MCUboot: Generate and sign with new keys if needed
If the MCUBOOT_GENERATE_SIGNING_KEYPAIR config flag is on,
then generate a new private key with imgtool and use the new
keys to sign the S and NS images.
The public keys of the newly generated keypairs have to be
provisioned into the OTP so that MCUboot can validate the
signed images correctly.
Change-Id: Ia833775fd66c046e2afaffca8f59361ef3cbebb8
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index aec72cf..c35b566 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -85,7 +85,30 @@
if (PLATFORM_DEFAULT_IMAGE_SIGNING)
find_package(Python3)
+ if(MCUBOOT_GENERATE_SIGNING_KEYPAIR)
+ add_custom_target(generated_private_key
+ SOURCES
+ generated_private_key_s.pem
+ generated_private_key_ns.pem
+ )
+ add_custom_command(OUTPUT generated_private_key_s.pem
+ COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
+ keygen
+ -k generated_private_key_s.pem
+ -t rsa-${MCUBOOT_SIGNATURE_KEY_LEN}
+ COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_s.pem $<TARGET_FILE_DIR:bl2>
+ )
+ add_custom_command(OUTPUT generated_private_key_ns.pem
+ COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
+ keygen
+ -k generated_private_key_ns.pem
+ -t rsa-${MCUBOOT_SIGNATURE_KEY_LEN}
+ COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_ns.pem $<TARGET_FILE_DIR:bl2>
+ )
+ set(MCUBOOT_KEY_S $<TARGET_FILE_DIR:bl2>/generated_private_key_s.pem CACHE FILEPATH "" FORCE)
+ set(MCUBOOT_KEY_NS $<TARGET_FILE_DIR:bl2>/generated_private_key_ns.pem CACHE FILEPATH "" FORCE)
+ endif()
set(IMAGE_TYPE "S_IMAGE")
set(FLASH_AREA_NUM ${MCUBOOT_S_IMAGE_FLASH_AREA_NUM})
if (MCUBOOT_IMAGE_NUMBER GREATER 1)
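Review bot: The two `set(MCUBOOT_KEY_S ... CACHE FILEPATH "" FORCE)` / `set(MCUBOOT_KEY_NS ... CACHE FILEPATH "" FORCE)` lines at the end of the new block overwrite any user-supplied key path and persist the `$<TARGET_FILE_DIR:bl2>/generated_private_key_*.pem` value in the cache, so once the option has been ON in a build tree, turning it OFF again leaves both variables pointing at the generated keys, because the defaults in mcuboot_default_config.cmake are plain non-FORCE cache sets and will not reapply. A normal-variable `set(MCUBOOT_KEY_S "${CMAKE_CURRENT_BINARY_DIR}/generated_private_key_s.pem")` in the same `if()` block would give the override without the cache side effect, provided the signing commands that read MCUBOOT_KEY_S all live in this file (the two signing hunks below do; anything else reading it at configure time would also see the literal generator expression rather than a path). The keygen `add_custom_command`s lack `VERBATIM`, and the `find_package(Python3)` context line above is not `REQUIRED`, so a missing interpreter only surfaces as a broken keygen command at build time. The `${CMAKE_COMMAND} -E copy ... $<TARGET_FILE_DIR:bl2>` step leaves a second copy of each private key next to the bootloader binary; referencing the single file in `${CMAKE_CURRENT_BINARY_DIR}` instead keeps the signing key out of the artifact directory that is typically collected or archived.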
@@ -140,6 +163,8 @@
add_custom_command(OUTPUT tfm_s_signed.bin
DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
DEPENDS tfm_s_bin signing_layout_s
+ # FIXME: combining the two generator prepends the current path, so two is used
+ DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,> $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key_s.pem,>
WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
#Sign secure binary image with provided secret key
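Review bot: The `$<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,...,>` pair in the added DEPENDS line, together with the FIXME above it, works around a problem that only exists because a configure-time cache boolean is being tested through a generate-time expression; the tfm_ns_signed.bin hunk below repeats the same construct. Since the option is already known when this file is processed, the dependency list can be built at configure time and both the genexes and the FIXME dropped: in the `if(MCUBOOT_GENERATE_SIGNING_KEYPAIR)` block set `set(MCUBOOT_GENERATED_KEY_DEPS_S generated_private_key generated_private_key_s.pem)` (constructed name), and here use `DEPENDS ${MCUBOOT_GENERATED_KEY_DEPS_S}`, which expands to nothing when the option is off. The enclosing add_custom_command continues past the end of the hunk.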
@@ -193,6 +218,8 @@
add_custom_command(OUTPUT tfm_ns_signed.bin
DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
DEPENDS tfm_ns_bin signing_layout_ns
+ # FIXME: combining the two generator prepends the current path, so two is used
+ DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,> $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key_ns.pem,>
WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
#Sign non-secure binary image with provided secret key
diff --git a/bl2/ext/mcuboot/Kconfig b/bl2/ext/mcuboot/Kconfig
index 0271976..dca283f 100644
--- a/bl2/ext/mcuboot/Kconfig
+++ b/bl2/ext/mcuboot/Kconfig
@@ -175,6 +175,10 @@
int "Key length to use for signature validation"
default 3072
+config MCUBOOT_GENERATE_SIGNING_KEYPAIR
+ bool "Generate new keypair or use MCUBOOT_KEY_S and MCUBOOT_KEY_NS for signing"
+ default n
+
config MCUBOOT_KEY_S
string "Path to key with which to sign secure binary"
default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem"
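Review bot: The prompt `bool "Generate new keypair or use MCUBOOT_KEY_S and MCUBOOT_KEY_NS for signing"` reads as a choice between two alternatives rather than as a yes/no option, and the symbol has no help text, so a user enabling it is not told that the public keys of the generated pair must be provisioned into OTP (per the commit message), that the private keys are written into the build directory, or that the option is rejected together with TFM_DUMMY_PROVISIONING by config/check_config.cmake. Suggest `bool "Generate a new signing keypair at build time instead of using MCUBOOT_KEY_S and MCUBOOT_KEY_NS"` followed by a `help` block stating those three points.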
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
index 0f134cb..fd13c75 100644
--- a/bl2/ext/mcuboot/mcuboot_default_config.cmake
+++ b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+# Copyright (c) 2021-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -47,6 +47,7 @@
# will be set to default again.
set(MCUBOOT_SIGNATURE_TYPE "RSA" CACHE STRING "Algorithm to use for signature validation")
set(MCUBOOT_SIGNATURE_KEY_LEN 3072 CACHE STRING "Key length to use for signature validation")
+set(MCUBOOT_GENERATE_SIGNING_KEYPAIR OFF CACHE BOOL "Generate new keypair for signing and use that instead of MCUBOOT_KEY_S and MCUBOOT_KEY_NS")
set(MCUBOOT_KEY_S "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
set(MCUBOOT_KEY_NS "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
diff --git a/config/check_config.cmake b/config/check_config.cmake
index 0d8ac0a..2110340 100644
--- a/config/check_config.cmake
+++ b/config/check_config.cmake
@@ -63,6 +63,7 @@
get_property(MCUBOOT_ALIGN_VAL_LIST CACHE MCUBOOT_ALIGN_VAL PROPERTY STRINGS)
tfm_invalid_config(BL2 AND (NOT MCUBOOT_ALIGN_VAL IN_LIST MCUBOOT_ALIGN_VAL_LIST) AND NOT USE_KCONFIG_TOOL)
+tfm_invalid_config(TFM_DUMMY_PROVISIONING AND MCUBOOT_GENERATE_SIGNING_KEYPAIR)
####################### Code sharing ###########################################
set(TFM_CODE_SHARING_PLATFORM_LISTS arm/mps2/an521 arm/musca_b1) # Without crypto hw acceleration
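Review bot: The added `tfm_invalid_config(TFM_DUMMY_PROVISIONING AND MCUBOOT_GENERATE_SIGNING_KEYPAIR)` line gives no reason for the exclusion, and nothing around it does either, so a one-line comment above it would help, e.g. `# Dummy provisioning data carries the default public keys, so a freshly generated keypair could never be validated by MCUboot` — the cause is inferred from the commit message, so confirm the wording. A second check appears to be missing: in bl2/ext/mcuboot/CMakeLists.txt the key generation sits inside `if (PLATFORM_DEFAULT_IMAGE_SIGNING)`, so on a platform that does its own signing the option is silently ignored and the images are signed with whatever key that platform configures; `tfm_invalid_config(MCUBOOT_GENERATE_SIGNING_KEYPAIR AND NOT PLATFORM_DEFAULT_IMAGE_SIGNING)` would surface that at configure time instead.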