diff options
author | Andrei Narkevitch <ainh@cypress.com> | 2019-11-21 15:33:35 -0800 |
---|---|---|
committer | David Hu <david.hu@arm.com> | 2019-12-10 01:31:15 +0000 |
commit | 40a7d1cd57ef2e50425b81eda3aaded6f2e694ad (patch) | |
tree | feeb6a084db4ffd1fb3532a043d01595b1f200fe | |
parent | 14d4a73cae631ea291f4d8d04e3c588ea9e955c8 (diff) | |
download | trusted-firmware-m-40a7d1cd57ef2e50425b81eda3aaded6f2e694ad.tar.gz |
Build: Add ability to sign S and NS images separately (psoc64, psoc64_1m)
With this change, script can sign each image individually or
both in the same time.
As long as cysecuretools sign_image overwrites unsigned image file
with the signed one, script creates a copy of the original image
and signs the copy.
For CM4, sign_image also creates an unsigned copy of the image
named <image to sign>_cm4.hex. Script deletes it to avoid confusion.
Signed-off-by: Andrei Narkevitch <ainh@cypress.com>
Change-Id: I99381c33d68c2281cae2ac55cc482da7db5f78ac
-rwxr-xr-x | platform/ext/target/cypress/psoc64/security/sign.py | 61 | ||||
-rwxr-xr-x | platform/ext/target/cypress/psoc64_1m/security/sign.py | 61 |
2 files changed, 108 insertions, 14 deletions
diff --git a/platform/ext/target/cypress/psoc64/security/sign.py b/platform/ext/target/cypress/psoc64/security/sign.py index f6c891392b..a4e50de8e7 100755 --- a/platform/ext/target/cypress/psoc64/security/sign.py +++ b/platform/ext/target/cypress/psoc64/security/sign.py @@ -17,6 +17,8 @@ limitations under the License. import cysecuretools import sys, getopt +import os +from shutil import copyfile, move def main(argv): s_hex_file="" @@ -25,11 +27,11 @@ def main(argv): try: opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="]) except getopt.GetoptError: - print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>') sys.exit(2) for opt, arg in opts: if opt == '-h': - print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>') sys.exit() elif opt in ("-s", "--s_hex"): s_hex_file = arg @@ -37,12 +39,57 @@ def main(argv): ns_hex_file = arg elif opt in ("-p", "--policy"): policy_file = arg - print ('tfm_s :', s_hex_file) - print ('tfm_ns:', ns_hex_file) - print ('policy:', policy_file) - cysecuretools.sign_image(s_hex_file, policy_file, 1); - cysecuretools.sign_image(ns_hex_file, policy_file, 16); + if not s_hex_file and not ns_hex_file: + print('Error: no files to sign') + exit(1) + + if not policy_file: + print('Error: missing policy file, specify it with -policy <policy json>') + exit(1) + else: + print('policy file:', policy_file) + + if s_hex_file: + print('signing tfm_s image:', s_hex_file) + + # sign_image overwrites original image, make a copy of it + name, ext = os.path.splitext(s_hex_file) + s_hex_signed_file = name + '_signed' + ext + try: + copyfile(s_hex_file, s_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(s_hex_file, s_hex_signed_file, e.message)) + raise + + cysecuretools.sign_image(s_hex_signed_file, policy_file, 1) + + if ns_hex_file: + print('signing tfm_ns image:', ns_hex_file) + + name, ext = os.path.splitext(ns_hex_file) + ns_hex_signed_file = name + '_signed' + ext + try: + copyfile(ns_hex_file, ns_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(ns_hex_file, ns_hex_signed_file, e.message)) + raise + + cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16) + + # for CM4, sign_image creates an unsigned copy of the image + # named <image to sign>_cm4.hex. Delete it to avoid confusion. + file_name = name + '_signed_cm4' + ext + if os.path.isfile(file_name): + try: + os.remove(file_name) + except IOError: + print("Could not erase '{}'" + .format(file_name)) + + print('Done.') if __name__ == "__main__": main(sys.argv[1:]) diff --git a/platform/ext/target/cypress/psoc64_1m/security/sign.py b/platform/ext/target/cypress/psoc64_1m/security/sign.py index f6c891392b..a4e50de8e7 100755 --- a/platform/ext/target/cypress/psoc64_1m/security/sign.py +++ b/platform/ext/target/cypress/psoc64_1m/security/sign.py @@ -17,6 +17,8 @@ limitations under the License. import cysecuretools import sys, getopt +import os +from shutil import copyfile, move def main(argv): s_hex_file="" @@ -25,11 +27,11 @@ def main(argv): try: opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="]) except getopt.GetoptError: - print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>') sys.exit(2) for opt, arg in opts: if opt == '-h': - print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + print('sign.py [-s <tfm_s hex>] [-n <tfm_ns hex>] -p <policy json>') sys.exit() elif opt in ("-s", "--s_hex"): s_hex_file = arg @@ -37,12 +39,57 @@ def main(argv): ns_hex_file = arg elif opt in ("-p", "--policy"): policy_file = arg - print ('tfm_s :', s_hex_file) - print ('tfm_ns:', ns_hex_file) - print ('policy:', policy_file) - cysecuretools.sign_image(s_hex_file, policy_file, 1); - cysecuretools.sign_image(ns_hex_file, policy_file, 16); + if not s_hex_file and not ns_hex_file: + print('Error: no files to sign') + exit(1) + + if not policy_file: + print('Error: missing policy file, specify it with -policy <policy json>') + exit(1) + else: + print('policy file:', policy_file) + + if s_hex_file: + print('signing tfm_s image:', s_hex_file) + + # sign_image overwrites original image, make a copy of it + name, ext = os.path.splitext(s_hex_file) + s_hex_signed_file = name + '_signed' + ext + try: + copyfile(s_hex_file, s_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(s_hex_file, s_hex_signed_file, e.message)) + raise + + cysecuretools.sign_image(s_hex_signed_file, policy_file, 1) + + if ns_hex_file: + print('signing tfm_ns image:', ns_hex_file) + + name, ext = os.path.splitext(ns_hex_file) + ns_hex_signed_file = name + '_signed' + ext + try: + copyfile(ns_hex_file, ns_hex_signed_file) + except IOError as e: + print("Failed to copy file '{}' to '{}' ({})" + .format(ns_hex_file, ns_hex_signed_file, e.message)) + raise + + cysecuretools.sign_image(ns_hex_signed_file, policy_file, 16) + + # for CM4, sign_image creates an unsigned copy of the image + # named <image to sign>_cm4.hex. Delete it to avoid confusion. + file_name = name + '_signed_cm4' + ext + if os.path.isfile(file_name): + try: + os.remove(file_name) + except IOError: + print("Could not erase '{}'" + .format(file_name)) + + print('Done.') if __name__ == "__main__": main(sys.argv[1:]) |