soc: cyw20829: add support of Secure LCS

Enable support of SECURE LCS stage. In this stage, the protection
state is set to “secure”. A secured device will boot only when the
authentication of its flash boot and application code succeeds

Signed-off-by: Sreeram Tatapudi <[email protected]>

Author: sreeramIfx

boards/infineon/cyw920829m2evk_02/board.cmake

@@ -18,3 +18,5 @@ endif()
 include(${ZEPHYR_BASE}/boards/common/openocd.board.cmake)
 board_runner_args(jlink "--device=CYW20829_tm")
 include (${ZEPHYR_BASE}/boards/common/jlink.board.cmake)
+
+set_property(TARGET runners_yaml_props_target PROPERTY hex_file zephyr_merged.hex)

soc/infineon/cat1b/cyw20829/CMakeLists.txt

@@ -30,6 +30,78 @@ math(EXPR flash_addr_offset
   OUTPUT_FORMAT HEXADECIMAL
 )
 set(gen_app_header_args --flash_addr_offset ${flash_addr_offset})
+set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
+
+if(CONFIG_INFINEON_SECURE_LCS OR CONFIG_BOOTLOADER_MCUBOOT)
+  # Check cysecuretools
+  find_program(CYSECURETOOLS cysecuretools)
+  if(NOT CYSECURETOOLS)
+    message(FATAL_ERROR "Can't find cysecuretools. To fix, install cysecuretools with pip3.")
+  else()
+    message("-- Found cysecuretools: ${CYSECURETOOLS}")
+  endif()
+endif()
+
+if(CONFIG_INFINEON_SECURE_LCS)
+  set(default_policy)
+  set(default_policy_name)
+
+  # Cysecuretools policy.
+  if(NOT CONFIG_INFINEON_SECURE_POLICY)
+    # Get default cysecuretools policy
+    if(CONFIG_INFINEON_SECURE_LCS)
+      message(INFO "CONFIG_INFINEON_SECURE_POLICY was not defined.")
+      set(default_policy_name policy_secure.json)
+    else()
+      set(default_policy_name policy_no_secure.json)
+    endif()
+  endif()
+
+  find_file(
+    default_policy
+    NAMES
+        ${CONFIG_INFINEON_SECURE_POLICY}
+        ${default_policy_name}
+    PATHS
+        ${APPLICATION_SOURCE_DIR}
+        ${ZEPHYR_BASE}
+    NO_DEFAULT_PATH
+    )
+
+  if(NOT default_policy)
+      message(FATAL_ERROR "Can't find policy:${CONFIG_INFINEON_SECURE_POLICY}"
+              "/${default_policy_name}"
+              "Checked locations: ${APPLICATION_SOURCE_DIR}, ${ZEPHYR_BASE}")
+  endif()
+
+  set(cysecuretools_policy ${default_policy} CACHE PATH "cysecuretools policy")
+  message("-- Using cysecuretools policy: ${cysecuretools_policy}")
+endif()
+
+if(CONFIG_INFINEON_SECURE_LCS)
+  #
+  # Addition postbuild action for SECURE LCS
+  #
+  set(gen_app_header_args ${gen_app_header_args} --secure_lcs True)
+  set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed)
+
+  if(CONFIG_INFINEON_SMIF_ENCRYPTION)
+    set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin)
+    set(enc_option --encrypt --nonce-output nonce-output.bin)
+    set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed.encrypted)
+  endif()
+
+  set(bin2hex_option bin2hex --image ${app_signed_enc_path}.bin --output ${app_signed_enc_path}.hex --offset 0x60000030)
+
+  # Sign Zephyr L1 app in SECURE LCS
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+    COMMAND ${CYSECURETOOLS} -q -t cyw20829
+      -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app
+      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_enc_path}.bin
+      --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030
+      ${enc_option} ${bin2hex_option}
+    )
+endif()
 
 # Generate platform specific header (TOC2, l1_desc, etc)
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
@@ -39,9 +111,13 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
     --bootstrap-dst-addr ${bootstrap_dst_addr}
   )
 
+set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex)
+
 # Merge platform specific header and zephyr image to a single binary.
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
   COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
-    -o ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.hex
-    ${app_temp_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
+    -o ${MERGED_FILE}
+    ${app_signed_enc_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
   )
+
+set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${MERGED_FILE})

soc/infineon/cat1b/cyw20829/Kconfig

@@ -16,3 +16,23 @@ config SOC_SERIES_CYW20829
 	select BUILD_OUTPUT_HEX
 	select BUILD_OUTPUT_BIN
 	select SOC_EARLY_INIT_HOOK
+
+config INFINEON_SECURE_LCS
+	bool "Secure LCS stage support"
+	help
+	  Enable support of SECURE LCS stage. In this stage, the protection
+	  state is set to “secure”. A secured device will boot only when the
+	  authentication of its flash boot and application code succeeds.
+
+config INFINEON_SECURE_POLICY
+	string "Path to policy JSON file"
+	help
+	  Policy is a text file in JSON format that contains a set of properties
+	  for the device configuration (e.g., enabling/disabling debug access ports,
+	  SMIF configuration, keys information, etc).
+
+config INFINEON_SMIF_ENCRYPTION
+	bool "SMIF encryption support"
+	depends on INFINEON_SECURE_LCS
+	help
+	  Enables SMIF encryption.

tests/application_development/vector_table_relocation/src/main.c

@@ -27,7 +27,7 @@
 
 #if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU))
 #include <cmsis_core.h>
-void disable_mpu_rasr_xn(void)
+static void disable_mpu_rasr_xn(void)
 {
 	uint32_t index;
 	/* Kept the max index as 8(irrespective of soc) because the sram