cmake: sysbuild: signing support

tejlmand · carlescufi · commit b88c8e136344 · 2022-08-03T16:05:07.000+02:00
This commit introduces image signing by adding the possibility to
specify algorithm and signing key for sysbuild images.

It introduces Kconfig setting to specify signing algorithm and key file.

It will default the signing key to the default key provided by MCUBoot
if no key has been specified.

When signing is enabling, the signature key will be passed to the
application so the build system can sign the image as post build step.

Signed-off-by: Torsten Rasmussen &lt;Torsten.Rasmussen@nordicsemi.no&gt;
diff --git a/share/sysbuild/CMakeLists.txt b/share/sysbuild/CMakeLists.txt
@@ -30,6 +30,31 @@ set(IMAGES)
 get_filename_component(APP_DIR  ${APP_DIR} ABSOLUTE)
 get_filename_component(app_name ${APP_DIR} NAME)
 
+# Propagate bootloader and signing settings from this system to the MCUboot and
+# application image build systems.
+if(SB_CONFIG_BOOTLOADER_MCUBOOT)
+  set(${app_name}_CONFIG_BOOTLOADER_MCUBOOT y CACHE STRING
+      "MCUBOOT is enabled as bootloader" FORCE
+  )
+  set(${app_name}_CONFIG_MCUBOOT_SIGNATURE_KEY_FILE
+      \"${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}\" CACHE STRING
+      "Signature key file for signing" FORCE
+  )
+
+  # Set corresponding values in mcuboot
+  set(mcuboot_CONFIG_BOOT_SIGNATURE_TYPE_${SB_CONFIG_SIGNATURE_TYPE} y CACHE STRING
+      "MCUBOOT signature type" FORCE
+  )
+  set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE
+      \"${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}\" CACHE STRING
+      "Signature key file for signing" FORCE
+  )
+else()
+  set(${app_name}_CONFIG_BOOTLOADER_MCUBOOT n CACHE STRING
+      "MCUBOOT is disabled as bootloader" FORCE
+  )
+endif()
+
 # This adds the primary application to the build.
 ExternalZephyrProject_Add(
   APPLICATION ${app_name}
diff --git a/share/sysbuild/bootloader/Kconfig b/share/sysbuild/bootloader/Kconfig
@@ -27,3 +27,41 @@ config BOOTLOADER_MCUBOOT
 	  Include MCUboot (Zephyr port) as the bootloader to use
 
 endchoice
+
+if BOOTLOADER_MCUBOOT
+
+config SIGNATURE_TYPE
+	string
+	default NONE if BOOT_SIGNATURE_TYPE_NONE
+	default RSA  if BOOT_SIGNATURE_TYPE_RSA
+	default ECDSA_P256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
+	default ED25519 if BOOT_SIGNATURE_TYPE_ED25519
+
+choice
+	prompt "Signature type"
+	default BOOT_SIGNATURE_TYPE_RSA
+
+config BOOT_SIGNATURE_TYPE_NONE
+	bool "No signature; use only hash check"
+
+config BOOT_SIGNATURE_TYPE_RSA
+	bool "RSA signatures"
+
+config BOOT_SIGNATURE_TYPE_ECDSA_P256
+	bool "Elliptic curve digital signatures with curve P-256"
+
+config BOOT_SIGNATURE_TYPE_ED25519
+	bool "Edwards curve digital signatures using ed25519"
+
+endchoice
+
+config BOOT_SIGNATURE_KEY_FILE
+	string "PEM key file"
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA
+	default ""
+	help
+	  Absolute path to key file to use with MCUBoot.
+
+endif
