From patchwork Wed Feb 22 12:04:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19984 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B30F4C61DA4 for ; Wed, 22 Feb 2023 12:05:06 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.6950.1677067500121034224 for ; Wed, 22 Feb 2023 04:05:00 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 72818139F; Wed, 22 Feb 2023 04:05:42 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0F7143F881; Wed, 22 Feb 2023 04:04:58 -0800 (PST) From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Date: Wed, 22 Feb 2023 12:04:36 +0000 Message-Id: <20230222120441.2684534-1-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:06 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4437 
From: Peter Hoyes Update the TF-M image signing scripts to use the TF-M 1.7.0 sources, so it is in sync with the TF-M recipe itself. Synchronize the trusted-firmware-m and -scripts Python dependencies with the in-repo requirements.txt files. This requires a recipe to be carried for pyhsslms. 1.7.0 introduces the --measured-boot-record argument to the image signing script, which is required to maintain existing behavior. Add it to the arguments in the tfm_sign_image bbclass. Signed-off-by: Peter Hoyes --- meta-arm/classes/tfm_sign_image.bbclass | 1 + .../trusted-firmware-m/trusted-firmware-m_1.7.0.bb | 14 ++++++++++---- .../python/python3-pyhsslms_1.1.1.bb | 10 ++++++++++ ... => trusted-firmware-m-scripts-native_1.7.0.bb} | 14 +++++++++++--- 4 files changed, 32 insertions(+), 7 deletions(-) create mode 100644 meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb rename meta-arm/recipes-devtools/trusted-firmware-m-scripts/{trusted-firmware-m-scripts-native_1.6.0.bb => trusted-firmware-m-scripts-native_1.7.0.bb} (64%) diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass index 542b708b..a5c41ae3 100644 --- a/meta-arm/classes/tfm_sign_image.bbclass +++ b/meta-arm/classes/tfm_sign_image.bbclass @@ -72,6 +72,7 @@ EOF --align 1 \ --pad \ --pad-header \ + --measured-boot-record \ -H ${RE_IMAGE_OFFSET} \ -s auto \ "${1}" \ diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb index f4219be6..8df21339 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb 
@@ -59,15 +59,21 @@ INHIBIT_DEFAULT_DEPS = "1" PACKAGE_ARCH = "${MACHINE_ARCH}" +# See tools/requirements.txt for Python dependencies DEPENDS += "cmake-native \ ninja-native \ gcc-arm-none-eabi-native \ - python3-intelhex-native \ - python3-jinja2-native \ - python3-pyyaml-native \ + python3-cbor2-native \ python3-click-native \ python3-cryptography-native \ - python3-cbor2-native" + python3-pyasn1-native \ + python3-imgtool-native \ + python3-jinja2-native \ + python3-pyyaml-native \ + python3-pyhsslms-native \ + python3-ecdsa-native \ + python3-kconfiglib-native \ +" S = "${WORKDIR}/git/tfm" B = "${WORKDIR}/build" diff --git a/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb new file mode 100644 index 00000000..6012ab2d --- /dev/null +++ b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb @@ -0,0 +1,10 @@ +SUMMARY = "Pure-Python implementation of HSS/LMS Digital Signatures (RFC 8554)" +HOMEPAGE ="https://pypi.org/project/pyhsslms" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=58f6f7065b99f9d01d56e759256a6f1b" + +inherit pypi python_setuptools_build_meta +PYPI_PACKAGE = "pyhsslms" +SRC_URI[sha256sum] = "58bf03e34c6f9d5a3cfd77875d0a1356d4f23d7ad6ffd129b1e60de1208db753" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb similarity index 64% rename from meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb rename to meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb index db35ecf7..f30c3b52 100644 --- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb +++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb 
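Review bot: In the new python3-pyhsslms_1.1.1.bb, `HOMEPAGE ="https://pypi.org/project/pyhsslms"` is missing the space after `=` that every other assignment in the recipe has. It should read `HOMEPAGE = "https://pypi.org/project/pyhsslms"`. This changes only the formatting, not how the recipe parses.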
@@ -1,9 +1,9 @@ SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH}" -# Use the wrapper script from TF-Mv1.6.0 +# Use the wrapper script from TF-Mv1.7.0 SRCBRANCH ?= "master" -SRCREV = "7387d88158701a3c51ad51c90a05326ee12847a8" +SRCREV = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa" 
@@ -12,7 +12,15 @@ S = "${WORKDIR}/git" inherit native -RDEPENDS:${PN} = "python3-imgtool-native python3-click-native" +# See bl2/ext/mcuboot/scripts/requirements.txt +RDEPENDS:${PN} = "\ + python3-cryptography-native \ + python3-pyasn1-native \ + python3-pyyaml-native \ + python3-cbor2-native \ + python3-imgtool-native \ + python3-click-native \ +" do_configure[noexec] = "1" do_compile[noexec] = "1" From patchwork Wed Feb 22 12:04:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19985 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C251C677F1 for ; Wed, 22 Feb 2023 12:05:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.7011.1677067506312761612 for ; Wed, 22 Feb 2023 04:05:06 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 667F4139F; Wed, 22 Feb 2023 04:05:48 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0579E3F881; Wed, 22 Feb 2023 04:05:04 -0800 (PST) 
From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign Date: Wed, 22 Feb 2023 12:04:37 +0000 Message-Id: <20230222120441.2684534-2-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230222120441.2684534-1-peter.hoyes@arm.com> References: <20230222120441.2684534-1-peter.hoyes@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:16 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4438 From: Peter Hoyes Factor out the image signing arguments in tfm_image_sign.bbclass into its own variable, TFM_IMAGE_SIGN_ARGS, so that it can be customized on a per-machine basis if necessary. Signed-off-by: Peter Hoyes --- meta-arm/classes/tfm_sign_image.bbclass | 26 +++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass index a5c41ae3..5ba57dc8 100644 --- a/meta-arm/classes/tfm_sign_image.bbclass +++ b/meta-arm/classes/tfm_sign_image.bbclass @@ -35,6 +35,21 @@ DEPENDS += "trusted-firmware-m-scripts-native" # right path until this is relocated automatically. export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" +# The arguments passed to the TF-M image signing script. Override this variable +# in an image recipe to customize the arguments. +TFM_IMAGE_SIGN_ARGS ?= "\ + -v ${RE_LAYOUT_WRAPPER_VERSION} \ + --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \ + -k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \ + --public-key-format full \ + --align 1 \ + --pad \ + --pad-header \ + --measured-boot-record \ + -H ${RE_IMAGE_OFFSET} \ + -s auto \ +" + # # sign_host_image # 
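Review bot: `TFM_IMAGE_SIGN_ARGS` bundles the security-relevant options (`-k` with the signing key, `-s auto`, `--measured-boot-record`) with the layout and padding ones, so an override that reassigns the variable replaces all of them and can drop one without any diagnostic. The comment above the variable should steer users towards changing individual options, for example `# Prefer :append/:remove; reassigning the whole value also drops -k, -s and --measured-boot-record`. The value also refers to `${host_binary_layout}`, which is presumably a shell local set inside `sign_host_image` rather than a BitBake variable. If so, it only resolves where the string is spliced into that function (the `${TFM_IMAGE_SIGN_ARGS} \` line in the following hunk), and that coupling deserves a line in the same comment.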
@@ -65,16 +80,7 @@ EOF host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")" ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \ - -v ${RE_LAYOUT_WRAPPER_VERSION} \ - --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \ - -k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \ - --public-key-format full \ - --align 1 \ - --pad \ - --pad-header \ - --measured-boot-record \ - -H ${RE_IMAGE_OFFSET} \ - -s auto \ + ${TFM_IMAGE_SIGN_ARGS} \ "${1}" \ "${host_binary_signed}" } From patchwork Wed Feb 22 12:04:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19988 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9BD97C6FA99 for ; Wed, 22 Feb 2023 12:05:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.6954.1677067507163251900 for ; Wed, 22 Feb 2023 04:05:07 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C7771139F; Wed, 22 Feb 2023 04:05:49 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 619E03F881; Wed, 22 Feb 2023 04:05:06 -0800 (PST) 
From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 3/6] arm/trusted-firmware-m: Create common inc file for src definitions Date: Wed, 22 Feb 2023 12:04:38 +0000 Message-Id: <20230222120441.2684534-3-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230222120441.2684534-1-peter.hoyes@arm.com> References: <20230222120441.2684534-1-peter.hoyes@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:16 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4439 From: Peter Hoyes To try and prevent trusted-firmware-m and trusted-firmware-m-scripts from becoming out of sync in the future, create a common trusted-firmware-m-1.7.0-src.inc which defines all the repositories and their SHAs for both. Include this file in both recipes. Add a SUMMARY and DESCRIPTION to trusted-firmware-m-scripts. Update mbedtls to 3.2.1 (the recommended version for TF-M 1.7.0) Signed-off-by: Peter Hoyes --- .../trusted-firmware-m-1.7.0-src.inc | 41 +++++++++++++++++++ .../trusted-firmware-m_1.7.0.bb | 40 ++---------------- ...trusted-firmware-m-scripts-native_1.7.0.bb | 14 ++----- 3 files changed, 48 insertions(+), 47 deletions(-) create mode 100644 meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc new file mode 100644 index 00000000..7d5b4b53 --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc 
@@ -0,0 +1,41 @@ +# Common src definitions for trusted-firmware-m and trusted-firmware-m-scripts + +LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0" + +LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \ + file://../tf-m-tests/license.rst;md5=02d06ffb8d9f099ff4961c0cb0183a18 \ + file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \ + file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8" + +SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" +SRC_URI_TRUSTED_FIRMWARE_M_TESTS ?= "git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https" +SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "git://github.com/ARMmbed/mbedtls.git;protocol=https" +SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https" +SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https" +SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \ + ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \ + ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \ + ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \ + ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \ + " + +# The required dependencies are documented in tf-m/config/config_default.cmake +# TF-Mv1.7.0 +SRCBRANCH_tfm ?= "master" +SRCREV_tfm = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e" +# TF-Mv1.7.0 +SRCBRANCH_tfm-tests ?= "master" +SRCREV_tfm-tests = "4c4b58041c6c01670266690538a780b4a23d08b8" +# mbedtls-3.2.1 +SRCBRANCH_mbedtls ?= "master" +SRCREV_mbedtls = "869298bffeea13b205343361b7a7daf2b210e33d" +# v1.9.0 +SRCBRANCH_mcuboot ?= "main" +SRCREV_mcuboot = "c657cbea75f2bb1faf1fceacf972a0537a8d26dd" +# qcbor +SRCBRANCH_qcbor ?= "master" 
+SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff" + +SRCREV_FORMAT = "tfm" + +S = "${WORKDIR}/git/tfm" diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb index 8df21339..799c5d56 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb 
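Review bot: The comment above `SRCREV_mbedtls` now reads `# mbedtls-3.2.1`, but the pinned revision `869298bffeea13b205343361b7a7daf2b210e33d` is the same one the recipe carried under `# mbedtls-3.2.0` (see the removed lines in the trusted-firmware-m_1.7.0.bb hunk that follows). Either the old comment was wrong, or the update described in the commit message did not change what is fetched. The hash should be checked against the upstream tag and the comment or the revision corrected. Since this file becomes the single place where both recipes take their sources from, it would also help to name the tag behind every `SRCREV_*`; `# qcbor` gives no version at all.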
@@ -8,42 +8,9 @@ DESCRIPTION = "Trusted Firmware-M" HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" PROVIDES = "virtual/trusted-firmware-m" -LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0" - -LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \ - file://../tf-m-tests/license.rst;md5=02d06ffb8d9f099ff4961c0cb0183a18 \ - file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \ - file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8" - -SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_TESTS ?= "git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "git://github.com/ARMmbed/mbedtls.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https" -SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \ - ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \ - ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \ - ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \ - ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \ - file://rwx.patch \ - " - -# The required dependencies are documented in tf-m/config/config_default.cmake -# TF-Mv1.7.0 -SRCBRANCH_tfm ?= "master" -SRCREV_tfm = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e" -# mbedtls-3.2.0 -SRCBRANCH_mbedtls ?= "master" -SRCREV_mbedtls = "869298bffeea13b205343361b7a7daf2b210e33d" -# TF-Mv1.7.0 -SRCBRANCH_tfm-tests ?= "master" -SRCREV_tfm-tests = "4c4b58041c6c01670266690538a780b4a23d08b8" -# v1.9.0 -SRCBRANCH_mcuboot ?= "main" -SRCREV_mcuboot = 
"c657cbea75f2bb1faf1fceacf972a0537a8d26dd" -# qcbor -SRCBRANCH_qcbor ?= "master" -SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff" +require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc + +SRC_URI += "file://rwx.patch" UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P\d+(\.\d+)+)$" @@ -75,7 +42,6 @@ DEPENDS += "cmake-native \ python3-kconfiglib-native \ " -S = "${WORKDIR}/git/tfm" B = "${WORKDIR}/build" # Build for debug (set TFM_DEBUG to 1 to activate) diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb index f30c3b52..cd273593 100644 --- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb +++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb 
@@ -1,14 +1,8 @@ +SUMMARY = "Trusted Firmware image signing scripts" +DESCRIPTION = "Trusted Firmware-M image signing scripts" +HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" -SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" -SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH}" -# Use the wrapper script from TF-Mv1.7.0 -SRCBRANCH ?= "master" -SRCREV = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e" - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa" - -S = "${WORKDIR}/git" +require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc inherit native From patchwork Wed Feb 22 12:04:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19986 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A63DC64EC4 for ; Wed, 22 Feb 2023 12:05:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.7013.1677067509170243594 for ; Wed, 22 Feb 2023 04:05:09 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BEC54139F; Wed, 22 Feb 2023 04:05:51 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 3E8013F881; Wed, 22 Feb 2023 04:05:08 -0800 (PST) 
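Review bot: Requiring trusted-firmware-m-1.7.0-src.inc here makes the native scripts recipe fetch tf-m-tests, mbedtls, mcuboot and qcbor as well, and changes its `LICENSE` from `BSD-3-Clause` to `BSD-2-Clause & BSD-3-Clause & Apache-2.0`. The recipe's do_install (visible in the later scripts .inc patch) only copies files from `${S}/bl2/ext/mcuboot` in the tfm checkout. The extra repositories therefore widen the set of fetched inputs and the declared licence without contributing to the package. If sharing the SRCREVs is the goal, a comment such as `# Only the tfm checkout is used; the other repositories come from the shared src.inc` would record that this is deliberate. Otherwise the recipe could narrow `SRC_URI` and `LIC_FILES_CHKSUM` after the `require`.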
From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 4/6] arm/trusted-firmware-m: Create inc file for common config Date: Wed, 22 Feb 2023 12:04:39 +0000 Message-Id: <20230222120441.2684534-4-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230222120441.2684534-1-peter.hoyes@arm.com> References: <20230222120441.2684534-1-peter.hoyes@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:16 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4440 From: Peter Hoyes To simplify adding support for new versions of TF-M in the future, create a common .inc file with the non-version-specific configuration. Signed-off-by: Peter Hoyes --- .../trusted-firmware-m/trusted-firmware-m.inc | 118 +++++++++++++++++ .../trusted-firmware-m_1.7.0.bb | 120 +----------------- 2 files changed, 119 insertions(+), 119 deletions(-) create mode 100644 meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc new file mode 100644 index 00000000..9062df8c --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc 
@@ -0,0 +1,118 @@ +# SPDX-License-Identifier: MIT +# +# Copyright (c) 2020 Arm Limited +# + +SUMMARY = "Trusted Firmware for Cortex-M" +DESCRIPTION = "Trusted Firmware-M" +HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" +PROVIDES = "virtual/trusted-firmware-m" + +SRC_URI += "file://rwx.patch" + +UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P\d+(\.\d+)+)$" + +# Note to future readers of this recipe: until the CMakeLists don't abuse +# installation (see do_install) there is no point in trying to inherit +# cmake here. You can easily short-circuit the toolchain but the install +# is so convoluted there's no gain. + +inherit python3native deploy + +# Baremetal and we bring a compiler below +INHIBIT_DEFAULT_DEPS = "1" + +PACKAGE_ARCH = "${MACHINE_ARCH}" + +# See tools/requirements.txt for Python dependencies +DEPENDS += "cmake-native \ + ninja-native \ + gcc-arm-none-eabi-native \ + python3-cbor2-native \ + python3-click-native \ + python3-cryptography-native \ + python3-pyasn1-native \ + python3-imgtool-native \ + python3-jinja2-native \ + python3-pyyaml-native \ + python3-pyhsslms-native \ + python3-ecdsa-native \ + python3-kconfiglib-native \ +" + +B = "${WORKDIR}/build" + +# Build for debug (set TFM_DEBUG to 1 to activate) +TFM_DEBUG ?= "0" + +# Platform must be set, ideally in the machine configuration. 
+TFM_PLATFORM ?= "" +python() { + if not d.getVar("TFM_PLATFORM"): + raise bb.parse.SkipRecipe("TFM_PLATFORM needs to be set") +} + +PACKAGECONFIG ??= "" +# Whether to integrate the test suite +PACKAGECONFIG[test-secure] = "-DTEST_S=ON,-DTEST_S=OFF" +PACKAGECONFIG[test-nonsecure] = "-DTEST_NS=ON,-DTEST_NS=OFF" + +# Currently we only support using the Arm binary GCC +EXTRA_OECMAKE += "-DTFM_TOOLCHAIN_FILE=${S}/toolchain_GNUARM.cmake" + +# Don't let FetchContent download more sources during do_configure +EXTRA_OECMAKE += "-DFETCHCONTENT_FULLY_DISCONNECTED=ON" + +# Add platform parameters +EXTRA_OECMAKE += "-DTFM_PLATFORM=${TFM_PLATFORM}" + +# Handle TFM_DEBUG parameter +EXTRA_OECMAKE += "${@bb.utils.contains('TFM_DEBUG', '1', '-DCMAKE_BUILD_TYPE=Debug', '-DCMAKE_BUILD_TYPE=Release', d)}" + +# Verbose builds +EXTRA_OECMAKE += "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON" + +EXTRA_OECMAKE += "-DMBEDCRYPTO_PATH=${S}/../mbedtls -DTFM_TEST_REPO_PATH=${S}/../tf-m-tests -DMCUBOOT_PATH=${S}/../mcuboot -DQCBOR_PATH=${S}/../qcbor" + +export CMAKE_BUILD_PARALLEL_LEVEL = "${@oe.utils.parallel_make(d, False)}" + +# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application +CFLAGS[unexport] = "1" +LDFLAGS[unexport] = "1" +AS[unexport] = "1" +LD[unexport] = "1" + +# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the +# right path until this is relocated automatically. +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + +do_configure[cleandirs] = "${B}" +do_configure() { + cmake -GNinja -S ${S} -B ${B} ${EXTRA_OECMAKE} ${PACKAGECONFIG_CONFARGS} +} + +# Invoke install here as there's no point in splitting compile from install: the +# first thing the build does is 'install' inside the build tree thus causing a +# rebuild. It also overrides the install prefix to be in the build tree, so you +# can't use the usual install prefix variables. 
+do_compile() { + cmake --build ${B} -- install +} +do_compile[progress] = "outof:^\[(\d+)/(\d+)\]\s+" + +do_install() { + # TODO install headers and static libraries when we know how they're used + install -d -m 755 ${D}/firmware + install -m 0644 ${B}/bin/* ${D}/firmware/ +} + +FILES:${PN} = "/firmware" +SYSROOT_DIRS += "/firmware" + +addtask deploy after do_install +do_deploy() { + cp -rf ${D}/firmware/* ${DEPLOYDIR}/ +} + +# Build paths are currently embedded +INSANE_SKIP:${PN} += "buildpaths" diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb index 799c5d56..32e6ed34 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb 
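Review bot: `SRC_URI += "file://rwx.patch"` sits in the file that is meant to hold only version-independent settings, so every future TF-M version that requires this .inc inherits a source patch that the page shows only being used with 1.7.0. It also works only because the recipe requires trusted-firmware-m-1.7.0-src.inc first. That file assigns `SRC_URI = ...`, and with the two `require` lines in the other order the assignment would discard the patch. Moving the line back to the versioned recipe would make the dependency explicit; failing that, add `# Must be required after the versioned -src.inc, which assigns SRC_URI`.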
@@ -1,120 +1,2 @@ -# SPDX-License-Identifier: MIT -# -# Copyright (c) 2020 Arm Limited -# - -SUMMARY = "Trusted Firmware for Cortex-M" -DESCRIPTION = "Trusted Firmware-M" -HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" -PROVIDES = "virtual/trusted-firmware-m" - require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc - -SRC_URI += "file://rwx.patch" - -UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P\d+(\.\d+)+)$" - -# Note to future readers of this recipe: until the CMakeLists don't abuse -# installation (see do_install) there is no point in trying to inherit -# cmake here. You can easily short-circuit the toolchain but the install -# is so convoluted there's no gain. - -inherit python3native deploy - -# Baremetal and we bring a compiler below -INHIBIT_DEFAULT_DEPS = "1" - -PACKAGE_ARCH = "${MACHINE_ARCH}" - -# See tools/requirements.txt for Python dependencies -DEPENDS += "cmake-native \ - ninja-native \ - gcc-arm-none-eabi-native \ - python3-cbor2-native \ - python3-click-native \ - python3-cryptography-native \ - python3-pyasn1-native \ - python3-imgtool-native \ - python3-jinja2-native \ - python3-pyyaml-native \ - python3-pyhsslms-native \ - python3-ecdsa-native \ - python3-kconfiglib-native \ -" - -B = "${WORKDIR}/build" - -# Build for debug (set TFM_DEBUG to 1 to activate) -TFM_DEBUG ?= "0" - -# Platform must be set, ideally in the machine configuration. 
-TFM_PLATFORM ?= "" -python() { - if not d.getVar("TFM_PLATFORM"): - raise bb.parse.SkipRecipe("TFM_PLATFORM needs to be set") -} - -PACKAGECONFIG ??= "" -# Whether to integrate the test suite -PACKAGECONFIG[test-secure] = "-DTEST_S=ON,-DTEST_S=OFF" -PACKAGECONFIG[test-nonsecure] = "-DTEST_NS=ON,-DTEST_NS=OFF" - -# Currently we only support using the Arm binary GCC -EXTRA_OECMAKE += "-DTFM_TOOLCHAIN_FILE=${S}/toolchain_GNUARM.cmake" - -# Don't let FetchContent download more sources during do_configure -EXTRA_OECMAKE += "-DFETCHCONTENT_FULLY_DISCONNECTED=ON" - -# Add platform parameters -EXTRA_OECMAKE += "-DTFM_PLATFORM=${TFM_PLATFORM}" - -# Handle TFM_DEBUG parameter -EXTRA_OECMAKE += "${@bb.utils.contains('TFM_DEBUG', '1', '-DCMAKE_BUILD_TYPE=Debug', '-DCMAKE_BUILD_TYPE=Release', d)}" - -# Verbose builds -EXTRA_OECMAKE += "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON" - -EXTRA_OECMAKE += "-DMBEDCRYPTO_PATH=${S}/../mbedtls -DTFM_TEST_REPO_PATH=${S}/../tf-m-tests -DMCUBOOT_PATH=${S}/../mcuboot -DQCBOR_PATH=${S}/../qcbor" - -export CMAKE_BUILD_PARALLEL_LEVEL = "${@oe.utils.parallel_make(d, False)}" - -# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application -CFLAGS[unexport] = "1" -LDFLAGS[unexport] = "1" -AS[unexport] = "1" -LD[unexport] = "1" - -# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the -# right path until this is relocated automatically. -export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" - -do_configure[cleandirs] = "${B}" -do_configure() { - cmake -GNinja -S ${S} -B ${B} ${EXTRA_OECMAKE} ${PACKAGECONFIG_CONFARGS} -} - -# Invoke install here as there's no point in splitting compile from install: the -# first thing the build does is 'install' inside the build tree thus causing a -# rebuild. It also overrides the install prefix to be in the build tree, so you -# can't use the usual install prefix variables. 
-do_compile() { - cmake --build ${B} -- install -} -do_compile[progress] = "outof:^\[(\d+)/(\d+)\]\s+" - -do_install() { - # TODO install headers and static libraries when we know how they're used - install -d -m 755 ${D}/firmware - install -m 0644 ${B}/bin/* ${D}/firmware/ -} - -FILES:${PN} = "/firmware" -SYSROOT_DIRS += "/firmware" - -addtask deploy after do_install -do_deploy() { - cp -rf ${D}/firmware/* ${DEPLOYDIR}/ -} - -# Build paths are currently embedded -INSANE_SKIP:${PN} += "buildpaths" +require recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc From patchwork Wed Feb 22 12:04:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19987 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA796C6FA9D for ; Wed, 22 Feb 2023 12:05:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.6956.1677067510322111453 for ; Wed, 22 Feb 2023 04:05:10 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E7652139F; Wed, 22 Feb 2023 04:05:52 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8642A3F881; Wed, 22 Feb 2023 04:05:09 -0800 (PST) 
From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 5/6] arm/trusted-firmware-m-scripts: Create inc file for common config Date: Wed, 22 Feb 2023 12:04:40 +0000 Message-Id: <20230222120441.2684534-5-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230222120441.2684534-1-peter.hoyes@arm.com> References: <20230222120441.2684534-1-peter.hoyes@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:16 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4441 From: Peter Hoyes To simplify adding support for new versions of TF-M scripts in the future, create a common .inc file with the non-version-specific configuration. Signed-off-by: Peter Hoyes --- .../trusted-firmware-m-scripts-native.inc | 25 +++++++++++++++++ ...trusted-firmware-m-scripts-native_1.7.0.bb | 27 +------------------ 2 files changed, 26 insertions(+), 26 deletions(-) create mode 100644 meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc new file mode 100644 index 00000000..afe655f8 --- /dev/null +++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc 
@@ -0,0 +1,25 @@ +SUMMARY = "Trusted Firmware image signing scripts" +DESCRIPTION = "Trusted Firmware-M image signing scripts" +HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" + +inherit native + +# See bl2/ext/mcuboot/scripts/requirements.txt +RDEPENDS:${PN} = "\ + python3-cryptography-native \ + python3-pyasn1-native \ + python3-pyyaml-native \ + python3-cbor2-native \ + python3-imgtool-native \ + python3-click-native \ +" + +do_configure[noexec] = "1" +do_compile[noexec] = "1" + +do_install() { + install -d ${D}/${libdir} + cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts + cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts +} +FILES:${PN} = "${libdir}/tfm-scripts" diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb index cd273593..2e9e5249 100644 --- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb +++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb 
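Review bot: `cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts` installs every key file from the public upstream checkout into the native sysroot, which is where tfm_sign_image.bbclass resolves `-k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}"`. Any private key among those files is published with the source, so a signature made with it does not show that an image came from this build. Nothing in the file says so. A comment above do_install would make that clear, e.g. `# The *.pem files are upstream example keys and are public; point TFM_SIGN_PRIVATE_KEY at a protected key for production images`. The default value of `TFM_SIGN_PRIVATE_KEY` is not visible on this page, so whether a default build signs with one of these keys should be confirmed.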
@@ -1,27 +1,2 @@ -SUMMARY = "Trusted Firmware image signing scripts" -DESCRIPTION = "Trusted Firmware-M image signing scripts" -HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git" - require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc - -inherit native - -# See bl2/ext/mcuboot/scripts/requirements.txt -RDEPENDS:${PN} = "\ - python3-cryptography-native \ - python3-pyasn1-native \ - python3-pyyaml-native \ - python3-cbor2-native \ - python3-imgtool-native \ - python3-click-native \ -" - -do_configure[noexec] = "1" -do_compile[noexec] = "1" - -do_install() { - install -d ${D}/${libdir} - cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts - cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts -} -FILES:${PN} = "${libdir}/tfm-scripts" +require recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc From patchwork Wed Feb 22 12:04:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Hoyes X-Patchwork-Id: 19989 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE5D0C6FA9E for ; Wed, 22 Feb 2023 12:05:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.6959.1677067511841091151 for ; Wed, 22 Feb 2023 04:05:12 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: peter.hoyes@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 56DB4139F; Wed, 22 Feb 2023 04:05:54 -0800 (PST) Received: from e125920.cambridge.arm.com (unknown [10.1.199.64]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 
EA2F03F881; Wed, 22 Feb 2023 04:05:10 -0800 (PST) From: Peter Hoyes To: meta-arm@lists.yoctoproject.org Cc: Peter Hoyes Subject: [PATCH 6/6] arm/classes: Add sstate support to tfm_sign_images Date: Wed, 22 Feb 2023 12:04:41 +0000 Message-Id: <20230222120441.2684534-6-peter.hoyes@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230222120441.2684534-1-peter.hoyes@arm.com> References: <20230222120441.2684534-1-peter.hoyes@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Feb 2023 12:05:16 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/4442 From: Peter Hoyes Defining a task called do_deploy in an image recipe causes the license_image bbclass in OE-core to think the recipe is not an image recipe, which causes errors with license information collection if you have an image recipe which depends on an image recipe using this bbclass. To fix this, and to add support for caching the signed binaries, use a single task, do_sign_images (and its setscene task). The implementation is based on deploy.bbclass, so the sstate is responsible for installing the signed binaries in ${DEPLOY_DIR_IMAGE}, but using a different name so that license information collection still works as expected. Signed-off-by: Peter Hoyes --- .../recipes-bsp/images/corstone1000-image.bb | 3 +- meta-arm/classes/tfm_sign_image.bbclass | 28 +++++++++---------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb index 932b1619..3a1639ea 100644 --- a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb +++ b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb 
@@ -24,7 +24,8 @@ do_sign_images() { # Update BL2 in the FIP image cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} . - fiptool update --tb-fw ${TFM_IMAGE_SIGN_DIR}/signed_${TFA_BL2_BINARY} \ + fiptool update --tb-fw \ + ${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_${TFA_BL2_BINARY} \ ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} # Sign the FIP image diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass index 5ba57dc8..24df7682 100644 --- a/meta-arm/classes/tfm_sign_image.bbclass +++ b/meta-arm/classes/tfm_sign_image.bbclass @@ -6,28 +6,28 @@ # * Write the signing logic, which may call the function sign_host_image, # described below -inherit python3native deploy +inherit python3native # The output and working directory TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images" +TFM_IMAGE_SIGN_DEPLOY_DIR = "${WORKDIR}/deploy-tfm-signed-images" +SSTATETASKS += "do_sign_images" +do_sign_images[sstate-inputdirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR}" +do_sign_images[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" +do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}" +do_sign_images[cleandirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}" +do_sign_images[stamp-extra-info] = "${MACHINE_ARCH}" tfm_sign_image_do_sign_images() { : } -addtask sign_images after do_configure before do_compile -do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DIR}" +addtask sign_images after do_prepare_recipe_sysroot before do_image +EXPORT_FUNCTIONS do_sign_images -tfm_sign_image_do_deploy() { - : -} -addtask deploy after do_sign_images - -deploy_signed_images() { - cp ${TFM_IMAGE_SIGN_DIR}/signed_* ${DEPLOYDIR}/ +python do_sign_images_setscene () { + sstate_setscene(d) } -do_deploy[postfuncs] += "deploy_signed_images" - -EXPORT_FUNCTIONS do_sign_images do_deploy +addtask do_sign_images_setscene DEPENDS += "trusted-firmware-m-scripts-native" 
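Review bot: The context line `cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .` depends on the task's working directory, which matters more now that the signed BL2 is read from `${TFM_IMAGE_SIGN_DEPLOY_DIR}` while the FIP is still updated in `${TFM_IMAGE_SIGN_DIR}`. BitBake uses the last entry of `do_sign_images[dirs]` as the working directory, so the copy only lands where `fiptool update` expects it while the bbclass keeps `${TFM_IMAGE_SIGN_DIR}` last in that list. I would make the destination explicit, `cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} ${TFM_IMAGE_SIGN_DIR}/`, so a reordering in the class cannot cause a stale or different FIP to be updated and signed. The body of `do_sign_images` begins and continues outside this hunk.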
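Review bot: With `SSTATETASKS += "do_sign_images"` the `signed_*` binaries can be restored from the sstate cache, including a shared mirror, instead of being produced by a fresh signing run, so the task hash has to cover every input that determines the signature. BitBake hashes variable values rather than the contents of files those values point to; the key selection and `TFM_IMAGE_SIGN_ARGS` are defined outside this hunk, so this is unconfirmed, but if the key is referenced by path, replacing the key file at the same path would not invalidate a cached artefact signed with the old key. Consider listing the key through the `file-checksums` varflag on `do_sign_images`, or at minimum add a comment beside the `SSTATETASKS` line such as `# signed output is cached: rotating the signing key requires invalidating do_sign_images`. The same applies to any deployment that treats the sstate mirror as less trusted than the signing host, since the cache now carries release-signed images.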
@@ -77,7 +77,7 @@ enum image_attributes { }; EOF - host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")" + host_binary_signed="${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_$(basename "${1}")" ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \ ${TFM_IMAGE_SIGN_ARGS} \