| 1 | # Functionality to sign binary images using the wrapper script bundled with |
| 2 | # TF-M. Signed images are written to the deploy directory by default. |
| 3 | # To use: |
| 4 | # * Inherit this class |
| 5 | # * Override the do_sign_images task |
| 6 | # * Write the signing logic, which may call the function sign_host_image, |
| 7 | # described below |
| 8 | |
| 9 | inherit python3native deploy |
| 10 | |
# The output and working directory. sign_host_image writes its layout files
# and signed_* outputs here, and deploy_signed_images copies signed_* files
# from here into the deploy directory.
TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
| 13 | |
# Default do_sign_images implementation: a no-op placeholder. A recipe that
# inherits this class is expected to override do_sign_images with its own
# signing logic (which may call sign_host_image); with this default in place
# no image is signed.
tfm_sign_image_do_sign_images() {
    :
}
# Signing is ordered after do_configure and before do_compile.
addtask sign_images after do_configure before do_compile
# BitBake creates this directory before the task runs and uses it as the
# task's working directory. [dirs] leaves existing contents in place, so
# files from an earlier run of the task are still present.
# NOTE(review): consider whether stale signed_* files should be cleared
# (e.g. via [cleandirs]) so an old signed image cannot be deployed by mistake.
do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DIR}"
| 19 | |
# Default do_deploy implementation: a no-op. The copy of signed images is
# done by deploy_signed_images, which this class registers as a do_deploy
# post-function.
tfm_sign_image_do_deploy() {
    :
}
# Deployment is ordered after signing so the signed_* files exist first.
addtask deploy after do_sign_images
| 24 | |
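# Copy every signed image (signed_*) from the signing directory into the
# deploy directory. Registered below as a do_deploy post-function.
#
# The task fails if no signed image exists: deploying nothing would otherwise
# go unnoticed, for example when do_sign_images was never overridden.
#
# NOTE(review): do_sign_images[dirs] does not empty ${TFM_IMAGE_SIGN_DIR}, so
# signed_* files left over from an earlier run are deployed as well.
deploy_signed_images() {
    deployed_any=0
    # Paths are quoted so a WORKDIR or DEPLOYDIR containing whitespace does
    # not split into several cp arguments.
    for signed_image in "${TFM_IMAGE_SIGN_DIR}"/signed_*; do
        # An unmatched glob is left as the literal pattern; skip it.
        [ -e "$signed_image" ] || continue
        cp "$signed_image" "${DEPLOYDIR}/"
        deployed_any=1
    done

    if [ "$deployed_any" -ne 1 ]; then
        bbfatal "deploy_signed_images: no signed_* images found in ${TFM_IMAGE_SIGN_DIR}"
    fi
}
do_deploy[postfuncs] += "deploy_signed_images"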
| 29 | |
# Expose the tfm_sign_image_-prefixed defaults defined in this class as the
# do_sign_images and do_deploy tasks, so an inheriting recipe can override
# them.
EXPORT_FUNCTIONS do_sign_images do_deploy

# Native TF-M scripts; presumably this is what stages
# tfm-scripts/wrapper/wrapper.py used by sign_host_image (confirm against the
# trusted-firmware-m-scripts-native recipe).
DEPENDS += "trusted-firmware-m-scripts-native"

# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
# right path until this is relocated automatically.
# Because the variable is exported, it is set in the environment of every
# shell task of the inheriting recipe, not only do_sign_images.
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
| 37 | |
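#
# sign_host_image
#
# Description:
#
#    A generic function that signs a host image using the MCUBOOT format.
#    It writes a layout file holding the load address and the signed size,
#    then runs the TF-M wrapper script on the binary with the private key
#    named by TFM_SIGN_PRIVATE_KEY.
#
# Arguments:
#
#    $1 ... path of binary to sign
#    $2 ... load address of the given binary
#    $3 ... signed binary size
#
# Note: The signed binary is written to ${TFM_IMAGE_SIGN_DIR} as
#       signed_<basename of $1>. The layout file is written to the same
#       directory as <basename of $1 without .bin>_ns.
#
# Security notes:
#
#    * The private key is read from
#      ${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}.
#      NOTE(review): a key staged into a build sysroot is readable by
#      everything that runs in the build; confirm that production images are
#      signed with a key that is not distributed with the sources.
#    * $2 and $3 are substituted verbatim into the layout file, so they must
#      come from recipe variables, never from externally supplied data.
#
sign_host_image() {
    # Stop early on missing inputs: an empty address or size would produce a
    # malformed layout file, and the wrapper's own error is harder to read.
    if [ "$#" -lt 3 ] || [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ]; then
        bbfatal "sign_host_image: expected <binary> <load address> <signed size>"
    fi
    if [ ! -f "${1}" ]; then
        bbfatal "sign_host_image: binary to sign not found: ${1}"
    fi

    # Check the key before signing so a wrong or unset TFM_SIGN_PRIVATE_KEY is
    # reported as such instead of surfacing as a wrapper failure.
    tfm_sign_key="${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}"
    if [ ! -f "$tfm_sign_key" ]; then
        bbfatal "sign_host_image: signing key not found: $tfm_sign_key (check TFM_SIGN_PRIVATE_KEY)"
    fi

    host_binary_filename="$(basename -s .bin "${1}")"
    host_binary_layout="${host_binary_filename}_ns"

    # The redirect target is quoted so a path with whitespace stays one word.
    cat << EOF > "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}"
enum image_attributes {
    RE_IMAGE_LOAD_ADDRESS = ${2},
    RE_SIGN_BIN_SIZE = ${3},
};
EOF

    host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"

    # The version and header-size values are quoted: if either variable is
    # empty, the wrapper then receives an empty argument and rejects it,
    # instead of silently taking the next option as the value.
    ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
        -v "${RE_LAYOUT_WRAPPER_VERSION}" \
        --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
        -k "$tfm_sign_key" \
        --public-key-format full \
        --align 1 \
        --pad \
        --pad-header \
        -H "${RE_IMAGE_OFFSET}" \
        -s auto \
        "${1}" \
        "${host_binary_signed}"
}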