soc: cyw20829: add support of Secure LCS

Enable support of SECURE LCS stage. In this stage, the protection
state is set to “secure”. A secured device will boot only when the
authentication of its flash boot and application code succeeds

Signed-off-by: Sreeram Tatapudi <[email protected]>

Author: sreeramIfx

dts/arm/infineon/cat1b/cyw20829/cyw20829.dtsi

@@ -7,6 +7,9 @@
 
 #include <mem.h>
 
+#define BOOTSTRAP_SIZE    DT_SIZE_K(12)
+#define SRAM0_SIZE       (DT_SIZE_K(256) - BOOTSTRAP_SIZE)
+
 / {
 	cpus {
 		#address-cells = <1>;
@@ -35,14 +38,46 @@
 	};
 
 	sram0: memory@20000000 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+
 		compatible = "mmio-sram";
-		reg = <0x20000000 DT_SIZE_K(244)>;
+		reg = <0x20000000 SRAM0_SIZE>;
+
+		/* SRAM aliased address path */
+		sram_sahb: sram_bus_alias@20000000 {
+			reg = <0x20000000 0x00040000>;  /* SAHB address */
+		};
+
+		sram_cbus: sram_bus_alias@4000000 {
+			reg = <0x04000000 0x00040000>;  /* CBUS address */
+		};
 	};
 
+	/* sram_bootstrap address calculation:
+	 * sram_sahb + sram_size (256k) - bootstrap size
+	 * (e.g. 0x20000000 + 0x40000 - 12K (0x3000) = 0x2003D000)
+	 */
 	sram_bootstrap: memory@2003D000 {
 		compatible = "zephyr,memory-region", "mmio-sram";
 		zephyr,memory-region = "BOOTSTRAP_RAM";
-		reg = <0x2003D000 DT_SIZE_K(12)>;
+		reg = <0x2003D000 BOOTSTRAP_SIZE>;
+	};
+
+	qspi_flash: qspi_flash@40890000 {
+		compatible = "infineon,cat1-qspi-flash";
+		reg = <0x40890000 0x30000>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+	};
+
+	/* Flash aliased address path */
+	flash_sahb: flash_bus_alias@60000000 {
+		reg = <0x60000000 0x80000>;  /* SAHB address */
+	};
+
+	flash_cbus: flash_bus_alias@8000000 {
+		reg = <0x08000000 0x80000>;  /* CBUS address */
 	};
 
 	soc {

soc/infineon/cat1b/cyw20829/CMakeLists.txt

@@ -1,8 +1,7 @@
-# Copyright (c) 2023 Cypress Semiconductor Corporation.
+# Copyright (c) 2024 Cypress Semiconductor Corporation.
 # SPDX-License-Identifier: Apache-2.0
 
 zephyr_sources(soc.c)
-zephyr_sources(app_header.c)
 zephyr_sources(mpu_regions.c)
 zephyr_include_directories(.)
 
@@ -19,3 +18,105 @@ zephyr_compile_definitions(CY_PDL_FLASH_BOOT)
 
 # Use custome linker script
 set(SOC_LINKER_SCRIPT ${ZEPHYR_BASE}/soc/infineon/cat1b/cyw20829/linker.ld CACHE INTERNAL "")
+
+if(CONFIG_INFINEON_SECURE_LCS OR CONFIG_BOOTLOADER_MCUBOOT)
+  # Check cysecuretools
+  find_program(CYSECURETOOLS cysecuretools)
+  if(NOT CYSECURETOOLS)
+    message(FATAL_ERROR "Can't find cysecuretools. To fix, install cysecuretools with pip3.")
+  else()
+    message("-- Found cysecuretools: ${CYSECURETOOLS}")
+  endif()
+
+  set(default_policy)
+  set(default_policy_name)
+  # Cysecuretools policy.
+  if(NOT CONFIG_INFINEON_SECURE_POLICY)
+    # Get default cysecuretools policy
+    if(CONFIG_INFINEON_SECURE_LCS)
+      message(INFO "CONFIG_INFINEON_SECURE_POLICY was not defined.")
+      set(default_policy_name policy_secure.json)
+    else()
+      set(default_policy_name policy_no_secure.json)
+    endif()
+  endif()
+
+  find_file(
+    default_policy
+    NAMES
+        ${CONFIG_INFINEON_SECURE_POLICY}
+        ${default_policy_name}
+    PATHS
+        ${APPLICATION_SOURCE_DIR}
+        ${ZEPHYR_BASE}
+    NO_DEFAULT_PATH
+    )
+
+  if(NOT default_policy)
+      message(FATAL_ERROR "Can't find policy:${CONFIG_INFINEON_SECURE_POLICY}"
+              "/${default_policy_name}"
+              "Checked locations: ${APPLICATION_SOURCE_DIR}, ${ZEPHYR_BASE}")
+  endif()
+
+  set(cysecuretools_policy ${default_policy} CACHE PATH "cysecuretools policy")
+  message("-- Using cysecuretools policy: ${cysecuretools_policy}")
+endif()
+
+# Copy Zephyr application hex
+set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+  ${CMAKE_COMMAND} -E copy
+  ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.hex ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}_org.hex
+  )
+
+# Get sram_bootstrap address and size
+dt_nodelabel(sram_bootstrap NODELABEL "sram_bootstrap")
+dt_reg_addr(bootstrap_dst_addr PATH ${sram_bootstrap})
+dt_reg_size(bootstrap_size PATH ${sram_bootstrap})
+
+# Calculate the place in flash
+math(EXPR flash_addr_offset
+  "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET} + ${CONFIG_ROM_START_OFFSET}"
+  OUTPUT_FORMAT HEXADECIMAL
+)
+set(gen_app_header_args --flash_addr_offset ${flash_addr_offset})
+set(app_temp_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}_org)
+
+if(CONFIG_INFINEON_SECURE_LCS)
+  #
+  # Addition postbuild action for SECURE LCS
+  #
+  set(gen_app_header_args ${gen_app_header_args} --secure_lcs True)
+  set(app_temp_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}_signed_tmp)
+
+  if(CONFIG_INFINEON_SMIF_ENCRYPTION)
+    set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin)
+    set(enc_option --encrypt --nonce-output nonce-output.bin)
+    set(bin2hex_option bin2hex --image ${app_temp_path}_encrypted.bin --output ${app_temp_path}.hex --offset 0x60000030)
+  else()
+    set(bin2hex_option bin2hex --image ${app_temp_path}.bin --output ${app_temp_path}.hex --offset 0x60000030)
+  endif()
+
+  # Sign Zephyr L1 app in SECURE LCS
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+    COMMAND ${CYSECURETOOLS} -q -t cyw20829
+      -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app
+      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_temp_path}.bin
+      --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030
+      ${enc_option} ${bin2hex_option}
+    )
+endif()
+
+# Generate platform specific header (TOC2, l1_desc, etc)
+set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+    ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/soc/infineon/cat1b/cyw20829/gen_app_header.py
+    -p ${ZEPHYR_BINARY_DIR} -n ${KERNEL_NAME} ${gen_app_header_args}
+    --bootstrap-size ${bootstrap_size}
+    --bootstrap-dst-addr ${bootstrap_dst_addr}
+  )
+
+# Merge platform specific header and zephyr image to a single binary.
+set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+  COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
+    -o ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.hex
+    ${app_temp_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
+  )

soc/infineon/cat1b/cyw20829/Kconfig

@@ -16,3 +16,23 @@ config SOC_SERIES_CYW20829
 	select BUILD_OUTPUT_HEX
 	select BUILD_OUTPUT_BIN
 	select SOC_EARLY_INIT_HOOK
+
+config INFINEON_SECURE_LCS
+	bool "Secure LCS stage support"
+	help
+	  Enable support of SECURE LCS stage. In this stage, the protection
+	  state is set to “secure”. A secured device will boot only when the
+	  authentication of its flash boot and application code succeeds.
+
+config INFINEON_SECURE_POLICY
+	string "Path to policy JSON file"
+	help
+	  Policy is a text file in JSON format that contains a set of properties
+	  for the device configuration (e.g., enabling/disabling debug access ports,
+	  SMIF configuration, keys information, etc).
+
+config INFINEON_SMIF_ENCRYPTION
+	bool "SMIF encryption support"
+	depends on INFINEON_SECURE_LCS
+	help
+	  Enables SMIF encryption.

soc/infineon/cat1b/cyw20829/Kconfig.defconfig

@@ -28,6 +28,9 @@ config MAIN_STACK_SIZE
 config IDLE_STACK_SIZE
 	default 1024 if PM
 
+config ROM_START_OFFSET
+	default 0x400 if BOOTLOADER_MCUBOOT
+
 # add additional die specific params
 
 endif # SOC_DIE_CYW20829

soc/infineon/cat1b/cyw20829/Kconfig.soc

@@ -26,6 +26,22 @@ config SOC_PACKAGE_CYW20829_40_QFN
 config SOC_PACKAGE_CYW20829_77_BGA
 	bool
 
+config CYW20829_FLASH_SAHB_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,flash_sahb)
+
+config CYW20829_FLASH_CBUS_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,flash_cbus)
+
+config CYW20829_SRAM_SAHB_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,sram_sahb)
+
+config CYW20829_SRAM_CBUS_ADDR
+	hex
+	default $(dt_nodelabel_reg_addr_hex,sram_cbus)
+
 # MPN
 config SOC_CYW20829A0LKML
 	bool

soc/infineon/cat1b/cyw20829/app_header.c

@@ -1,18 +1,7 @@
-/* Copyright 2024 Cypress Semiconductor Corporation (an Infineon company) or
- * an affiliate of Cypress Semiconductor Corporation
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-SECTIONS
-{
-    .app_header :
-    {
-	    KEEP(*(.app_header))
-    } > APP_HEADER_FLASH
-
-   /* Cortex-M33 bootstrap code area */
-    .bootstrapText :
+    /* Cortex-M33 bootstrap code area */
+    bootstrap.text_lma = BS_CODE_LMA_CBUS;
+    bootstrap.text_vma = BS_CODE_VMA_CBUS;
+    .bootstrapText (bootstrap.text_vma) : AT (bootstrap.text_lma)
     {
         . = ALIGN(4);
         __bootstrapText_begin = .;
@@ -49,19 +38,23 @@ SECTIONS
 
         . = ALIGN(4);
         __bootstrapText_end = .;
-    } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH
+    }
 
-    .bootstrapzero.table :
+    bootstrap.zerotable.vma = (__bootstrapText_end);
+    bootstrap.zerotable.lma = (bootstrap.text_lma + (__bootstrapText_end - __bootstrapText_begin));
+    .bootstrapzero.table (bootstrap.zerotable.vma): AT (bootstrap.zerotable.lma)
     {
         . = ALIGN(4);
         __bootstrapzero_table_start__ = .;
         LONG (__bootstrap_bss_start__)
         LONG ((__bootstrap_bss_end__ - __bootstrap_bss_start__)/4)
         . = ALIGN(4);
         __bootstrapzero_table_end__ = .;
-    } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH
+    }
 
-    .bootstrapData :
+    bootstrap.data.vma = ((__bootstrapzero_table_end__ - RAM_START_ADDR_CBUS) + RAM_START_ADDR_SAHB); /* CBUS -> SAHB */
+    bootstrap.data.lma = (bootstrap.zerotable.lma + (__bootstrapzero_table_end__ - __bootstrapzero_table_start__));
+    .bootstrapData (bootstrap.data.vma): AT (bootstrap.data.lma)
     {
         __bootstrapData_start__ = .;
         . = ALIGN(4);
@@ -85,9 +78,9 @@ SECTIONS
 
         . = ALIGN(4);
         __bootstrapData_end__ = .;
-    } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH
+    } > BOOTSTRAP_RAM
 
-    .bootstrapBss (NOLOAD):
+    .bootstrapBss (__bootstrapData_end__) (NOLOAD):
     {
         . = ALIGN(4);
         __bootstrap_bss_start__ = .;
@@ -111,4 +104,3 @@ SECTIONS
         . = ALIGN(4);
         __bootstrap_bss_end__ = .;
     } > BOOTSTRAP_RAM
-}