soc: cyw20829: add support of Secure LCS

sreeramIfx · sreeramIfx · commit 45761ac7196d · 2025-05-14T14:43:19.000-07:00
Enable support of SECURE LCS stage. In this stage, the protection
state is set to “secure”. A secured device will boot only when the
authentication of its flash boot and application code succeeds

Signed-off-by: Sreeram Tatapudi &lt;sreeram.praveen@infineon.com&gt;
diff --git a/boards/infineon/cyw920829m2evk_02/board.cmake b/boards/infineon/cyw920829m2evk_02/board.cmake
@@ -18,3 +18,5 @@ endif()
 include(${ZEPHYR_BASE}/boards/common/openocd.board.cmake)
 board_runner_args(jlink "--device=CYW20829_tm")
 include (${ZEPHYR_BASE}/boards/common/jlink.board.cmake)
+
+set_property(TARGET runners_yaml_props_target PROPERTY hex_file zephyr_merged.hex)
diff --git a/soc/infineon/cat1b/cyw20829/CMakeLists.txt b/soc/infineon/cat1b/cyw20829/CMakeLists.txt
@@ -30,6 +30,66 @@ math(EXPR flash_addr_offset
   OUTPUT_FORMAT HEXADECIMAL
 )
 set(gen_app_header_args --flash_addr_offset ${flash_addr_offset})
+set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
+
+if(CONFIG_INFINEON_SECURE_LCS OR (DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE))
+  # Check cysecuretools
+  find_program(CYSECURETOOLS cysecuretools REQUIRED)
+  message("-- Found cysecuretools: ${CYSECURETOOLS}")
+
+  # Locate CySecureTools policy file
+  if(IS_ABSOLUTE "${CONFIG_INFINEON_SECURE_POLICY}")
+    cmake_path(SET cysecuretools_policy "${CONFIG_INFINEON_SECURE_POLICY}")
+  else()
+    find_file(
+      cysecuretools_policy
+      NAMES
+        "${CONFIG_INFINEON_SECURE_POLICY}"
+      PATHS
+        "${APPLICATION_SOURCE_DIR}"
+        "${WEST_TOPDIR}"
+        "${SOC_FULL_DIR}/cyw20829"
+      NO_DEFAULT_PATH
+      )
+  endif()
+
+  if(NOT IS_ABSOLUTE "${cysecuretools_policy}" OR NOT EXISTS "${cysecuretools_policy}")
+    message(FATAL_ERROR "Can't find policy file \"${CONFIG_INFINEON_SECURE_POLICY}\" "
+                        "(Note: Relative paths are searched through "
+                        "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" "
+                        "and WEST_TOPDIR=\"${WEST_TOPDIR}\")")
+  endif()
+
+  message("-- Using cysecuretools policy: ${cysecuretools_policy}")
+  set(CYSECURETOOLS_POLICY ${cysecuretools_policy} CACHE PATH "cysecuretool policy")
+endif()
+
+if(CONFIG_INFINEON_SECURE_LCS)
+  #
+  # Additional postbuild action for SECURE LCS
+  #
+  set(gen_app_header_args ${gen_app_header_args} --secure_lcs True)
+  set(app_signed_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed)
+  set(app_signed_enc_path "${app_signed_path}")
+
+  if(CONFIG_INFINEON_SMIF_ENCRYPTION)
+    set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin)
+    set(enc_option --encrypt --nonce-output nonce-output.bin)
+    # The encrypted image file path generated by cysecuretools
+    set(app_signed_enc_path "${app_signed_path}_encrypted")
+  endif()
+
+  set(bin2hex_option bin2hex --image ${app_signed_enc_path}.bin --output ${app_signed_enc_path}.hex --offset 0x60000030)
+
+  # Sign Zephyr L1 app in SECURE LCS
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+    COMMAND ${CYSECURETOOLS} -q -t cyw20829
+      -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app
+      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_path}.bin
+      --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030
+      ${enc_option} ${bin2hex_option}
+    )
+endif()
 
 # Generate platform specific header (TOC2, l1_desc, etc)
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
@@ -39,9 +99,13 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
     --bootstrap-dst-addr ${bootstrap_dst_addr}
   )
 
+set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex  CACHE PATH "merged hex")
+
 # Merge platform specific header and zephyr image to a single binary.
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
   COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
-    -o ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.hex
-    ${app_temp_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
+    -o ${MERGED_FILE}
+    ${app_signed_enc_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
   )
+
+set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${MERGED_FILE})
diff --git a/soc/infineon/cat1b/cyw20829/Kconfig b/soc/infineon/cat1b/cyw20829/Kconfig
@@ -16,3 +16,40 @@ config SOC_SERIES_CYW20829
 	select BUILD_OUTPUT_HEX
 	select BUILD_OUTPUT_BIN
 	select SOC_EARLY_INIT_HOOK
+
+config INFINEON_SECURE_LCS
+	bool "Secure LCS stage support"
+	help
+	  Enable support of SECURE LCS stage. In this stage, the protection
+	  state is set to “secure”. A secured device will boot only when the
+	  authentication of its flash boot and application code succeeds.
+
+config INFINEON_SECURE_POLICY
+	string "Path to policy JSON file"
+	default "default_policy.json"
+	help
+	  Policy is a text file in JSON format that contains a set of properties
+	  for the device configuration (e.g., enabling/disabling debug access ports,
+	  SMIF configuration, keys information, etc).
+
+config INFINEON_SMIF_ENCRYPTION
+	bool "SMIF encryption support"
+	depends on INFINEON_SECURE_LCS
+	help
+	  Enables SMIF encryption.
+
+config CYW20829_FLASH_SAHB_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,flash_sahb)
+
+config CYW20829_FLASH_CBUS_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,flash_cbus)
+
+config CYW20829_SRAM_SAHB_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,sram_sahb)
+
+config CYW20829_SRAM_CBUS_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,sram_cbus)
diff --git a/soc/infineon/cat1b/cyw20829/Kconfig.soc b/soc/infineon/cat1b/cyw20829/Kconfig.soc
@@ -26,22 +26,6 @@ config SOC_PACKAGE_CYW20829_40_QFN
 config SOC_PACKAGE_CYW20829_77_BGA
 	bool
 
-config CYW20829_FLASH_SAHB_ADDR
-	hex
-	default $(dt_nodelabel_reg_addr_hex,flash_sahb)
-
-config CYW20829_FLASH_CBUS_ADDR
-	hex
-	default $(dt_nodelabel_reg_addr_hex,flash_cbus)
-
-config CYW20829_SRAM_SAHB_ADDR
-	hex
-	default $(dt_nodelabel_reg_addr_hex,sram_sahb)
-
-config CYW20829_SRAM_CBUS_ADDR
-	hex
-	default $(dt_nodelabel_reg_addr_hex,sram_cbus)
-
 # MPN
 config SOC_CYW20829A0LKML
 	bool
diff --git a/tests/application_development/vector_table_relocation/src/main.c b/tests/application_development/vector_table_relocation/src/main.c
@@ -27,7 +27,7 @@
 
 #if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU))
 #include <cmsis_core.h>
-void disable_mpu_rasr_xn(void)
+static void disable_mpu_rasr_xn(void)
 {
 	uint32_t index;
 	/* Kept the max index as 8(irrespective of soc) because the sram

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@`
`27`	`27`
`28`	`28`	`#if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU))`
`29`	`29`	`#include <cmsis_core.h>`
`30`		`-void disable_mpu_rasr_xn(void)`
	`30`	`+static void disable_mpu_rasr_xn(void)`
`31`	`31`	`{`
`32`	`32`	`uint32_t index;`
`33`	`33`	`/* Kept the max index as 8(irrespective of soc) because the sram`