soc: cyw20829: Initial integrate Cypress MCUBoot for 20829

Added custom mcuboot cmake for sign/encrypt by using cysecuretools

Signed-off-by: Nazar Palamar <[email protected]>

Author: npal-cy

boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts

@@ -19,7 +19,8 @@
 
 	chosen {
 		zephyr,sram = &sram0;
-		zephyr,flash = &app_region;
+		zephyr,flash = &flash0;
+		zephyr,code-partition = &slot0_partition;
 		zephyr,console = &uart2;
 		zephyr,shell-uart = &uart2;
 		zephyr,bt-hci = &bluetooth;
@@ -99,45 +100,48 @@ uart2: &scb2 {
 	status = "okay";
 };
 
-/ {
-	qspi_flash: qspi_flash@40890000 {
-		compatible = "infineon,cat1-qspi-flash";
-		reg = <0x40890000 0x30000>;
+
+&qspi_flash {
+	flash0: flash@8000000 {
+		compatible = "soc-nv-flash";
+		reg = <0x08000000 DT_SIZE_M(1)>;
+		write-block-size = <1>;
+		erase-block-size = <DT_SIZE_K(4)>;
 		#address-cells = <1>;
 		#size-cells = <1>;
 
-		flash0: flash@8000000 {
-			compatible = "soc-nv-flash";
-			reg = <0x08000000 DT_SIZE_K(512)>;
-			write-block-size = <1>;
-			erase-block-size = <DT_SIZE_K(4)>;
+		/* Keep bootstrap_region node to know size, finaly it will
+		 * locate on beginning of code-partition. The BootROM copies
+		 * bootstrap application in RAM and launches it.
+		 */
+		bootstrap_region: bootstrap_region@0 {
+			reg = <0 BOOTSTRAP_SIZE>;
+		};
+
+		partitions {
+			compatible = "fixed-partitions";
 			#address-cells = <1>;
 			#size-cells = <1>;
 
-			toc2_region: toc2_region@8000000 {
-				compatible = "zephyr,memory-region", "soc-nv-flash";
-				zephyr,memory-region = "APP_HEADER_FLASH";
-				reg = <0x08000000 0x50>;
-			};
-			bootstrap_region: bootstrap_region@8000050 {
-				compatible = "zephyr,memory-region", "soc-nv-flash";
-				zephyr,memory-region = "BOOTSTRAP_FLASH";
-				reg = <0x08000050 DT_SIZE_K(12)>;
+			boot_partition: partition@0 {
+				label = "mcuboot";
+				reg = <0x0 0x20000>;
+				read-only;
 			};
-			app_region: app_region@8003050 {
-				compatible = "soc-nv-flash";
-				reg = <0x08003050 0x6CFB0>; /* 435kb */
+
+			slot0_partition: partition@20000 {
+				label = "image-0";
+				reg = <0x20000 0x60000>;
 			};
 
-			partitions {
-				compatible = "fixed-partitions";
-				#address-cells = <1>;
-				#size-cells = <1>;
+			slot1_partition: partition@80000 {
+				label = "image-1";
+				reg = <0x80000 0x60000>;
+			};
 
-				storage_partition: storage_partition@60000 {
-					compatible = "soc-nv-flash";
-					reg = <0x60000 DT_SIZE_K(64)>;
-				};
+			storage_partition: storage_partition@E0000 {
+				compatible = "soc-nv-flash";
+				reg = <0xE0000 DT_SIZE_K(64)>;
 			};
 		};
 	};

boards/infineon/cyw920829m2evk_02/doc/index.rst

@@ -3,9 +3,19 @@
 Overview
 ********
 
-The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board peripherals enables evaluation, prototyping, and development of a wide array of Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829. The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases including industrial IoT applications, smart home, asset tracking, beacons and sensors, and medical devices.
-
-The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor, analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO support with extended headers and Arduino Uno R3 compatibility for third-party shields.
+The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board
+peripherals enables evaluation, prototyping, and development of a wide array of
+Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829.
+The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power
+amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases
+including industrial IoT applications, smart home, asset tracking, beacons and sensors, and
+medical devices.
+
+The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with
+programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a
+suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor,
+analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO
+support with extended headers and Arduino Uno R3 compatibility for third-party shields.
 
 Hardware
 ********
@@ -20,7 +30,8 @@ Kit Features:
 
 - AIROC™ CYW20829 Bluetooth® LE MCU in 56 pin QFN package
 - Arduino compatible headers for hardware expansion
-- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone, and Infineon digital microphone
+- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone,
+  and Infineon digital microphone
 - User switches, RGB LED and user LEDs
 - USB connector for power, programming and USB-UART bridge
 
@@ -71,24 +82,38 @@ Programming and Debugging
 
 .. zephyr:board-supported-runners::
 
-The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging, flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and require a custom Infineon OpenOCD version, that supports KitProg3, to be installed.
+The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging,
+flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and
+require a custom Infineon OpenOCD version, that supports KitProg3, to be installed.
 
-The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm. This can be enabled for an application by building with the rtt-console snippet or setting the following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y.
+The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm.
+This can be enabled for an application by building with the rtt-console snippet or setting the
+following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y.
 e.g. west build -p always -b cyw920829m2evk_02 samples/basic/blinky -S rtt-console
 
-As an additional note there is currently a discrepancy in RAM address between SEGGER and the CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000.
+As an additional note there is currently a discrepancy in RAM address between SEGGER and the
+CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set
+the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000.
 
 Infineon OpenOCD Installation
 =============================
 
-Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for your system and manually extract the files to a location of your choice.
+Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon
+OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package
+is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for
+your system and manually extract the files to a location of your choice.
 
-.. note:: Linux requires device access rights to be set up for KitProg3. This is handled automatically by the ModusToolbox and ModusToolbox Programming Tools installations. When doing a minimal installation, this can be done manually by executing the script ``openocd/udev_rules/install_rules.sh``.
+.. note:: Linux requires device access rights to be set up for KitProg3. This is handled
+    automatically by the ModusToolbox and ModusToolbox Programming Tools installations.
+    When doing a minimal installation, this can be done manually by executing the
+    script ``openocd/udev_rules/install_rules.sh``.
 
 West Commands
 =============
 
-The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool commands. There are multiple ways of doing this. The example below uses a permanent CMake argument to set the CMake variable ``OPENOCD``.
+The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool
+commands. There are multiple ways of doing this. The example below uses a permanent CMake argument
+to set the CMake variable ``OPENOCD``.
 
    .. tabs::
       .. group-tab:: Windows
@@ -117,7 +142,101 @@ The path to the installed Infineon OpenOCD executable must be available to the `
             west flash
             west debug
 
-Once the gdb console starts after executing the west debug command, you may now set breakpoints and perform other standard GDB debugging on the CYW20829 CM33 core.
+Once the gdb console starts after executing the west debug command, you may now set breakpoints and
+perform other standard GDB debugging on the CYW20829 CM33 core.
+
+Operate in SECURE Lifecycle Stage
+*********************************
+
+The device lifecycle stage (LCS) is a key aspect of the security of the AIROC™
+CYW20829 Bluetooth® MCU. The lifecycle stages follow a strict, irreversible progression dictated by
+the programming of the eFuse bits (changing the value from "0" to "1"). This system is used to
+protect the device's data and code at the level required by the user.
+SECURE is the lifecycle stage of a secured device.
+Follow the instructions in `AN239590 Provision CYW20829 to SECURE LCS`_ to transition the device
+to SECURE LCS. In the SECURE LCS stage, the protection state is set to secure. A secured device
+will only boot if the authentication of its flash content is successful.
+
+The following configuration options can be used to build for a device which has been provisioned
+to SECURE LCS and configured to use an encrypted flash interface:
+
+- ``CONFIG_INFINEON_SECURE_LCS=y``: Enable if the target device is in SECURE LCS
+- ``CONFIG_INFINEON_SECURE_POLICY="path/to/policy_secure.json"``: Path to the policy JSON file,
+  which was created for provisioning the device to SECURE LCS (refer to section 3.2 "Key creation"
+  of `AN239590 Provision CYW20829 to SECURE LCS`_)
+- ``CONFIG_INFINEON_SMIF_ENCRYPTION=y``: Enable to use encrypted flash interface when provisioned to
+  SECURE LCS.
+
+Here is an example for building the :zephyr:code-sample:`blinky` sample application for SECURE LCS.
+
+.. zephyr-app-commands::
+   :goals: build
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_INFINEON_SECURE_LCS=y -DCONFIG_INFINEON_SECURE_POLICY=\"policy/policy_secure.json\"
+
+Using MCUboot
+*************
+
+CYW20829 devices are supported by the Cypress MCU bootloader (MCUBootApp) from the
+`Cypress branch of MCUboot`_.
+
+Building Cypress MCU Bootloader MCUBootApp
+==========================================
+
+Please refer to the `CYW20829 platform description`_ and follow the instructions to understand the
+MCUBootApp building process for normal/secure silicon and its overall usage as a bootloader.
+Place keys and policy-related folders in the cypress directory ``mcuboot/boot/cypress/``.
+
+Ensure the default memory map matches the memory map of the Zephyr application (refer to partitions
+of flash0 in :zephyr_file:`boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts`).
+
+You can use ``west flash`` to flash MCUBootApp:
+
+.. code-block:: shell
+
+   # Flash MCUBootApp.hex
+   west flash --skip-rebuild --hex-file /path/to/cypress/mcuboot/boot/cypress/MCUBootApp/out/CYW20829/Debug/MCUBootApp.hex
+
+.. note:: ``west flash`` requires an existing Zephyr build directory which can be created by first
+    building any Zephyr application for the target board.
+
+Build Zephyr application
+========================
+Here is an example for building and flashing the :zephyr:code-sample:`blinky` sample application
+for MCUboot.
+
+.. zephyr-app-commands::
+   :goals: build flash
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\"
+
+If you use ``CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE`` to generate an encrypted image then the final
+hex will be ``zephyr.signed.encrypted.hex`` and the corresponding bin file will
+be ``zephyr.signed.encrypted.bin``. Use these files for flashing and ota uploading respectively.
+For example, to build and flash an encrypted :zephyr:code-sample:`blinky` sample application
+image for MCUboot:
+
+.. zephyr-app-commands::
+   :goals: build flash
+   :board: cyw920829m2evk_02
+   :zephyr-app: samples/basic/blinky
+   :west-args: -p always
+   :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\" -DCONFIG_MCUBOOT_ENCRYPTION_KEY_FILE=\"/path/to/cypress/mcuboot/enc-ec256-pub.pem\"
+   :flash-args: --hex-file build/zephyr/zephyr.signed.encrypted.hex
+
+
+.. _CYW20829 platform description:
+    https://github.com/mcu-tools/mcuboot/blob/v1.9.4-cypress/boot/cypress/platforms/CYW20829.md
+
+.. _Cypress branch of MCUboot:
+    https://github.com/mcu-tools/mcuboot/tree/cypress
+
+.. _AN239590 Provision CYW20829 to SECURE LCS:
+    https://www.infineon.com/dgdl/Infineon-AN239590_Provision_CYW20829_CYW89829_to_Secure_LCS-ApplicationNotes-v02_00-EN.pdf?fileId=8ac78c8c8d2fe47b018e3677dd517258
 
 .. _CYW20829 SoC Website:
     https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-bluetooth-le-bluetooth-multiprotocol/airoc-bluetooth-le/cyw20829/

soc/infineon/cat1b/cyw20829/CMakeLists.txt

@@ -32,63 +32,55 @@ math(EXPR flash_addr_offset
 set(gen_app_header_args --flash_addr_offset ${flash_addr_offset})
 set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
 
-if(CONFIG_INFINEON_SECURE_LCS OR CONFIG_BOOTLOADER_MCUBOOT)
+if(CONFIG_INFINEON_SECURE_LCS OR (DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE))
   # Check cysecuretools
   find_program(CYSECURETOOLS cysecuretools)
   if(NOT CYSECURETOOLS)
     message(FATAL_ERROR "Can't find cysecuretools. To fix, install cysecuretools with pip3.")
   else()
     message("-- Found cysecuretools: ${CYSECURETOOLS}")
   endif()
-endif()
 
-if(CONFIG_INFINEON_SECURE_LCS)
-  set(default_policy)
-  set(default_policy_name)
-
-  # Cysecuretools policy.
-  if(NOT CONFIG_INFINEON_SECURE_POLICY)
-    # Get default cysecuretools policy
-    if(CONFIG_INFINEON_SECURE_LCS)
-      message(INFO "CONFIG_INFINEON_SECURE_POLICY was not defined.")
-      set(default_policy_name policy_secure.json)
-    else()
-      set(default_policy_name policy_no_secure.json)
-    endif()
+  # Locate CySecureTools policy file
+  if(IS_ABSOLUTE "${CONFIG_INFINEON_SECURE_POLICY}")
+    cmake_path(SET cysecuretools_policy "${CONFIG_INFINEON_SECURE_POLICY}")
+  else()
+    find_file(
+      cysecuretools_policy
+      NAMES
+        "${CONFIG_INFINEON_SECURE_POLICY}"
+      PATHS
+        "${APPLICATION_SOURCE_DIR}"
+        "${WEST_TOPDIR}"
+        "${SOC_FULL_DIR}/cyw20829"
+      NO_DEFAULT_PATH
+      )
   endif()
 
-  find_file(
-    default_policy
-    NAMES
-        ${CONFIG_INFINEON_SECURE_POLICY}
-        ${default_policy_name}
-    PATHS
-        ${APPLICATION_SOURCE_DIR}
-        ${ZEPHYR_BASE}
-    NO_DEFAULT_PATH
-    )
-
-  if(NOT default_policy)
-      message(FATAL_ERROR "Can't find policy:${CONFIG_INFINEON_SECURE_POLICY}"
-              "/${default_policy_name}"
-              "Checked locations: ${APPLICATION_SOURCE_DIR}, ${ZEPHYR_BASE}")
+  if(NOT IS_ABSOLUTE "${cysecuretools_policy}" OR NOT EXISTS "${cysecuretools_policy}")
+    message(FATAL_ERROR "Can't find policy file \"${CONFIG_INFINEON_SECURE_POLICY}\" "
+    "(Note: Relative paths are searched through "
+    "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" "
+    "and WEST_TOPDIR=\"${WEST_TOPDIR}\")")
   endif()
 
-  set(cysecuretools_policy ${default_policy} CACHE PATH "cysecuretools policy")
   message("-- Using cysecuretools policy: ${cysecuretools_policy}")
+  set(CYSECURETOOLS_POLICY ${cysecuretools_policy} CACHE PATH "cysecuretool policy")
 endif()
 
 if(CONFIG_INFINEON_SECURE_LCS)
   #
-  # Addition postbuild action for SECURE LCS
+  # Additional postbuild action for SECURE LCS
   #
   set(gen_app_header_args ${gen_app_header_args} --secure_lcs True)
-  set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed)
+  set(app_signed_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed)
+  set(app_signed_enc_path "${app_signed_path}")
 
   if(CONFIG_INFINEON_SMIF_ENCRYPTION)
     set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin)
     set(enc_option --encrypt --nonce-output nonce-output.bin)
-    set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed.encrypted)
+    # The encrypted image file path generated by cysecuretools
+    set(app_signed_enc_path "${app_signed_path}_encrypted")
   endif()
 
   set(bin2hex_option bin2hex --image ${app_signed_enc_path}.bin --output ${app_signed_enc_path}.hex --offset 0x60000030)
@@ -97,7 +89,7 @@ if(CONFIG_INFINEON_SECURE_LCS)
   set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
     COMMAND ${CYSECURETOOLS} -q -t cyw20829
       -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app
-      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_enc_path}.bin
+      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_path}.bin
       --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030
       ${enc_option} ${bin2hex_option}
     )
@@ -111,7 +103,7 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
     --bootstrap-dst-addr ${bootstrap_dst_addr}
   )
 
-set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex)
+set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex  CACHE PATH "merged hex")
 
 # Merge platform specific header and zephyr image to a single binary.
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
@@ -121,3 +113,9 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
   )
 
 set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${MERGED_FILE})
+
+# Use custom mcuboot cmake for sign/encrypt by using cysecuretools
+if(CONFIG_BOOTLOADER_MCUBOOT)
+  set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT
+    ${CMAKE_CURRENT_LIST_DIR}/mcuboot.cmake)
+endif()

soc/infineon/cat1b/cyw20829/Kconfig

@@ -26,6 +26,7 @@ config INFINEON_SECURE_LCS
 
 config INFINEON_SECURE_POLICY
 	string "Path to policy JSON file"
+	default "default_policy.json"
 	help
 	  Policy is a text file in JSON format that contains a set of properties
 	  for the device configuration (e.g., enabling/disabling debug access ports,