@@ -18,7 +18,7 @@ TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
-TFM_SIGN_PRIVATE_KEY = "${S}/bl2/ext/mcuboot/root-RSA-3072_1.pem"
+TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
# u-boot
@@ -6,8 +6,27 @@ LICENSE = "MIT"
COMPATIBLE_MACHINE = "corstone1000"
inherit image
-inherit wic_nopt
+inherit wic_nopt tfm_sign_image
PACKAGE_INSTALL = ""
IMAGE_FSTYPES += "wic wic.nopt"
+
+do_sign_images() {
+ # Sign TF-A BL2
+ sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \
+ ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
+
+ # Update BL2 in the FIP image
+ cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .
+ fiptool update --tb-fw ${TFM_IMAGE_SIGN_DIR}/signed_${TFA_BL2_BINARY} \
+ ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}
+
+ # Sign the FIP image
+ sign_host_image ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} \
+ ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
+}
+do_sign_images[depends] = "\
+ trusted-firmware-a:do_populate_sysroot \
+ fiptool-native:do_populate_sysroot \
+ "
@@ -37,6 +37,3 @@ EXTRA_OEMAKE:append = " \
BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \
LOG_LEVEL=50 \
"
-
-# trigger TF-M build so TF-A binaries get signed
-do_deploy[depends]+= "virtual/trusted-firmware-m:do_prepare_recipe_sysroot"
@@ -25,25 +25,8 @@ SRC_URI += "git://github.com/OpenAMP/open-amp.git;protocol=https;branch=main;nam
SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d"
EXTRA_OECMAKE += "-DLIBOPENAMP_SRC_PATH=${WORKDIR}/git/openamp -DLIBOPENAMP_BIN_PATH=${B}/libopenamp-build"
-DEPENDS += "trusted-firmware-a"
-
-# adding host images signing support
-require trusted-firmware-m-sign-host-images.inc
-
do_install() {
install -D -p -m 0644 ${B}/install/outputs/tfm_s_signed.bin ${D}/firmware/tfm_s_signed.bin
install -D -p -m 0644 ${B}/install/outputs/bl2_signed.bin ${D}/firmware/bl2_signed.bin
install -D -p -m 0644 ${B}/install/outputs/bl1.bin ${D}/firmware/bl1.bin
-
- #
- # Signing TF-A BL2 and the FIP image
- #
-
- sign_host_image ${TFA_BL2_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
-
- fiptool update \
- --tb-fw ${D}/firmware/signed_${TFA_BL2_BINARY} \
- ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY}
-
- sign_host_image ${TFA_FIP_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
}