
Commit e402ea2

trusted-firmware-m: Define header and trailer options
The current behavior when signing an image is to always set --pad and --pad-header for all images unless TFM_USE_NS_APP is set. This does not allow for easy creation of signed images for FOTA applications. Rewrite the PAD parameter as HEADER and TRAILER to simplify the setup of more signing options. Another important reason for this change is that the NS image, when signed without --pad, runs on the hardware but does not perform the MCUboot test, and the FWU never upgrades the image. This fixes the NS image signing process to correctly support TF-M FWU using the PSA API functions. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
1 parent 6bb538f commit e402ea2


1 file changed

+10
-6
lines changed


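--- a/modules/trusted-firmware-m/CMakeLists.txt
+++ b/modules/trusted-firmware-m/CMakeLists.txt
@@ -502,9 +502,13 @@ if (CONFIG_BUILD_WITH_TFM)
 endif()
 endif()
 
-function(tfm_sign OUT_ARG SUFFIX PAD MAX_SECTORS INPUT_FILE OUTPUT_FILE)
-if(PAD)
+function(tfm_sign OUT_ARG SUFFIX HEADER TRAILER MAX_SECTORS INPUT_FILE OUTPUT_FILE)
+if(HEADER AND TRAILER)
 set(pad_args --pad --pad-header)
+elseif(HEADER)
+set(pad_args --pad-header)
+elseif(TRAILER)
+set(pad_args --pad)
 endif()
 # Secure + Non-secure images are signed the same way as a secure only
 # build, but with a different layout file.
@@ -563,7 +567,7 @@ if (CONFIG_BUILD_WITH_TFM)
 )
 
 elseif(CONFIG_TFM_MCUBOOT_IMAGE_NUMBER STREQUAL "1")
-tfm_sign(sign_cmd S_NS TRUE ${S_NS_MAX_SECTORS} ${S_NS_FILE} ${S_NS_SIGNED_FILE})
+tfm_sign(sign_cmd S_NS TRUE TRUE ${S_NS_MAX_SECTORS} ${S_NS_FILE} ${S_NS_SIGNED_FILE})
 
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
 COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
@@ -588,12 +592,12 @@ if (CONFIG_BUILD_WITH_TFM)
 
 else()
 if (CONFIG_TFM_USE_NS_APP)
-tfm_sign(sign_cmd_ns NS TRUE ${S_NS_MAX_SECTORS} ${NS_APP_FILE} ${NS_SIGNED_FILE})
+tfm_sign(sign_cmd_ns NS TRUE TRUE ${S_NS_MAX_SECTORS} ${NS_APP_FILE} ${NS_SIGNED_FILE})
 else()
-tfm_sign(sign_cmd_ns NS FALSE ${S_NS_MAX_SECTORS} ${NS_APP_FILE} ${NS_SIGNED_FILE})
+tfm_sign(sign_cmd_ns NS FALSE TRUE ${S_NS_MAX_SECTORS} ${NS_APP_FILE} ${NS_SIGNED_FILE})
 endif()
 
-tfm_sign(sign_cmd_s S TRUE ${S_NS_MAX_SECTORS} $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
+tfm_sign(sign_cmd_s S TRUE TRUE ${S_NS_MAX_SECTORS} $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
 ${S_SIGNED_FILE})
 
 #Create and sign for concatenated binary image, should align with the TF-M BL2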
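Review bot: `pad_args` is assigned only inside the `if(HEADER AND TRAILER)` / `elseif` chain at the top of `tfm_sign`, so a call with both flags false leaves it unset inside the function, and a CMake function body can then read a `pad_args` that happens to exist in the calling scope. No caller in this diff passes `FALSE FALSE`, but the new signature allows it; adding `set(pad_args)` just before the `if` would make the no-padding case explicit. The two adjacent positional booleans are also easy to transpose at call sites such as `tfm_sign(sign_cmd_ns NS FALSE TRUE ...)`, and a swapped pair would presumably still configure while producing a differently laid-out signed image, so I would add a comment above the function along the lines of `# HEADER adds --pad-header, TRAILER adds --pad`. The body of `tfm_sign`, including where `pad_args` is consumed, continues outside the hunk.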
