diff options
author | Andrei Narkevitch <ainh@cypress.com> | 2019-10-10 12:57:19 -0700 |
---|---|---|
committer | David Hu <david.hu@arm.com> | 2019-10-17 05:52:10 +0000 |
commit | ce17795b6d4542c9201c03bd24bb79a73fc21cd3 (patch) | |
tree | b9b3d23861258784ef0b486877a9c51918b61b22 | |
parent | 30706c01f7ee43364fcc2ffcbc844ccda75838cd (diff) | |
download | trusted-firmware-m-ce17795b6d4542c9201c03bd24bb79a73fc21cd3.tar.gz |
plat: add policy and script for image signing (psoc64)
Add signing tools for CypressBootloader.
Signed-off-by: Andrei Narkevitch <ainh@cypress.com>
Change-Id: I74b7be1a916e1454bfb2e16e128df895f4cf7db7
4 files changed, 319 insertions, 24 deletions
diff --git a/platform/ext/target/psoc64/cypress_psoc_6_spec.rst b/platform/ext/target/psoc64/cypress_psoc_6_spec.rst index 980504a68c..8b498b2e2c 100644 --- a/platform/ext/target/psoc64/cypress_psoc_6_spec.rst +++ b/platform/ext/target/psoc64/cypress_psoc_6_spec.rst @@ -9,9 +9,14 @@ Building Multi-Core TF-M on Cypress PSoC 6 Please make sure you have all required software installed as explained in the :doc:`software requirements </docs/user_guides/tfm_sw_requirement>`. -Please also download and install ModusToolbox from `Cypress -<https://www.cypress.com/products/modustoolbox-software-environment>`_ -and ensure that it is able to communicate with the PSoC 6 board. +Please install CySecureTools with (requires Python3.7): + +.. code-block:: bash + + pip install cysecuretools + +For more details please refer to +`CySecureTools <https://pypi.org/project/cysecuretools>`_ page. Please also make sure that all the source code are fetched by following :doc:`general building instruction </docs/user_guides/tfm_build_instruction>`. @@ -214,50 +219,113 @@ listed above. cmake --build <build folder> -- -j VERBOSE=1 ********************** -Programming the Device +Signing the images ********************** -After building, the mcuboot image must be signed using the ModusToolbox tools -and the signed mcuboot image and the TFM image must be programmed into flash -memory on the PSoC 6 device. +First, convert tfm_s.axf and tfm_ns.axf images to hex format. This also places +resulting files one folder level up. -The instructions below assume that you have set up an environment variable -``CYSDK`` that points to your ModusToolbox installation, for example like this: +GNUARM build: .. code-block:: bash - export CYSDK=~/ModusToolbox_1.1 + arm-none-eabi-objcopy -O ihex <build folder>/secure_fw/tfm_s.axf <build folder>/tfm_s.hex + arm-none-eabi-objcopy -O ihex <build folder>/app/tfm_ns.axf <build folder>/tfm_ns.hex -All the ``<build folder>`` in the commands below are the build folder created -by build commands above. +ARMCLANG build: + +.. code-block:: bash -To program the primary image to the device: + fromelf --i32 --output=<build folder>/tfm_s.hex <build folder>/secure_fw/tfm_s.axf + fromelf --i32 --output=<build folder>/tfm_ns.hex <build folder>/app/tfm_ns.axf + +Copy secure keys used in the board provisioning process to +platform/ext/target/psoc64/security/keys: + +MCUBOOT_CM0P_KEY.json - private OEM key for signing CM0P image +USERAPP_CM4_KEY.json - private OEM key for signing CM4 image + +Note: provisioned board in SECURE claimed state is required, otherwise refer to +Cypress documentation for details on the provisioning process. + +Sign the images (sign.py overwrites unsigned files with signed ones): .. code-block:: bash - ${CYSDK}/tools/openocd-2.1/bin/openocd -s "${CYSDK}/tools/openocd-2.1/scripts" -c "source [find interface/kitprog3.cfg]" -c "source [find target/psoc6.cfg]" -c "program ./<build folder>/tfm_sign.bin offset 0x10020000 verify" -c "reset_config srst_only;psoc6.dap dpreg 0x04 0x00;shutdown" + ./platform/ext/target/psoc64/security/sign.py \ + -s <build folder>/tfm_s.hex \ + -n <build folder>/tfm_ns.hex \ + -p platform/ext/target/psoc6/security/policy_dual_stage_CM0p_CM4.json + +********************** +Programming the Device +********************** + +After building and signing, the TFM images must be programmed into flash +memory on the PSoC 6 device. -Note that the ``0x10020000`` in the command above must match the start address -of the secure primary image specified in the file:: +There are two methods to program psoc6 device. - platform/ext/target/psoc64/partition/flash_layout.h +DAPLink mode +============ -so be sure to change it if you change that file. +Using KitProg3 mode button, switch it to DAPLink mode. +Mode LED should start blinking rapidly and depending on the host computer +settings DAPLINK will be mounted as a media storage device. +Otherwise, mount it manually. -To sign the mcuboot image: +Copy tfm hex files one by one to the DAPLINK device: .. code-block:: bash - ${CYSDK}/tools/cymcuelftool-1.0/bin/cymcuelftool --sign ./<build folder>/bl2/ext/mcuboot/mcuboot.axf --output ./<build folder>/mcuboot_signed.elf + cp <build folder>/tfm_ns.hex <mount point>/DAPLINK/; sync + cp <build folder>/tfm_s.hex <mount point>/DAPLINK/; sync + +OpenOCD v.2.2 +============= -To program the signed mcuboot image to the device: +Using KitProg3 mode button, switch to KitProg3 CMSIS-DAP BULK mode. +Status LED should be ON and not blinking. +To program the signed tfm_s image to the device with openocd (assuming +OPENOCD_PATH is pointing at the openocd installation directory) run the +following commands: .. code-block:: bash - ${CYSDK}/tools/openocd-2.1/bin/openocd -s "${CYSDK}/tools/openocd-2.1/scripts" -c "source [find interface/kitprog3.cfg]" -c "source [find target/psoc6.cfg]" -c "program ./<build folder>/mcuboot_signed.elf verify" -c "reset_config srst_only;reset run;psoc6.dap dpreg 0x04 0x00;shutdown" + ${OPENOCD_PATH}/bin/openocd \ + -s ${OPENOCD_PATH}/scripts \ + -f interface/kitprog3.cfg \ + -c "set ENABLE_ACQUIRE 0" \ + -f target/psoc6_secure.cfg \ + -c "init; reset init; flash write_image erase <build folder>/tfm_s.hex" \ + -c "resume; reset; exit" + + ${OPENOCD_PATH}/bin/openocd \ + -s ${OPENOCD_PATH}/scripts \ + -f interface/kitprog3.cfg \ + -c "set ENABLE_ACQUIRE 0" \ + -f target/psoc6_secure.cfg \ + -c "init; reset init; flash write_image erase <build folder>/tfm_ns.hex" \ + -c "resume; reset; exit" + +Optionally, erase SST partition: -Alternatively, it is possible to program the device using ModusToolbox. For -details, please refer to the ModusToolbox documentation. +.. code-block:: bash + + ${OPENOCD_PATH}/bin/openocd \ + -s ${OPENOCD_PATH}/scripts \ + -f interface/kitprog3.cfg \ + -f target/psoc6_secure.cfg \ + -c "init; reset init" \ + -c "flash erase_address 0x100c0000 0x10000" \ + -c "shutdown" + +Note that the ``0x100C0000`` in the command above must match the SST start +address of the secure primary image specified in the file: + + platform/ext/target/psoc64/partition/flash_layout.h + +so be sure to change it if you change that file. *Copyright (c) 2017-2019, Arm Limited. All rights reserved.* diff --git a/platform/ext/target/psoc64/security/keys/readme.rst b/platform/ext/target/psoc64/security/keys/readme.rst new file mode 100644 index 0000000000..de80f3d16d --- /dev/null +++ b/platform/ext/target/psoc64/security/keys/readme.rst @@ -0,0 +1,4 @@ +Signing keys: + +MCUBOOT_CM0P_KEY.json - private OEM key for signing CM0P image +USERAPP_CM4_KEY.json - private OEM key for signing CM4 image diff --git a/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json b/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json new file mode 100644 index 0000000000..71c539ddc6 --- /dev/null +++ b/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json @@ -0,0 +1,175 @@ +{ + "debug" : + { + "m0p" : { + "permission" : "enabled", + "control" : "firmware", + "key" : 5 + }, + "m4" : { + "permission" : "allowed", + "control" : "firmware", + "key" : 5 + }, + "system" : { + "permission" : "enabled", + "control" : "firmware", + "key" : 5, + "syscall": true, + "mmio": true, + "flash": true, + "workflash": true, + "sflash": true, + "sram": true + }, + "rma" : { + "permission" : "allowed", + "destroy_fuses" : [ + { + "start" : 888, + "size" : 136 + }, + { + "start" : 648, + "size" : 104 + } + ], + "destroy_flash" : [ + { + "start" : 268435456, + "size" : 851968 + }, + { + "start" : 269483520, + "size" : 16 + } + ], + "key" : 5 + } + }, + "wounding" : + { + }, + "boot_upgrade" : + { + "firmware": [ + { + "boot_auth": [ + 3 + ], + "id": 0, + "launch": 1, + "monotonic": 0, + "smif_id": 0, + "upgrade": false, + "upgrade_auth": [ + 3 + ], + "upgrade_keys": [ + { "kid": 3, "key": "./keys/MCUBOOT_CM0P_KEY.json" } + ], + "backup": false, + "resources": [ + { + "type": "FLASH_PC1_SPM", + "address": 269287424, + "size": 65536 + }, + { + "type": "SRAM_SPM_PRIV", + "address": 134348800, + "size": 65536 + } + ] + }, + { + "boot_auth": [ + 6 + ], + "boot_keys": [ + { "kid": 6, "key": "./keys/MCUBOOT_CM0P_KEY.json" } + ], + "id": 1, + "launch": 16, + "monotonic": 0, + "smif_id": 0, + "version": "0.1", + "rollback_counter": 0, + "upgrade": false, + "encrypt": false, + "encrypt_key_id": 1, + "upgrade_auth": [ + 6 + ], + "upgrade_keys": [ + { "kid": 6, "key": "./keys/MCUBOOT_CM0P_KEY.json" } + ], + "backup": false, + "resources": [ + { + "type": "BOOT", + "address": 268959744, + "size": 327680 + }, + { + "type": "UPGRADE", + "address": 268730368, + "size": 327680 + } + ] + }, + { + "boot_auth": [ + 8 + ], + "boot_keys": [ + { "kid": 8, "key": "./keys/USERAPP_CM4_KEY.json" } + ], + "id": 16, + "monotonic": 0, + "smif_id": 0, + "version": "0.1", + "rollback_counter": 0, + "upgrade": false, + "upgrade_auth": [ + 8 + ], + "upgrade_keys": [ + { "kid": 8, "key": "./keys/USERAPP_CM4_KEY.json" } + ], + "backup": false, + "resources": [ + { + "type": "BOOT", + "address": 268435456, + "size": 163840 + }, + { + "type": "UPGRADE", + "address": 268730368, + "size": 262144 + } + ] + } + ], + "reprogram": [ + { + "size": 917504, + "start": 268435456 + }, + { + "size": 131072, + "start": 268828672 + } + ], + "reprovision": { + "boot_loader": false, + "keys_and_policies": true + }, + "title": "upgrade_policy" + }, + "cy_bootloader": + { + "mode": "debug" + } +} diff --git a/platform/ext/target/psoc64/security/sign.py b/platform/ext/target/psoc64/security/sign.py new file mode 100755 index 0000000000..f6c891392b --- /dev/null +++ b/platform/ext/target/psoc64/security/sign.py @@ -0,0 +1,48 @@ +#!/usr/bin/python3 +""" +Copyright (c) 2019 Cypress Semiconductor Corporation + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +import cysecuretools +import sys, getopt + +def main(argv): + s_hex_file="" + ns_hex_file="" + policy_file="" + try: + opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="]) + except getopt.GetoptError: + print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + sys.exit(2) + for opt, arg in opts: + if opt == '-h': + print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>') + sys.exit() + elif opt in ("-s", "--s_hex"): + s_hex_file = arg + elif opt in ("-n", "--ns_hex"): + ns_hex_file = arg + elif opt in ("-p", "--policy"): + policy_file = arg + print ('tfm_s :', s_hex_file) + print ('tfm_ns:', ns_hex_file) + print ('policy:', policy_file) + + cysecuretools.sign_image(s_hex_file, policy_file, 1); + cysecuretools.sign_image(ns_hex_file, policy_file, 16); + +if __name__ == "__main__": + main(sys.argv[1:]) |