| #------------------------------------------------------------------------------- |
| # Copyright (c) 2018-2020, Arm Limited. All rights reserved. |
| # |
| # SPDX-License-Identifier: BSD-3-Clause |
| # |
| #------------------------------------------------------------------------------- |
| |
| cmake_minimum_required(VERSION 3.7) |
| |
| function(mcuboot_create_boot_payload) |
| set( _OPTIONS_ARGS) #Option (on/off) arguments (e.g. IGNORE_CASE) |
| set( _ONE_VALUE_ARGS S_BIN NS_BIN FULL_BIN SIGN_BIN POSTFIX) #Single option arguments (e.g. PATH "./foo/bar") |
| set( _MULTI_VALUE_ARGS) #List arguments (e.g. LANGUAGES C ASM CXX) |
| cmake_parse_arguments(_MY_PARAMS "${_OPTIONS_ARGS}" "${_ONE_VALUE_ARGS}" "${_MULTI_VALUE_ARGS}" ${ARGN}) |
| |
| if (NOT DEFINED _MY_PARAMS_S_BIN) |
| message(FATAL_ERROR "mcuboot_create_boot_payload(): mandatory parameter 'S_BIN' missing.") |
| endif() |
| |
| if (NOT DEFINED _MY_PARAMS_NS_BIN) |
| message(FATAL_ERROR "mcuboot_create_boot_payload(): mandatory parameter 'NS_BIN' missing.") |
| endif() |
| |
| if (NOT DEFINED _MY_PARAMS_FULL_BIN) |
| message(FATAL_ERROR "mcuboot_create_boot_payload(): mandatory parameter 'FULL_BIN' missing.") |
| endif() |
| |
| if (NOT DEFINED _MY_PARAMS_SIGN_BIN) |
| message(FATAL_ERROR "mcuboot_create_boot_payload(): mandatory parameter 'SIGN_BIN' missing.") |
| endif() |
| |
| if (DEFINED _MY_PARAMS_POSTFIX) |
| if (${_MY_PARAMS_POSTFIX} STREQUAL "_1") |
| set(MY_POSTFIX "1") |
| else() |
| message(FATAL_ERROR "Unknown artefacts postfix: ${_MY_PARAMS_POSTFIX}") |
| endif() |
| endif() |
| |
| #Find Python3.x interpreter |
| find_package(PythonInterp 3) |
| if (NOT PYTHONINTERP_FOUND) |
| message(FATAL_ERROR "Failed to find Python3.x interpreter. Pyhton3 must be installed and available on the PATH.") |
| endif() |
| |
| if(NOT DEFINED FLASH_LAYOUT) |
| message(FATAL_ERROR "ERROR: Incomplete Configuration: FLASH_LAYOUT is not defined.") |
| endif() |
| |
| if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072") |
| set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-3072.pem") |
| set(KEY_FILE_S "${MCUBOOT_DIR}/root-rsa-3072.pem") |
| set(KEY_FILE_NS "${MCUBOOT_DIR}/root-rsa-3072_1.pem") |
| elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048") |
| set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-2048.pem") |
| set(KEY_FILE_S "${MCUBOOT_DIR}/root-rsa-2048.pem") |
| set(KEY_FILE_NS "${MCUBOOT_DIR}/root-rsa-2048_1.pem") |
| else() |
| message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm") |
| endif() |
| |
| #Configure in which format (full or hash) include the public key to the image manifest |
| # |
| #|-----------------------|-----------------------|-------------------|--------------------| |
| #| |Key format in manifest |Key in MCUBoot code| Key in HW | |
| #|-----------------------|-----------------------|-------------------|--------------------| |
| #|MCUBOOT_HW_KEY == On | Full public key | No key embedded | Hash of public key | |
| #|-----------------------|-----------------------|-------------------|--------------------| |
| #|MCUBOOT_HW_KEY == Off | Hash of public key | Full public key | No key in HW | |
| #|-----------------------|-----------------------|-------------------|--------------------| |
| if (MCUBOOT_HW_KEY) |
| set(PUBLIC_KEY_FORMAT "full") |
| else() |
| set(PUBLIC_KEY_FORMAT "hash") |
| endif() |
| |
| set(PARTIAL_CONTENT_FOR_PREPROCESSING "#include \"${FLASH_LAYOUT}\"\n\n" |
| "/* Enumeration that is used by the assemble.py and imgtool.py scripts\n" |
| " * for correct binary generation when nested macros are used\n" |
| " */\n" |
| "enum image_attributes {\n" |
| "\tRE_SECURE_IMAGE_OFFSET = SECURE_IMAGE_OFFSET,\n" |
| "\tRE_SECURE_IMAGE_MAX_SIZE = SECURE_IMAGE_MAX_SIZE,\n" |
| "\tRE_NON_SECURE_IMAGE_OFFSET = NON_SECURE_IMAGE_OFFSET,\n" |
| "\tRE_NON_SECURE_IMAGE_MAX_SIZE = NON_SECURE_IMAGE_MAX_SIZE,\n" |
| "#ifdef IMAGE_LOAD_ADDRESS\n" |
| "\tRE_IMAGE_LOAD_ADDRESS = IMAGE_LOAD_ADDRESS,\n" |
| "#endif\n" |
| ) |
| |
| if (MCUBOOT_IMAGE_NUMBER GREATER 1) |
| if (SECURITY_COUNTER_S) |
| set(ADD_SECURITY_COUNTER_S "-s ${SECURITY_COUNTER_S}") |
| else() |
| set(ADD_SECURITY_COUNTER_S "") |
| endif() |
| if (SECURITY_COUNTER_NS) |
| set(ADD_SECURITY_COUNTER_NS "-s ${SECURITY_COUNTER_NS}") |
| else() |
| set(ADD_SECURITY_COUNTER_NS "") |
| endif() |
| if (DEFINED SECURITY_COUNTER) |
| message(WARNING "In case of multiple updatable images the security counter value can be specified" |
| " for the Secure and Non-secure images separately with the SECURITY_COUNTER_S and SECURITY_COUNTER_NS" |
| " defines. The value of SECURITY_COUNTER was ignored.") |
| set(SECURITY_COUNTER "") |
| endif() |
| |
| if (NOT IMAGE_VERSION_S) |
| set(IMAGE_VERSION_S 0.0.0+0) |
| endif() |
| if (NOT IMAGE_VERSION_NS) |
| set(IMAGE_VERSION_NS 0.0.0+0) |
| endif() |
| if (DEFINED IMAGE_VERSION) |
| message(WARNING "In case of multiple updatable images the image version can be specified" |
| " for the Secure and Non-secure images separately with the IMAGE_VERSION_S and IMAGE_VERSION_NS" |
| " defines. The value of IMAGE_VERSION was ignored.") |
| set(IMAGE_VERSION "") |
| endif() |
| |
| if (S_IMAGE_MIN_VER) |
| set(ADD_S_IMAGE_MIN_VER "-d \"(0,${S_IMAGE_MIN_VER})\"") |
| else() |
| set(ADD_S_IMAGE_MIN_VER "") |
| endif() |
| if (NS_IMAGE_MIN_VER) |
| set(ADD_NS_IMAGE_MIN_VER "-d \"(1,${NS_IMAGE_MIN_VER})\"") |
| else() |
| set(ADD_NS_IMAGE_MIN_VER "") |
| endif() |
| |
| set(FILE_TO_PREPROCESS ${CMAKE_BINARY_DIR}/image_macros_to_preprocess) |
| set(PREPROCESSED_FILE ${CMAKE_BINARY_DIR}/image_macros_preprocessed) |
| |
| #Create files that will be preprocessed later in order to be able to handle |
| # nested macros in header files for certain macros |
| string(CONCAT CONTENT_FOR_PREPROCESSING ${PARTIAL_CONTENT_FOR_PREPROCESSING} |
| "\tRE_SIGN_BIN_SIZE = FLASH_AREA_0_SIZE,\n}\;") |
| file(WRITE ${FILE_TO_PREPROCESS}_s.c ${CONTENT_FOR_PREPROCESSING}) |
| string(CONCAT CONTENT_FOR_PREPROCESSING ${PARTIAL_CONTENT_FOR_PREPROCESSING} |
| "\tRE_SIGN_BIN_SIZE = FLASH_AREA_1_SIZE,\n}\;") |
| file(WRITE ${FILE_TO_PREPROCESS}_ns.c ${CONTENT_FOR_PREPROCESSING}) |
| |
| #Preprocess the _s.c file that contains the secure image related macros |
| compiler_preprocess_file(SRC ${FILE_TO_PREPROCESS}_s.c |
| DST ${PREPROCESSED_FILE}_s.c |
| BEFORE_TARGET ${_MY_PARAMS_S_BIN} |
| TARGET_PREFIX ${_MY_PARAMS_S_BIN} |
| DEFINES "MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}") |
| |
| #Preprocess the _ns.c file that contains the non-secure image related macros |
| compiler_preprocess_file(SRC ${FILE_TO_PREPROCESS}_ns.c |
| DST ${PREPROCESSED_FILE}_ns.c |
| BEFORE_TARGET ${_MY_PARAMS_NS_BIN} |
| TARGET_PREFIX ${_MY_PARAMS_NS_BIN} |
| DEFINES "MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}") |
| |
| add_custom_command(TARGET ${_MY_PARAMS_NS_BIN} |
| POST_BUILD |
| |
| #Sign secure binary image with default public key in mcuboot folder |
| COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py |
| ARGS sign |
| --layout ${PREPROCESSED_FILE}_s.c |
| -k ${KEY_FILE_S} |
| --public-key-format ${PUBLIC_KEY_FORMAT} |
| --align 1 |
| -v ${IMAGE_VERSION_S} |
| ${ADD_NS_IMAGE_MIN_VER} |
| ${ADD_SECURITY_COUNTER_S} |
| -H 0x400 |
| $<TARGET_FILE_DIR:${_MY_PARAMS_S_BIN}>/${_MY_PARAMS_S_BIN}.bin |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_S_BIN}_signed.bin |
| |
| #Sign non-secure binary image with default public key in mcuboot folder |
| COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py |
| ARGS sign |
| --layout ${PREPROCESSED_FILE}_ns.c |
| -k ${KEY_FILE_NS} |
| --public-key-format ${PUBLIC_KEY_FORMAT} |
| --align 1 |
| -v ${IMAGE_VERSION_NS} |
| ${ADD_S_IMAGE_MIN_VER} |
| ${ADD_SECURITY_COUNTER_NS} |
| -H 0x400 |
| $<TARGET_FILE_DIR:${_MY_PARAMS_NS_BIN}>/${_MY_PARAMS_NS_BIN}.bin |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_NS_BIN}_signed.bin |
| |
| #Create concatenated binary image from the two independently signed binary file |
| COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/assemble.py |
| ARGS --layout ${PREPROCESSED_FILE}_s.c |
| -s ${CMAKE_BINARY_DIR}/${_MY_PARAMS_S_BIN}_signed.bin |
| -n ${CMAKE_BINARY_DIR}/${_MY_PARAMS_NS_BIN}_signed.bin |
| -o ${CMAKE_BINARY_DIR}/${_MY_PARAMS_SIGN_BIN}.bin) |
| |
| else() # MCUBOOT_IMAGE_NUMBER = 1 |
| if (SECURITY_COUNTER) |
| set(ADD_SECURITY_COUNTER "-s ${SECURITY_COUNTER}") |
| else() |
| set(ADD_SECURITY_COUNTER "") |
| endif() |
| if (DEFINED SECURITY_COUNTER_S OR |
| DEFINED SECURITY_COUNTER_NS) |
| message(WARNING "In case of a single updatable image the security counter value can be specified with" |
| " the SECURITY_COUNTER define. The values of SECURITY_COUNTER_S and/or SECURITY_COUNTER_NS were ignored.") |
| set(SECURITY_COUNTER_S "") |
| set(SECURITY_COUNTER_NS "") |
| endif() |
| |
| if (NOT IMAGE_VERSION) |
| set(IMAGE_VERSION 0.0.0+0) |
| endif() |
| if (DEFINED IMAGE_VERSION_S OR |
| DEFINED IMAGE_VERSION_NS) |
| message(WARNING "In case of a single updatable image the image version can be specified with" |
| " the IMAGE_VERSION define. The values of IMAGE_VERSION_S and/or IMAGE_VERSION_NS were ignored.") |
| set(IMAGE_VERSION_S "") |
| set(IMAGE_VERSION_NS "") |
| endif() |
| |
| if (DEFINED S_IMAGE_MIN_VER OR |
| DEFINED NS_IMAGE_MIN_VER) |
| message(WARNING "WARNING: In case of a single updatable image a dependency cannot be specified between" |
| " the S and NS images. The S_IMAGE_MIN_VER and/or NS_IMAGE_MIN_VER defines were ignored.") |
| set(S_IMAGE_MIN_VER "") |
| set(NS_IMAGE_MIN_VER "") |
| endif() |
| |
| set(FILE_TO_PREPROCESS ${CMAKE_BINARY_DIR}/image_macros_to_preprocess.c) |
| set(PREPROCESSED_FILE ${CMAKE_BINARY_DIR}/image_macros_preprocessed.c) |
| string(CONCAT CONTENT_FOR_PREPROCESSING ${PARTIAL_CONTENT_FOR_PREPROCESSING} |
| "\tRE_SIGN_BIN_SIZE = FLASH_AREA_0_SIZE,\n}\;") |
| |
| #Create a file that will be preprocessed later in order to be able to handle nested macros |
| #in header files for certain macros |
| file(WRITE ${FILE_TO_PREPROCESS} ${CONTENT_FOR_PREPROCESSING}) |
| |
| #Preprocess the .c file that contains the image related macros |
| compiler_preprocess_file(SRC ${FILE_TO_PREPROCESS} |
| DST ${PREPROCESSED_FILE} |
| BEFORE_TARGET ${_MY_PARAMS_NS_BIN} |
| TARGET_PREFIX ${_MY_PARAMS_NS_BIN} |
| DEFINES "MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}") |
| |
| add_custom_command(TARGET ${_MY_PARAMS_NS_BIN} |
| POST_BUILD |
| #Create concatenated binary image from the two binary file |
| COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/assemble.py |
| ARGS --layout ${PREPROCESSED_FILE} |
| -s $<TARGET_FILE_DIR:${_MY_PARAMS_S_BIN}>/${_MY_PARAMS_S_BIN}.bin |
| -n $<TARGET_FILE_DIR:${_MY_PARAMS_NS_BIN}>/${_MY_PARAMS_NS_BIN}.bin |
| -o ${CMAKE_BINARY_DIR}/${_MY_PARAMS_FULL_BIN}.bin |
| |
| #Sign concatenated binary image with default public key in mcuboot folder |
| COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py |
| ARGS sign |
| --layout ${PREPROCESSED_FILE} |
| -k ${KEY_FILE} |
| --public-key-format ${PUBLIC_KEY_FORMAT} |
| --align 1 |
| -v ${IMAGE_VERSION} |
| ${ADD_SECURITY_COUNTER} |
| -H 0x400 |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_FULL_BIN}.bin |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_SIGN_BIN}.bin) |
| endif() |
| |
| #Collect executables to common location: build/install/outputs/ |
| set(TFM_SIGN_NAME tfm_s_ns_signed) |
| |
| if (DEFINED MY_POSTFIX) |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_SIGN_BIN}.bin |
| RENAME tfm_sig${MY_POSTFIX}.bin |
| DESTINATION outputs/${TARGET_PLATFORM}/) |
| else() |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_SIGN_BIN}.bin |
| DESTINATION outputs/${TARGET_PLATFORM}/) |
| endif() |
| |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_SIGN_BIN}.bin |
| RENAME ${TFM_SIGN_NAME}${_MY_PARAMS_POSTFIX}.bin |
| DESTINATION outputs/fvp/) |
| |
| if (MCUBOOT_IMAGE_NUMBER GREATER 1) |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_S_BIN}_signed.bin |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_NS_BIN}_signed.bin |
| DESTINATION outputs/${TARGET_PLATFORM}/) |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_S_BIN}_signed.bin |
| ${CMAKE_BINARY_DIR}/${_MY_PARAMS_NS_BIN}_signed.bin |
| DESTINATION outputs/fvp/) |
| |
| else() # MCUBOOT_IMAGE_NUMBER = 1 |
| set(TFM_FULL_NAME tfm_s_ns_concatenated) |
| |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_FULL_BIN}.bin |
| DESTINATION outputs/${TARGET_PLATFORM}/) |
| install(FILES ${CMAKE_BINARY_DIR}/${_MY_PARAMS_FULL_BIN}.bin |
| RENAME ${TFM_FULL_NAME}${_MY_PARAMS_POSTFIX}.bin |
| DESTINATION outputs/fvp/) |
| endif() |
| endfunction() |
| |
| #Validate and override the upgrade strategy to be used by the bootloader. |
| # |
| # If the given upgrade strategy is not supported with the current value |
| # of the MCUBOOT_IMAGE_NUMBER variable then the function will override its |
| # previously set value. |
| # |
| #Examples: |
| # mcuboot_override_upgrade_strategy("SWAP") |
| # |
| #INPUTS: |
| # strategy - (mandatory) - Upgrade strategy to be used. |
| # |
| #OUTPUTS: |
| # MCUBOOT_UPGRADE_STRATEGY variable is set to the new strategy. |
| # |
| function(mcuboot_override_upgrade_strategy strategy) |
| if ((${strategy} STREQUAL "NO_SWAP" OR |
| ${strategy} STREQUAL "RAM_LOADING") AND |
| NOT (MCUBOOT_IMAGE_NUMBER EQUAL 1)) |
| message(WARNING "The number of separately updatable images with the NO_SWAP or the RAM_LOADING" |
| " upgrade strategy can be only '1'. Your choice was overriden.") |
| set(MCUBOOT_IMAGE_NUMBER 1 PARENT_SCOPE) |
| endif() |
| get_property(_validation_list CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS) |
| #Check if validation list is set. |
| if (NOT _validation_list) |
| #Set the default upgrade strategy if the CACHE variable has not been set yet. |
| set(MCUBOOT_UPGRADE_STRATEGY "OVERWRITE_ONLY" CACHE STRING "Configure BL2 which upgrade strategy to use") |
| if (MCUBOOT_REPO STREQUAL "TF-M") |
| set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWAP;NO_SWAP;RAM_LOADING") |
| else() |
| set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWAP") |
| endif() |
| endif() |
| set(MCUBOOT_UPGRADE_STRATEGY ${strategy} PARENT_SCOPE) |
| validate_cache_value(MCUBOOT_UPGRADE_STRATEGY STRINGS) |
| endfunction() |