# Functionality to sign binary images using the wrapper script bundled with
# TF-M. Signed images are written to the deploy directory by default.
# To use:
# * Inherit this class
# * Override the do_sign_images task
# * Write the signing logic, which may call the function sign_host_image,
#   described below

# python3native supplies ${PYTHON}, which sign_host_image below uses to run
# the TF-M wrapper script.
inherit python3native

# The output and working directory
# TFM_IMAGE_SIGN_DIR receives the generated layout files; the signed binaries
# are collected in TFM_IMAGE_SIGN_DEPLOY_DIR, which is the sstate input of
# do_sign_images.
TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
TFM_IMAGE_SIGN_DEPLOY_DIR = "${WORKDIR}/deploy-tfm-signed-images"

# do_sign_images is shared-state cached: the contents of the deploy staging
# directory are captured as the sstate object and placed into DEPLOY_DIR_IMAGE.
SSTATETASKS += "do_sign_images"
do_sign_images[sstate-inputdirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR}"
do_sign_images[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
# Both directories are created before the task runs and wiped first, so layout
# files or signed images from a previous run cannot leak into this one.
do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
do_sign_images[cleandirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
# Signed images are machine-specific, so the task stamp is keyed on MACHINE_ARCH.
do_sign_images[stamp-extra-info] = "${MACHINE_ARCH}"
# Default no-op body for do_sign_images so the task always exists; a recipe
# inheriting this class replaces it with its own signing logic (typically a
# call to sign_host_image per binary).
tfm_sign_image_do_sign_images() {
    true
}
# Run after the native sysroot is staged (the wrapper script and the key path
# passed via -k both live there) and before do_image, presumably so the signed
# binaries are in place when the image is assembled — confirm against callers.
addtask sign_images after do_prepare_recipe_sysroot before do_image
# Expose the default body as do_sign_images so inheriting recipes can override it.
EXPORT_FUNCTIONS do_sign_images

# Setscene variant: restore the do_sign_images output from shared state
# instead of signing again.
python do_sign_images_setscene () {
    sstate_setscene(d)
}
addtask do_sign_images_setscene

# Provides the TF-M scripts in the native sysroot; sign_host_image invokes
# wrapper.py from STAGING_LIBDIR_NATIVE/tfm-scripts.
DEPENDS += "trusted-firmware-m-scripts-native"

# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
# right path until this is relocated automatically.
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"

# The arguments passed to the TF-M image signing script. Override this variable
# in an image recipe to customize the arguments.
#
# Expansion notes:
# * ${host_binary_layout} is a shell variable assigned inside sign_host_image,
#   so this list only resolves correctly when expanded from that function.
# * RE_LAYOUT_WRAPPER_VERSION and RE_IMAGE_OFFSET are not defined in this
#   class; presumably the image recipe or machine config sets them — confirm.
#
# NOTE(review): -k reads the private key from the native sysroot, i.e. from
# whatever build dependency installs TFM_SIGN_PRIVATE_KEY (presumably the TF-M
# scripts package). A key distributed with build tooling should be treated as
# a development key; a production build needs TFM_SIGN_PRIVATE_KEY (or this
# whole variable) pointed at protected key material — confirm per product.
TFM_IMAGE_SIGN_ARGS ?= "\
    -v ${RE_LAYOUT_WRAPPER_VERSION} \
    --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
    -k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
    --public-key-format full \
    --align 1 \
    --pad \
    --pad-header \
    --measured-boot-record \
    -H ${RE_IMAGE_OFFSET} \
    -s auto \
"

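#
# sign_host_image
#
# Description:
#
# A generic function that signs a host image
# using MCUBOOT format
#
# Arguments:
#
# $1 ... path of binary to sign
# $2 ... load address of the given binary
# $3 ... signed binary size
#
# Note: The signed binary is written to ${TFM_IMAGE_SIGN_DEPLOY_DIR} as
# signed_<basename of $1>; the generated layout file is written to
# ${TFM_IMAGE_SIGN_DIR}. Fails the task (bbfatal) if an argument is missing.
#
sign_host_image() {
    # Fail early with a clear message instead of emitting a layout file with
    # empty enum values and leaving the wrapper to report an obscure error.
    if [ $# -lt 3 ] || [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ]; then
        bbfatal "sign_host_image: expected <binary> <load address> <signed size>, got: $*"
    fi

    host_binary_filename="$(basename -s .bin "${1}")"
    # TFM_IMAGE_SIGN_ARGS references ${host_binary_layout} for --layout, so it
    # must be assigned before the wrapper is invoked below.
    host_binary_layout="${host_binary_filename}_ns"

    # Layout file consumed by the wrapper: load address and signed size.
    cat << EOF > "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}"
enum image_attributes {
    RE_IMAGE_LOAD_ADDRESS = ${2},
    RE_SIGN_BIN_SIZE = ${3},
};
EOF

    # The output goes to the sstate input directory of do_sign_images.
    host_binary_signed="${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_$(basename "${1}")"

    # TFM_IMAGE_SIGN_ARGS is deliberately unquoted: it is a list of options.
    ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
        ${TFM_IMAGE_SIGN_ARGS} \
        "${1}" \
        "${host_binary_signed}"
}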