#------------------------------------------------------------------------------
# Copyright (c) 2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#------------------------------------------------------------------------------
# Oldest CMake release this directory is expected to configure with.
cmake_minimum_required(VERSION 3.13)

# CMP0079 NEW allows target_link_libraries() on targets created in another
# directory. This file configures targets it does not create itself (bl2,
# platform_bl2), so the policy is pinned explicitly.
cmake_policy(SET CMP0079 NEW)
# With TFM_INTERNAL_MCUBOOT set, MCUBOOT_PATH is pointed at this directory.
# FORCE overwrites whatever value is already in the cache, so a path supplied
# by the user is discarded in this mode.
#
# MCUBOOT_PATH decides which bootloader sources are compiled into bl2 and in
# which directory the signing commands below run, so it has to refer to a
# tree whose contents are trusted.
if(TFM_INTERNAL_MCUBOOT)
    set(MCUBOOT_PATH
        ${CMAKE_CURRENT_SOURCE_DIR}
        CACHE PATH "Path to mcuboot (or DOWNLOAD to get automatically"
        FORCE
    )
endif()
# Key handed to the signing wrapper with -E when MCUBOOT_ENC_IMAGES is set.
# Being a non-FORCE cache entry, it can be overridden from the command line
# or a preset.
#
# NOTE(review): the default is a key file inside the MCUboot tree, presumably
# the sample key published with MCUboot. If its private half is public,
# images encrypted with it have no confidentiality; confirm and point this at
# a project-owned key for production builds.
set(MCUBOOT_KEY_ENC
    "${MCUBOOT_PATH}/enc-rsa2048-pub.pem"
    CACHE FILEPATH "Path to key with which to encrypt binary"
)
# Header search paths for the bootloader target. The bl2 target itself is
# created outside this file. All entries are build-tree only
# (BUILD_INTERFACE), so none of them is exported on install.
target_include_directories(bl2 PUBLIC
    $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}> # for mcuboot_config.h only
    $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot/bootutil/include>
    $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot>
)
# Sources that make up the bootloader image.
target_sources(bl2 PRIVATE
    # Local glue kept in this directory.
    ${CMAKE_CURRENT_SOURCE_DIR}/bl2_main.c
    ${CMAKE_CURRENT_SOURCE_DIR}/keys.c
    ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_extended.c
    ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_legacy.c

    # bootutil sources taken from MCUBOOT_PATH in every configuration.
    ${MCUBOOT_PATH}/boot/bootutil/src/loader.c
    ${MCUBOOT_PATH}/boot/bootutil/src/bootutil_misc.c
    ${MCUBOOT_PATH}/boot/bootutil/src/image_validate.c
    ${MCUBOOT_PATH}/boot/bootutil/src/image_rsa.c
    ${MCUBOOT_PATH}/boot/bootutil/src/tlv.c
    ${MCUBOOT_PATH}/boot/bootutil/src/boot_record.c

    # Added only when TFM_INTERNAL_MCUBOOT is false. encrypted.c is in this
    # group, so it is not compiled when TFM_INTERNAL_MCUBOOT is set.
    # NOTE(review): confirm MCUBOOT_ENC_IMAGES is not meant to be combined
    # with TFM_INTERNAL_MCUBOOT.
    $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_scratch.c>
    $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_move.c>
    $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_misc.c>
    $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/encrypted.c>
)
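# Translate the textual MCUBOOT_LOG_LEVEL into its index in the allowed list
# (OFF=0 ... DEBUG=4) and store it in LOG_LEVEL_ID.
# NOTE(review): LOG_LEVEL_ID is presumably substituted into
# mcuboot_config.h.in, which is configured right after this; the template is
# not visible here.
set(MCUBOOT_ALLOWED_LOG_LEVELS OFF ERROR WARNING INFO DEBUG)

# Quoted so that an empty or unset MCUBOOT_LOG_LEVEL still gives list(FIND)
# its three arguments and ends up in the diagnostic below.
list(FIND MCUBOOT_ALLOWED_LOG_LEVELS "${MCUBOOT_LOG_LEVEL}" LOG_LEVEL_ID)

# list(FIND) yields -1 for an unknown value. Stop here rather than let -1
# flow silently into the generated bootloader configuration.
if(LOG_LEVEL_ID EQUAL -1)
    message(FATAL_ERROR
        "MCUBOOT_LOG_LEVEL='${MCUBOOT_LOG_LEVEL}' is not valid; "
        "allowed values: ${MCUBOOT_ALLOWED_LOG_LEVELS}")
endif()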
# Generate mcuboot_config.h in the build tree. @ONLY restricts substitution to
# @VAR@ references, so any ${...} text in the template is left untouched.
configure_file(
    ${CMAKE_CURRENT_SOURCE_DIR}/include/mcuboot_config/mcuboot_config.h.in
    ${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h
    @ONLY
)
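############################### IMAGE SIGNING ##################################

# The assemble/sign commands below run their scripts with
# ${PYTHON_EXECUTABLE}. FindPython3 reports the interpreter it found as
# Python3_EXECUTABLE, so bridge the two names unless PYTHON_EXECUTABLE has
# already been set elsewhere (not visible in this file).
find_package(Python3)
if(NOT PYTHON_EXECUTABLE AND Python3_EXECUTABLE)
    set(PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
endif()
if(NOT PYTHON_EXECUTABLE)
    # Without an interpreter the signing commands would start with the script
    # path itself and fail at build time with an unclear error.
    message(WARNING
        "No Python interpreter found; the image signing commands cannot run")
endif()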
# Layout description for the secure image (flash area 0).
# FLASH_AREA_NUM is set before the template is configured.
# NOTE(review): presumably the template reads it as @FLASH_AREA_NUM@;
# signing_layout.c.in is not visible here.
set(FLASH_AREA_NUM 0)

if(MCUBOOT_IMAGE_NUMBER GREATER 1)
    # Separately signed images: the secure layout gets its own file.
    configure_file(
        ${CMAKE_CURRENT_SOURCE_DIR}/signing_layout.c.in
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c
        @ONLY
    )
    add_library(signing_layout_s OBJECT
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c
    )
else()
    # The imgtool script requires the s_ns suffix. Only one signing layout is
    # used in this mode, so the source file behind the signing_layout_s
    # target is renamed accordingly.
    configure_file(
        ${CMAKE_CURRENT_SOURCE_DIR}/signing_layout.c.in
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c
        @ONLY
    )
    add_library(signing_layout_s OBJECT
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c
    )
endif()
# signing_layout_s is compiled with preprocess-only flags, so the "object"
# the scripts later receive through $<TARGET_OBJECTS:signing_layout_s> is
# preprocessed C text rather than machine code.
target_compile_options(signing_layout_s PRIVATE
    $<$<C_COMPILER_ID:GNU>:-E\;-xc>
    $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
    $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>>
)

# Macros made visible to the layout source while it is preprocessed.
target_compile_definitions(signing_layout_s PRIVATE
    $<$<BOOL:${BL2}>:BL2>
    $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
)

# NOTE(review): platform_bl2 is linked presumably for its include paths and
# definitions (flash layout headers); the target is defined elsewhere.
target_link_libraries(signing_layout_s PRIVATE
    platform_bl2
)
# Unsigned image holding both the secure and non-secure binaries; only
# defined when NS is enabled.
if(NS)
    add_custom_target(tfm_s_ns_bin SOURCES tfm_s_ns.bin)

    # Runs the local assemble.py with the preprocessed secure layout and the
    # two input binaries, then copies the result next to the bl2 binary.
    # No WORKING_DIRECTORY is given, so the relative tfm_s_ns.bin paths refer
    # to the current binary directory.
    # NOTE(review): assemble.py itself is not listed in DEPENDS, so editing
    # the script does not trigger a rebuild of this image.
    add_custom_command(
        OUTPUT tfm_s_ns.bin
        DEPENDS
            $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
            $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            tfm_s_bin tfm_ns_bin
            signing_layout_s

        COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py
            --layout $<TARGET_OBJECTS:signing_layout_s>
            -s $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
            -n $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            -o tfm_s_ns.bin
        COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns.bin $<TARGET_FILE_DIR:bl2>
    )
endif()
# Signed secure image. The target is not part of ALL; it is built when
# something depends on it or when it is requested by name.
add_custom_target(tfm_s_signed_bin SOURCES tfm_s_signed.bin)

# NOTE(review): the key files (MCUBOOT_KEY_S, MCUBOOT_KEY_ENC) and wrapper.py
# are inputs of this command but are not listed in DEPENDS, so rotating a key
# or editing the script leaves a previously signed image in place until
# tfm_s.bin changes.
# NOTE(review): the command has no VERBATIM, so the hand-written escapes in
# the -d argument are interpreted by the platform shell; adding VERBATIM
# would require revisiting those escapes.
add_custom_command(
    OUTPUT tfm_s_signed.bin
    DEPENDS
        $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
        tfm_s_bin signing_layout_s
    WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts

    # Sign the secure binary image with the provided secret key.
    #   -k           signing key (private material: keep it out of the
    #                source tree and out of published build logs)
    #   --public-key-format
    #                "full" when MCUBOOT_HW_KEY is set, otherwise "hash"
    #   -s           security counter value for the secure image
    #   -d           dependency on image 0 at MCUBOOT_S_IMAGE_MIN_VER
    #   -E<key>      passed only when MCUBOOT_ENC_IMAGES is set
    COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
        -v ${MCUBOOT_IMAGE_VERSION_S}
        --layout $<TARGET_OBJECTS:signing_layout_s>
        -k ${MCUBOOT_KEY_S}
        --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
        --align 1
        --pad
        --pad-header
        -H 0x400
        -s ${MCUBOOT_SECURITY_COUNTER_S}
        -d \"\(0,${MCUBOOT_S_IMAGE_MIN_VER}\)\"
        $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
        $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
        $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
        ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
    COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2>
)
# Non-secure counterpart of the secure signing flow: its own layout target
# (flash area 1) and its own signed image, both only defined when NS is set.
if(NS)
    # FLASH_AREA_NUM is switched to 1 before the template is configured again.
    set(FLASH_AREA_NUM 1)
    configure_file(
        ${CMAKE_CURRENT_SOURCE_DIR}/signing_layout.c.in
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c
        @ONLY
    )

    # Preprocess-only "object", same scheme as signing_layout_s.
    add_library(signing_layout_ns OBJECT
        ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c
    )
    target_compile_options(signing_layout_ns PRIVATE
        $<$<C_COMPILER_ID:GNU>:-E\;-xc>
        $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
        $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_ns>>
    )
    target_compile_definitions(signing_layout_ns PRIVATE
        $<$<BOOL:${BL2}>:BL2>
        $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
    )
    target_link_libraries(signing_layout_ns PRIVATE
        platform_bl2
    )

    add_custom_target(tfm_ns_signed_bin SOURCES tfm_ns_signed.bin)

    # NOTE(review): MCUBOOT_KEY_NS, MCUBOOT_KEY_ENC and wrapper.py are inputs
    # that are not listed in DEPENDS; a key change alone does not re-sign.
    # NOTE(review): no VERBATIM; the escapes in -d rely on the platform shell.
    # NOTE(review): unlike the secure command, the input binary is placed
    # before the optional --overwrite-only / -E arguments. The order is kept
    # as found; confirm the wrapper accepts options after a positional
    # argument.
    add_custom_command(
        OUTPUT tfm_ns_signed.bin
        DEPENDS
            $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            tfm_ns_bin signing_layout_ns
        WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts

        # Sign the non-secure binary image with the provided secret key.
        COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
            -v ${MCUBOOT_IMAGE_VERSION_NS}
            --layout $<TARGET_OBJECTS:signing_layout_ns>
            -k ${MCUBOOT_KEY_NS}
            --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
            --align 1
            --pad
            --pad-header
            -H 0x400
            -s ${MCUBOOT_SECURITY_COUNTER_NS}
            -d \"\(1, ${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
            $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
            $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
            ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin
        COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin $<TARGET_FILE_DIR:bl2>
    )
endif()
# Final combined image, built by default (ALL) when NS is enabled. How it is
# produced depends on MCUBOOT_IMAGE_NUMBER:
#   > 1 : the two images are signed separately and only concatenated here
#   else: the unsigned concatenation is signed as one image with the secure
#         key, version and security counter
if(NS)
    add_custom_target(tfm_s_ns_signed_bin ALL SOURCES tfm_s_ns_signed.bin)

    if(MCUBOOT_IMAGE_NUMBER GREATER 1)
        add_custom_command(
            OUTPUT tfm_s_ns_signed.bin
            DEPENDS
                tfm_s_signed_bin $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
                tfm_ns_signed_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
                signing_layout_s

            # Create a concatenated binary image from the two independently
            # signed binary files. This only uses the local assemble.py
            # script (not the one from upstream mcuboot) because that script
            # is geared towards zephyr support. The inputs are the copies of
            # the signed images placed in the bl2 output directory.
            COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py
                --layout $<TARGET_OBJECTS:signing_layout_s>
                -s $<TARGET_FILE_DIR:bl2>/tfm_s_signed.bin
                -n $<TARGET_FILE_DIR:bl2>/tfm_ns_signed.bin
                -o tfm_s_ns_signed.bin
            COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
        )
    else()
        # NOTE(review): the non-secure code is covered by the secure key
        # (MCUBOOT_KEY_S) in this mode; MCUBOOT_KEY_NS is not used.
        # NOTE(review): the key files and wrapper.py are not in DEPENDS, and
        # the command has no VERBATIM; the -d escapes rely on the platform
        # shell.
        add_custom_command(
            OUTPUT tfm_s_ns_signed.bin
            DEPENDS
                tfm_s_ns_bin tfm_s_ns.bin
                signing_layout_s

            COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
                -v ${MCUBOOT_IMAGE_VERSION_S}
                --layout $<TARGET_OBJECTS:signing_layout_s>
                -k ${MCUBOOT_KEY_S}
                --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
                --align 1
                --pad
                --pad-header
                -H 0x400
                -s ${MCUBOOT_SECURITY_COUNTER_S}
                -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
                -d \"\(1, ${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
                $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
                $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
                tfm_s_ns.bin
                ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin
            COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
        )
    endif()
endif()
# Umbrella target, part of the default build. It pulls in the combined signed
# image only when NS is enabled.
# NOTE(review): with NS off the dependency list is empty, so this target does
# not cause tfm_s_signed_bin to be built; confirm that a secure-only build is
# signed through some other path.
add_custom_target(signed_images ALL
    DEPENDS $<$<BOOL:${NS}>:tfm_s_ns_signed_bin>
)