authorAndrei Narkevitch <ainh@cypress.com>2019-12-10 15:43:23 -0800
committerDavid Hu <david.hu@arm.com>2020-01-15 03:06:26 +0000
commit84b409772f195c029d4f31e4805a35e3148a8677 (patch)
tree7f2eb510324a9c9335da1e72556ff1c882f3ef33
parent4c415f2ba253af8aea71df46b83b067a8966225e (diff)
downloadtrusted-firmware-m-84b409772f195c029d4f31e4805a35e3148a8677.tar.gz
Platform: Update sign.py for cysecuretools 1.3.3 (psoc64)
Updated image signing script sign.py to support the recent cysecuretools API changes. Changed sign.py to use argparse instead of getopt. Updated the policy file to satisfy the cysecuretools policy validation. Signed-off-by: Andrei Narkevitch <ainh@cypress.com> Change-Id: I69e6de577e561f351f9ea659e90ba06a67ff8423
-rw-r--r--platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst30
-rw-r--r--platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json16
-rwxr-xr-xplatform/ext/target/cypress/psoc64/security/sign.py120
3 files changed, 112 insertions, 54 deletions
diff --git a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
index dda8dc16a6..783b2a6980 100644
--- a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
+++ b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
@@ -16,23 +16,14 @@ Please make sure you have all required software installed as explained in the
Please also make sure that all the source code are fetched by following
:doc:`general building instruction </docs/user_guides/tfm_build_instruction>`.
-Install CySecureTools. The exact command to use depends on what version of
-python you are running (which can be determined with "python3 --version").
-
-If you have python 3.7, use
-
-.. code-block:: bash
-
- pip install cysecuretools==1.0.0
-
-If you have python 3.6.8, use
+Install CySecureTools.
.. code-block:: bash
- pip3 install --ignore-requires-python git+https://github.com/cypresssemiconductorco/cysecuretools@v1.0.0
+ pip3 install cysecuretools==1.3.3
For more details please refer to
-`CySecureTools <https://pypi.org/project/cysecuretools/1.0.0/>`_ page.
+`CySecureTools <https://pypi.org/project/cysecuretools/1.3.3/>`_ page.
Install OpenOCD with PSoC6 support. It can be obtained from the Cypress
Programmer, download it from:
@@ -293,23 +284,26 @@ Sign the images (sign.py overwrites unsigned files with signed ones):
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
-s <build folder>/tfm_s.hex \
- -n <build folder>/tfm_ns.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -n <build folder>/tfm_ns.hex
Note: each image can be signed individually, for example:
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
- -n <build folder>/tfm_ns.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
+ -n <build folder>/tfm_ns.hex
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
- -s <build folder>/tfm_s.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
+ -s <build folder>/tfm_s.hex
**********************
Programming the Device
diff --git a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
index 4a95235b30..d2cdadcfc0 100644
--- a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+++ b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
@@ -66,10 +66,6 @@
"upgrade_auth": [
3
],
- "upgrade_keys": [
- { "kid": 3, "key": "./keys/MCUBOOT_CM0P_KEY.json" }
- ],
- "backup": false,
"resources": [
{
"type": "FLASH_PC1_SPM",
@@ -101,7 +97,7 @@
"smif_id": 0,
"version": "0.1",
"rollback_counter": 0,
- "upgrade": false,
+ "upgrade": true,
"encrypt": false,
"encrypt_key_id": 1,
"upgrade_auth": [
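Review bot: `"upgrade": true` is switched on here while a later hunk of the same policy file removes the `UPGRADE` resource entry, so this image may end up with upgrades enabled and no upgrade slot defined. Whether both changes land in the same image entry cannot be confirmed from the hunks, because the entry boundaries are outside them. JSON cannot carry a comment, so the commit description or the spec should state whether upgrades are really intended for this image or the flag is only set to pass cysecuretools policy validation. It is also worth confirming how the bootloader treats an image that has `upgrade` enabled but no `UPGRADE` region.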
@@ -149,11 +145,6 @@
"type": "BOOT",
"address": 268763136,
"size": 1179648
- },
- {
- "type": "UPGRADE",
- "address": 268763136,
- "size": 1179648
}
]
}
@@ -162,5 +153,10 @@
"cy_bootloader":
{
"mode": "debug"
+ },
+ "provisioning":
+ {
+ "packet_dir": "../packet",
+ "chain_of_trust": []
}
}
diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py
index 187d67c4db..f5315101c7 100755
--- a/platform/ext/target/cypress/psoc64/security/sign.py
+++ b/platform/ext/target/cypress/psoc64/security/sign.py
@@ -15,34 +15,102 @@ See the License for the specific language governing permissions and
limitations under the License.
"""
-import cysecuretools
-import sys, getopt
+from cysecuretools import CySecureTools
+import sys, argparse
+import os
+from shutil import copyfile, move
+
+
+def myargs(argv):
+ parser = argparse.ArgumentParser(add_help=False)
+ parser.add_argument('-h', '--help',
+ dest='show_help',
+ action='help',
+ help='Print this help message and exit')
+
+ parser.add_argument('-p', '--policy',
+ dest='policy_file',
+ action='store',
+ type=str,
+ help="Device policy file",
+ required=True)
+
+ parser.add_argument('-d', '--device',
+ dest='device',
+ action='store',
+ type=str,
+ help="device target",
+ required=True)
+
+ parser.add_argument('-s', '--s_hex',
+ dest='s_hex_file',
+ action='store',
+ default='',
+ type=str,
+ help="TFM SPE image to sign in hex format")
+
+ parser.add_argument('-ns', '--ns_hex',
+ dest='ns_hex_file',
+ action='store',
+ default='',
+ type=str,
+ help="TFM NSPE image to sign in hex format")
+
+ options = parser.parse_args(argv)
+ return options
+
def main(argv):
- s_hex_file=""
- ns_hex_file=""
- policy_file=""
- try:
- opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
- except getopt.GetoptError:
- print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>')
- sys.exit(2)
- for opt, arg in opts:
- if opt == '-h':
- print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>')
- sys.exit()
- elif opt in ("-s", "--s_hex"):
- s_hex_file = arg
- elif opt in ("-n", "--ns_hex"):
- ns_hex_file = arg
- elif opt in ("-p", "--policy"):
- policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
-
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+
+ options = myargs(argv)
+ print("options={}".format(options))
+
+ if not options.s_hex_file and not options.ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ tools = CySecureTools(options.device, options.policy_file)
+
+ if options.s_hex_file:
+ print('signing tfm_s image:', options.s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(options.s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(options.s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(options.s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ tools.sign_image(s_hex_signed_file, 1)
+
+ if options.ns_hex_file:
+ print('signing tfm_ns image:', options.ns_hex_file)
+
+ name, ext = os.path.splitext(options.ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(options.ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(options.ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ tools.sign_image(ns_hex_signed_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])
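Review bot: Both `except IOError as e:` handlers in main() format `e.message`, an attribute Python 3 exceptions do not have, so a failed `copyfile` raises AttributeError inside the handler and hides the real I/O error. Passing the exception itself keeps the message: `.format(options.s_hex_file, s_hex_signed_file, e))`, and likewise in the ns branch. The script now signs a `<name>_signed<ext>` copy and leaves the input untouched, yet the spec sentence visible in the .rst hunk header still says sign.py overwrites the unsigned files. That sentence should be updated so nobody programs the unsigned image by mistake. The result of `tools.sign_image(...)` is also not checked before `print('Done.')`; if the API reports failure through its return value (not visible here), the script should exit non-zero, and `exit(1)` is better written `sys.exit(1)`.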