@ -6,103 +6,3 @@ if ((CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPP OR CONFIG_BOARD_NRF5340DK_NRF5340_CPU
|
||||||
zephyr_library()
|
zephyr_library()
|
||||||
zephyr_library_sources(nrf5340_cpunet_reset.c)
|
zephyr_library_sources(nrf5340_cpunet_reset.c)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
|
||||||
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
|
||||||
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (CONFIG_TFM_BL2)
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if(CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPPNS)
|
|
||||||
set(TFM_INSTALL_DIR ${CMAKE_BINARY_DIR}/tfm/install/outputs/NORDIC_NRF/NRF5340DK_NRF5340_CPUAPP)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT CONFIG_TFM_BL2)
|
|
||||||
# Merge tfm_s and zephyr (NS) image to a single binary.
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
|
|
||||||
-offset ${CONFIG_FLASH_LOAD_OFFSET}
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_merged.hex -intel
|
|
||||||
)
|
|
||||||
else()
|
|
||||||
#Create and sign for concatenated binary image, should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
#Sign secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_S}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_S}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
|
|
||||||
#Sign non-secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_NS}
|
|
||||||
-s auto
|
|
||||||
${ADD_S_IMAGE_MIN_VER}
|
|
||||||
-H 0x400
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
|
|
||||||
#Create concatenated binary image from the two independently signed binary files
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
# Generate an intel hex file from the signed output binary
|
|
||||||
COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
-binary
|
|
||||||
-offset 0x10000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
|
|
||||||
-intel
|
|
||||||
)
|
|
||||||
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.hex
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
|
|
|
@ -5,86 +5,3 @@ if(CONFIG_BOARD_NRF52840_GPIO_RESET)
|
||||||
zephyr_library()
|
zephyr_library()
|
||||||
zephyr_library_sources(nrf52840_reset.c)
|
zephyr_library_sources(nrf52840_reset.c)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
|
||||||
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
|
||||||
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
#Create and sign for concatenated binary image, should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
#Sign secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_S}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_S}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
|
|
||||||
#Sign non-secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_NS}
|
|
||||||
-s auto
|
|
||||||
${ADD_S_IMAGE_MIN_VER}
|
|
||||||
-H 0x400
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
|
|
||||||
#Create concatenated binary image from the two independently signed binary files
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
# Generate an intel hex file from the signed output binary
|
|
||||||
COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
-binary
|
|
||||||
-offset 0x10000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
|
|
||||||
-intel
|
|
||||||
)
|
|
||||||
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.hex
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
|
|
|
@ -7,65 +7,3 @@
|
||||||
zephyr_library()
|
zephyr_library()
|
||||||
zephyr_library_sources(pinmux.c)
|
zephyr_library_sources(pinmux.c)
|
||||||
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
|
||||||
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
|
||||||
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Create and sign for concatenated binary image should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
# Create concatenated binary image from the two binary files
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-s $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_full.bin
|
|
||||||
|
|
||||||
#Sign concatenated binary image with default public key in mcuboot folder
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${TFM_IMAGE_VERSION_NS}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_full.bin
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
#srec_cat to combine images into hex for drag and drop
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
|
|
||||||
-offset 0xA000000
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
|
|
||||||
-offset 0xA020000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_zephyr.hex -intel --line-length=44
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
|
|
|
@ -7,79 +7,3 @@
|
||||||
zephyr_library()
|
zephyr_library()
|
||||||
zephyr_library_sources(pinmux.c)
|
zephyr_library_sources(pinmux.c)
|
||||||
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
|
||||||
|
|
||||||
if (CONFIG_BUILD_WITH_TFM)
|
|
||||||
# Set default image versions if not defined elsewhere
|
|
||||||
if (NOT DEFINED MCUBOOT_IMAGE_VERSION_S)
|
|
||||||
set(MCUBOOT_IMAGE_VERSION_S 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if (NOT DEFINED MCUBOOT_IMAGE_VERSION_NS)
|
|
||||||
set(MCUBOOT_IMAGE_VERSION_NS 0.0.0+0)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
|
||||||
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
|
||||||
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
|
||||||
|
|
||||||
# Configure which format (full or hash) to include the public key in
|
|
||||||
# the image manifest
|
|
||||||
set(TFM_PUBLIC_KEY_FORMAT "full")
|
|
||||||
|
|
||||||
# Set srec_cat binary name
|
|
||||||
find_program(SREC_CAT srec_cat)
|
|
||||||
if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
|
|
||||||
message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Create and sign for concatenated binary image, should align with the TF-M BL2
|
|
||||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
|
||||||
|
|
||||||
# Sign secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_S}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${MCUBOOT_IMAGE_VERSION_S}
|
|
||||||
--pad
|
|
||||||
--pad-header
|
|
||||||
${ADD_NS_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
|
|
||||||
#Sign non-secure binary image with public key
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
|
||||||
--layout ${PREPROCESSED_FILE_NS}
|
|
||||||
-k ${CONFIG_TFM_KEY_FILE_NS}
|
|
||||||
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
|
||||||
--align 1
|
|
||||||
-v ${MCUBOOT_IMAGE_VERSION_NS}
|
|
||||||
--pad
|
|
||||||
${ADD_S_IMAGE_MIN_VER}
|
|
||||||
-s auto
|
|
||||||
-H 0x400
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
|
|
||||||
${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
|
|
||||||
#Create concatenated binary image from the two independently signed binary file
|
|
||||||
COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
|
|
||||||
--layout ${PREPROCESSED_FILE_S}
|
|
||||||
-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
|
|
||||||
-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
|
|
||||||
|
|
||||||
#Copy mcuboot.bin
|
|
||||||
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
|
|
||||||
|
|
||||||
#srec_cat to combine images into hex for drag and drop
|
|
||||||
COMMAND ${SREC_CAT}
|
|
||||||
ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
|
|
||||||
-offset 0xA000000
|
|
||||||
${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
|
|
||||||
-offset 0xA020000
|
|
||||||
-o ${CMAKE_BINARY_DIR}/tfm_zephyr.hex -Intel --line-length=44
|
|
||||||
)
|
|
||||||
endif()
|
|
||||||
|
|
|
@ -256,4 +256,110 @@ if (CONFIG_BUILD_WITH_TFM)
|
||||||
)
|
)
|
||||||
|
|
||||||
zephyr_link_libraries(tfm_api)
|
zephyr_link_libraries(tfm_api)
|
||||||
|
|
||||||
|
# Set default image versions if not defined elsewhere
|
||||||
|
if (NOT DEFINED TFM_IMAGE_VERSION_S)
|
||||||
|
set(TFM_IMAGE_VERSION_S 0.0.0+0)
|
||||||
|
endif()
|
||||||
|
|
||||||
|
if (NOT DEFINED TFM_IMAGE_VERSION_NS)
|
||||||
|
set(TFM_IMAGE_VERSION_NS 0.0.0+0)
|
||||||
|
endif()
|
||||||
|
|
||||||
|
if (CONFIG_TFM_BL2)
|
||||||
|
set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
|
||||||
|
set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
|
||||||
|
set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
|
||||||
|
endif()
|
||||||
|
|
||||||
|
# Configure which format (full or hash) to include the public key in
|
||||||
|
# the image manifest
|
||||||
|
if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
|
||||||
|
set(TFM_PUBLIC_KEY_FORMAT "full")
|
||||||
|
endif()
|
||||||
|
|
||||||
|
function(tfm_sign OUT_ARG SUFFIX PAD INPUT_FILE OUTPUT_FILE)
|
||||||
|
if(PAD)
|
||||||
|
set(pad_args --pad --pad-header)
|
||||||
|
endif()
|
||||||
|
set (${OUT_ARG}
|
||||||
|
${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
|
||||||
|
--layout ${PREPROCESSED_FILE_${SUFFIX}}
|
||||||
|
-k ${CONFIG_TFM_KEY_FILE_${SUFFIX}}
|
||||||
|
--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
|
||||||
|
--align 1
|
||||||
|
-v ${TFM_IMAGE_VERSION_${SUFFIX}}
|
||||||
|
${pad_args}
|
||||||
|
${ADD_${SUFFIX}_IMAGE_MIN_VER}
|
||||||
|
-s auto
|
||||||
|
-H ${CONFIG_ROM_START_OFFSET}
|
||||||
|
${INPUT_FILE}
|
||||||
|
${OUTPUT_FILE}
|
||||||
|
PARENT_SCOPE)
|
||||||
|
endfunction()
|
||||||
|
|
||||||
|
set(MERGED_FILE ${CMAKE_BINARY_DIR}/tfm_merged.hex)
|
||||||
|
set(S_NS_FILE ${CMAKE_BINARY_DIR}/tfm_s_zephyr_ns.hex)
|
||||||
|
set(S_NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_zephyr_ns_signed.hex)
|
||||||
|
set(NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr_ns_signed.hex)
|
||||||
|
set(S_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_signed.hex)
|
||||||
|
|
||||||
|
if (NOT CONFIG_TFM_BL2)
|
||||||
|
# Merge tfm_s and zephyr (NS) image to a single binary.
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
||||||
|
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
|
||||||
|
-o ${MERGED_FILE}
|
||||||
|
$<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
|
||||||
|
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME}
|
||||||
|
)
|
||||||
|
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
|
||||||
|
${MERGED_FILE}
|
||||||
|
)
|
||||||
|
|
||||||
|
elseif(CONFIG_TFM_MCUBOOT_IMAGE_NUMBER STREQUAL "1")
|
||||||
|
tfm_sign(sign_cmd NS TRUE ${S_NS_FILE} ${S_NS_SIGNED_FILE})
|
||||||
|
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
||||||
|
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
|
||||||
|
-o ${S_NS_FILE}
|
||||||
|
$<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
|
||||||
|
${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME}
|
||||||
|
|
||||||
|
COMMAND ${sign_cmd}
|
||||||
|
|
||||||
|
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
|
||||||
|
-o ${MERGED_FILE}
|
||||||
|
$<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
|
||||||
|
${S_NS_SIGNED_FILE}
|
||||||
|
)
|
||||||
|
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
|
||||||
|
${S_NS_FILE}
|
||||||
|
${S_NS_SIGNED_FILE}
|
||||||
|
${MERGED_FILE}
|
||||||
|
)
|
||||||
|
|
||||||
|
else()
|
||||||
|
tfm_sign(sign_cmd_ns NS FALSE ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME} ${NS_SIGNED_FILE})
|
||||||
|
tfm_sign(sign_cmd_s S TRUE $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE> ${S_SIGNED_FILE})
|
||||||
|
|
||||||
|
#Create and sign for concatenated binary image, should align with the TF-M BL2
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
|
||||||
|
COMMAND ${sign_cmd_ns}
|
||||||
|
COMMAND ${sign_cmd_s}
|
||||||
|
|
||||||
|
COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/mergehex.py
|
||||||
|
-o ${MERGED_FILE}
|
||||||
|
$<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
|
||||||
|
${S_SIGNED_FILE}
|
||||||
|
${NS_SIGNED_FILE}
|
||||||
|
)
|
||||||
|
|
||||||
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
|
||||||
|
${S_SIGNED_FILE}
|
||||||
|
${NS_SIGNED_FILE}
|
||||||
|
${MERGED_FILE}
|
||||||
|
)
|
||||||
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
|
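Review bot: `tfm_sign` assembles the wrapper.py command from `CONFIG_TFM_KEY_FILE_${SUFFIX}` and `PREPROCESSED_FILE_${SUFFIX}` without checking that either is set, so an empty key variable leaves `-k` immediately followed by `--public-key-format` and the error only appears when the post-build step runs, not at configure time. A guard at the top of the function, `if(NOT CONFIG_TFM_KEY_FILE_${SUFFIX})` / `message(FATAL_ERROR "tfm_sign: CONFIG_TFM_KEY_FILE_${SUFFIX} must name the signing key")` / `endif()`, makes the misconfiguration fail early and names the variable involved. The function also has no header comment; a short block above it stating its purpose (build, not run, the signing command) and its arguments (OUT_ARG receives the command list in the caller's scope; SUFFIX is S or NS and selects the layout, key and version variables; PAD adds `--pad --pad-header`; INPUT_FILE/OUTPUT_FILE are the unsigned and signed hex paths) would help readers. Separately, `-H ${CONFIG_ROM_START_OFFSET}` now supplies the header size for the secure image as well, where the removed board files used a literal `0x400`; presumably equal today, but a comment noting this must match the header size in the TF-M flash layout would make the coupling explicit. The enclosing `if (CONFIG_BUILD_WITH_TFM)` block starts outside the hunk.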
@ -25,6 +25,7 @@ menuconfig BUILD_WITH_TFM
|
||||||
depends on TRUSTED_EXECUTION_NONSECURE
|
depends on TRUSTED_EXECUTION_NONSECURE
|
||||||
depends on TFM_BOARD != ""
|
depends on TFM_BOARD != ""
|
||||||
depends on ARM_TRUSTZONE_M
|
depends on ARM_TRUSTZONE_M
|
||||||
|
select BUILD_OUTPUT_HEX
|
||||||
imply INIT_ARCH_HW_AT_BOOT
|
imply INIT_ARCH_HW_AT_BOOT
|
||||||
help
|
help
|
||||||
When enabled, this option instructs the Zephyr build process to
|
When enabled, this option instructs the Zephyr build process to
|
||||||
|
|
|
@ -167,5 +167,8 @@ Zephyr application folder, and reference them in the ``prj.conf`` file via the
|
||||||
lose this key file, you will be unable to sign any future firmware images,
|
lose this key file, you will be unable to sign any future firmware images,
|
||||||
and it will no longer be possible to update your devices in the field!
|
and it will no longer be possible to update your devices in the field!
|
||||||
|
|
||||||
|
After the built-in signing code has run, it creates a tfm_merged.hex file that
|
||||||
|
contains all the binaries, bl2, tfm_s, and the zephyr app.
|
||||||
|
|
||||||
.. _PSA Certified Level 1:
|
.. _PSA Certified Level 1:
|
||||||
https://www.psacertified.org/security-certification/psa-certified-level-1/
|
https://www.psacertified.org/security-certification/psa-certified-level-1/
|
||||||
|
|