[nrf fromlist] boards: Consolidate all TFM signing code

Place the new signing code in the TFM module (update west.yml here). Make some small tweaks and add a sentence to the docs. Ref: NCSDK-7608 Upstream PR: zephyrproject-rtos/zephyr#32044 Signed-off-by: Øyvind Rønningstad <[email protected]>
jhirsi · Feb 17, 2021 · 7598e62 · 7598e62
1 parent 46e99f3
commit 7598e62
Show file tree

Hide file tree

Showing 8 changed files with 4 additions and 490 deletions.
diff --git a/boards/arm/lpcxpresso55s69/CMakeLists.txt b/boards/arm/lpcxpresso55s69/CMakeLists.txt
@@ -11,93 +11,6 @@ if(CONFIG_PINMUX_MCUX_LPC)
   zephyr_library_sources(pinmux.c)
 endif()
 
-if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	if (NOT CONFIG_TFM_BL2_FALSE)
-		set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-		set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-		set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-	endif()
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	set(TFM_PUBLIC_KEY_FORMAT "full")
-
-	# Set srec_cat binary name
-	find_program(SREC_CAT srec_cat)
-	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
-		message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
-	endif()
-
-	if (CONFIG_TFM_BL2_FALSE)
-		#merge tfm_s and zephyr_ns to a single image
-		#offset needs to be the same value as flash_layout.h in TFM
-		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-			COMMAND ${SREC_CAT}
-			ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
-				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
-				-offset ${CONFIG_FLASH_LOAD_OFFSET}
-				-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
-		)
-	else()
-		#Create and sign for concatenated binary image, should align with the TF-M BL2
-		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-			#Sign secure binary image with public key
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-				--layout ${PREPROCESSED_FILE_S}
-				-k ${CONFIG_TFM_KEY_FILE_S}
-				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-				--align 1
-				-v ${TFM_IMAGE_VERSION_S}
-				--pad
-				--pad-header
-				${ADD_NS_IMAGE_MIN_VER}
-				-s auto
-				-H ${CONFIG_ROM_START_OFFSET}
-				$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-				${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-			#Sign non-secure binary image with public key
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-				--layout ${PREPROCESSED_FILE_NS}
-				-k ${CONFIG_TFM_KEY_FILE_NS}
-				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-				--align 1
-				-v ${TFM_IMAGE_VERSION_NS}
-				-s auto
-				${ADD_S_IMAGE_MIN_VER}
-				-H ${CONFIG_ROM_START_OFFSET}
-				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-				${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-			#Create concatenated binary image from the two independently signed binary file
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
-				--layout ${PREPROCESSED_FILE_S}
-				-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-				-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-				-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
-
-			#Copy mcuboot.bin
-			COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
-			#Merge mcuboot.bin and tfm_sign.bin for flashing
-			COMMAND ${SREC_CAT}
-			ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
-				${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-				-offset 0x8000 #slot0_partition
-				-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
-		)
-	endif()
-endif()
 
 if (CONFIG_SECOND_CORE_MCUX)
 	# Set srec_cat binary name

diff --git a/boards/arm/mps2_an521/CMakeLists.txt b/boards/arm/mps2_an521/CMakeLists.txt
@@ -7,83 +7,3 @@
 zephyr_library()
 zephyr_library_sources(pinmux.c)
 zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
-
-if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-	set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-	set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	set(TFM_PUBLIC_KEY_FORMAT "full")
-
-	# Set srec_cat binary name
-	find_program(SREC_CAT srec_cat)
-	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
-	    message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
-	endif()
-
-	#Create and sign for concatenated binary image, should align with the TF-M BL2
-	set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-		#Sign secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_S}
-			 -k ${CONFIG_TFM_KEY_FILE_S}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_S}
-			 --pad
-			 --pad-header
-			 ${ADD_NS_IMAGE_MIN_VER}
-			 -s auto
-			 -H 0x400
-			 $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-			 ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-		#Sign non-secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_NS}
-			 -k ${CONFIG_TFM_KEY_FILE_NS}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_NS}
-			 -s auto
-			 ${ADD_S_IMAGE_MIN_VER}
-			 -H 0x400
-			 ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-			 ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-		#Create concatenated binary image from the two independently signed binary file
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
-		     --layout ${PREPROCESSED_FILE_S}
-			 -s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-			 -n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-			 -o ${CMAKE_BINARY_DIR}/tfm_sign.bin
-
-		#Copy mcuboot.bin
-		COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
-		#Merge mcuboot.bin and tfm_sign.bin for QEMU
-		COMMAND ${SREC_CAT}
-		ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
-			${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
-			-offset 0x80000
-			-o ${CMAKE_BINARY_DIR}/tfm_qemu.bin -Binary
-
-		#Convert tfm_qemu.bin to .hex with an appropriate offset
-		COMMAND ${SREC_CAT}
-		ARGS ${CMAKE_BINARY_DIR}/tfm_qemu.bin -binary
-			-offset 0x10000000
-			-o ${CMAKE_BINARY_DIR}/tfm_qemu.hex -intel --line-length=44
-	)
-endif()
diff --git a/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt b/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt
@@ -7,105 +7,3 @@ if (((CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPP OR CONFIG_BOARD_NRF5340PDK_NRF5340_
 zephyr_library()
 zephyr_library_sources(nrf5340_cpunet_reset.c)
 endif()
-
-if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	if (NOT CONFIG_TFM_BL2_FALSE)
-		set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-		set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-		set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-	endif()
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
-		set(TFM_PUBLIC_KEY_FORMAT "full")
-	endif()
-
-	if(CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPPNS)
-		set(TFM_INSTALL_DIR ${CMAKE_BINARY_DIR}/tfm/install/outputs/NORDIC_NRF/NRF5340PDK_NRF5340_CPUAPP)
-	elseif(CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPPNS)
-		set(TFM_INSTALL_DIR ${CMAKE_BINARY_DIR}/tfm/install/outputs/NORDIC_NRF/NRF5340DK_NRF5340_CPUAPP)
-	endif()
-
-	# Set srec_cat binary name
-	find_program(SREC_CAT srec_cat)
-	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
-	    message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
-	endif()
-
-	if (CONFIG_TFM_BL2_FALSE)
-		# Merge tfm_s and zephyr (NS) image to a single binary.
-		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-			COMMAND ${SREC_CAT}
-			ARGS $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE> -Binary
-				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
-				-offset ${CONFIG_FLASH_LOAD_OFFSET}
-				-o ${CMAKE_BINARY_DIR}/tfm_merged.hex -intel
-		)
-	else()
-		#Create and sign for concatenated binary image, should align with the TF-M BL2
-		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-			#Sign secure binary image with public key
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-				--layout ${PREPROCESSED_FILE_S}
-				-k ${CONFIG_TFM_KEY_FILE_S}
-				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-				--align 1
-				-v ${TFM_IMAGE_VERSION_S}
-				--pad
-				--pad-header
-				${ADD_NS_IMAGE_MIN_VER}
-				-s auto
-				-H 0x400
-				$<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-				${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-			#Sign non-secure binary image with public key
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-				--layout ${PREPROCESSED_FILE_NS}
-				-k ${CONFIG_TFM_KEY_FILE_NS}
-				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-				--align 1
-				-v ${TFM_IMAGE_VERSION_NS}
-				-s auto
-				${ADD_S_IMAGE_MIN_VER}
-				-H 0x400
-				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-				${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-			#Create concatenated binary image from the two independently signed binary files
-			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
-				--layout ${PREPROCESSED_FILE_S}
-				-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-				-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-				-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
-
-			#Copy mcuboot.bin
-			COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
-			# Generate an intel hex file from the signed output binary
-			COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
-				-binary
-				-offset 0x10000
-				-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
-				-intel
-		)
-
-		set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
-			${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-			${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-			${CMAKE_BINARY_DIR}/tfm_sign.bin
-			${CMAKE_BINARY_DIR}/tfm_sign.hex
-		)
-	endif()
-endif()
diff --git a/boards/arm/nrf9160dk_nrf9160/CMakeLists.txt b/boards/arm/nrf9160dk_nrf9160/CMakeLists.txt
@@ -3,86 +3,3 @@
 
 zephyr_library()
 zephyr_library_sources(nrf52840_reset.c)
-
-if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-	set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-	set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
-		set(TFM_PUBLIC_KEY_FORMAT "full")
-	endif()
-
-	# Set srec_cat binary name
-	find_program(SREC_CAT srec_cat)
-	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
-	    message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
-	endif()
-
-	#Create and sign for concatenated binary image, should align with the TF-M BL2
-	set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-		#Sign secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_S}
-			 -k ${CONFIG_TFM_KEY_FILE_S}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_S}
-			 --pad
-			 --pad-header
-			 ${ADD_NS_IMAGE_MIN_VER}
-			 -s auto
-			 -H 0x400
-			 $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-			 ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-		#Sign non-secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_NS}
-			 -k ${CONFIG_TFM_KEY_FILE_NS}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_NS}
-			 -s auto
-			 ${ADD_S_IMAGE_MIN_VER}
-			 -H 0x400
-			 ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-			 ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-		#Create concatenated binary image from the two independently signed binary files
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
-			 --layout ${PREPROCESSED_FILE_S}
-			 -s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-			 -n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-			 -o ${CMAKE_BINARY_DIR}/tfm_sign.bin
-
-		#Copy mcuboot.bin
-		COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
-		# Generate an intel hex file from the signed output binary
-		COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin
-		-binary
-		-offset 0x10000
-		-o ${CMAKE_BINARY_DIR}/tfm_sign.hex
-		-intel
-	)
-
-	set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
-		${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-		${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-		${CMAKE_BINARY_DIR}/tfm_sign.bin
-		${CMAKE_BINARY_DIR}/tfm_sign.hex
-	)
-endif()