Skip to content

Commit e2af612

Browse files
urutvaPatater
authored andcommitted
tools: Musca B1 signing strategy
Currently, the final binary (TF-M + Mbed OS) is signed after concatenating TF-M and Mbed OS binaries. But TF-M signs the images separately and then concatenates them. Update the Musca B1 signing strategy to match TF-M. Signed-off-by: Devaraj Ranganna <[email protected]>
1 parent dc22d89 commit e2af612

File tree

4 files changed

+49
-39
lines changed

4 files changed

+49
-39
lines changed

targets/TARGET_ARM_SSG/TARGET_MUSCA_B1/partition/image_macros_preprocessed.c

Lines changed: 0 additions & 24 deletions
This file was deleted.
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
enum image_attributes {
2+
RE_SECURE_IMAGE_OFFSET = (0x0),
3+
RE_SECURE_IMAGE_MAX_SIZE = (0x60000),
4+
RE_NON_SECURE_IMAGE_OFFSET = ((0x0) + (0x60000)),
5+
RE_NON_SECURE_IMAGE_MAX_SIZE = (0x80000),
6+
RE_SIGN_BIN_SIZE = ((0x80000)),
7+
};
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
enum image_attributes {
2+
RE_SECURE_IMAGE_OFFSET = (0x0),
3+
RE_SECURE_IMAGE_MAX_SIZE = (0x60000),
4+
RE_NON_SECURE_IMAGE_OFFSET = ((0x0) + (0x60000)),
5+
RE_NON_SECURE_IMAGE_MAX_SIZE = (0x80000),
6+
RE_SIGN_BIN_SIZE = ((0x60000)),
7+
};

tools/targets/ARM_MUSCA_B1.py

Lines changed: 35 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -40,43 +40,63 @@ def musca_tfm_bin(t_self, non_secure_bin, secure_bin):
4040
os.makedirs(tempdir)
4141
flash_layout = path_join(MUSCA_B1_BASE, 'partition', 'flash_layout.h')
4242
mcuboot_bin = path_join(MUSCA_B1_BASE, 'prebuilt', 'mcuboot.bin')
43-
image_macros = path_join(MUSCA_B1_BASE, 'partition', 'image_macros_preprocessed.c')
43+
image_macros_s = path_join(MUSCA_B1_BASE, 'partition', 'image_macros_preprocessed_s.c')
44+
image_macros_ns = path_join(MUSCA_B1_BASE, 'partition', 'image_macros_preprocessed_ns.c')
45+
s_bin_name, s_bin_ext = splitext(basename(secure_bin))
46+
s_signed_bin = path_join(tempdir, s_bin_name + '_signed' + s_bin_ext)
4447
ns_bin_name, ns_bin_ext = splitext(basename(non_secure_bin))
45-
concatenated_bin = path_join(tempdir, 'tfm_' + ns_bin_name + ns_bin_ext)
46-
signed_bin = path_join(tempdir, 'tfm_' + ns_bin_name + '_signed' + ns_bin_ext)
48+
ns_signed_bin = path_join(tempdir, 'tfm_' + ns_bin_name + '_signed' + ns_bin_ext)
49+
concatenated_bin = path_join(tempdir, s_bin_name + '_' + ns_bin_name + '_concat' + ns_bin_ext)
4750

48-
assert os.path.isfile(image_macros)
51+
assert os.path.isfile(image_macros_s)
52+
assert os.path.isfile(image_macros_ns)
4953

50-
#1. Concatenate secure TFM and non-secure mbed binaries
51-
output = Assembly(image_macros, concatenated_bin)
52-
output.add_image(secure_bin, "SECURE")
53-
output.add_image(non_secure_bin, "NON_SECURE")
54+
#1. Run imgtool to sign the secure binary
55+
sign_args = Namespace(
56+
layout=image_macros_s,
57+
key=path_join(SCRIPT_DIR, 'musca_b1-root-rsa-3072.pem'),
58+
public_key_format=None,
59+
align=1,
60+
dependencies=None,
61+
version=version.decode_version('1.0'),
62+
header_size=0x400,
63+
security_counter=None,
64+
rsa_pkcs1_15=False,
65+
included_header=False,
66+
infile=secure_bin,
67+
outfile=s_signed_bin
68+
)
69+
do_sign(sign_args)
5470

55-
#2. Run imgtool to sign the concatenated binary
71+
#2. Run imgtool to sign the non-secure mbed binary
5672
sign_args = Namespace(
57-
layout=image_macros,
73+
layout=image_macros_ns,
5874
key=path_join(SCRIPT_DIR, 'musca_b1-root-rsa-3072.pem'),
5975
public_key_format=None,
6076
align=1,
6177
dependencies=None,
6278
version=version.decode_version('1.0'),
6379
header_size=0x400,
64-
pad=0xE0000,
6580
security_counter=None,
6681
rsa_pkcs1_15=False,
6782
included_header=False,
68-
infile=concatenated_bin,
69-
outfile=signed_bin
83+
infile=non_secure_bin,
84+
outfile=ns_signed_bin
7085
)
7186
do_sign(sign_args)
7287

88+
#1. Concatenate signed secure TFM and non-secure mbed binaries
89+
output = Assembly(image_macros_s, concatenated_bin)
90+
output.add_image(s_signed_bin, "SECURE")
91+
output.add_image(ns_signed_bin, "NON_SECURE")
92+
7393
#3. Concatenate mcuboot and signed binary and overwrite mbed built binary file
7494
mcuboot_image_size = find_bl2_size(flash_layout)
75-
with open(mcuboot_bin, "rb") as mcuboot_fh, open(signed_bin, "rb") as signed_fh:
95+
with open(mcuboot_bin, "rb") as mcuboot_fh, open(concatenated_bin, "rb") as concat_fh:
7696
with open(non_secure_bin, "w+b") as out_fh:
7797
out_fh.write(mcuboot_fh.read())
7898
out_fh.seek(mcuboot_image_size)
79-
out_fh.write(signed_fh.read())
99+
out_fh.write(concat_fh.read())
80100

81101

82102
def find_bl2_size(configFile):

0 commit comments

Comments
 (0)