-rw-r--r--platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst30
-rw-r--r--platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json16
-rwxr-xr-xplatform/ext/target/cypress/psoc64/security/sign.py120
3 files changed, 112 insertions, 54 deletions
diff --git a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
index dda8dc16a6..783b2a6980 100644
--- a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
+++ b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst
@@ -16,23 +16,14 @@ Please make sure you have all required software installed as explained in the
Please also make sure that all the source code are fetched by following
:doc:`general building instruction </docs/user_guides/tfm_build_instruction>`.
-Install CySecureTools. The exact command to use depends on what version of
-python you are running (which can be determined with "python3 --version").
-
-If you have python 3.7, use
-
-.. code-block:: bash
-
- pip install cysecuretools==1.0.0
-
-If you have python 3.6.8, use
+Install CySecureTools.
.. code-block:: bash
- pip3 install --ignore-requires-python git+https://github.com/cypresssemiconductorco/cysecuretools@v1.0.0
+ pip3 install cysecuretools==1.3.3
For more details please refer to
-`CySecureTools <https://pypi.org/project/cysecuretools/1.0.0/>`_ page.
+`CySecureTools <https://pypi.org/project/cysecuretools/1.3.3/>`_ page.
Install OpenOCD with PSoC6 support. It can be obtained from the Cypress
Programmer, download it from:
@@ -293,23 +284,26 @@ Sign the images (sign.py overwrites unsigned files with signed ones):
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
-s <build folder>/tfm_s.hex \
- -n <build folder>/tfm_ns.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -n <build folder>/tfm_ns.hex
Note: each image can be signed individually, for example:
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
- -n <build folder>/tfm_ns.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
+ -n <build folder>/tfm_ns.hex
.. code-block:: bash
./platform/ext/target/cypress/psoc64/security/sign.py \
- -s <build folder>/tfm_s.hex \
- -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+ -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \
+ -d cy8cproto-064s2-sb \
+ -s <build folder>/tfm_s.hex
**********************
Programming the Device
diff --git a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
index 4a95235b30..d2cdadcfc0 100644
--- a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
+++ b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json
@@ -66,10 +66,6 @@
"upgrade_auth": [
3
],
- "upgrade_keys": [
- { "kid": 3, "key": "./keys/MCUBOOT_CM0P_KEY.json" }
- ],
- "backup": false,
"resources": [
{
"type": "FLASH_PC1_SPM",
@@ -101,7 +97,7 @@
"smif_id": 0,
"version": "0.1",
"rollback_counter": 0,
- "upgrade": false,
+ "upgrade": true,
"encrypt": false,
"encrypt_key_id": 1,
"upgrade_auth": [
@@ -149,11 +145,6 @@
"type": "BOOT",
"address": 268763136,
"size": 1179648
- },
- {
- "type": "UPGRADE",
- "address": 268763136,
- "size": 1179648
}
]
}
@@ -162,5 +153,10 @@
"cy_bootloader":
{
"mode": "debug"
+ },
+ "provisioning":
+ {
+ "packet_dir": "../packet",
+ "chain_of_trust": []
}
}
diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py
index 187d67c4db..f5315101c7 100755
--- a/platform/ext/target/cypress/psoc64/security/sign.py
+++ b/platform/ext/target/cypress/psoc64/security/sign.py
@@ -15,34 +15,102 @@ See the License for the specific language governing permissions and
limitations under the License.
"""
-import cysecuretools
-import sys, getopt
+from cysecuretools import CySecureTools
+import sys, argparse
+import os
+from shutil import copyfile, move
+
+
+def myargs(argv):
+ parser = argparse.ArgumentParser(add_help=False)
+ parser.add_argument('-h', '--help',
+ dest='show_help',
+ action='help',
+ help='Print this help message and exit')
+
+ parser.add_argument('-p', '--policy',
+ dest='policy_file',
+ action='store',
+ type=str,
+ help="Device policy file",
+ required=True)
+
+ parser.add_argument('-d', '--device',
+ dest='device',
+ action='store',
+ type=str,
+ help="device target",
+ required=True)
+
+ parser.add_argument('-s', '--s_hex',
+ dest='s_hex_file',
+ action='store',
+ default='',
+ type=str,
+ help="TFM SPE image to sign in hex format")
+
+ parser.add_argument('-ns', '--ns_hex',
+ dest='ns_hex_file',
+ action='store',
+ default='',
+ type=str,
+ help="TFM NSPE image to sign in hex format")
+
+ options = parser.parse_args(argv)
+ return options
+
def main(argv):
- s_hex_file=""
- ns_hex_file=""
- policy_file=""
- try:
- opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
- except getopt.GetoptError:
- print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>')
- sys.exit(2)
- for opt, arg in opts:
- if opt == '-h':
- print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>')
- sys.exit()
- elif opt in ("-s", "--s_hex"):
- s_hex_file = arg
- elif opt in ("-n", "--ns_hex"):
- ns_hex_file = arg
- elif opt in ("-p", "--policy"):
- policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
-
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+
+ options = myargs(argv)
+ print("options={}".format(options))
+
+ if not options.s_hex_file and not options.ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ tools = CySecureTools(options.device, options.policy_file)
+
+ if options.s_hex_file:
+ print('signing tfm_s image:', options.s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(options.s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(options.s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(options.s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ tools.sign_image(s_hex_signed_file, 1)
+
+ if options.ns_hex_file:
+ print('signing tfm_ns image:', options.ns_hex_file)
+
+ name, ext = os.path.splitext(options.ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(options.ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(options.ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ tools.sign_image(ns_hex_signed_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])
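Review bot: In both `except IOError as e:` handlers in `main` (the tfm_s and tfm_ns copies), `e.message` does not exist on Python 3 exceptions, so a failed `copyfile` raises `AttributeError` inside the handler and hides the real I/O error; format the exception itself, e.g. `.format(options.s_hex_file, s_hex_signed_file, e))`. The result of `tools.sign_image(...)` is ignored and `Done.` is printed unconditionally; if the API reports failure through its return value (not visible here), the script would exit 0 and leave a `_signed` file that was never signed, so check the result and call `sys.exit(1)` on failure. The no-input path calls the site-provided `exit(1)` where `sys.exit(1)` is the reliable form, and `move` is imported but never used. The option is now declared as `-ns` while the updated documentation still passes `-n`, which works only through argparse's prefix matching; that documentation also still says sign.py overwrites the unsigned files, although the new code writes `_signed` copies.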