Platform: add options to disable default signing
Change-Id: If86ffe77aa850ee19eb83181b09272c6352f9910
Signed-off-by: Raef Coles <raef.coles@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 896fc82..aec72cf 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -83,167 +83,66 @@
############################### IMAGE SIGNING ##################################
-find_package(Python3)
+if (PLATFORM_DEFAULT_IMAGE_SIGNING)
+ find_package(Python3)
-set(IMAGE_TYPE "S_IMAGE")
-set(FLASH_AREA_NUM ${MCUBOOT_S_IMAGE_FLASH_AREA_NUM})
-if (MCUBOOT_IMAGE_NUMBER GREATER 1)
- configure_file(signing_layout.c.in signing_layout_s.c @ONLY)
- add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c)
-else()
- # Imgtool script requires the s_ns sufix. Since only one sigining layout is
- # used in this mode the signing_layout_s target's source file is renamed.
- configure_file(signing_layout.c.in signing_layout_s_ns.c @ONLY)
- add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c)
-endif()
-
-target_compile_options(signing_layout_s
- PRIVATE
- $<$<C_COMPILER_ID:GNU>:-E\;-xc>
- $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
- $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>>
-)
-target_compile_definitions(signing_layout_s
- PRIVATE
- $<$<BOOL:${BL2}>:BL2>
- $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
- $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
-)
-target_link_libraries(signing_layout_s
- PRIVATE
- platform_bl2
-)
-
-if(NS)
- add_custom_target(tfm_s_ns_bin
- SOURCES tfm_s_ns.bin
- )
- add_custom_command(OUTPUT tfm_s_ns.bin
- DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
- DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
- DEPENDS tfm_s_bin tfm_ns_bin
- DEPENDS signing_layout_s
-
- COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py
- --layout $<TARGET_OBJECTS:signing_layout_s>
- -s $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
- -n $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
- -o tfm_s_ns.bin
- COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns.bin $<TARGET_FILE_DIR:bl2>
- )
-endif()
-
-add_custom_target(tfm_s_signed_bin
- SOURCES tfm_s_signed.bin
-)
-add_custom_command(OUTPUT tfm_s_signed.bin
- DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
- DEPENDS tfm_s_bin signing_layout_s
- WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
-
- #Sign secure binary image with provided secret key
- COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
- -v ${MCUBOOT_IMAGE_VERSION_S}
- --layout $<TARGET_OBJECTS:signing_layout_s>
- -k ${MCUBOOT_KEY_S}
- --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
- --align ${MCUBOOT_ALIGN_VAL}
- --pad
- --pad-header
- -H ${BL2_HEADER_SIZE}
- -s ${MCUBOOT_SECURITY_COUNTER_S}
- -L ${MCUBOOT_ENC_KEY_LEN}
- -d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
- $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
- $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
- $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
- $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
- $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
- ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
- COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2>
-)
-
-set(IMAGE_TYPE "NS_IMAGE")
-set(FLASH_AREA_NUM ${MCUBOOT_NS_IMAGE_FLASH_AREA_NUM})
-configure_file(signing_layout.c.in signing_layout_ns.c @ONLY)
-
-add_library(signing_layout_ns OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c)
-target_compile_options(signing_layout_ns
- PRIVATE
- $<$<C_COMPILER_ID:GNU>:-E\;-xc>
- $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
- $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_ns>>
-)
-target_compile_definitions(signing_layout_ns
- PRIVATE
- $<$<BOOL:${BL2}>:BL2>
- $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
- $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
-)
-target_link_libraries(signing_layout_ns
- PRIVATE
- platform_bl2
-)
-
-if(NS)
- add_custom_target(tfm_ns_signed_bin
- SOURCES tfm_ns_signed.bin
- )
- add_custom_command(OUTPUT tfm_ns_signed.bin
- DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
- DEPENDS tfm_ns_bin signing_layout_ns
- WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
-
- #Sign non-secure binary image with provided secret key
- COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
- -v ${MCUBOOT_IMAGE_VERSION_NS}
- --layout $<TARGET_OBJECTS:signing_layout_ns>
- -k ${MCUBOOT_KEY_NS}
- --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
- --align ${MCUBOOT_ALIGN_VAL}
- --pad
- --pad-header
- -H ${BL2_HEADER_SIZE}
- -s ${MCUBOOT_SECURITY_COUNTER_NS}
- -L ${MCUBOOT_ENC_KEY_LEN}
- -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
- $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
- $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
- $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
- $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
- $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
- ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin
- COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin $<TARGET_FILE_DIR:bl2>
- )
-endif()
-
-if(NS)
- add_custom_target(tfm_s_ns_signed_bin
- SOURCES tfm_s_ns_signed.bin
- )
+ set(IMAGE_TYPE "S_IMAGE")
+ set(FLASH_AREA_NUM ${MCUBOOT_S_IMAGE_FLASH_AREA_NUM})
if (MCUBOOT_IMAGE_NUMBER GREATER 1)
- add_custom_command(OUTPUT tfm_s_ns_signed.bin
- DEPENDS tfm_s_signed_bin $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
- DEPENDS tfm_ns_signed_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ configure_file(signing_layout.c.in signing_layout_s.c @ONLY)
+ add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c)
+ else()
+ # Imgtool script requires the s_ns sufix. Since only one sigining layout is
+ # used in this mode the signing_layout_s target's source file is renamed.
+ configure_file(signing_layout.c.in signing_layout_s_ns.c @ONLY)
+ add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c)
+ endif()
+
+ target_compile_options(signing_layout_s
+ PRIVATE
+ $<$<C_COMPILER_ID:GNU>:-E\;-xc>
+ $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
+ $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>>
+ )
+ target_compile_definitions(signing_layout_s
+ PRIVATE
+ $<$<BOOL:${BL2}>:BL2>
+ $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
+ $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
+ )
+ target_link_libraries(signing_layout_s
+ PRIVATE
+ platform_bl2
+ )
+
+ if(NS)
+ add_custom_target(tfm_s_ns_bin
+ SOURCES tfm_s_ns.bin
+ )
+ add_custom_command(OUTPUT tfm_s_ns.bin
+ DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+ DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ DEPENDS tfm_s_bin tfm_ns_bin
DEPENDS signing_layout_s
- # Create concatenated binary image from the two independently signed
- # binary file. This only uses the local assemble.py script (not from
- # upstream mcuboot) because that script is geared towards zephyr
- # support
COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py
--layout $<TARGET_OBJECTS:signing_layout_s>
- -s $<TARGET_FILE_DIR:bl2>/tfm_s_signed.bin
- -n $<TARGET_FILE_DIR:bl2>/tfm_ns_signed.bin
- -o tfm_s_ns_signed.bin
- COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
+ -s $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+ -n $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ -o tfm_s_ns.bin
+ COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns.bin $<TARGET_FILE_DIR:bl2>
)
- else()
- add_custom_command(OUTPUT tfm_s_ns_signed.bin
- WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
- DEPENDS tfm_s_ns_bin tfm_s_ns.bin
- DEPENDS signing_layout_s
+ endif()
+ add_custom_target(tfm_s_signed_bin
+ SOURCES tfm_s_signed.bin
+ )
+ add_custom_command(OUTPUT tfm_s_signed.bin
+ DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+ DEPENDS tfm_s_bin signing_layout_s
+ WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
+
+ #Sign secure binary image with provided secret key
COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
-v ${MCUBOOT_IMAGE_VERSION_S}
--layout $<TARGET_OBJECTS:signing_layout_s>
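Review bot: `find_package(Python3)` at the top of the new `if (PLATFORM_DEFAULT_IMAGE_SIGNING)` block is not `REQUIRED`, yet every assemble and signing command in the block runs `${Python3_EXECUTABLE}`. If no interpreter is found, the variable expands to nothing and the problem only surfaces at build time as a malformed signing command. `find_package(Python3 REQUIRED COMPONENTS Interpreter)` would stop the configure step instead. Both the `if` block and the `tfm_s_signed.bin` command continue past the end of this hunk.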
@@ -255,18 +154,121 @@
-H ${BL2_HEADER_SIZE}
-s ${MCUBOOT_SECURITY_COUNTER_S}
-L ${MCUBOOT_ENC_KEY_LEN}
+ -d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
$<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
$<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
$<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
$<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
- ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns.bin
- ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin
- COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
+ $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+ ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2>
+ )
+
+ set(IMAGE_TYPE "NS_IMAGE")
+ set(FLASH_AREA_NUM ${MCUBOOT_NS_IMAGE_FLASH_AREA_NUM})
+ configure_file(signing_layout.c.in signing_layout_ns.c @ONLY)
+
+ add_library(signing_layout_ns OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c)
+ target_compile_options(signing_layout_ns
+ PRIVATE
+ $<$<C_COMPILER_ID:GNU>:-E\;-xc>
+ $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
+ $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_ns>>
+ )
+ target_compile_definitions(signing_layout_ns
+ PRIVATE
+ $<$<BOOL:${BL2}>:BL2>
+ $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
+ $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
+ )
+ target_link_libraries(signing_layout_ns
+ PRIVATE
+ platform_bl2
+ )
+
+ if(NS)
+ add_custom_target(tfm_ns_signed_bin
+ SOURCES tfm_ns_signed.bin
+ )
+ add_custom_command(OUTPUT tfm_ns_signed.bin
+ DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ DEPENDS tfm_ns_bin signing_layout_ns
+ WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
+
+ #Sign non-secure binary image with provided secret key
+ COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
+ -v ${MCUBOOT_IMAGE_VERSION_NS}
+ --layout $<TARGET_OBJECTS:signing_layout_ns>
+ -k ${MCUBOOT_KEY_NS}
+ --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
+ --align ${MCUBOOT_ALIGN_VAL}
+ --pad
+ --pad-header
+ -H ${BL2_HEADER_SIZE}
+ -s ${MCUBOOT_SECURITY_COUNTER_NS}
+ -L ${MCUBOOT_ENC_KEY_LEN}
+ -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
+ $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
+ $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
+ $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
+ $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
+ ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin $<TARGET_FILE_DIR:bl2>
)
endif()
-endif()
-add_custom_target(signed_images
- ALL
- DEPENDS $<IF:$<BOOL:${NS}>,tfm_s_ns_signed_bin,tfm_s_signed_bin>
-)
+ if(NS)
+ add_custom_target(tfm_s_ns_signed_bin
+ SOURCES tfm_s_ns_signed.bin
+ )
+ if (MCUBOOT_IMAGE_NUMBER GREATER 1)
+ add_custom_command(OUTPUT tfm_s_ns_signed.bin
+ DEPENDS tfm_s_signed_bin $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+ DEPENDS tfm_ns_signed_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
+ DEPENDS signing_layout_s
+
+ # Create concatenated binary image from the two independently signed
+ # binary file. This only uses the local assemble.py script (not from
+ # upstream mcuboot) because that script is geared towards zephyr
+ # support
+ COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py
+ --layout $<TARGET_OBJECTS:signing_layout_s>
+ -s $<TARGET_FILE_DIR:bl2>/tfm_s_signed.bin
+ -n $<TARGET_FILE_DIR:bl2>/tfm_ns_signed.bin
+ -o tfm_s_ns_signed.bin
+ COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
+ )
+ else()
+ add_custom_command(OUTPUT tfm_s_ns_signed.bin
+ WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
+ DEPENDS tfm_s_ns_bin tfm_s_ns.bin
+ DEPENDS signing_layout_s
+
+ COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
+ -v ${MCUBOOT_IMAGE_VERSION_S}
+ --layout $<TARGET_OBJECTS:signing_layout_s>
+ -k ${MCUBOOT_KEY_S}
+ --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
+ --align ${MCUBOOT_ALIGN_VAL}
+ --pad
+ --pad-header
+ -H ${BL2_HEADER_SIZE}
+ -s ${MCUBOOT_SECURITY_COUNTER_S}
+ -L ${MCUBOOT_ENC_KEY_LEN}
+ $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
+ $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
+ $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
+ $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
+ ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns.bin
+ ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2>
+ )
+ endif()
+ endif()
+
+ add_custom_target(signed_images
+ ALL
+ DEPENDS $<IF:$<BOOL:${NS}>,tfm_s_ns_signed_bin,tfm_s_signed_bin>
+ )
+endif()
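Review bot: The `if (PLATFORM_DEFAULT_IMAGE_SIGNING)` block closed by the final `endif()` has no `else()`, so with the option OFF the `signed_images` target and every `*_signed_bin` target are simply not defined. The build then finishes with only unsigned binaries and prints nothing to say so. Because these images feed a verifying bootloader, I would make that state explicit with `else()` followed by `message(STATUS "PLATFORM_DEFAULT_IMAGE_SIGNING is OFF: no signed images are generated here; the platform must sign tfm_s/tfm_ns itself")`. Platform files that name `signed_images` or `tfm_s_signed_bin` in `add_dependencies` would presumably need an `if(TARGET signed_images)` guard as well; those files are outside this diff, so that needs checking.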
diff --git a/cmake/install.cmake b/cmake/install.cmake
index 83179cc..36c7f7f 100644
--- a/cmake/install.cmake
+++ b/cmake/install.cmake
@@ -176,12 +176,14 @@
DESTINATION ${INSTALL_IMAGE_SIGNING_DIR}/keys)
endif()
- install(FILES $<TARGET_OBJECTS:signing_layout_s>
+ if (PLATFORM_DEFAULT_IMAGE_SIGNING)
+ install(FILES $<TARGET_OBJECTS:signing_layout_s>
DESTINATION ${INSTALL_IMAGE_SIGNING_DIR}/layout_files)
- if(MCUBOOT_IMAGE_NUMBER GREATER 1)
- install(FILES $<TARGET_OBJECTS:signing_layout_ns>
- DESTINATION ${INSTALL_IMAGE_SIGNING_DIR}/layout_files)
+ if(MCUBOOT_IMAGE_NUMBER GREATER 1)
+ install(FILES $<TARGET_OBJECTS:signing_layout_ns>
+ DESTINATION ${INSTALL_IMAGE_SIGNING_DIR}/layout_files)
+ endif()
install(FILES ${MCUBOOT_KEY_NS}
DESTINATION ${INSTALL_IMAGE_SIGNING_DIR}/keys)
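Review bot: On the new side the added `endif()` closes `if(MCUBOOT_IMAGE_NUMBER GREATER 1)` before `install(FILES ${MCUBOOT_KEY_NS}`, so the NS key install is no longer guarded by the image-count check and now sits under `if (PLATFORM_DEFAULT_IMAGE_SIGNING)` instead. That looks unintended: single-image builds would start installing the NS key, and turning default signing off would drop the NS key while the S key install above the hunk stays unconditional. If only the layout files are meant to depend on the option, close that block with a second `endif()` right after the added one and put the key install back under its own `if(MCUBOOT_IMAGE_NUMBER GREATER 1)`. The `endif()` that ends this region is outside the hunk, so the nesting should be confirmed against the full file.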
diff --git a/config/config_base.cmake b/config/config_base.cmake
index de8e811..b6c7608 100755
--- a/config/config_base.cmake
+++ b/config/config_base.cmake
@@ -87,6 +87,7 @@
set(PLATFORM_DEFAULT_OTP_WRITEABLE ON CACHE BOOL "Use OTP memory with write support")
set(PLATFORM_DEFAULT_PROVISIONING ON CACHE BOOL "Use default provisioning implementation")
set(PLATFORM_DEFAULT_SYSTEM_RESET_HALT ON CACHE BOOL "Use default system reset/halt implementation")
+set(PLATFORM_DEFAULT_IMAGE_SIGNING ON CACHE BOOL "Use default image signing implementation")
set(TFM_DUMMY_PROVISIONING ON CACHE BOOL "Provision with dummy values. NOT to be used in production")
set(PLATFORM_IS_FVP FALSE CACHE BOOL "Whether to enable FVP or FPGA build of the platform.")
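Review bot: The help string for `PLATFORM_DEFAULT_IMAGE_SIGNING` does not say what turning it off means. Going by the other files in this commit, OFF removes the `signed_images` targets and the signing layout install, so the platform has to provide its own signing step. I would say that in the description, for example `"Use default image signing implementation. When OFF no signed images are generated and the platform must sign them itself"`, in the same spirit as the production warning on `TFM_DUMMY_PROVISIONING` just below.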