| Tamas Ban | 581034a | 2017-12-19 19:54:37 +0000 | [diff] [blame] | 1 | #------------------------------------------------------------------------------ |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 2 | # Copyright (c) 2020, Arm Limited. All rights reserved. |
| Tamas Ban | 581034a | 2017-12-19 19:54:37 +0000 | [diff] [blame] | 3 | # |
| 4 | # SPDX-License-Identifier: BSD-3-Clause |
| 5 | # |
| 6 | #------------------------------------------------------------------------------ |
| 7 | |
| Raef Coles | 6981732 | 2020-10-19 14:14:14 +0100 | [diff] [blame] | 8 | cmake_minimum_required(VERSION 3.15) |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 9 | cmake_policy(SET CMP0079 NEW) |
| Tamas Ban | 581034a | 2017-12-19 19:54:37 +0000 | [diff] [blame] | 10 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 11 | set(MCUBOOT_KEY_ENC "${MCUBOOT_PATH}/enc-rsa2048-pub.pem" CACHE FILEPATH "Path to key with which to encrypt binary") |
| 12 | |
| 13 | target_include_directories(bl2 |
| 14 | PUBLIC |
| 15 | $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include> |
| 16 | $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}> # for mcuboot_config.h only |
| 17 | $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot/bootutil/include> |
| 18 | $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot> |
| 19 | ) |
| 20 | |
| 21 | target_sources(bl2 |
| 22 | PRIVATE |
| 23 | ${CMAKE_CURRENT_SOURCE_DIR}/bl2_main.c |
| 24 | ${CMAKE_CURRENT_SOURCE_DIR}/keys.c |
| 25 | ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_extended.c |
| 26 | ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_legacy.c |
| 27 | ${MCUBOOT_PATH}/boot/bootutil/src/loader.c |
| 28 | ${MCUBOOT_PATH}/boot/bootutil/src/bootutil_misc.c |
| 29 | ${MCUBOOT_PATH}/boot/bootutil/src/image_validate.c |
| 30 | ${MCUBOOT_PATH}/boot/bootutil/src/image_rsa.c |
| 31 | ${MCUBOOT_PATH}/boot/bootutil/src/tlv.c |
| 32 | ${MCUBOOT_PATH}/boot/bootutil/src/boot_record.c |
| Balint Matyi | 69e2d2e | 2020-07-08 10:53:54 +0100 | [diff] [blame] | 33 | ${MCUBOOT_PATH}/boot/bootutil/src/swap_scratch.c |
| 34 | ${MCUBOOT_PATH}/boot/bootutil/src/swap_move.c |
| 35 | ${MCUBOOT_PATH}/boot/bootutil/src/swap_misc.c |
| 36 | ${MCUBOOT_PATH}/boot/bootutil/src/encrypted.c |
| Tamas Ban | 1bfc9da | 2020-07-09 13:55:38 +0100 | [diff] [blame] | 37 | ${MCUBOOT_PATH}/boot/bootutil/src/fault_injection_hardening.c |
| 38 | ${MCUBOOT_PATH}/boot/bootutil/src/fault_injection_hardening_delay_rng_mbedtls.c |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 39 | ) |
| 40 | |
| 41 | set(MCUBOOT_ALLOWED_LOG_LEVELS OFF ERROR WARNING INFO DEBUG) |
| 42 | list(FIND MCUBOOT_ALLOWED_LOG_LEVELS ${MCUBOOT_LOG_LEVEL} LOG_LEVEL_ID) |
| 43 | |
| 44 | configure_file(include/mcuboot_config/mcuboot_config.h.in |
| 45 | ${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h |
| 46 | @ONLY) |
| 47 | |
| 48 | ############################### IMAGE SIGNING ################################## |
| 49 | |
| 50 | find_package(Python3) |
| 51 | |
| 52 | set(FLASH_AREA_NUM 0) |
| 53 | if (MCUBOOT_IMAGE_NUMBER GREATER 1) |
| 54 | configure_file(signing_layout.c.in signing_layout_s.c @ONLY) |
| 55 | add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c) |
| David Vincze | c3e313a | 2020-01-06 17:31:11 +0100 | [diff] [blame] | 56 | else() |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 57 | # Imgtool script requires the s_ns sufix. Since only one sigining layout is |
| 58 | # used in this mode the signing_layout_s target's source file is renamed. |
| 59 | configure_file(signing_layout.c.in signing_layout_s_ns.c @ONLY) |
| 60 | add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c) |
| David Vincze | c3e313a | 2020-01-06 17:31:11 +0100 | [diff] [blame] | 61 | endif() |
| 62 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 63 | target_compile_options(signing_layout_s |
| 64 | PRIVATE |
| 65 | $<$<C_COMPILER_ID:GNU>:-E\;-xc> |
| 66 | $<$<C_COMPILER_ID:ARMClang>:-E\;-xc> |
| 67 | $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>> |
| 68 | ) |
| 69 | target_compile_definitions(signing_layout_s |
| 70 | PRIVATE |
| 71 | $<$<BOOL:${BL2}>:BL2> |
| 72 | $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}> |
| 73 | ) |
| 74 | target_link_libraries(signing_layout_s |
| 75 | PRIVATE |
| 76 | platform_bl2 |
| 77 | ) |
| 78 | |
| 79 | if(NS) |
| 80 | add_custom_target(tfm_s_ns_bin |
| 81 | SOURCES tfm_s_ns.bin |
| 82 | ) |
| 83 | add_custom_command(OUTPUT tfm_s_ns.bin |
| 84 | DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin |
| 85 | DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin |
| 86 | DEPENDS tfm_s_bin tfm_ns_bin |
| 87 | DEPENDS signing_layout_s |
| 88 | |
| 89 | COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py |
| 90 | --layout $<TARGET_OBJECTS:signing_layout_s> |
| 91 | -s $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin |
| 92 | -n $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin |
| 93 | -o tfm_s_ns.bin |
| 94 | COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns.bin $<TARGET_FILE_DIR:bl2> |
| 95 | ) |
| Tamas Ban | 581034a | 2017-12-19 19:54:37 +0000 | [diff] [blame] | 96 | endif() |
| 97 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 98 | add_custom_target(tfm_s_signed_bin |
| 99 | SOURCES tfm_s_signed.bin |
| 100 | ) |
| 101 | add_custom_command(OUTPUT tfm_s_signed.bin |
| 102 | DEPENDS $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin |
| 103 | DEPENDS tfm_s_bin signing_layout_s |
| 104 | WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts |
| Tamas Ban | d0f4e1d | 2019-07-11 09:39:03 +0100 | [diff] [blame] | 105 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 106 | #Sign secure binary image with provided secret key |
| 107 | COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py |
| 108 | -v ${MCUBOOT_IMAGE_VERSION_S} |
| 109 | --layout $<TARGET_OBJECTS:signing_layout_s> |
| 110 | -k ${MCUBOOT_KEY_S} |
| 111 | --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash> |
| 112 | --align 1 |
| 113 | --pad |
| 114 | --pad-header |
| 115 | -H 0x400 |
| 116 | -s ${MCUBOOT_SECURITY_COUNTER_S} |
| 117 | -d \"\(0,${MCUBOOT_S_IMAGE_MIN_VER}\)\" |
| 118 | $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only> |
| 119 | $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}> |
| 120 | $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin |
| 121 | ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin |
| 122 | COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2> |
| 123 | ) |
| 124 | |
| 125 | if(NS) |
| 126 | set(FLASH_AREA_NUM 1) |
| 127 | configure_file(signing_layout.c.in signing_layout_ns.c @ONLY) |
| 128 | |
| 129 | add_library(signing_layout_ns OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c) |
| 130 | target_compile_options(signing_layout_ns |
| 131 | PRIVATE |
| 132 | $<$<C_COMPILER_ID:GNU>:-E\;-xc> |
| 133 | $<$<C_COMPILER_ID:ARMClang>:-E\;-xc> |
| 134 | $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_ns>> |
| 135 | ) |
| 136 | target_compile_definitions(signing_layout_ns |
| 137 | PRIVATE |
| 138 | $<$<BOOL:${BL2}>:BL2> |
| 139 | $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}> |
| 140 | ) |
| 141 | target_link_libraries(signing_layout_ns |
| 142 | PRIVATE |
| 143 | platform_bl2 |
| 144 | ) |
| 145 | |
| 146 | add_custom_target(tfm_ns_signed_bin |
| 147 | SOURCES tfm_ns_signed.bin |
| 148 | ) |
| 149 | add_custom_command(OUTPUT tfm_ns_signed.bin |
| 150 | DEPENDS $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin |
| 151 | DEPENDS tfm_ns_bin signing_layout_ns |
| 152 | WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts |
| 153 | |
| 154 | #Sign non-secure binary image with provided secret key |
| 155 | COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py |
| 156 | -v ${MCUBOOT_IMAGE_VERSION_NS} |
| 157 | --layout $<TARGET_OBJECTS:signing_layout_ns> |
| 158 | -k ${MCUBOOT_KEY_NS} |
| 159 | --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash> |
| 160 | --align 1 |
| 161 | --pad |
| 162 | --pad-header |
| 163 | -H 0x400 |
| 164 | -s ${MCUBOOT_SECURITY_COUNTER_NS} |
| 165 | -d \"\(1, ${MCUBOOT_NS_IMAGE_MIN_VER}\)\" |
| 166 | $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin |
| 167 | $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only> |
| 168 | $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}> |
| 169 | ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin |
| 170 | COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_ns_signed.bin $<TARGET_FILE_DIR:bl2> |
| 171 | ) |
| Tamas Ban | d0f4e1d | 2019-07-11 09:39:03 +0100 | [diff] [blame] | 172 | endif() |
| 173 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 174 | if(NS) |
| 175 | add_custom_target(tfm_s_ns_signed_bin |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 176 | SOURCES tfm_s_ns_signed.bin |
| 177 | ) |
| 178 | if (MCUBOOT_IMAGE_NUMBER GREATER 1) |
| 179 | add_custom_command(OUTPUT tfm_s_ns_signed.bin |
| 180 | DEPENDS tfm_s_signed_bin $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin |
| 181 | DEPENDS tfm_ns_signed_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin |
| 182 | DEPENDS signing_layout_s |
| 183 | |
| 184 | # Create concatenated binary image from the two independently signed |
| 185 | # binary file. This only uses the local assemble.py script (not from |
| 186 | # upstream mcuboot) because that script is geared towards zephyr |
| 187 | # support |
| 188 | COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/assemble.py |
| 189 | --layout $<TARGET_OBJECTS:signing_layout_s> |
| 190 | -s $<TARGET_FILE_DIR:bl2>/tfm_s_signed.bin |
| 191 | -n $<TARGET_FILE_DIR:bl2>/tfm_ns_signed.bin |
| 192 | -o tfm_s_ns_signed.bin |
| 193 | COMMAND ${CMAKE_COMMAND} -E copy tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2> |
| 194 | ) |
| 195 | else() |
| 196 | add_custom_command(OUTPUT tfm_s_ns_signed.bin |
| 197 | DEPENDS tfm_s_ns_bin tfm_s_ns.bin |
| 198 | DEPENDS signing_layout_s |
| 199 | |
| Mark Horvath | b9ac0d5 | 2020-09-09 10:48:22 +0200 | [diff] [blame^] | 200 | # Use the non-secure key to sign the combined image if FORWARD_PROT_MSG is set. |
| 201 | # In such a configuration there is a subsystem with higher privileges controlling the |
| 202 | # the boot process and current implementation requires to use the non-secure key here. |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 203 | COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py |
| 204 | -v ${MCUBOOT_IMAGE_VERSION_S} |
| 205 | --layout $<TARGET_OBJECTS:signing_layout_s> |
| Mark Horvath | b9ac0d5 | 2020-09-09 10:48:22 +0200 | [diff] [blame^] | 206 | -k $<IF:$<BOOL:${FORWARD_PROT_MSG}>,${MCUBOOT_KEY_NS},${MCUBOOT_KEY_S}> |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 207 | --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash> |
| 208 | --align 1 |
| 209 | --pad |
| 210 | --pad-header |
| 211 | -H 0x400 |
| 212 | -s ${MCUBOOT_SECURITY_COUNTER_S} |
| 213 | -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\" |
| 214 | -d \"\(1, ${MCUBOOT_NS_IMAGE_MIN_VER}\)\" |
| 215 | $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only> |
| 216 | $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}> |
| 217 | tfm_s_ns.bin |
| 218 | ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin |
| 219 | COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns_signed.bin $<TARGET_FILE_DIR:bl2> |
| 220 | ) |
| 221 | endif() |
| Marc Moreno Berengue | a1f296f | 2018-01-25 15:21:22 +0000 | [diff] [blame] | 222 | endif() |
| 223 | |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 224 | add_custom_target(signed_images |
| 225 | ALL |
| Mark Horvath | f056514 | 2020-11-19 18:52:44 +0100 | [diff] [blame] | 226 | DEPENDS $<IF:$<BOOL:${NS}>,tfm_s_ns_signed_bin,tfm_s_signed_bin> |
| Raef Coles | 8efad88 | 2020-07-10 09:46:00 +0100 | [diff] [blame] | 227 | ) |