3 files changed, 112 insertions, 54 deletions
diff --git a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst index dda8dc16a6..783b2a6980 100644 --- a/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst +++ b/platform/ext/target/cypress/psoc64/cypress_psoc64_spec.rst @@ -16,23 +16,14 @@ Please make sure you have all required software installed as explained in the Please also make sure that all the source code are fetched by following :doc:`general building instruction </docs/user_guides/tfm_build_instruction>`. -Install CySecureTools. The exact command to use depends on what version of -python you are running (which can be determined with "python3 --version"). - -If you have python 3.7, use - -.. code-block:: bash - - pip install cysecuretools==1.0.0 - -If you have python 3.6.8, use +Install CySecureTools. .. code-block:: bash - pip3 install --ignore-requires-python git+https://github.com/cypresssemiconductorco/cysecuretools@v1.0.0 + pip3 install cysecuretools==1.3.3 For more details please refer to -`CySecureTools <https://pypi.org/project/cysecuretools/1.0.0/>`_ page. +`CySecureTools <https://pypi.org/project/cysecuretools/1.3.3/>`_ page. Install OpenOCD with PSoC6 support. It can be obtained from the Cypress Programmer, download it from: 
@@ -293,23 +284,26 @@ Sign the images (sign.py overwrites unsigned files with signed ones): .. code-block:: bash ./platform/ext/target/cypress/psoc64/security/sign.py \ + -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \ + -d cy8cproto-064s2-sb \ -s <build folder>/tfm_s.hex \ - -n <build folder>/tfm_ns.hex \ - -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json + -n <build folder>/tfm_ns.hex Note: each image can be signed individually, for example: .. code-block:: bash ./platform/ext/target/cypress/psoc64/security/sign.py \ - -n <build folder>/tfm_ns.hex \ - -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json + -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \ + -d cy8cproto-064s2-sb \ + -n <build folder>/tfm_ns.hex .. code-block:: bash ./platform/ext/target/cypress/psoc64/security/sign.py \ - -s <build folder>/tfm_s.hex \ - -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json + -p platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json \ + -d cy8cproto-064s2-sb \ + -s <build folder>/tfm_s.hex ********************** Programming the Device diff --git a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json index 4a95235b30..d2cdadcfc0 100644 --- a/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json +++ b/platform/ext/target/cypress/psoc64/security/policy_dual_stage_CM0p_CM4_debug_2M.json @@ -66,10 +66,6 @@ "upgrade_auth": [ 3 ], - "upgrade_keys": [ - { "kid": 3, "key": "./keys/MCUBOOT_CM0P_KEY.json" } - ], - "backup": false, "resources": [ { "type": "FLASH_PC1_SPM", 
@@ -101,7 +97,7 @@ "smif_id": 0, "version": "0.1", "rollback_counter": 0, - "upgrade": false, + "upgrade": true, "encrypt": false, "encrypt_key_id": 1, "upgrade_auth": [ @@ -149,11 +145,6 @@ "type": "BOOT", "address": 268763136, "size": 1179648 - }, - { - "type": "UPGRADE", - "address": 268763136, - "size": 1179648 } ] } @@ -162,5 +153,10 @@ "cy_bootloader": { "mode": "debug" + }, + "provisioning": + { + "packet_dir": "../packet", + "chain_of_trust": [] } } diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py index 187d67c4db..f5315101c7 100755 --- a/platform/ext/target/cypress/psoc64/security/sign.py +++ b/platform/ext/target/cypress/psoc64/security/sign.py 
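Review bot: `"upgrade": true` is switched on in the `@@ -101,7 +97,7 @@` hunk while the following hunk (`@@ -149,11 +145,6 @@`) deletes the only `UPGRADE` resource of what appears to be the same image, so the policy enables upgrades with no upgrade slot declared. The removed entry reused the `BOOT` address and size, so dropping it is understandable, but then either keep `"upgrade": false` or declare an `UPGRADE` region with its own address. The earlier hunk (`@@ -66,10 +66,6 @@`) likewise removes `upgrade_keys` while `"upgrade_auth": [ 3 ]` stays in place, so it is worth confirming which key now authenticates upgrades for that image. The new `provisioning` block has an empty `chain_of_trust` and `cy_bootloader` stays in `"mode": "debug"`; the documentation that references this file should say it is a debug policy, so it is not reused for production provisioning.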
@@ -15,34 +15,102 @@ See the License for the specific language governing permissions and limitations under the License. """ -import cysecuretools -import sys, getopt +from cysecuretools import CySecureTools +import sys, argparse +import os +from shutil import copyfile, move + + +def myargs(argv): + parser = argparse.ArgumentParser(add_help=False) + parser.add_argument('-h', '--help', + dest='show_help', + action='help', + help='Print this help message and exit') + + parser.add_argument('-p', '--policy', + dest='policy_file', + action='store', + type=str, + help="Device policy file", + required=True) + + parser.add_argument('-d', '--device', + dest='device', + action='store', + type=str, + help="device target", + required=True) + + parser.add_argument('-s', '--s_hex', + dest='s_hex_file', + action='store', + default='', + type=str, + help="TFM SPE image to sign in hex format") + + parser.add_argument('-ns', '--ns_hex', + dest='ns_hex_file', + action='store', + default='', + type=str, + help="TFM NSPE image to sign in hex format") + + options = parser.parse_args(argv) + return options + def main(argv): - s_hex_file="" - ns_hex_file="" - policy_file="" - try: - opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="]) - except getopt.GetoptError: - print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>') - sys.exit(2) - for opt, arg in opts: - if opt == '-h': - print ('sign.py -s <tfm_s hex> -n <tfm_ns hex> -p <policy json>') - sys.exit() - elif opt in ("-s", "--s_hex"): - s_hex_file = arg - elif opt in ("-n", "--ns_hex"): - ns_hex_file = arg - elif opt in ("-p", "--policy"): - policy_file = arg - print ('tfm_s :', s_hex_file) - print ('tfm_ns:', ns_hex_file) - print ('policy:', policy_file) - - cysecuretools.sign_image(s_hex_file, policy_file, 1); - cysecuretools.sign_image(ns_hex_file, policy_file, 16); + + options = myargs(argv) + print("options={}".format(options)) + + if not options.s_hex_file and not options.ns_hex_file: + 
print('Error: no files to sign') + exit(1) + + tools = CySecureTools(options.device, options.policy_file) + + if options.s_hex_file: + print('signing tfm_s image:', options.s_hex_file) + + # sign_image overwrites original image, make a copy of it + name, ext = os.path.splitext(options.s_hex_file) + s_hex_signed_file = name + '_signed' + ext + try: + copyfile(options.s_hex_file, s_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(options.s_hex_file, s_hex_signed_file, e.message)) + raise + + tools.sign_image(s_hex_signed_file, 1) + + if options.ns_hex_file: + print('signing tfm_ns image:', options.ns_hex_file) + + name, ext = os.path.splitext(options.ns_hex_file) + ns_hex_signed_file = name + '_signed' + ext + try: + copyfile(options.ns_hex_file, ns_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(options.ns_hex_file, ns_hex_signed_file, e.message)) + raise + + tools.sign_image(ns_hex_signed_file, 16) + + # for CM4, sign_image creates an unsigned copy of the image + # named <image to sign>_cm4.hex. Delete it to avoid confusion. + file_name = name + '_signed_cm4' + ext + if os.path.isfile(file_name): + try: + os.remove(file_name) + except IOError: + print("Could not erase '{}'" + .format(file_name)) + + print('Done.') if __name__ == "__main__": main(sys.argv[1:]) |
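Review bot: Both `except IOError as e` handlers in `main` format `e.message`, an attribute Python 3 exceptions do not have, so a failed `copyfile` raises `AttributeError` inside the handler and hides the real I/O error; pass `e` itself to `format`. The S and NS stanzas are copy-paste twins, so the fence below folds them into one helper that carries the fix once. The return value of `tools.sign_image(...)` is discarded and `Done.` is printed unconditionally; how that call signals failure is not visible here, so confirm it and exit non-zero on failure, otherwise an unsigned `*_signed.hex` copy can be mistaken for a signed image. The script now signs a `_signed` copy while the .rst hunk's context line still says "sign.py overwrites unsigned files with signed ones", and the documented `-n` flag reaches the declared `-ns` only through argparse prefix matching; declare `'-n', '--ns_hex'` and update that sentence. `main` runs to the end of the hunk, and `exit(1)` should be `sys.exit(1)` since `sys` is already imported.

```python
def sign_copy(tools, hex_file, image_id):
    """Copy hex_file to <name>_signed<ext>, sign the copy, return (name, ext)."""
    name, ext = os.path.splitext(hex_file)
    signed_file = name + '_signed' + ext
    try:
        copyfile(hex_file, signed_file)
    except IOError as e:
        # Format the exception itself; e.message does not exist on Python 3.
        print("Failed to copy file '{}' to '{}' ({})"
              .format(hex_file, signed_file, e))
        raise
    tools.sign_image(signed_file, image_id)
    return name, ext

# in main():
    # … unchanged: option parsing, "no files to sign" check, CySecureTools(...) …
    if options.s_hex_file:
        print('signing tfm_s image:', options.s_hex_file)
        sign_copy(tools, options.s_hex_file, 1)

    if options.ns_hex_file:
        print('signing tfm_ns image:', options.ns_hex_file)
        name, ext = sign_copy(tools, options.ns_hex_file, 16)
        # … unchanged: removal of <name>_signed_cm4<ext> …
```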