suit: Build system changes to signing process

This commit allows to sign the envelopes during the
build process using the new, more robust method.

Signed-off-by: Artur Hadasz <[email protected]>

Author: ahasztag

cmake/sysbuild/suit.cmake

@@ -21,29 +21,6 @@ function(suit_set_absolute_or_relative_path path relative_root output_variable)
   set(${output_variable} "${path}" PARENT_SCOPE)
 endfunction()
 
-# Sign an envelope using SIGN_SCRIPT.
-#
-# Usage:
-#   suit_sign_envelope(<input_file> <output_file>)
-#
-# Parameters:
-#   'input_file' - path to input unsigned envelope
-#   'output_file' - path to output signed envelope
-function(suit_sign_envelope input_file output_file)
-  cmake_path(GET ZEPHYR_NRF_MODULE_DIR PARENT_PATH NRF_DIR_PARENT)
-  suit_set_absolute_or_relative_path(${SB_CONFIG_SUIT_ENVELOPE_SIGN_SCRIPT} ${NRF_DIR_PARENT} SIGN_SCRIPT)
-  if(NOT EXISTS ${SIGN_SCRIPT})
-    message(SEND_ERROR "DFU: ${SB_CONFIG_SUIT_ENVELOPE_SIGN_SCRIPT} does not exist. Corrupted configuration?")
-    return()
-  endif()
-  set_property(
-    GLOBAL APPEND PROPERTY SUIT_POST_BUILD_COMMANDS
-    COMMAND ${PYTHON_EXECUTABLE} ${SIGN_SCRIPT}
-    --input-file ${input_file}
-    --output-file ${output_file}
-  )
-endfunction()
-
 # Register SUIT post build commands.
 #
 # Usage:
@@ -237,14 +214,16 @@ function(suit_create_package)
   set(STORAGE_BOOT_ARGS)
   sysbuild_get(app_config_dir IMAGE ${DEFAULT_IMAGE} VAR APPLICATION_CONFIG_DIR CACHE)
   get_property(SUIT_KMS_SCRIPT GLOBAL PROPERTY SUIT_KMS_SCRIPT)
+  get_property(SUIT_SIGN_SCRIPT GLOBAL PROPERTY SUIT_SIGN_SCRIPT)
+
   # If the user has not provided the path to the kms script, use the default one.
   if(NOT SUIT_KMS_SCRIPT)
     set(SUIT_KMS_SCRIPT "${ZEPHYR_SUIT_GENERATOR_MODULE_DIR}/ncs/basic_kms.py")
   endif()
 
-
-  if(NOT DEFINED SB_CONFIG_SUIT_ENVELOPE_SIGN)
-    set(SB_CONFIG_SUIT_ENVELOPE_SIGN FALSE)
+  # If the user has not provided the path to the sign script, use the default one.
+  if(NOT SUIT_SIGN_SCRIPT)
+    set(SUIT_SIGN_SCRIPT "${ZEPHYR_SUIT_GENERATOR_MODULE_DIR}/ncs/sign_script.py")
   endif()
 
   list(APPEND CORE_ARGS
@@ -345,7 +324,28 @@ function(suit_create_package)
     set(ENVELOPE_SUIT_FILE ${SUIT_ROOT_DIRECTORY}${target}.suit)
 
     suit_render_template(${INPUT_ENVELOPE_JINJA_FILE} ${ENVELOPE_YAML_FILE} "${TEMPLATE_ARGS}")
-    suit_create_envelope(${ENVELOPE_YAML_FILE} ${ENVELOPE_SUIT_FILE} ${SB_CONFIG_SUIT_ENVELOPE_SIGN})
+    suit_create_envelope(${ENVELOPE_YAML_FILE} ${ENVELOPE_SUIT_FILE})
+
+    unset(sign_envelope)
+    sysbuild_get(sign_envelope IMAGE ${image} VAR CONFIG_SUIT_ENVELOPE_TARGET_SIGN KCONFIG)
+    if(sign_envelope)
+      set(SUIT_SIGN_ARGS)
+      unset(sign_key_id)
+      unset(sign_private_key_name)
+      unset(sign_alg_name)
+
+      sysbuild_get(sign_key_id IMAGE ${image} VAR CONFIG_SUIT_ENVELOPE_TARGET_SIGN_KEY_ID KCONFIG)
+      sysbuild_get(sign_private_key_name IMAGE ${image} VAR CONFIG_SUIT_ENVELOPE_TARGET_SIGN_PRIVATE_KEY_NAME KCONFIG)
+      sysbuild_get(sign_alg_name IMAGE ${image} VAR CONFIG_SUIT_ENVELOPE_TARGET_SIGN_ALG_NAME KCONFIG)
+
+      list(APPEND SUIT_SIGN_ARGS --key-name ${sign_private_key_name})
+      list(APPEND SUIT_SIGN_ARGS --key-id ${sign_key_id})
+      list(APPEND SUIT_SIGN_ARGS --alg ${sign_alg_name})
+      list(APPEND SUIT_SIGN_ARGS --context ${SB_CONFIG_SUIT_ENVELOPE_KMS_SCRIPT_CONTEXT})
+      list(APPEND SUIT_SIGN_ARGS --kms-script ${SUIT_KMS_SCRIPT})
+
+      suit_sign_envelope(${ENVELOPE_SUIT_FILE} ${ENVELOPE_SUIT_FILE} "${SUIT_SIGN_ARGS}" ${SUIT_SIGN_SCRIPT})
+    endif()
 
     unset(recovery)
     sysbuild_get(recovery IMAGE ${image} VAR CONFIG_SUIT_RECOVERY KCONFIG)
@@ -444,10 +444,23 @@ function(suit_create_package)
       set(APP_RECOVERY_ENVELOPE_YAML_FILE ${SUIT_ROOT_DIRECTORY}${APP_RECOVERY_NAME}.yaml)
       set(APP_RECOVERY_ENVELOPE_SUIT_FILE ${SUIT_ROOT_DIRECTORY}${APP_RECOVERY_NAME}.suit)
       suit_render_template(${INPUT_APP_RECOVERY_ENVELOPE_JINJA_FILE} ${APP_RECOVERY_ENVELOPE_YAML_FILE} "${TEMPLATE_ARGS}")
-      suit_create_envelope(${APP_RECOVERY_ENVELOPE_YAML_FILE} ${APP_RECOVERY_ENVELOPE_SUIT_FILE} ${SB_CONFIG_SUIT_ENVELOPE_SIGN})
-        list(APPEND STORAGE_BOOT_ARGS
-          --input-envelope ${APP_RECOVERY_ENVELOPE_SUIT_FILE}
-        )
+      suit_create_envelope(${APP_RECOVERY_ENVELOPE_YAML_FILE} ${APP_RECOVERY_ENVELOPE_SUIT_FILE})
+
+      if(SB_CONFIG_SUIT_ENVELOPE_APP_RECOVERY_SIGN)
+        set(SUIT_SIGN_ARGS)
+
+        list(APPEND SUIT_SIGN_ARGS --key-name ${SB_CONFIG_SUIT_ENVELOPE_APP_RECOVERY_SIGN_PRIVATE_KEY_NAME})
+        list(APPEND SUIT_SIGN_ARGS --key-id ${SB_CONFIG_SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_ID})
+        list(APPEND SUIT_SIGN_ARGS --alg ${SB_CONFIG_SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_NAME})
+        list(APPEND SUIT_SIGN_ARGS --context ${SB_CONFIG_SUIT_ENVELOPE_KMS_SCRIPT_CONTEXT})
+        list(APPEND SUIT_SIGN_ARGS --kms-script ${SUIT_KMS_SCRIPT})
+
+        suit_sign_envelope(${APP_RECOVERY_ENVELOPE_SUIT_FILE} ${APP_RECOVERY_ENVELOPE_SUIT_FILE} "${SUIT_SIGN_ARGS}" ${SUIT_SIGN_SCRIPT})
+      endif()
+
+      list(APPEND STORAGE_BOOT_ARGS
+        --input-envelope ${APP_RECOVERY_ENVELOPE_SUIT_FILE}
+      )
       set_property(GLOBAL APPEND PROPERTY SUIT_RECOVERY_DFU_ARTIFACTS ${APP_RECOVERY_ENVELOPE_SUIT_FILE})
     endif()
   endif()
@@ -491,7 +504,20 @@ function(suit_create_package)
     set(ROOT_ENVELOPE_YAML_FILE ${SUIT_ROOT_DIRECTORY}${ROOT_NAME}.yaml)
     set(ROOT_ENVELOPE_SUIT_FILE ${SUIT_ROOT_DIRECTORY}${ROOT_NAME}.suit)
     suit_render_template(${INPUT_ROOT_ENVELOPE_JINJA_FILE} ${ROOT_ENVELOPE_YAML_FILE} "${TEMPLATE_ARGS}")
-    suit_create_envelope(${ROOT_ENVELOPE_YAML_FILE} ${ROOT_ENVELOPE_SUIT_FILE} ${SB_CONFIG_SUIT_ENVELOPE_SIGN})
+    suit_create_envelope(${ROOT_ENVELOPE_YAML_FILE} ${ROOT_ENVELOPE_SUIT_FILE})
+
+    if(SB_CONFIG_SUIT_ENVELOPE_ROOT_SIGN)
+      set(SUIT_SIGN_ARGS)
+
+      list(APPEND SUIT_SIGN_ARGS --key-name ${SB_CONFIG_SUIT_ENVELOPE_ROOT_SIGN_PRIVATE_KEY_NAME})
+      list(APPEND SUIT_SIGN_ARGS --key-id ${SB_CONFIG_SUIT_ENVELOPE_ROOT_SIGN_KEY_ID})
+      list(APPEND SUIT_SIGN_ARGS --alg ${SB_CONFIG_SUIT_ENVELOPE_ROOT_SIGN_ALG_NAME})
+      list(APPEND SUIT_SIGN_ARGS --context ${SB_CONFIG_SUIT_ENVELOPE_KMS_SCRIPT_CONTEXT})
+      list(APPEND SUIT_SIGN_ARGS --kms-script ${SUIT_KMS_SCRIPT})
+
+      suit_sign_envelope(${ROOT_ENVELOPE_SUIT_FILE} ${ROOT_ENVELOPE_SUIT_FILE} "${SUIT_SIGN_ARGS}" ${SUIT_SIGN_SCRIPT})
+    endif()
+
       list(APPEND STORAGE_BOOT_ARGS
         --input-envelope ${ROOT_ENVELOPE_SUIT_FILE}
       )

cmake/sysbuild/suit_utilities.cmake

@@ -75,7 +75,7 @@ endfunction()
 #   'input_file' - path to input yaml configuration
 #   'output_file' - path to output binary suit envelope
 #   'create_signature' - sign the envelope if set to true
-function(suit_create_envelope input_file output_file create_signature)
+function(suit_create_envelope input_file output_file)
   set_property(
     GLOBAL APPEND PROPERTY SUIT_POST_BUILD_COMMANDS
     COMMAND ${PYTHON_EXECUTABLE} ${SUIT_GENERATOR_CLI_SCRIPT}
@@ -84,10 +84,6 @@ function(suit_create_envelope input_file output_file create_signature)
     --output-file ${output_file}
     BYPRODUCTS ${output_file}
   )
-
-  if (create_signature AND SB_CONFIG_SUIT_ENVELOPE_SIGN_SCRIPT)
-    suit_sign_envelope(${output_file} ${output_file})
-  endif()
 endfunction()
 
 # Create a SUIT DFU cache partition file from a list of payloads.
@@ -188,7 +184,7 @@ function(suit_encrypt_image args output_directory)
   endif()
 
   if(NOT EXISTS ${encrypt_script})
-    message(SEND_ERROR "DFU: ${encrypt_script} does not exist. Corrupted configuration?")
+    message(SEND_ERROR "DFU: Encrypt script ${encrypt_script} does not exist. Corrupted configuration?")
     return()
   endif()
 
@@ -207,3 +203,31 @@ function(suit_encrypt_image args output_directory)
     ${args}
   )
 endfunction()
+
+# Sign an envelope using the sign script.
+#
+# Usage:
+#   suit_sign_envelope(<input_file> <output_file>)
+#
+# Parameters:
+#   'input_file' - path to input unsigned envelope
+#   'output_file' - path to output signed envelope
+#   'args' - list of other arguments for the sign script
+#   'sign_script_path' - path to the sign script
+function(suit_sign_envelope input_file output_file args sign_script_path)
+  if(NOT EXISTS ${sign_script_path})
+    message(SEND_ERROR "DFU: Sign script ${sign_script_path} does not exist. Corrupted configuration?")
+    return()
+  endif()
+  list(APPEND args "--input-envelope" "${input_file}")
+  list(APPEND args "--output-envelope" "${output_file}")
+  list(APPEND args "--sign-script" "${sign_script_path}")
+
+  set_property(
+    GLOBAL APPEND PROPERTY SUIT_POST_BUILD_COMMANDS
+    COMMAND ${PYTHON_EXECUTABLE} ${SUIT_GENERATOR_CLI_SCRIPT}
+    sign
+    single-level
+    ${args}
+  )
+endfunction()

sysbuild/Kconfig.suit

@@ -14,11 +14,6 @@ menuconfig SUIT_ENVELOPE
 
 if SUIT_ENVELOPE
 
-config SUIT_ENVELOPE_SIGN
-	bool "Sign created SUIT envelope"
-	help
-	  Sign created SUIT envelope by external script
-
 config SUIT_ENVELOPE_ROOT_TEMPLATE_FILENAME
 	string "Name of the default root envelope template"
 	default "root_with_binary_nordic_top.yaml.jinja2"
@@ -27,19 +22,6 @@ config SUIT_ENVELOPE_ROOT_TEMPLATE_FILENAME
 	  name in the suit/<soc> directory inside the application directory. If the file is not found
 	  the default template from the base template directory is used.
 
-
-config SUIT_ENVELOPE_SIGN_SCRIPT
-	string "Location of SUIT sign script"
-	depends on SUIT_ENVELOPE_SIGN
-	default "modules/lib/suit-generator/ncs/sign_script.py"
-	help
-	  Python script called to sign SUIT envelope.
-	  You can use either absolute or relative path.
-	  In case relative path is used, the build system uses NRF parent directory.
-	  Script need to accept two arguments:
-	  - --input-file <STRING> - location of unsigned envelope in the build system
-	  - --output-file <STRING> - location of signed envelope to create by script
-
 config SUIT_ENVELOPE_BASIC_KMS_SCRIPT_KEY_DIRECTORY
 	string "The directory in which the keys are stored"
 	default "${ZEPHYR_SUIT_GENERATOR_MODULE_DIR}/ncs"
@@ -90,6 +72,67 @@ config SUIT_ENVELOPE_NORDIC_TOP_CACHE_PARTITION_NUM
 
 endif # SUIT_ENVELOPE_NORDIC_TOP_IN_ROOT
 
+config SUIT_ENVELOPE_ROOT_SIGN
+	bool "Sign the root envelope"
+
+if SUIT_ENVELOPE_ROOT_SIGN
+
+choice SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN
+	prompt "SUIT root envelope signing key generation"
+	default SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN1
+
+config SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN1
+	bool "Key generation 1"
+
+config SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN2
+	bool "Key generation 2"
+
+config SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN3
+	bool "Key generation 3"
+
+endchoice
+
+config SUIT_ENVELOPE_ROOT_SIGN_KEY_ID
+	hex "The key ID used to identify the OEM root public key on the device"
+	default 0x4000AA00 if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN1
+	default 0x4000AA01 if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN2
+	default 0x4000AA02 if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN3
+	help
+	  This string is translated to the numeric KEY ID by the encryption script
+
+config SUIT_ENVELOPE_ROOT_SIGN_PRIVATE_KEY_NAME
+	string "Name of the private key used for signing - to identify the key in the KMS"
+	default "MANIFEST_OEM_ROOT_GEN1_priv" if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN1
+	default "MANIFEST_OEM_ROOT_GEN2_priv" if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN2
+	default "MANIFEST_OEM_ROOT_GEN3_priv" if SUIT_ENVELOPE_ROOT_SIGN_KEY_GEN3
+
+choice SUIT_ENVELOPE_ROOT_SIGN_ALG
+	prompt "Algorithm used to sign the root envelope"
+	default SUIT_ENVELOPE_ROOT_SIGN_ALG_EDDSA
+
+config SUIT_ENVELOPE_ROOT_SIGN_ALG_EDDSA
+	bool "Use the EdDSA algorithm"
+
+config SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_256
+	bool "Use the ECDSA algorithm with key length of 256 bits"
+
+config SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_384
+	bool "Use the ECDSA algorithm with key length of 384 bits"
+
+config SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_521
+	bool "Use the ECDSA algorithm with key length of 521 bits"
+
+endchoice
+
+config SUIT_ENVELOPE_ROOT_SIGN_ALG_NAME
+	string "String name of the algorithm used to sign the root envelope"
+	default "eddsa" if SUIT_ENVELOPE_ROOT_SIGN_ALG_EDDSA
+	default "es-256" if SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_256
+	default "es-384" if SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_384
+	default "es-521" if SUIT_ENVELOPE_ROOT_SIGN_ALG_ECDSA_521
+
+endif # SUIT_ENVELOPE_ROOT_SIGN
+
 config SUIT_BASE_MANIFEST_TEMPLATE_DIR
 	string "Base manifest directory"
 	default "${ZEPHYR_NRF_MODULE_DIR}/config/suit/templates"
@@ -164,6 +207,67 @@ config SUIT_ENVELOPE_APP_RECOVERY_ARTIFACT_NAME
 	help
 	  Name of the root SUIT artifact.
 
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN
+	bool "Sign the app recovery envelope"
+
+if SUIT_ENVELOPE_APP_RECOVERY_SIGN
+
+choice SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN
+	prompt "SUIT app recovery envelope signing key generation"
+	default SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN1
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN1
+	bool "Key generation 1"
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN2
+	bool "Key generation 2"
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN3
+	bool "Key generation 3"
+
+endchoice
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_ID
+	hex "The key ID used to identify the app recovery public key on the device"
+	default 0x40022100 if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN1
+	default 0x40022101 if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN2
+	default 0x40022102 if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN3
+	help
+	  This string is translated to the numeric KEY ID by the encryption script
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_PRIVATE_KEY_NAME
+	string "Name of the private key used for signing - to identify the key in the KMS"
+	default "MANIFEST_APPLICATION_GEN1_priv" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN1
+	default "MANIFEST_APPLICATION_GEN2_priv" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN2
+	default "MANIFEST_APPLICATION_GEN3_priv" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_KEY_GEN3
+
+choice SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG
+	prompt "Algorithm used to sign the app recovery envelope"
+	default SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_EDDSA
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_EDDSA
+	bool "Use the EdDSA algorithm"
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_256
+	bool "Use the ECDSA algorithm with key length of 256 bits"
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_384
+	bool "Use the ECDSA algorithm with key length of 384 bits"
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_521
+	bool "Use the ECDSA algorithm with key length of 521 bits"
+
+endchoice
+
+config SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_NAME
+	string "String name of the algorithm used to sign the app recovery envelope"
+	default "eddsa" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_EDDSA
+	default "es-256" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_256
+	default "es-384" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_384
+	default "es-521" if SUIT_ENVELOPE_APP_RECOVERY_SIGN_ALG_ECDSA_521
+
+endif # SUIT_ENVELOPE_APP_RECOVERY_SIGN
+
 endif # SUIT_BUILD_RECOVERY
 
 config SUIT_BUILD_FLASH_COMPANION

tests/subsys/suit/manifest_common/regenerate.sh

@@ -10,6 +10,7 @@ generated_files=()
 SUIT_PROCESSOR_DIR="../../../../../modules/lib/suit-processor"
 SUIT_GENERATOR_DIR="../../../../../modules/lib/suit-generator"
 SIGN_SCRIPT=${SUIT_GENERATOR_DIR}/ncs/sign_script.py
+KMS_SCRIPT=${SUIT_GENERATOR_DIR}/ncs/basic_kms.py
 KEYS_DIR=${SUIT_GENERATOR_DIR}/ncs
 
 if [ -z "$1" ]
@@ -30,21 +31,6 @@ if [ ! -f key_private.pem ]; then
   generated_files+=("\tpublic key:\t\t$PWD/key_public.pem")
 fi
 
-    # 0x4000AA00: Path(__file__).parent / "key_private_OEM_ROOT_GEN1.pem",
-    # 0x40022100: Path(__file__).parent / "key_private_APPLICATION_GEN1.pem",
-    # 0x40032100: Path(__file__).parent / "key_private_RADIO_GEN1.pem",
-if [ ! -f key_private_OEM_ROOT_GEN1.pem ]; then
-  cp key_private.pem key_private_OEM_ROOT_GEN1.pem
-fi
-
-if [ ! -f key_private_APPLICATION_GEN1.pem ]; then
-  cp key_private.pem key_private_APPLICATION_GEN1.pem
-fi
-
-if [ ! -f key_private_RADIO_GEN1.pem ]; then
-  cp key_private.pem key_private_RADIO_GEN1.pem
-fi
-
 if [ ! -f key_public.c ]; then
   echo "Generating public key as C source file..."
   suit-generator convert --input-file key_private.pem --output-file key_public.c
@@ -57,7 +43,9 @@ echo "Generating SUIT envelope for $1 input file ..."
 suit-generator create --input-file $1 --output-file sample.suit
 generated_files+=("\tunsigned binary envelope:\t\t$PWD/sample.suit")
 echo "Signing SUIT envelope using key_priv.pem ..."
-python3 ${SIGN_SCRIPT} --input-file sample.suit --output-file sample_signed.suit
+suit-generator sign single-level --input-envelope sample.suit --output-envelope sample_signed.suit \
+               --key-name key_private --key-id 0x40000000 --sign-script ${SIGN_SCRIPT} \
+               --kms-script ${KMS_SCRIPT}
 generated_files+=("\tsigned binary envelope:\t\t\t$PWD/sample_signed.suit")
 echo "Converting binary envelope into C code ..."
 zcbor convert \