soc: cyw20829: Initial integrate Cypress MCUBoot for 20829

Added custom mcuboot cmake for sign/encrypt by using cysecuretools

Signed-off-by: Sreeram Tatapudi <sreeram.praveen@infineon.com>
Signed-off-by: Nazar Palamar <nazar.palamar@infineon.com>

boards/infineon/cyw920829m2evk_02/Kconfig.defconfig

@@ -11,3 +11,6 @@ endchoice
 config HEAP_MEM_POOL_ADD_SIZE_BOARD
 	int
 	default 10096
+
+config ROM_START_OFFSET
+	default 0x0 if BOOTLOADER_MCUBOOT

boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts

@@ -19,7 +19,8 @@
 
 	chosen {
 		zephyr,sram = &sram0;
-		zephyr,flash = &app_region;
+		zephyr,flash = &flash0;
+		zephyr,code-partition = &slot0_partition;
 		zephyr,console = &uart2;
 		zephyr,shell-uart = &uart2;
 		zephyr,bt-hci = &bluetooth;
@@ -99,45 +100,48 @@ uart2: &scb2 {
 	status = "okay";
 };
 
-/ {
-	qspi_flash: qspi_flash@40890000 {
-		compatible = "infineon,cat1-qspi-flash";
-		reg = <0x40890000 0x30000>;
+
+&qspi_flash {
+	flash0: flash@8000000 {
+		compatible = "soc-nv-flash";
+		reg = <0x08000000 DT_SIZE_M(1)>;
+		write-block-size = <1>;
+		erase-block-size = <DT_SIZE_K(4)>;
 		#address-cells = <1>;
 		#size-cells = <1>;
 
-		flash0: flash@8000000 {
-			compatible = "soc-nv-flash";
-			reg = <0x08000000 DT_SIZE_K(512)>;
-			write-block-size = <1>;
-			erase-block-size = <DT_SIZE_K(4)>;
+		/* Keep bootstrap_region node to know size, finaly it will
+		 * locate on beginning of code-partition. The BootROM copies
+		 * bootstrap application in RAM and launches it.
+		 */
+		bootstrap_region: bootstrap_region@0 {
+			reg = <0 BOOTSTRAP_SIZE>;
+		};
+
+		partitions {
+			compatible = "fixed-partitions";
 			#address-cells = <1>;
 			#size-cells = <1>;
 
-			toc2_region: toc2_region@8000000 {
-				compatible = "zephyr,memory-region", "soc-nv-flash";
-				zephyr,memory-region = "APP_HEADER_FLASH";
-				reg = <0x08000000 0x50>;
+			boot_partition: partition@0 {
+				label = "mcuboot";
+				reg = <0x0 0x20000>;
+				read-only;
 			};
-			bootstrap_region: bootstrap_region@8000050 {
-				compatible = "zephyr,memory-region", "soc-nv-flash";
-				zephyr,memory-region = "BOOTSTRAP_FLASH";
-				reg = <0x08000050 DT_SIZE_K(12)>;
+
+			slot0_partition: partition@20000 {
+				label = "image-0";
+				reg = <0x20000 0x60000>;
 			};
-			app_region: app_region@8003050 {
+
+			slot1_partition: partition@80000 {
+				label = "image-1";
+				reg = <0x80000 0x60000>;
+			};
+
+			storage_partition: storage_partition@E0000 {
 				compatible = "soc-nv-flash";
-				reg = <0x08003050 0x6CFB0>; /* 435kb */
-			};
-
-			partitions {
-				compatible = "fixed-partitions";
-				#address-cells = <1>;
-				#size-cells = <1>;
-
-				storage_partition: storage_partition@60000 {
-					compatible = "soc-nv-flash";
-					reg = <0x60000 DT_SIZE_K(64)>;
-				};
+				reg = <0xE0000 DT_SIZE_K(64)>;
 			};
 		};
 	};

boards/infineon/cyw920829m2evk_02/doc/index.rst

@@ -3,9 +3,19 @@
 Overview
 ********
 
-The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board peripherals enables evaluation, prototyping, and development of a wide array of Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829. The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases including industrial IoT applications, smart home, asset tracking, beacons and sensors, and medical devices.
+The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board
+peripherals enables evaluation, prototyping, and development of a wide array of
+Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829.
+The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power
+amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases
+including industrial IoT applications, smart home, asset tracking, beacons and sensors, and
+medical devices.
 
-The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor, analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO support with extended headers and Arduino Uno R3 compatibility for third-party shields.
+The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with
+programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a
+suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor,
+analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO
+support with extended headers and Arduino Uno R3 compatibility for third-party shields.
 
 Hardware
 ********
@@ -20,7 +30,8 @@ Kit Features:
 
 - AIROC™ CYW20829 Bluetooth® LE MCU in 56 pin QFN package
 - Arduino compatible headers for hardware expansion
-- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone, and Infineon digital microphone
+- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone,
+  and Infineon digital microphone
 - User switches, RGB LED and user LEDs
 - USB connector for power, programming and USB-UART bridge
 
@@ -71,24 +82,38 @@ Programming and Debugging
 
 .. zephyr:board-supported-runners::
 
-The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging, flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and require a custom Infineon OpenOCD version, that supports KitProg3, to be installed.
+The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging,
+flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and
+require a custom Infineon OpenOCD version, that supports KitProg3, to be installed.
 
-The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm. This can be enabled for an application by building with the rtt-console snippet or setting the following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y.
+The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm.
+This can be enabled for an application by building with the rtt-console snippet or setting the
+following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y.
 e.g. west build -p always -b cyw920829m2evk_02 samples/basic/blinky -S rtt-console
 
-As an additional note there is currently a discrepancy in RAM address between SEGGER and the CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000.
+As an additional note there is currently a discrepancy in RAM address between SEGGER and the
+CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set
+the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000.
 
 Infineon OpenOCD Installation
 =============================
 
-Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for your system and manually extract the files to a location of your choice.
+Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon
+OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package
+is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for
+your system and manually extract the files to a location of your choice.
 
-.. note:: Linux requires device access rights to be set up for KitProg3. This is handled automatically by the ModusToolbox and ModusToolbox Programming Tools installations. When doing a minimal installation, this can be done manually by executing the script ``openocd/udev_rules/install_rules.sh``.
+.. note:: Linux requires device access rights to be set up for KitProg3. This is handled
+    automatically by the ModusToolbox and ModusToolbox Programming Tools installations.
+    When doing a minimal installation, this can be done manually by executing the
+    script ``openocd/udev_rules/install_rules.sh``.
 
 West Commands
 =============
 
-The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool commands. There are multiple ways of doing this. The example below uses a permanent CMake argument to set the CMake variable ``OPENOCD``.
+The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool
+commands. There are multiple ways of doing this. The example below uses a permanent CMake argument
+to set the CMake variable ``OPENOCD``.
 
    .. tabs::
       .. group-tab:: Windows
@@ -117,7 +142,101 @@ The path to the installed Infineon OpenOCD executable must be available to the `
             west flash
             west debug
 
-Once the gdb console starts after executing the west debug command, you may now set breakpoints and perform other standard GDB debugging on the CYW20829 CM33 core.
+Once the gdb console starts after executing the west debug command, you may now set breakpoints and
+perform other standard GDB debugging on the CYW20829 CM33 core.
+
+Operate in SECURE Lifecycle Stage
+*********************************
+
+The device lifecycle stage (LCS) is a key aspect of the security of the AIROC™
+CYW20829 Bluetooth® MCU. The lifecycle stages follow a strict, irreversible progression dictated by
+the programming of the eFuse bits (changing the value from "0" to "1"). This system is used to
+protect the device's data and code at the level required by the user.
+SECURE is the lifecycle stage of a secured device.
+Follow the instructions in `AN239590 Provision CYW20829 to SECURE LCS`_ to transition the device
+to SECURE LCS. In the SECURE LCS stage, the protection state is set to secure. A secured device
+will only boot if the authentication of its flash content is successful.
+
+The following configuration options can be used to build for a device which has been provisioned
+to SECURE LCS and configured to use an encrypted flash interface:
+
+- :kconfig:option:`CONFIG_INFINEON_SECURE_LCS`: Enable if the target device is in SECURE LCS
+- :kconfig:option:`CONFIG_INFINEON_SECURE_POLICY`: Path to the policy JSON file,
+  which was created for provisioning the device to SECURE LCS (refer to section 3.2 "Key creation"
+  of `AN239590 Provision CYW20829 to SECURE LCS`_)
+- :kconfig:option:`CONFIG_INFINEON_SMIF_ENCRYPTION`: Enable to use encrypted flash interface when provisioned to
+  SECURE LCS.
+
+Here is an example for building the :zephyr:code-sample:`blinky` sample application for SECURE LCS.
+
+.. zephyr-app-commands::
+   :goals: build
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_INFINEON_SECURE_LCS=y -DCONFIG_INFINEON_SECURE_POLICY=\"policy/policy_secure.json\"
+
+Using MCUboot
+*************
+
+CYW20829 devices are supported by the Cypress MCU bootloader (MCUBootApp) from the
+`Cypress branch of MCUboot`_.
+
+Building Cypress MCU Bootloader MCUBootApp
+==========================================
+
+Please refer to the `CYW20829 platform description`_ and follow the instructions to understand the
+MCUBootApp building process for normal/secure silicon and its overall usage as a bootloader.
+Place keys and policy-related folders in the cypress directory ``mcuboot/boot/cypress/``.
+
+Ensure the default memory map matches the memory map of the Zephyr application (refer to partitions
+of flash0 in :zephyr_file:`boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts`).
+
+You can use ``west flash`` to flash MCUBootApp:
+
+.. code-block:: shell
+
+   # Flash MCUBootApp.hex
+   west flash --skip-rebuild --hex-file /path/to/cypress/mcuboot/boot/cypress/MCUBootApp/out/CYW20829/Debug/MCUBootApp.hex
+
+.. note:: ``west flash`` requires an existing Zephyr build directory which can be created by first
+    building any Zephyr application for the target board.
+
+Build Zephyr application
+========================
+Here is an example for building and flashing the :zephyr:code-sample:`blinky` sample application
+for MCUboot.
+
+.. zephyr-app-commands::
+   :goals: build flash
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\"
+
+If you use :kconfig:option:`CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE` to generate an encrypted image then the final
+hex will be ``zephyr.signed.encrypted.hex`` and the corresponding bin file will
+be ``zephyr.signed.encrypted.bin``. Use these files for flashing and ota uploading respectively.
+For example, to build and flash an encrypted :zephyr:code-sample:`blinky` sample application
+image for MCUboot:
+
+.. zephyr-app-commands::
+   :goals: build flash
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\" -DCONFIG_MCUBOOT_ENCRYPTION_KEY_FILE=\"/path/to/cypress/mcuboot/enc-ec256-pub.pem\"
+   :flash-args: --hex-file build/zephyr/zephyr.signed.encrypted.hex
+
+
+.. _CYW20829 platform description:
+    https://github.com/mcu-tools/mcuboot/blob/v1.9.4-cypress/boot/cypress/platforms/CYW20829.md
+
+.. _Cypress branch of MCUboot:
+    https://github.com/mcu-tools/mcuboot/tree/cypress
+
+.. _AN239590 Provision CYW20829 to SECURE LCS:
+    https://www.infineon.com/dgdl/Infineon-AN239590_Provision_CYW20829_CYW89829_to_Secure_LCS-ApplicationNotes-v02_00-EN.pdf?fileId=8ac78c8c8d2fe47b018e3677dd517258
 
 .. _CYW20829 SoC Website:
     https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-bluetooth-le-bluetooth-multiprotocol/airoc-bluetooth-le/cyw20829/

soc/infineon/cat1b/cyw20829/default_policy.json

@@ -0,0 +1,15 @@
+{
+    "policy": {
+        "platform": "cyw20829",
+        "version": 2.0,
+        "type": "no_secure"
+    },
+    "device_policy":
+    {
+        "flow_control":
+        {
+            "target_lcs": {
+            }
+        }
+    }
+}

soc/infineon/cat1b/cyw20829/linker.ld

@@ -76,10 +76,14 @@ _region_min_align = 4;
 /* Maximum bootstrap code + data size */
 #define BOOTSTRAP_REGION_SIZE   DT_REG_SIZE(DT_NODELABEL(bootstrap_region))
 
-#define USER_APP_START_OFFSET   (CONFIG_FLASH_LOAD_OFFSET + CONFIG_ROM_START_OFFSET)
+#if defined(CONFIG_BOOTLOADER_MCUBOOT)
+#define MCUBOOT_HEADER_OFFSET   (0x400)
+#else
+#define MCUBOOT_HEADER_OFFSET   (0)
+#endif
 
-#define FLASH_START_ADDR_CBUS   (CONFIG_CYW20829_FLASH_CBUS_ADDR + USER_APP_START_OFFSET)
-#define FLASH_START_ADDR_SAHB   (CONFIG_CYW20829_FLASH_SAHB_ADDR + USER_APP_START_OFFSET)
+#define FLASH_START_ADDR_CBUS   (CONFIG_CYW20829_FLASH_CBUS_ADDR + CONFIG_FLASH_LOAD_OFFSET + MCUBOOT_HEADER_OFFSET)
+#define FLASH_START_ADDR_SAHB   (CONFIG_CYW20829_FLASH_SAHB_ADDR + CONFIG_FLASH_LOAD_OFFSET + MCUBOOT_HEADER_OFFSET)
 
 #define RAM_START_ADDR_CBUS     CONFIG_CYW20829_SRAM_CBUS_ADDR          /* 0x04000000 */
 #define RAM_START_ADDR_SAHB     CONFIG_CYW20829_SRAM_SAHB_ADDR          /* 0x20000000 */

soc/infineon/cat1b/cyw20829/mcuboot.cmake

@@ -0,0 +1,221 @@
+# Copyright (c) 2020-2023 Nordic Semiconductor ASA
+# Copyright (c) 2024 Cypress Semiconductor Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+# This file includes extra build system logic that is enabled when
+# CONFIG_BOOTLOADER_MCUBOOT=y.
+#
+# It builds signed binaries using cysecuretools as a post-processing step
+# after zephyr/zephyr.elf is created in the build directory.
+
+function(zephyr_runner_file type path)
+  # Property magic which makes west flash choose the signed build
+  # output of a given type.
+  set_target_properties(runners_yaml_props_target PROPERTIES "${type}_file" "${path}")
+endfunction()
+
+function(zephyr_mcuboot_tasks)
+  # Extensionless prefix of any output file.
+  set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
+
+  cmake_path(SET keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
+  cmake_path(SET keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
+
+  set(encrypted_args)
+  set(confirmed_args)
+
+  # Calculate flash address (SAHB/CBUS)
+  math(EXPR flash_addr_sahb_offset
+       "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET}"
+       OUTPUT_FORMAT HEXADECIMAL
+    )
+
+  math(EXPR flash_addr_sbus_offset
+       "${CONFIG_CYW20829_FLASH_CBUS_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET}"
+       OUTPUT_FORMAT HEXADECIMAL
+    )
+
+  # Check for misconfiguration.
+  if((NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}") AND ("${keyfile}" STREQUAL ""))
+      message(WARNING "Neither CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE nor"
+                      "CONFIG_MCUBOOT_SIGNATURE_KEY_FILE are set, the generated build will not be"
+                      "bootable by MCUboot unless it is signed manually/externally.")
+      return()
+  endif()
+
+  foreach(file keyfile keyfile_enc)
+    if(NOT "${${file}}" STREQUAL "")
+      if(NOT IS_ABSOLUTE "${${file}}")
+        find_file(
+          temp_file
+          NAMES
+            "${${file}}"
+          PATHS
+            "${APPLICATION_SOURCE_DIR}"
+            "${WEST_TOPDIR}"
+          NO_DEFAULT_PATH
+          )
+
+          if(NOT "${temp_file}" STREQUAL "temp_file-NOTFOUND")
+            set(${file} "${temp_file}")
+          endif()
+      endif()
+
+      if((NOT IS_ABSOLUTE "${${file}}" OR NOT EXISTS "${${file}}") AND NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}")
+        message(FATAL_ERROR "Can't find file \"${${file}}\" "
+                            "(Note: Relative paths are searched through"
+                            "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" "
+                            "and WEST_TOPDIR=\"${WEST_TOPDIR}\")")
+      elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
+        message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor"
+                            "CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
+      endif()
+    endif()
+  endforeach()
+
+  # Basic 'cysecuretools' command and output format independent arguments.
+  set(cysecuretools_cmd ${CYSECURETOOLS} -q -t cyw20829 -p ${CYSECURETOOLS_POLICY})
+
+  # sign-image arguments.
+  set(sign_image_cmd_args sign-image
+      --image-format mcuboot_user_app
+      --image "${MERGED_FILE}"
+      --slot-size ${CONFIG_FLASH_LOAD_SIZE}
+      --align 1
+      --image-id 0
+      --hex-addr ${flash_addr_sahb_offset}
+      --app-addr ${flash_addr_sbus_offset}
+      -v "${CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION}")
+
+  # Extra arguments from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS.
+  if(NOT CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "")
+    # Separate extra arguments into the proper format for adding to
+    # extra_post_build_commands.
+    #
+    # Use UNIX_COMMAND syntax for uniform results across host
+    # platforms.
+    separate_arguments(cysecuretools_extra_args UNIX_COMMAND
+                       ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS})
+  else()
+    set(cysecuretools_extra_args)
+  endif()
+
+  if(NOT "${keyfile}" STREQUAL "")
+    set(sign_image_cmd_args ${sign_image_cmd_args} --key-path "${keyfile}")
+  endif()
+
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    set(encrypted_args --encrypt --enckey "${keyfile_enc}")
+  endif()
+
+  # Use overwrite-only instead of swap upgrades.
+  if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY)
+    set(sign_image_cmd_args ${sign_image_cmd_args} --overwrite-only --align 1)
+  endif()
+
+  if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
+    list(APPEND confirmed_args --pad --confirm)
+  endif()
+
+  # List of additional build byproducts.
+  set(byproducts)
+  set(bin2hex_cmd_args_signed)
+  set(bin2hex_cmd_args_confirmed)
+  set(bin2hex_cmd_args_encrypted)
+
+  # Set up .bin outputs.
+  if(CONFIG_BUILD_OUTPUT_BIN)
+    list(APPEND byproducts ${output}.signed.bin)
+    zephyr_runner_file(bin ${output}.signed.bin)
+    set(BYPRODUCT_KERNEL_SIGNED_BIN_NAME "${output}.signed.bin"
+        CACHE FILEPATH "Signed kernel bin file" FORCE
+   )
+  endif()
+
+  if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
+    list(APPEND byproducts ${output}.signed.confirmed.bin)
+    set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_BIN_NAME "${output}.signed.confirmed.bin"
+        CACHE FILEPATH "Signed and confirmed kernel bin file" FORCE
+    )
+  endif()
+
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    list(APPEND byproducts ${output}.signed.encrypted.bin)
+    set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_BIN_NAME "${output}.signed.encrypted.bin"
+        CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE
+    )
+  endif()
+
+  # Set up .hex outputs.
+  if(CONFIG_BUILD_OUTPUT_HEX)
+    list(APPEND bin2hex_cmd_args_signed bin2hex
+          --image ${output}.signed.bin --output ${output}.signed.hex
+          --offset ${flash_addr_sahb_offset}
+    )
+    list(APPEND byproducts ${output}.signed.hex)
+    zephyr_runner_file(hex ${output}.signed.hex)
+    set(BYPRODUCT_KERNEL_SIGNED_HEX_NAME "${output}.signed.hex"
+        CACHE FILEPATH "Signed kernel hex file" FORCE)
+
+    if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
+      list(APPEND bin2hex_cmd_args_confirmed bin2hex
+            --image ${output}.signed.confirmed.bin --output ${output}.signed.confirmed.hex
+            --offset ${flash_addr_sahb_offset}
+      )
+      list(APPEND byproducts ${output}.signed.confirmed.hex)
+      set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME "${output}.signed.confirmed.hex"
+          CACHE FILEPATH "Signed and confirmed kernel hex file" FORCE
+      )
+    endif()
+
+    if(NOT "${keyfile_enc}" STREQUAL "")
+      list(APPEND bin2hex_cmd_args_encrypted bin2hex
+           --image ${output}.signed.encrypted.bin --output ${output}.signed.encrypted.hex
+           --offset ${flash_addr_sahb_offset}
+      )
+      list(APPEND byproducts ${output}.signed.encrypted.hex)
+      set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_HEX_NAME "${output}.signed.encrypted.hex"
+          CACHE FILEPATH "Signed and encrypted kernel hex file" FORCE
+      )
+    endif()
+  endif()
+
+  # Add the post-processing steps to generate
+  # signed /signed.confirmed / signed.encrypted bin and hex files
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+               ${cysecuretools_cmd}
+               ${sign_image_cmd_args} --output ${output}.signed.bin
+               ${bin2hex_cmd_args_signed} # bin to hex
+               ${cysecuretools_extra_args}) # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS
+
+  if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
+    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+                 ${cysecuretools_cmd}
+                 ${sign_image_cmd_args} --output ${output}.signed.confirmed.bin
+                 ${confirmed_args}
+                 ${bin2hex_cmd_args_confirmed} # bin to hex
+                 ${cysecuretools_extra_args}) # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS
+  endif()
+
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+                 ${cysecuretools_cmd}
+                 ${sign_image_cmd_args} --output ${output}.signed.encrypted.bin
+                 ${confirmed_args} ${encrypted_args}
+                 ${bin2hex_cmd_args_encrypted} # bin to hex
+                 ${cysecuretools_extra_args} # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS
+
+                 COMMAND ${CMAKE_COMMAND} -E echo
+                 "Generating encrypted files ${output}.signed.encrypted.hex/bin files"
+
+                 COMMAND ${CMAKE_COMMAND} -E echo
+                 \"Use 'west flash --hex-file ${output}.signed.encrypted.hex' to flash in primary
+                 partition\")
+  endif()
+
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})
+endfunction()
+
+if((NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}") OR (NOT "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}" STREQUAL ""))
+  zephyr_mcuboot_tasks()
+endif()