Build: Add ability to sign S and NS images separately (psoc64, psoc64_1m)
With this change, script can sign each image individually or
both in the same time.
As long as cysecuretools sign_image overwrites unsigned image file
with the signed one, script creates a copy of the original image
and signs the copy.
For CM4, sign_image also creates an unsigned copy of the image
named <image to sign>_cm4.hex. Script deletes it to avoid confusion.
Signed-off-by: Andrei Narkevitch <ainh@cypress.com>
Change-Id: I99381c33d68c2281cae2ac55cc482da7db5f78ac
diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py
index f6c8913..a4e50de 100755
--- a/platform/ext/target/cypress/psoc64/security/sign.py
+++ b/platform/ext/target/cypress/psoc64/security/sign.py
@@ -17,6 +17,8 @@
import cysecuretools
import sys, getopt
+import os
+from shutil import copyfile, move
def main(argv):
s_hex_file=""
@@ -25,11 +27,11 @@
try:
opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
except getopt.GetoptError:
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit()
elif opt in ("-s", "--s_hex"):
s_hex_file = arg
@@ -37,12 +39,57 @@
ns_hex_file = arg
elif opt in ("-p", "--policy"):
policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+ if not s_hex_file and not ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ if not policy_file:
+ print('Error: missing policy file, specify it with -policy <policy json>')
+ exit(1)
+ else:
+ print('policy file:', policy_file)
+
+ if s_hex_file:
+ print('signing tfm_s image:', s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(s_hex_signed_file, policy_file, 1)
+
+ if ns_hex_file:
+ print('signing tfm_ns image:', ns_hex_file)
+
+ name, ext = os.path.splitext(ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])
diff --git a/platform/ext/target/cypress/psoc64_1m/security/sign.py b/platform/ext/target/cypress/psoc64_1m/security/sign.py
index f6c8913..a4e50de 100755
--- a/platform/ext/target/cypress/psoc64_1m/security/sign.py
+++ b/platform/ext/target/cypress/psoc64_1m/security/sign.py
@@ -17,6 +17,8 @@
import cysecuretools
import sys, getopt
+import os
+from shutil import copyfile, move
def main(argv):
s_hex_file=""
@@ -25,11 +27,11 @@
try:
opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
except getopt.GetoptError:
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit()
elif opt in ("-s", "--s_hex"):
s_hex_file = arg
@@ -37,12 +39,57 @@
ns_hex_file = arg
elif opt in ("-p", "--policy"):
policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+ if not s_hex_file and not ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ if not policy_file:
+ print('Error: missing policy file, specify it with -policy <policy json>')
+ exit(1)
+ else:
+ print('policy file:', policy_file)
+
+ if s_hex_file:
+ print('signing tfm_s image:', s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(s_hex_signed_file, policy_file, 1)
+
+ if ns_hex_file:
+ print('signing tfm_ns image:', ns_hex_file)
+
+ name, ext = os.path.splitext(ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])