aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrei Narkevitch <ainh@cypress.com>2019-11-21 15:33:35 -0800
committerDavid Hu <david.hu@arm.com>2019-12-10 01:31:15 +0000
commit40a7d1cd57ef2e50425b81eda3aaded6f2e694ad (patch)
treefeeb6a084db4ffd1fb3532a043d01595b1f200fe
parent14d4a73cae631ea291f4d8d04e3c588ea9e955c8 (diff)
downloadtrusted-firmware-m-40a7d1cd57ef2e50425b81eda3aaded6f2e694ad.tar.gz
Build: Add ability to sign S and NS images separately (psoc64, psoc64_1m)
With this change, script can sign each image individually or both in the same time. As long as cysecuretools sign_image overwrites unsigned image file with the signed one, script creates a copy of the original image and signs the copy. For CM4, sign_image also creates an unsigned copy of the image named <image to sign>_cm4.hex. Script deletes it to avoid confusion. Signed-off-by: Andrei Narkevitch <ainh@cypress.com> Change-Id: I99381c33d68c2281cae2ac55cc482da7db5f78ac
-rwxr-xr-xplatform/ext/target/cypress/psoc64/security/sign.py61
-rwxr-xr-xplatform/ext/target/cypress/psoc64_1m/security/sign.py61
2 files changed, 108 insertions, 14 deletions
diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py
index f6c891392b..a4e50de8e7 100755
--- a/platform/ext/target/cypress/psoc64/security/sign.py
+++ b/platform/ext/target/cypress/psoc64/security/sign.py
@@ -17,6 +17,8 @@ limitations under the License.
import cysecuretools
import sys, getopt
+import os
+from shutil import copyfile, move
def main(argv):
s_hex_file=""
@@ -25,11 +27,11 @@ def main(argv):
try:
opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
except getopt.GetoptError:
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit()
elif opt in ("-s", "--s_hex"):
s_hex_file = arg
@@ -37,12 +39,57 @@ def main(argv):
ns_hex_file = arg
elif opt in ("-p", "--policy"):
policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+ if not s_hex_file and not ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ if not policy_file:
+ print('Error: missing policy file, specify it with -policy <policy json>')
+ exit(1)
+ else:
+ print('policy file:', policy_file)
+
+ if s_hex_file:
+ print('signing tfm_s image:', s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(s_hex_signed_file, policy_file, 1)
+
+ if ns_hex_file:
+ print('signing tfm_ns image:', ns_hex_file)
+
+ name, ext = os.path.splitext(ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])
diff --git a/platform/ext/target/cypress/psoc64_1m/security/sign.py b/platform/ext/target/cypress/psoc64_1m/security/sign.py
index f6c891392b..a4e50de8e7 100755
--- a/platform/ext/target/cypress/psoc64_1m/security/sign.py
+++ b/platform/ext/target/cypress/psoc64_1m/security/sign.py
@@ -17,6 +17,8 @@ limitations under the License.
import cysecuretools
import sys, getopt
+import os
+from shutil import copyfile, move
def main(argv):
s_hex_file=""
@@ -25,11 +27,11 @@ def main(argv):
try:
opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
except getopt.GetoptError:
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
- print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>')
sys.exit()
elif opt in ("-s", "--s_hex"):
s_hex_file = arg
@@ -37,12 +39,57 @@ def main(argv):
ns_hex_file = arg
elif opt in ("-p", "--policy"):
policy_file = arg
- print ('tfm_s :', s_hex_file)
- print ('tfm_ns:', ns_hex_file)
- print ('policy:', policy_file)
- cysecuretools.sign_image(s_hex_file, policy_file, 1);
- cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+ if not s_hex_file and not ns_hex_file:
+ print('Error: no files to sign')
+ exit(1)
+
+ if not policy_file:
+ print('Error: missing policy file, specify it with -policy <policy json>')
+ exit(1)
+ else:
+ print('policy file:', policy_file)
+
+ if s_hex_file:
+ print('signing tfm_s image:', s_hex_file)
+
+ # sign_image overwrites original image, make a copy of it
+ name, ext = os.path.splitext(s_hex_file)
+ s_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(s_hex_file, s_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(s_hex_file, s_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(s_hex_signed_file, policy_file, 1)
+
+ if ns_hex_file:
+ print('signing tfm_ns image:', ns_hex_file)
+
+ name, ext = os.path.splitext(ns_hex_file)
+ ns_hex_signed_file = name + '_signed' + ext
+ try:
+ copyfile(ns_hex_file, ns_hex_signed_file)
+ except IOError as e:
+ print("Failed to copy file '{}' to '{}' ({})"
+ .format(ns_hex_file, ns_hex_signed_file, e.message))
+ raise
+
+ cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16)
+
+ # for CM4, sign_image creates an unsigned copy of the image
+ # named <image to sign>_cm4.hex. Delete it to avoid confusion.
+ file_name = name + '_signed_cm4' + ext
+ if os.path.isfile(file_name):
+ try:
+ os.remove(file_name)
+ except IOError:
+ print("Could not erase '{}'"
+ .format(file_name))
+
+ print('Done.')
if __name__ == "__main__":
main(sys.argv[1:])