@@ -7,11 +7,23 @@ TFA_PLATFORM = "corstone1000"
PREFERRED_VERSION_trusted-firmware-a ?= "2.5%"
EXTRA_IMAGEDEPENDS += "virtual/trusted-firmware-a"
+TFA_BL2_BINARY = "bl2-corstone1000.bin"
+TFA_FIP_BINARY = "fip-corstone1000.bin"
+
# TF-M
PREFERRED_VERSION_trusted-firmware-m ?= "1.4%"
TFM_PLATFORM = "arm/corstone1000"
EXTRA_IMAGEDEPENDS += "virtual/trusted-firmware-m"
+# TF-M settings for signing host images
+TFA_BL2_RE_IMAGE_LOAD_ADDRESS = "0x62353000"
+TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
+TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
+TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
+RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
+TFM_SIGN_PRIVATE_KEY = "${S}/bl2/ext/mcuboot/root-RSA-3072_1.pem"
+RE_IMAGE_OFFSET = "0x1000"
+
# u-boot
PREFERRED_VERSION_u-boot ?= "2021.07"
EXTRA_IMAGEDEPENDS += "u-boot"
@@ -45,3 +45,6 @@ EXTRA_OEMAKE:append = " \
BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \
LOG_LEVEL=50 \
"
+
+# trigger TF-M build so TF-A binaries get signed
+do_deploy[depends]+= "virtual/trusted-firmware-m:do_prepare_recipe_sysroot"
@@ -17,6 +17,13 @@ SRCREV_tfm = "ccd82e35f539c0d7261b2935d6d30c550cfc6736"
SRCREV_FORMAT = "tfm_mcuboot_tfm-tests_mbedtls"
+# The install task signs the TF-A BL2 and FIP binaries.
+# So they need to be copied to the sysroot. Hence the dependencies below:
+do_prepare_recipe_sysroot[depends]+= "virtual/trusted-firmware-a:do_populate_sysroot"
+
+# adding host images signing support
+require trusted-firmware-m-sign-host-images.inc
+
do_install() {
if [ ! -d "${B}/install/outputs/ARM/CORSTONE1000" ]
then
@@ -27,4 +34,16 @@ do_install() {
install -D -p -m 0644 ${B}/install/outputs/ARM/CORSTONE1000/bl2_signed.bin ${D}/firmware/bl2_signed.bin
install -D -p -m 0644 ${B}/install/outputs/ARM/CORSTONE1000/bl1.bin ${D}/firmware/bl1.bin
+ #
+ # Signing TF-A BL2 and the FIP image
+ #
+
+ sign_host_image ${TFA_BL2_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
+
+ fiptool update \
+ --tb-fw ${D}/firmware/signed_${TFA_BL2_BINARY} \
+ ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY}
+
+ sign_host_image ${TFA_FIP_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
+
}
new file mode 100644
@@ -0,0 +1,50 @@
+# Signing host images using TF-M tools
+
+DEPENDS += "python3-imgtool-native fiptool-native"
+
+#
+# sign_host_image
+#
+# Description:
+#
+# A generic function that signs a host image
+# using MCUBOOT format
+#
+# Arguments:
+#
+# $1 ... host binary to sign
+# $2 ... host binary path
+# $3 ... load address of the given binary
+# $4 ... signed binary size
+#
+# Note: The signed binary is copied to ${D}/firmware
+#
+sign_host_image() {
+
+ host_binary_filename="`basename -s .bin ${1}`"
+ host_binary_layout="${host_binary_filename}_ns"
+
+ cat << EOF > ${B}/${host_binary_layout}
+enum image_attributes {
+ RE_IMAGE_LOAD_ADDRESS = ${3},
+ RE_SIGN_BIN_SIZE = ${4},
+};
+EOF
+
+ host_binary="${2}/`basename ${1}`"
+ host_binary_signed="${D}/firmware/signed_`basename ${1}`"
+
+ ${PYTHON} ${S}/bl2/ext/mcuboot/scripts/wrapper/wrapper.py \
+ -v ${RE_LAYOUT_WRAPPER_VERSION} \
+ --layout ${B}/${host_binary_layout} \
+ -k ${TFM_SIGN_PRIVATE_KEY} \
+ --public-key-format full \
+ --align 1 \
+ --pad \
+ --pad-header \
+ -H ${RE_IMAGE_OFFSET} \
+ -s auto \
+ ${host_binary} \
+ ${host_binary_signed}
+
+}