boards: nucleo_l552ze_q: Leverage consolidated TFM signing code

This commit removes the signing commands from the post build steps,
in order to leverage the consolidated TFM signing code.

Also with the support to adjust the hex base address when signing,
there is no need to run the TFM_UPDATE.sh script. We can use west
flash to flash the merged hex file on the board.

Signed-off-by: Yestin Sun <[email protected]>

Author: yestin

boards/arm/nucleo_l552ze_q/CMakeLists.txt

@@ -11,58 +11,8 @@ elseif(${ZEPHYR_TOOLCHAIN_VARIANT} STREQUAL "gnuarmemb")
 endif()
 
 if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-	set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-	set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	set(TFM_PUBLIC_KEY_FORMAT "full")
-
-	#Create and sign for concatenated binary image, should align with the TF-M BL2
-	set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-		#Sign secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_S}
-			 -k ${CONFIG_TFM_KEY_FILE_S}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_S}
-			 --pad
-			 --pad-header
-			 ${ADD_NS_IMAGE_MIN_VER}
-			 -s auto
-			 -H 0x400
-			 $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-			 ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-		#Sign non-secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_NS}
-			 -k ${CONFIG_TFM_KEY_FILE_NS}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_NS}
-			 -s auto
-			 ${ADD_S_IMAGE_MIN_VER}
-			 -H 0x400
-			 ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-			 ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-		#Copy mcuboot.bin
-		COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
+	set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
 		#Execute post build script postbuild.sh
 		COMMAND ${CMAKE_BINARY_DIR}/tfm/postbuild.sh ${COMPILER_FULL_PATH}
-      )
+	)
 endif()

boards/arm/nucleo_l552ze_q/board.cmake

@@ -1,5 +1,15 @@
- set_ifndef(BOARD_DEBUG_RUNNER pyocd)
- set_ifndef(BOARD_FLASH_RUNNER pyocd)
+if(CONFIG_BUILD_WITH_TFM)
+  set(FLASH_BASE_ADDRESS_S 0x0C000000)
+
+  if (CONFIG_HAS_FLASH_LOAD_OFFSET)
+    MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${FLASH_BASE_ADDRESS_S}+${CONFIG_FLASH_LOAD_OFFSET}")
+  else()
+    set(TFM_HEX_BASE_ADDRESS_NS ${TFM_FLASH_BASE_ADDRESS_S})
+  endif()
+endif()
+
+set_ifndef(BOARD_DEBUG_RUNNER pyocd)
+set_ifndef(BOARD_FLASH_RUNNER pyocd)
 
 board_runner_args(pyocd "--target=stm32l552zetxq")
 

boards/arm/nucleo_l552ze_q/doc/nucleol552ze_q.rst

@@ -276,7 +276,16 @@ You should see the following message on the console:
 Building a secure/non-secure with Arm |reg| TrustZone |reg|
 -----------------------------------------------------------
 
-The TF-M integration sample :ref:`tfm_ipc` can be run by a Nucleo L552ZE Q, using the ``nucleo_l552ze_q_ns`` target. When building a ``*_ns`` image with TF-M, a ``build/tfm/install/postbuild.sh`` bash script will be run as a post-build step to make some required flash layout changes. The ``build/tfm/install/postbuild.sh`` script will also be used to flash the board. Check the ``build/tfm/install`` directory to ensure that the commands required by these scripts (``readlink``, etc.) are available on your system.
+The TF-M integration sample :ref:`tfm_ipc` can be run by a Nucleo L552ZE Q,
+using the ``nucleo_l552ze_q_ns`` target. When building a ``*_ns`` image with TF-M,
+a ``build/tfm/install/postbuild.sh`` bash script will be run as a post-build step
+to make some required flash layout changes. The ``build/tfm/regression.sh`` script
+will need to be run to perform device initialization, and then run ``west flash --hex-file build/tfm_merged.hex``
+to flash the board.
+
+Check the ``build/tfm/`` directory to ensure that the commands required by these scripts
+(``readlink``, etc.) are available on your system. Please also check ``STM32_Programmer_CLI``
+used for initialization is available in the PATH.
 
 Debugging
 =========