aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrei Narkevitch <ainh@cypress.com>2019-10-10 12:57:19 -0700
committerDavid Hu <david.hu@arm.com>2019-10-17 05:52:10 +0000
commitce17795b6d4542c9201c03bd24bb79a73fc21cd3 (patch)
treeb9b3d23861258784ef0b486877a9c51918b61b22
parent30706c01f7ee43364fcc2ffcbc844ccda75838cd (diff)
downloadtrusted-firmware-m-ce17795b6d4542c9201c03bd24bb79a73fc21cd3.tar.gz
plat: add policy and script for image signing (psoc64)
Add signing tools for CypressBootloader. Signed-off-by: Andrei Narkevitch <ainh@cypress.com> Change-Id: I74b7be1a916e1454bfb2e16e128df895f4cf7db7
-rw-r--r--platform/ext/target/psoc64/cypress_psoc_6_spec.rst116
-rw-r--r--platform/ext/target/psoc64/security/keys/readme.rst4
-rw-r--r--platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json175
-rwxr-xr-xplatform/ext/target/psoc64/security/sign.py48
4 files changed, 319 insertions, 24 deletions
diff --git a/platform/ext/target/psoc64/cypress_psoc_6_spec.rst b/platform/ext/target/psoc64/cypress_psoc_6_spec.rst
index 980504a68c..8b498b2e2c 100644
--- a/platform/ext/target/psoc64/cypress_psoc_6_spec.rst
+++ b/platform/ext/target/psoc64/cypress_psoc_6_spec.rst
@@ -9,9 +9,14 @@ Building Multi-Core TF-M on Cypress PSoC 6
Please make sure you have all required software installed as explained in the
:doc:`software requirements </docs/user_guides/tfm_sw_requirement>`.
-Please also download and install ModusToolbox from `Cypress
-<https://www.cypress.com/products/modustoolbox-software-environment>`_
-and ensure that it is able to communicate with the PSoC 6 board.
+Please install CySecureTools with (requires Python3.7):
+
+.. code-block:: bash
+
+ pip install cysecuretools
+
+For more details please refer to
+`CySecureTools <https://pypi.org/project/cysecuretools>`_ page.
Please also make sure that all the source code are fetched by following
:doc:`general building instruction </docs/user_guides/tfm_build_instruction>`.
@@ -214,50 +219,113 @@ listed above.
cmake --build <build folder> -- -j VERBOSE=1
**********************
-Programming the Device
+Signing the images
**********************
-After building, the mcuboot image must be signed using the ModusToolbox tools
-and the signed mcuboot image and the TFM image must be programmed into flash
-memory on the PSoC 6 device.
+First, convert tfm_s.axf and tfm_ns.axf images to hex format. This also places
+resulting files one folder level up.
-The instructions below assume that you have set up an environment variable
-``CYSDK`` that points to your ModusToolbox installation, for example like this:
+GNUARM build:
.. code-block:: bash
- export CYSDK=~/ModusToolbox_1.1
+ arm-none-eabi-objcopy -O ihex <build folder>/secure_fw/tfm_s.axf <build folder>/tfm_s.hex
+ arm-none-eabi-objcopy -O ihex <build folder>/app/tfm_ns.axf <build folder>/tfm_ns.hex
-All the ``<build folder>`` in the commands below are the build folder created
-by build commands above.
+ARMCLANG build:
+
+.. code-block:: bash
-To program the primary image to the device:
+ fromelf --i32 --output=<build folder>/tfm_s.hex <build folder>/secure_fw/tfm_s.axf
+ fromelf --i32 --output=<build folder>/tfm_ns.hex <build folder>/app/tfm_ns.axf
+
+Copy secure keys used in the board provisioning process to
+platform/ext/target/psoc64/security/keys:
+
+MCUBOOT_CM0P_KEY.json - private OEM key for signing CM0P image
+USERAPP_CM4_KEY.json - private OEM key for signing CM4 image
+
+Note: provisioned board in SECURE claimed state is required, otherwise refer to
+Cypress documentation for details on the provisioning process.
+
+Sign the images (sign.py overwrites unsigned files with signed ones):
.. code-block:: bash
- ${CYSDK}/tools/openocd-2.1/bin/openocd -s "${CYSDK}/tools/openocd-2.1/scripts" -c "source [find interface/kitprog3.cfg]" -c "source [find target/psoc6.cfg]" -c "program ./<build folder>/tfm_sign.bin offset 0x10020000 verify" -c "reset_config srst_only;psoc6.dap dpreg 0x04 0x00;shutdown"
+ ./platform/ext/target/psoc64/security/sign.py \
+ -s <build folder>/tfm_s.hex \
+ -n <build folder>/tfm_ns.hex \
+ -p platform/ext/target/psoc6/security/policy_dual_stage_CM0p_CM4.json
+
+**********************
+Programming the Device
+**********************
+
+After building and signing, the TFM images must be programmed into flash
+memory on the PSoC 6 device.
-Note that the ``0x10020000`` in the command above must match the start address
-of the secure primary image specified in the file::
+There are two methods to program psoc6 device.
- platform/ext/target/psoc64/partition/flash_layout.h
+DAPLink mode
+============
-so be sure to change it if you change that file.
+Using KitProg3 mode button, switch it to DAPLink mode.
+Mode LED should start blinking rapidly and depending on the host computer
+settings DAPLINK will be mounted as a media storage device.
+Otherwise, mount it manually.
-To sign the mcuboot image:
+Copy tfm hex files one by one to the DAPLINK device:
.. code-block:: bash
- ${CYSDK}/tools/cymcuelftool-1.0/bin/cymcuelftool --sign ./<build folder>/bl2/ext/mcuboot/mcuboot.axf --output ./<build folder>/mcuboot_signed.elf
+ cp <build folder>/tfm_ns.hex <mount point>/DAPLINK/; sync
+ cp <build folder>/tfm_s.hex <mount point>/DAPLINK/; sync
+
+OpenOCD v.2.2
+=============
-To program the signed mcuboot image to the device:
+Using KitProg3 mode button, switch to KitProg3 CMSIS-DAP BULK mode.
+Status LED should be ON and not blinking.
+To program the signed tfm_s image to the device with openocd (assuming
+OPENOCD_PATH is pointing at the openocd installation directory) run the
+following commands:
.. code-block:: bash
- ${CYSDK}/tools/openocd-2.1/bin/openocd -s "${CYSDK}/tools/openocd-2.1/scripts" -c "source [find interface/kitprog3.cfg]" -c "source [find target/psoc6.cfg]" -c "program ./<build folder>/mcuboot_signed.elf verify" -c "reset_config srst_only;reset run;psoc6.dap dpreg 0x04 0x00;shutdown"
+ ${OPENOCD_PATH}/bin/openocd \
+ -s ${OPENOCD_PATH}/scripts \
+ -f interface/kitprog3.cfg \
+ -c "set ENABLE_ACQUIRE 0" \
+ -f target/psoc6_secure.cfg \
+ -c "init; reset init; flash write_image erase <build folder>/tfm_s.hex" \
+ -c "resume; reset; exit"
+
+ ${OPENOCD_PATH}/bin/openocd \
+ -s ${OPENOCD_PATH}/scripts \
+ -f interface/kitprog3.cfg \
+ -c "set ENABLE_ACQUIRE 0" \
+ -f target/psoc6_secure.cfg \
+ -c "init; reset init; flash write_image erase <build folder>/tfm_ns.hex" \
+ -c "resume; reset; exit"
+
+Optionally, erase SST partition:
-Alternatively, it is possible to program the device using ModusToolbox. For
-details, please refer to the ModusToolbox documentation.
+.. code-block:: bash
+
+ ${OPENOCD_PATH}/bin/openocd \
+ -s ${OPENOCD_PATH}/scripts \
+ -f interface/kitprog3.cfg \
+ -f target/psoc6_secure.cfg \
+ -c "init; reset init" \
+ -c "flash erase_address 0x100c0000 0x10000" \
+ -c "shutdown"
+
+Note that the ``0x100C0000`` in the command above must match the SST start
+address of the secure primary image specified in the file:
+
+ platform/ext/target/psoc64/partition/flash_layout.h
+
+so be sure to change it if you change that file.
*Copyright (c) 2017-2019, Arm Limited. All rights reserved.*
diff --git a/platform/ext/target/psoc64/security/keys/readme.rst b/platform/ext/target/psoc64/security/keys/readme.rst
new file mode 100644
index 0000000000..de80f3d16d
--- /dev/null
+++ b/platform/ext/target/psoc64/security/keys/readme.rst
@@ -0,0 +1,4 @@
+Signing keys:
+
+MCUBOOT_CM0P_KEY.json - private OEM key for signing CM0P image
+USERAPP_CM4_KEY.json - private OEM key for signing CM4 image
diff --git a/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json b/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json
new file mode 100644
index 0000000000..71c539ddc6
--- /dev/null
+++ b/platform/ext/target/psoc64/security/policy_dual_stage_CM0p_CM4.json
@@ -0,0 +1,175 @@
+{
+ "debug" :
+ {
+ "m0p" : {
+ "permission" : "enabled",
+ "control" : "firmware",
+ "key" : 5
+ },
+ "m4" : {
+ "permission" : "allowed",
+ "control" : "firmware",
+ "key" : 5
+ },
+ "system" : {
+ "permission" : "enabled",
+ "control" : "firmware",
+ "key" : 5,
+ "syscall": true,
+ "mmio": true,
+ "flash": true,
+ "workflash": true,
+ "sflash": true,
+ "sram": true
+ },
+ "rma" : {
+ "permission" : "allowed",
+ "destroy_fuses" : [
+ {
+ "start" : 888,
+ "size" : 136
+ },
+ {
+ "start" : 648,
+ "size" : 104
+ }
+ ],
+ "destroy_flash" : [
+ {
+ "start" : 268435456,
+ "size" : 851968
+ },
+ {
+ "start" : 269483520,
+ "size" : 16
+ }
+ ],
+ "key" : 5
+ }
+ },
+ "wounding" :
+ {
+ },
+ "boot_upgrade" :
+ {
+ "firmware": [
+ {
+ "boot_auth": [
+ 3
+ ],
+ "id": 0,
+ "launch": 1,
+ "monotonic": 0,
+ "smif_id": 0,
+ "upgrade": false,
+ "upgrade_auth": [
+ 3
+ ],
+ "upgrade_keys": [
+ { "kid": 3, "key": "./keys/MCUBOOT_CM0P_KEY.json" }
+ ],
+ "backup": false,
+ "resources": [
+ {
+ "type": "FLASH_PC1_SPM",
+ "address": 269287424,
+ "size": 65536
+ },
+ {
+ "type": "SRAM_SPM_PRIV",
+ "address": 134348800,
+ "size": 65536
+ }
+ ]
+ },
+ {
+ "boot_auth": [
+ 6
+ ],
+ "boot_keys": [
+ { "kid": 6, "key": "./keys/MCUBOOT_CM0P_KEY.json" }
+ ],
+ "id": 1,
+ "launch": 16,
+ "monotonic": 0,
+ "smif_id": 0,
+ "version": "0.1",
+ "rollback_counter": 0,
+ "upgrade": false,
+ "encrypt": false,
+ "encrypt_key_id": 1,
+ "upgrade_auth": [
+ 6
+ ],
+ "upgrade_keys": [
+ { "kid": 6, "key": "./keys/MCUBOOT_CM0P_KEY.json" }
+ ],
+ "backup": false,
+ "resources": [
+ {
+ "type": "BOOT",
+ "address": 268959744,
+ "size": 327680
+ },
+ {
+ "type": "UPGRADE",
+ "address": 268730368,
+ "size": 327680
+ }
+ ]
+ },
+ {
+ "boot_auth": [
+ 8
+ ],
+ "boot_keys": [
+ { "kid": 8, "key": "./keys/USERAPP_CM4_KEY.json" }
+ ],
+ "id": 16,
+ "monotonic": 0,
+ "smif_id": 0,
+ "version": "0.1",
+ "rollback_counter": 0,
+ "upgrade": false,
+ "upgrade_auth": [
+ 8
+ ],
+ "upgrade_keys": [
+ { "kid": 8, "key": "./keys/USERAPP_CM4_KEY.json" }
+ ],
+ "backup": false,
+ "resources": [
+ {
+ "type": "BOOT",
+ "address": 268435456,
+ "size": 163840
+ },
+ {
+ "type": "UPGRADE",
+ "address": 268730368,
+ "size": 262144
+ }
+ ]
+ }
+ ],
+ "reprogram": [
+ {
+ "size": 917504,
+ "start": 268435456
+ },
+ {
+ "size": 131072,
+ "start": 268828672
+ }
+ ],
+ "reprovision": {
+ "boot_loader": false,
+ "keys_and_policies": true
+ },
+ "title": "upgrade_policy"
+ },
+ "cy_bootloader":
+ {
+ "mode": "debug"
+ }
+}
diff --git a/platform/ext/target/psoc64/security/sign.py b/platform/ext/target/psoc64/security/sign.py
new file mode 100755
index 0000000000..f6c891392b
--- /dev/null
+++ b/platform/ext/target/psoc64/security/sign.py
@@ -0,0 +1,48 @@
+#!/usr/bin/python3
+"""
+Copyright (c) 2019 Cypress Semiconductor Corporation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+
+import cysecuretools
+import sys, getopt
+
+def main(argv):
+ s_hex_file=""
+ ns_hex_file=""
+ policy_file=""
+ try:
+ opts, args = getopt.getopt(argv,"hs:n:p:", ["s_hex=", "ns_hex=", "policy="])
+ except getopt.GetoptError:
+ print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ sys.exit(2)
+ for opt, arg in opts:
+ if opt == '-h':
+ print ('sign.py -s_hex <tfm_s hex> -ns_hex <tfm_ns hex> -policy <policy json>')
+ sys.exit()
+ elif opt in ("-s", "--s_hex"):
+ s_hex_file = arg
+ elif opt in ("-n", "--ns_hex"):
+ ns_hex_file = arg
+ elif opt in ("-p", "--policy"):
+ policy_file = arg
+ print ('tfm_s :', s_hex_file)
+ print ('tfm_ns:', ns_hex_file)
+ print ('policy:', policy_file)
+
+ cysecuretools.sign_image(s_hex_file, policy_file, 1);
+ cysecuretools.sign_image(ns_hex_file, policy_file, 16);
+
+if __name__ == "__main__":
+ main(sys.argv[1:])