cmake: sysbuild: signing support

This commit introduces image signing by adding the possibility to
specify algorithm and signing key for sysbuild images.

It introduces Kconfig setting to specify signing algorithm and key file.

It will default the signing key to the default key provided by MCUBoot
if no key has been specified.

When signing is enabled, the signature key will be passed to the
application so the build system can sign the image as a post-build step.

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Torsten Rasmussen 2021-11-22 13:52:15 +01:00 committed by Carles Cufí
commit b88c8e1363
2 changed files with 63 additions and 0 deletions


@ -30,6 +30,31 @@ set(IMAGES)
get_filename_component(APP_DIR ${APP_DIR} ABSOLUTE) get_filename_component(APP_DIR ${APP_DIR} ABSOLUTE)
get_filename_component(app_name ${APP_DIR} NAME) get_filename_component(app_name ${APP_DIR} NAME)
# Propagate bootloader and signing settings from this system to the MCUboot and
# application image build systems.
if(SB_CONFIG_BOOTLOADER_MCUBOOT)
set(${app_name}_CONFIG_BOOTLOADER_MCUBOOT y CACHE STRING
"MCUBOOT is enabled as bootloader" FORCE
)
set(${app_name}_CONFIG_MCUBOOT_SIGNATURE_KEY_FILE
\"${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}\" CACHE STRING
"Signature key file for signing" FORCE
)
# Set corresponding values in mcuboot
set(mcuboot_CONFIG_BOOT_SIGNATURE_TYPE_${SB_CONFIG_SIGNATURE_TYPE} y CACHE STRING
"MCUBOOT signature type" FORCE
)
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE
\"${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}\" CACHE STRING
"Signature key file for signing" FORCE
)
else()
set(${app_name}_CONFIG_BOOTLOADER_MCUBOOT n CACHE STRING
"MCUBOOT is disabled as bootloader" FORCE
)
endif()
# This adds the primary application to the build. # This adds the primary application to the build.
ExternalZephyrProject_Add( ExternalZephyrProject_Add(
APPLICATION ${app_name} APPLICATION ${app_name}
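Review bot: The key path propagated into `${app_name}_CONFIG_MCUBOOT_SIGNATURE_KEY_FILE` and `mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE` is never validated, so a mistyped or absent `SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` only surfaces late, in the application's post-build signing step, and a build that silently falls back to the `root-*.pem` keys shipped in the MCUboot module (the Kconfig defaults this commit introduces) produces images verifiable by anyone holding that public repository. Both `set(... CACHE ... FORCE)` pairs also run when `SB_CONFIG_SIGNATURE_TYPE` is `NONE`, where the Kconfig default makes the key file an empty string. I would add an existence check and a loud warning for the bundled development keys inside the `if(SB_CONFIG_BOOTLOADER_MCUBOOT)` branch, skipped when the type is `NONE`; the `if`/`endif` block is fully within this hunk. The regex below matches only the default file names visible in this commit's Kconfig, so a user key that happens to share one of those names would also trigger the warning — acceptable, since it is a warning rather than an error.
```cmake
if(SB_CONFIG_BOOTLOADER_MCUBOOT)
  # … unchanged: propagate BOOTLOADER_MCUBOOT, key file and signature type …
  if(NOT "${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
    if(NOT EXISTS "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
      message(FATAL_ERROR
        "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE '${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}' does not exist"
      )
    endif()
    if("${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}" MATCHES "root-(rsa-2048|ec-p256|ed25519)\\.pem$")
      message(WARNING
        "Signing with the development key bundled in the MCUboot module; "
        "set SB_CONFIG_BOOT_SIGNATURE_KEY_FILE to a private production key"
      )
    endif()
  endif()
# … unchanged: else() branch disabling MCUboot …
```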


@ -27,3 +27,41 @@ config BOOTLOADER_MCUBOOT
Include MCUboot (Zephyr port) as the bootloader to use Include MCUboot (Zephyr port) as the bootloader to use
endchoice endchoice
if BOOTLOADER_MCUBOOT
config SIGNATURE_TYPE
string
default NONE if BOOT_SIGNATURE_TYPE_NONE
default RSA if BOOT_SIGNATURE_TYPE_RSA
default ECDSA_P256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
default ED25519 if BOOT_SIGNATURE_TYPE_ED25519
choice
prompt "Signature type"
default BOOT_SIGNATURE_TYPE_RSA
config BOOT_SIGNATURE_TYPE_NONE
bool "No signature; use only hash check"
config BOOT_SIGNATURE_TYPE_RSA
bool "RSA signatures"
config BOOT_SIGNATURE_TYPE_ECDSA_P256
bool "Elliptic curve digital signatures with curve P-256"
config BOOT_SIGNATURE_TYPE_ED25519
bool "Edwards curve digital signatures using ed25519"
endchoice
config BOOT_SIGNATURE_KEY_FILE
string "PEM key file"
default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA
default ""
help
Absolute path to key file to use with MCUBoot.
endif
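Review bot: The help text of `BOOT_SIGNATURE_KEY_FILE` does not say that its defaults (`root-rsa-2048.pem`, `root-ec-p256.pem`, `root-ed25519.pem` under `$(ZEPHYR_MCUBOOT_MODULE_DIR)`) are the development keys distributed with the MCUboot source, so a user who never sets this option gets a bootloader whose trust anchor anyone can sign for. I would replace the one-line help with: `Absolute path to the PEM private key used to sign images for MCUboot.` / `The default is the development key shipped with the MCUboot module; it is publicly known and must be replaced by your own key before any production build.` / `The key type must match the selected BOOT_SIGNATURE_TYPE.` The hidden `SIGNATURE_TYPE` string also deserves a `help` line stating it only mirrors the `BOOT_SIGNATURE_TYPE_*` choice for consumption by the sysbuild CMake code, so nobody tries to set it directly. The `if BOOTLOADER_MCUBOOT` / `endif` block is fully within this hunk.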