diff --git a/boards/infineon/cyw920829m2evk_02/Kconfig.defconfig b/boards/infineon/cyw920829m2evk_02/Kconfig.defconfig index 645567a40c7ef..f58a5582d26f5 100644 --- a/boards/infineon/cyw920829m2evk_02/Kconfig.defconfig +++ b/boards/infineon/cyw920829m2evk_02/Kconfig.defconfig @@ -11,3 +11,6 @@ endchoice config HEAP_MEM_POOL_ADD_SIZE_BOARD int default 10096 + +config ROM_START_OFFSET + default 0x0 if BOOTLOADER_MCUBOOT diff --git a/boards/infineon/cyw920829m2evk_02/board.cmake b/boards/infineon/cyw920829m2evk_02/board.cmake index be95fa715a3f5..76fe7d1bdc4e4 100644 --- a/boards/infineon/cyw920829m2evk_02/board.cmake +++ b/boards/infineon/cyw920829m2evk_02/board.cmake @@ -2,6 +2,21 @@ # SPDX-License-Identifier: Apache-2.0 board_runner_args(openocd "--target-handle=TARGET.cm33") + +# MCUboot requires a flashloader with 64k erase size, please use 'west blobs fetch hal_infineon' to download it. +if(CONFIG_BOOTLOADER_MCUBOOT) + set(flashloader_blobs_path ${ZEPHYR_HAL_INFINEON_MODULE_DIR}/zephyr/blobs/flashloader/TARGET_CYW920829M2EVK-02) + + if(NOT EXISTS ${flashloader_blobs_path}/CYW208xx_SMIF_64K.FLM) + message(WARNING "MCUboot requires a flashloader with 64k erase size, please use 'west blobs fetch hal_infineon' to download it") + else() + board_runner_args(openocd "--openocd-search=${flashloader_blobs_path}") + board_runner_args(openocd "--config=${BOARD_DIR}/support/openocd_CYW208xx_SMIF_64K.cfg") + endif() +endif() + include(${ZEPHYR_BASE}/boards/common/openocd.board.cmake) board_runner_args(jlink "--device=CYW20829_tm") include (${ZEPHYR_BASE}/boards/common/jlink.board.cmake) + +set_property(TARGET runners_yaml_props_target PROPERTY hex_file zephyr_merged.hex) diff --git a/boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts b/boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts index 92a748d2ee1b7..b398836798019 100644 --- a/boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts +++ b/boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts @@ -19,7 +19,8 @@ chosen { zephyr,sram = &sram0; - zephyr,flash = &app_region; + zephyr,flash = &flash0; + zephyr,code-partition = &slot0_partition; zephyr,console = &uart2; zephyr,shell-uart = &uart2; zephyr,bt-hci = &bluetooth; @@ -99,45 +100,48 @@ uart2: &scb2 { status = "okay"; }; -/ { - qspi_flash: qspi_flash@40890000 { - compatible = "infineon,cat1-qspi-flash"; - reg = <0x40890000 0x30000>; + +&qspi_flash { + flash0: flash@8000000 { + compatible = "soc-nv-flash"; + reg = <0x08000000 DT_SIZE_M(1)>; + write-block-size = <1>; + erase-block-size = ; #address-cells = <1>; #size-cells = <1>; - flash0: flash@8000000 { - compatible = "soc-nv-flash"; - reg = <0x08000000 DT_SIZE_K(512)>; - write-block-size = <1>; - erase-block-size = ; + /* Keep bootstrap_region node to know size, finaly it will + * locate on beginning of code-partition. The BootROM copies + * bootstrap application in RAM and launches it. + */ + bootstrap_region: bootstrap_region@0 { + reg = <0 BOOTSTRAP_SIZE>; + }; + + partitions { + compatible = "fixed-partitions"; #address-cells = <1>; #size-cells = <1>; - toc2_region: toc2_region@8000000 { - compatible = "zephyr,memory-region", "soc-nv-flash"; - zephyr,memory-region = "APP_HEADER_FLASH"; - reg = <0x08000000 0x50>; - }; - bootstrap_region: bootstrap_region@8000050 { - compatible = "zephyr,memory-region", "soc-nv-flash"; - zephyr,memory-region = "BOOTSTRAP_FLASH"; - reg = <0x08000050 DT_SIZE_K(12)>; + boot_partition: partition@0 { + label = "mcuboot"; + reg = <0x0 0x20000>; + read-only; }; - app_region: app_region@8003050 { - compatible = "soc-nv-flash"; - reg = <0x08003050 0x6CFB0>; /* 435kb */ + + slot0_partition: partition@20000 { + label = "image-0"; + reg = <0x20000 0x60000>; }; - partitions { - compatible = "fixed-partitions"; - #address-cells = <1>; - #size-cells = <1>; + slot1_partition: partition@80000 { + label = "image-1"; + reg = <0x80000 0x60000>; + }; - storage_partition: storage_partition@60000 { - compatible = "soc-nv-flash"; - reg = <0x60000 DT_SIZE_K(64)>; - }; + storage_partition: storage_partition@E0000 { + compatible = "soc-nv-flash"; + reg = <0xE0000 DT_SIZE_K(64)>; }; }; }; diff --git a/boards/infineon/cyw920829m2evk_02/doc/index.rst b/boards/infineon/cyw920829m2evk_02/doc/index.rst index 0dd56962c1500..f1101dc3e9c9e 100644 --- a/boards/infineon/cyw920829m2evk_02/doc/index.rst +++ b/boards/infineon/cyw920829m2evk_02/doc/index.rst @@ -3,9 +3,19 @@ Overview ******** -The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board peripherals enables evaluation, prototyping, and development of a wide array of Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829. The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases including industrial IoT applications, smart home, asset tracking, beacons and sensors, and medical devices. - -The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor, analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO support with extended headers and Arduino Uno R3 compatibility for third-party shields. +The AIROC™ CYW20829 Bluetooth® LE MCU Evaluation Kit (CYW920829M2EVK-02) with its included on-board +peripherals enables evaluation, prototyping, and development of a wide array of +Bluetooth® Low Energy applications, all on Infineon's low power, high performance AIROC™ CYW20829. +The AIROC™ CYW20829's robust RF performance and 10 dBm TX output power without an external power +amplifier (PA). This provides enough link budget for the entire spectrum of Bluetooth® LE use cases +including industrial IoT applications, smart home, asset tracking, beacons and sensors, and +medical devices. + +The system features Dual Arm® Cortex® - M33s for powering the MCU and Bluetooth subsystem with +programmable and reconfigurable analog and digital blocks. In addition, on the kit, there is a +suite of on-board peripherals including six-axis inertial measurement unit (IMU), thermistor, +analog mic, user programmable buttons (2), LEDs (2), and RGB LED. There is also extensive GPIO +support with extended headers and Arduino Uno R3 compatibility for third-party shields. Hardware ******** @@ -20,7 +30,8 @@ Kit Features: - AIROC™ CYW20829 Bluetooth® LE MCU in 56 pin QFN package - Arduino compatible headers for hardware expansion -- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone, and Infineon digital microphone +- On-board sensors - 6-axis IMU, Thermistor, Infineon analog microphone, + and Infineon digital microphone - User switches, RGB LED and user LEDs - USB connector for power, programming and USB-UART bridge @@ -71,24 +82,38 @@ Programming and Debugging .. zephyr:board-supported-runners:: -The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging, flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and require a custom Infineon OpenOCD version, that supports KitProg3, to be installed. +The CYW920829M2EVK-02 includes an onboard programmer/debugger (`KitProg3`_) to provide debugging, +flash programming, and serial communication over USB. Flash and debug commands use OpenOCD and +require a custom Infineon OpenOCD version, that supports KitProg3, to be installed. -The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm. This can be enabled for an application by building with the rtt-console snippet or setting the following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y. +The CYW920829M2EVK-02 supports RTT via a SEGGER JLink device, under the target name cyw20829_tm. +This can be enabled for an application by building with the rtt-console snippet or setting the +following config values: CONFIG_UART_CONSOLE=n, CONFIG_RTT_CONSOLE=y, and CONFIG_USE_SEGGER_RTT=y. e.g. west build -p always -b cyw920829m2evk_02 samples/basic/blinky -S rtt-console -As an additional note there is currently a discrepancy in RAM address between SEGGER and the CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000. +As an additional note there is currently a discrepancy in RAM address between SEGGER and the +CYW920829M2EVK-02 device. So, for RTT control block, do not use "Auto Detection". Instead, set +the search range to something reflecting: RAM RangeStart at 0x20000000 and RAM RangeSize of 0x3d000. Infineon OpenOCD Installation ============================= -Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for your system and manually extract the files to a location of your choice. +Both the full `ModusToolbox`_ and the `ModusToolbox Programming Tools`_ packages include Infineon +OpenOCD. Installing either of these packages will also install Infineon OpenOCD. If neither package +is installed, a minimal installation can be done by downloading the `Infineon OpenOCD`_ release for +your system and manually extract the files to a location of your choice. -.. note:: Linux requires device access rights to be set up for KitProg3. This is handled automatically by the ModusToolbox and ModusToolbox Programming Tools installations. When doing a minimal installation, this can be done manually by executing the script ``openocd/udev_rules/install_rules.sh``. +.. note:: Linux requires device access rights to be set up for KitProg3. This is handled + automatically by the ModusToolbox and ModusToolbox Programming Tools installations. + When doing a minimal installation, this can be done manually by executing the + script ``openocd/udev_rules/install_rules.sh``. West Commands ============= -The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool commands. There are multiple ways of doing this. The example below uses a permanent CMake argument to set the CMake variable ``OPENOCD``. +The path to the installed Infineon OpenOCD executable must be available to the ``west`` tool +commands. There are multiple ways of doing this. The example below uses a permanent CMake argument +to set the CMake variable ``OPENOCD``. .. tabs:: .. group-tab:: Windows @@ -117,7 +142,101 @@ The path to the installed Infineon OpenOCD executable must be available to the ` west flash west debug -Once the gdb console starts after executing the west debug command, you may now set breakpoints and perform other standard GDB debugging on the CYW20829 CM33 core. +Once the gdb console starts after executing the west debug command, you may now set breakpoints and +perform other standard GDB debugging on the CYW20829 CM33 core. + +Operate in SECURE Lifecycle Stage +********************************* + +The device lifecycle stage (LCS) is a key aspect of the security of the AIROC™ +CYW20829 Bluetooth® MCU. The lifecycle stages follow a strict, irreversible progression dictated by +the programming of the eFuse bits (changing the value from "0" to "1"). This system is used to +protect the device's data and code at the level required by the user. +SECURE is the lifecycle stage of a secured device. +Follow the instructions in `AN239590 Provision CYW20829 to SECURE LCS`_ to transition the device +to SECURE LCS. In the SECURE LCS stage, the protection state is set to secure. A secured device +will only boot if the authentication of its flash content is successful. + +The following configuration options can be used to build for a device which has been provisioned +to SECURE LCS and configured to use an encrypted flash interface: + +- :kconfig:option:`CONFIG_INFINEON_SECURE_LCS`: Enable if the target device is in SECURE LCS +- :kconfig:option:`CONFIG_INFINEON_SECURE_POLICY`: Path to the policy JSON file, + which was created for provisioning the device to SECURE LCS (refer to section 3.2 "Key creation" + of `AN239590 Provision CYW20829 to SECURE LCS`_) +- :kconfig:option:`CONFIG_INFINEON_SMIF_ENCRYPTION`: Enable to use encrypted flash interface when provisioned to + SECURE LCS. + +Here is an example for building the :zephyr:code-sample:`blinky` sample application for SECURE LCS. + +.. zephyr-app-commands:: + :goals: build + :board: cyw920829m2evk_02 + :zephyr-app: samples/basic/blinky + :west-args: -p always + :gen-args: -DCONFIG_INFINEON_SECURE_LCS=y -DCONFIG_INFINEON_SECURE_POLICY=\"policy/policy_secure.json\" + +Using MCUboot +************* + +CYW20829 devices are supported by the Cypress MCU bootloader (MCUBootApp) from the +`Cypress branch of MCUboot`_. + +Building Cypress MCU Bootloader MCUBootApp +========================================== + +Please refer to the `CYW20829 platform description`_ and follow the instructions to understand the +MCUBootApp building process for normal/secure silicon and its overall usage as a bootloader. +Place keys and policy-related folders in the cypress directory ``mcuboot/boot/cypress/``. + +Ensure the default memory map matches the memory map of the Zephyr application (refer to partitions +of flash0 in :zephyr_file:`boards/infineon/cyw920829m2evk_02/cyw920829m2evk_02.dts`). + +You can use ``west flash`` to flash MCUBootApp: + +.. code-block:: shell + + # Flash MCUBootApp.hex + west flash --skip-rebuild --hex-file /path/to/cypress/mcuboot/boot/cypress/MCUBootApp/out/CYW20829/Debug/MCUBootApp.hex + +.. note:: ``west flash`` requires an existing Zephyr build directory which can be created by first + building any Zephyr application for the target board. + +Build Zephyr application +======================== +Here is an example for building and flashing the :zephyr:code-sample:`blinky` sample application +for MCUboot. + +.. zephyr-app-commands:: + :goals: build flash + :board: cyw920829m2evk_02 + :zephyr-app: samples/basic/blinky + :west-args: -p always + :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\" + +If you use :kconfig:option:`CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE` to generate an encrypted image then the final +hex will be ``zephyr.signed.encrypted.hex`` and the corresponding bin file will +be ``zephyr.signed.encrypted.bin``. Use these files for flashing and ota uploading respectively. +For example, to build and flash an encrypted :zephyr:code-sample:`blinky` sample application +image for MCUboot: + +.. zephyr-app-commands:: + :goals: build flash + :board: cyw920829m2evk_02 + :zephyr-app: samples/basic/blinky + :west-args: -p always + :gen-args: -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/path/to/cypress/mcuboot/boot/cypress/keys/cypress-test-ec-p256.pem\" -DCONFIG_MCUBOOT_ENCRYPTION_KEY_FILE=\"/path/to/cypress/mcuboot/enc-ec256-pub.pem\" + :flash-args: --hex-file build/zephyr/zephyr.signed.encrypted.hex + + +.. _CYW20829 platform description: + https://github.com/mcu-tools/mcuboot/blob/v1.9.4-cypress/boot/cypress/platforms/CYW20829.md + +.. _Cypress branch of MCUboot: + https://github.com/mcu-tools/mcuboot/tree/cypress + +.. _AN239590 Provision CYW20829 to SECURE LCS: + https://www.infineon.com/dgdl/Infineon-AN239590_Provision_CYW20829_CYW89829_to_Secure_LCS-ApplicationNotes-v02_00-EN.pdf?fileId=8ac78c8c8d2fe47b018e3677dd517258 .. _CYW20829 SoC Website: https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-bluetooth-le-bluetooth-multiprotocol/airoc-bluetooth-le/cyw20829/ diff --git a/boards/infineon/cyw920829m2evk_02/support/openocd.cfg b/boards/infineon/cyw920829m2evk_02/support/openocd.cfg index fe70fb383a8a3..d6578e98a03aa 100644 --- a/boards/infineon/cyw920829m2evk_02/support/openocd.cfg +++ b/boards/infineon/cyw920829m2evk_02/support/openocd.cfg @@ -2,7 +2,6 @@ # Copyright (c) 2018 Linaro Limited. # # SPDX-License-Identifier: Apache-2.0 - source [find interface/kitprog3.cfg] transport select swd diff --git a/boards/infineon/cyw920829m2evk_02/support/openocd_CYW208xx_SMIF_64K.cfg b/boards/infineon/cyw920829m2evk_02/support/openocd_CYW208xx_SMIF_64K.cfg new file mode 100644 index 0000000000000..d1f0a09f855ba --- /dev/null +++ b/boards/infineon/cyw920829m2evk_02/support/openocd_CYW208xx_SMIF_64K.cfg @@ -0,0 +1,7 @@ +# +# Copyright (c) 2018 Linaro Limited. +# +# SPDX-License-Identifier: Apache-2.0 +set QSPI_FLASHLOADER "CYW208xx_SMIF_64K.FLM" + +source [find openocd.cfg] diff --git a/dts/arm/infineon/cat1b/cyw20829/cyw20829.dtsi b/dts/arm/infineon/cat1b/cyw20829/cyw20829.dtsi index 69ef3d0fbf668..95246d3d4197b 100644 --- a/dts/arm/infineon/cat1b/cyw20829/cyw20829.dtsi +++ b/dts/arm/infineon/cat1b/cyw20829/cyw20829.dtsi @@ -7,6 +7,9 @@ #include +#define BOOTSTRAP_SIZE DT_SIZE_K(12) +#define SRAM0_SIZE (DT_SIZE_K(256) - BOOTSTRAP_SIZE) + / { cpus { #address-cells = <1>; @@ -35,14 +38,46 @@ }; sram0: memory@20000000 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "mmio-sram"; - reg = <0x20000000 DT_SIZE_K(244)>; + reg = <0x20000000 SRAM0_SIZE>; + + /* SRAM aliased address path */ + sram_sahb: sram_bus_alias@20000000 { + reg = <0x20000000 SRAM0_SIZE>; /* SAHB address */ + }; + + sram_cbus: sram_bus_alias@4000000 { + reg = <0x04000000 SRAM0_SIZE>; /* CBUS address */ + }; }; + /* sram_bootstrap address calculation: + * sram_sahb + sram_size (256k) - bootstrap size + * (e.g. 0x20000000 + 0x40000 - 12K (0x3000) = 0x2003D000) + */ sram_bootstrap: memory@2003D000 { compatible = "zephyr,memory-region", "mmio-sram"; zephyr,memory-region = "BOOTSTRAP_RAM"; - reg = <0x2003D000 DT_SIZE_K(12)>; + reg = <0x2003D000 BOOTSTRAP_SIZE>; + }; + + qspi_flash: qspi_flash@40890000 { + compatible = "infineon,cat1-qspi-flash"; + reg = <0x40890000 0x30000>; + #address-cells = <1>; + #size-cells = <1>; + }; + + /* Flash aliased address path */ + flash_sahb: flash_bus_alias@60000000 { + reg = <0x60000000 0x80000>; /* SAHB address */ + }; + + flash_cbus: flash_bus_alias@8000000 { + reg = <0x08000000 0x80000>; /* CBUS address */ }; soc { diff --git a/soc/infineon/cat1b/cyw20829/CMakeLists.txt b/soc/infineon/cat1b/cyw20829/CMakeLists.txt index 5bbff012c05f5..04368077e9c4f 100644 --- a/soc/infineon/cat1b/cyw20829/CMakeLists.txt +++ b/soc/infineon/cat1b/cyw20829/CMakeLists.txt @@ -1,8 +1,7 @@ -# Copyright (c) 2023 Cypress Semiconductor Corporation. +# Copyright (c) 2024 Cypress Semiconductor Corporation. # SPDX-License-Identifier: Apache-2.0 zephyr_sources(soc.c) -zephyr_sources(app_header.c) zephyr_sources(mpu_regions.c) zephyr_include_directories(.) @@ -17,5 +16,111 @@ zephyr_compile_definitions(COMPONENT_CM33) zephyr_compile_definitions(FLASH_BOOT) zephyr_compile_definitions(CY_PDL_FLASH_BOOT) -# Use custome linker script +# Use custom linker script set(SOC_LINKER_SCRIPT ${ZEPHYR_BASE}/soc/infineon/cat1b/cyw20829/linker.ld CACHE INTERNAL "") + +# Get sram_bootstrap address and size +dt_nodelabel(sram_bootstrap NODELABEL "sram_bootstrap") +dt_reg_addr(bootstrap_dst_addr PATH ${sram_bootstrap}) +dt_reg_size(bootstrap_size PATH ${sram_bootstrap}) + +set(gen_app_header_args) +set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}) + +if(CONFIG_INFINEON_SECURE_LCS OR (DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE)) + # Check cysecuretools + find_program(CYSECURETOOLS cysecuretools REQUIRED) + message("-- Found cysecuretools: ${CYSECURETOOLS}") + + # Locate CySecureTools policy file + if(IS_ABSOLUTE "${CONFIG_INFINEON_SECURE_POLICY}") + cmake_path(SET cysecuretools_policy "${CONFIG_INFINEON_SECURE_POLICY}") + else() + find_file( + cysecuretools_policy + NAMES + "${CONFIG_INFINEON_SECURE_POLICY}" + PATHS + "${APPLICATION_SOURCE_DIR}" + "${WEST_TOPDIR}" + "${SOC_FULL_DIR}/cyw20829" + NO_DEFAULT_PATH + ) + endif() + + if(NOT IS_ABSOLUTE "${cysecuretools_policy}" OR NOT EXISTS "${cysecuretools_policy}") + message(FATAL_ERROR "Can't find policy file \"${CONFIG_INFINEON_SECURE_POLICY}\" " + "(Note: Relative paths are searched through " + "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" " + "and WEST_TOPDIR=\"${WEST_TOPDIR}\")") + endif() + + message("-- Using cysecuretools policy: ${cysecuretools_policy}") + set(CYSECURETOOLS_POLICY ${cysecuretools_policy} CACHE PATH "cysecuretools policy") +endif() + +if(CONFIG_INFINEON_SECURE_LCS) + # + # Additional postbuild action for SECURE LCS + # + set(gen_app_header_args ${gen_app_header_args} --secure_lcs True) + set(app_signed_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed) + set(app_signed_enc_path "${app_signed_path}") + + if(CONFIG_INFINEON_SMIF_ENCRYPTION) + set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin) + set(enc_option --encrypt --nonce-output nonce-output.bin) + # The encrypted image file path generated by cysecuretools + set(app_signed_enc_path "${app_signed_path}_encrypted") + endif() + + set(bin2hex_option bin2hex --image ${app_signed_enc_path}.bin --output ${app_signed_enc_path}.hex --offset 0x60000030) + + # Sign Zephyr L1 app in SECURE LCS + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands + COMMAND ${CYSECURETOOLS} -q -t cyw20829 + -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app + -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_path}.bin + --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030 + ${enc_option} ${bin2hex_option} + ) +endif() + +# By default the MCUboot header size if set to 0x400 by the cysecuretools +# https://github.com/Infineon/edgeprotecttools/blob/master/docs/README_GENERAL.md#sign-image +set(mcuboot_header_offset 0) +if((DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE)) +set(mcuboot_header_offset 0x400) +endif() + +# Calculate the place in flash +math(EXPR flash_addr_offset + "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET} + ${mcuboot_header_offset}" + OUTPUT_FORMAT HEXADECIMAL +) +set(gen_app_header_args ${gen_app_header_args} --flash_addr_offset ${flash_addr_offset} ) + +# Generate platform specific header (TOC2, l1_desc, etc) +set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/soc/infineon/cat1b/cyw20829/gen_app_header.py + -p ${ZEPHYR_BINARY_DIR} -n ${KERNEL_NAME} ${gen_app_header_args} + --bootstrap-size ${bootstrap_size} + --bootstrap-dst-addr ${bootstrap_dst_addr} + ) + +set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex CACHE PATH "merged hex") + +# Merge platform specific header and zephyr image to a single binary. +set_property(GLOBAL APPEND PROPERTY extra_post_build_commands + COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py + -o ${MERGED_FILE} + ${app_signed_enc_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex + ) + +set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${MERGED_FILE}) + +# Use custom mcuboot cmake for sign/encrypt by using cysecuretools +if(CONFIG_BOOTLOADER_MCUBOOT) + set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT + ${CMAKE_CURRENT_LIST_DIR}/mcuboot.cmake) +endif() diff --git a/soc/infineon/cat1b/cyw20829/Kconfig b/soc/infineon/cat1b/cyw20829/Kconfig index f4e960d65c49f..c86d521602052 100644 --- a/soc/infineon/cat1b/cyw20829/Kconfig +++ b/soc/infineon/cat1b/cyw20829/Kconfig @@ -16,3 +16,40 @@ config SOC_SERIES_CYW20829 select BUILD_OUTPUT_HEX select BUILD_OUTPUT_BIN select SOC_EARLY_INIT_HOOK + +config INFINEON_SECURE_LCS + bool "Secure LCS stage support" + help + Enable support of SECURE LCS stage. In this stage, the protection + state is set to “secure”. A secured device will boot only when the + authentication of its flash boot and application code succeeds. + +config INFINEON_SECURE_POLICY + string "Path to policy JSON file" + default "default_policy.json" + help + Policy is a text file in JSON format that contains a set of properties + for the device configuration (e.g., enabling/disabling debug access ports, + SMIF configuration, keys information, etc). + +config INFINEON_SMIF_ENCRYPTION + bool "SMIF encryption support" + depends on INFINEON_SECURE_LCS + help + Enables SMIF encryption. + +config CYW20829_FLASH_SAHB_ADDR + hex + default $(dt_nodelabel_reg_addr_hex,flash_sahb) + +config CYW20829_FLASH_CBUS_ADDR + hex + default $(dt_nodelabel_reg_addr_hex,flash_cbus) + +config CYW20829_SRAM_SAHB_ADDR + hex + default $(dt_nodelabel_reg_addr_hex,sram_sahb) + +config CYW20829_SRAM_CBUS_ADDR + hex + default $(dt_nodelabel_reg_addr_hex,sram_cbus) diff --git a/soc/infineon/cat1b/cyw20829/app_header.c b/soc/infineon/cat1b/cyw20829/app_header.c deleted file mode 100644 index 9d64178b1e23f..0000000000000 --- a/soc/infineon/cat1b/cyw20829/app_header.c +++ /dev/null @@ -1,45 +0,0 @@ -/* Copyright 2023 Cypress Semiconductor Corporation (an Infineon company) or - * an affiliate of Cypress Semiconductor Corporation - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include -#include - -struct toc2_data { - uint32_t toc2_size; - uint32_t l1_app_descr_addr; - uint32_t service_app_descr_addr; - uint32_t debug_cert_addr; -} __packed; - -struct l1_desc { - uint32_t l1_app_descr_size; - uint32_t boot_strap_addr; - uint32_t boot_strap_dst_addr; - uint32_t boot_strap_size; - uint32_t reserved[3]; -} __packed; - -struct l1_usr_app_hdr { - uint8_t reserved[32]; -} __packed; - -struct app_header { - struct toc2_data toc2_data; - struct l1_desc l1_desc; - uint8_t padding[4]; - struct l1_usr_app_hdr l1_usr_app_hdr; -} __packed; - -const struct app_header app_header Z_GENERIC_SECTION(.app_header) = { - .toc2_data = {.toc2_size = sizeof(struct toc2_data), - .l1_app_descr_addr = offsetof(struct app_header, l1_desc)}, - .l1_desc = {.l1_app_descr_size = sizeof(struct l1_desc), - .boot_strap_addr = DT_REG_ADDR(DT_NODELABEL(bootstrap_region)) - - DT_REG_ADDR(DT_NODELABEL(flash0)), - .boot_strap_dst_addr = DT_REG_ADDR(DT_NODELABEL(sram_bootstrap)), - .boot_strap_size = DT_REG_SIZE(DT_NODELABEL(sram_bootstrap))}, -}; diff --git a/soc/infineon/cat1b/cyw20829/bootstrap.ld b/soc/infineon/cat1b/cyw20829/bootstrap.ld index da007baa74912..1ffa7c33b2054 100644 --- a/soc/infineon/cat1b/cyw20829/bootstrap.ld +++ b/soc/infineon/cat1b/cyw20829/bootstrap.ld @@ -1,18 +1,13 @@ -/* Copyright 2024 Cypress Semiconductor Corporation (an Infineon company) or +/* Copyright 2025 Cypress Semiconductor Corporation (an Infineon company) or * an affiliate of Cypress Semiconductor Corporation * * SPDX-License-Identifier: Apache-2.0 */ -SECTIONS -{ - .app_header : - { - KEEP(*(.app_header)) - } > APP_HEADER_FLASH - - /* Cortex-M33 bootstrap code area */ - .bootstrapText : + /* Cortex-M33 bootstrap code area */ + bootstrap.text_lma = BS_CODE_LMA_CBUS; + bootstrap.text_vma = BS_CODE_VMA_CBUS; + .bootstrapText (bootstrap.text_vma) : AT (bootstrap.text_lma) { . = ALIGN(4); __bootstrapText_begin = .; @@ -49,9 +44,11 @@ SECTIONS . = ALIGN(4); __bootstrapText_end = .; - } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH + } - .bootstrapzero.table : + bootstrap.zerotable.vma = (__bootstrapText_end); + bootstrap.zerotable.lma = (bootstrap.text_lma + (__bootstrapText_end - __bootstrapText_begin)); + .bootstrapzero.table (bootstrap.zerotable.vma): AT (bootstrap.zerotable.lma) { . = ALIGN(4); __bootstrapzero_table_start__ = .; @@ -59,9 +56,11 @@ SECTIONS LONG ((__bootstrap_bss_end__ - __bootstrap_bss_start__)/4) . = ALIGN(4); __bootstrapzero_table_end__ = .; - } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH + } - .bootstrapData : + bootstrap.data.vma = ((__bootstrapzero_table_end__ - RAM_START_ADDR_CBUS) + RAM_START_ADDR_SAHB); /* CBUS -> SAHB */ + bootstrap.data.lma = (bootstrap.zerotable.lma + (__bootstrapzero_table_end__ - __bootstrapzero_table_start__)); + .bootstrapData (bootstrap.data.vma): AT (bootstrap.data.lma) { __bootstrapData_start__ = .; . = ALIGN(4); @@ -85,9 +84,9 @@ SECTIONS . = ALIGN(4); __bootstrapData_end__ = .; - } > BOOTSTRAP_RAM AT>BOOTSTRAP_FLASH + } > BOOTSTRAP_RAM - .bootstrapBss (NOLOAD): + .bootstrapBss (__bootstrapData_end__) (NOLOAD): { . = ALIGN(4); __bootstrap_bss_start__ = .; @@ -111,4 +110,3 @@ SECTIONS . = ALIGN(4); __bootstrap_bss_end__ = .; } > BOOTSTRAP_RAM -} diff --git a/soc/infineon/cat1b/cyw20829/default_policy.json b/soc/infineon/cat1b/cyw20829/default_policy.json new file mode 100644 index 0000000000000..d7d7280782a03 --- /dev/null +++ b/soc/infineon/cat1b/cyw20829/default_policy.json @@ -0,0 +1,15 @@ +{ + "policy": { + "platform": "cyw20829", + "version": 2.0, + "type": "no_secure" + }, + "device_policy": + { + "flow_control": + { + "target_lcs": { + } + } + } +} diff --git a/soc/infineon/cat1b/cyw20829/gen_app_header.py b/soc/infineon/cat1b/cyw20829/gen_app_header.py new file mode 100644 index 0000000000000..928f971c46563 --- /dev/null +++ b/soc/infineon/cat1b/cyw20829/gen_app_header.py @@ -0,0 +1,139 @@ +# Copyright (c) 2024 Cypress Semiconductor Corporation. +# SPDX-License-Identifier: Apache-2.0 + +import argparse +import ctypes +import sys +from pathlib import Path + +from intelhex import bin2hex + +# Const +TOC2_SIZE = 16 +L1_APP_DESCR_SIZE = 28 +L1_APP_DESCR_ADDR = 0x10 +DEBUG_CERT_ADDR = 0x0 +SERV_APP_DESCR_ADDR = 0x0 + +DEBUG = False + + +# Define the structures +class TOC2Data(ctypes.Structure): + _fields_ = [ + ("toc2_size", ctypes.c_uint32), + ("l1_app_descr_addr", ctypes.c_uint32), + ("service_app_descr_addr", ctypes.c_uint32), + ("debug_cert_addr", ctypes.c_uint32), + ] + + +class L1Desc(ctypes.Structure): + _fields_ = [ + ("l1_app_descr_size", ctypes.c_uint32), + ("boot_strap_addr", ctypes.c_uint32), + ("boot_strap_dst_addr", ctypes.c_uint32), + ("boot_strap_size", ctypes.c_uint32), + ("smif_crypto_cfg", ctypes.c_uint8 * 12), + ("reserve", ctypes.c_uint8 * 4), + ] + + +class SignHeader(ctypes.Structure): + _fields_ = [ + ("reserved", ctypes.c_uint8 * 32), # 32b for sign header + ] + + +def generate_platform_headers( + secure_lcs, + output_path, + project_name, + bootstrap_size, + bootstrap_dst_addr, + flash_addr_offset, + smif_config, +): + ######################### Generate TOC2 ######################### + toc2_data = TOC2Data( + toc2_size=TOC2_SIZE, + l1_app_descr_addr=L1_APP_DESCR_ADDR, + service_app_descr_addr=SERV_APP_DESCR_ADDR, + debug_cert_addr=DEBUG_CERT_ADDR, + ) + + ###################### Generate L1_APP_DESCR #################### + if secure_lcs: + boot_strap_addr = 0x30 # Fix address for signed image + else: + boot_strap_addr = 0x50 # Fix address for un-signed image + + l1_desc = L1Desc( + l1_app_descr_size=L1_APP_DESCR_SIZE, + boot_strap_addr=boot_strap_addr, + boot_strap_dst_addr=int(bootstrap_dst_addr, 16), + boot_strap_size=int(bootstrap_size, 16), + ) + + if smif_config: + with open(smif_config, 'rb') as binary_file: + l1_desc.smif_crypto_cfg[0:] = binary_file.read() + + # Write the structure to a binary file + with open(Path(output_path) / 'app_header.bin', 'wb') as f: + f.write(bytearray(toc2_data)) + f.write(bytearray(l1_desc)) + + if not secure_lcs: + f.write(bytearray(SignHeader())) + + # Generate hex from bin + sys.exit( + bin2hex( + Path(output_path) / 'app_header.bin', + Path(output_path) / 'app_header.hex', + int(flash_addr_offset, 16), + ) + ) + + +def main(): + parser = argparse.ArgumentParser(allow_abbrev=False) + parser.add_argument( + '-m', + '--secure_lcs', + required=False, + type=bool, + default=False, + help='Use SECURE Life Cycle stage: True/False', + ) + + parser.add_argument('-p', '--project-path', required=True, help='path to application artifacts') + parser.add_argument('-n', '--project-name', required=True, help='Application name') + parser.add_argument('-k', '--keys', required=False, help='Path to keys') + + parser.add_argument('--bootstrap-size', required=False, help='Bootstrap size') + parser.add_argument( + '--bootstrap-dst-addr', + required=False, + help='Bootstrap destanation address. Should be in RAM (SAHB)', + ) + + parser.add_argument('--flash_addr_offset', required=False, help='Flash offset') + + parser.add_argument('-s', '--smif-config', required=False, help='smif config file') + args = parser.parse_args() + + generate_platform_headers( + args.secure_lcs, + args.project_path, + args.project_name, + args.bootstrap_size, + args.bootstrap_dst_addr, + args.flash_addr_offset, + args.smif_config, + ) + + +if __name__ == '__main__': + main() diff --git a/soc/infineon/cat1b/cyw20829/linker.ld b/soc/infineon/cat1b/cyw20829/linker.ld index 5f6b02e25bd0f..e3668727e17a7 100644 --- a/soc/infineon/cat1b/cyw20829/linker.ld +++ b/soc/infineon/cat1b/cyw20829/linker.ld @@ -64,33 +64,60 @@ _region_min_align = 4; #if !defined(CONFIG_CUSTOM_SECTION_ALIGN) && defined(CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT) #define MPU_ALIGN(region_size) \ - . = ALIGN(_region_min_align); \ - . = ALIGN( 1 << LOG2CEIL(region_size)) + . = ALIGN(_region_min_align); \ + . = ALIGN( 1 << LOG2CEIL(region_size)) #else #define MPU_ALIGN(region_size) \ - . = ALIGN(_region_min_align) + . = ALIGN(_region_min_align) #endif +#define BOOTSTRAP_REGION BOOTSTRAP_FLASH + +/* Maximum bootstrap code + data size */ +#define BOOTSTRAP_REGION_SIZE DT_REG_SIZE(DT_NODELABEL(bootstrap_region)) + +#if defined(CONFIG_BOOTLOADER_MCUBOOT) +#define MCUBOOT_HEADER_OFFSET (0x400) +#else +#define MCUBOOT_HEADER_OFFSET (0) +#endif + +#define FLASH_START_ADDR_CBUS (CONFIG_CYW20829_FLASH_CBUS_ADDR + CONFIG_FLASH_LOAD_OFFSET + MCUBOOT_HEADER_OFFSET) +#define FLASH_START_ADDR_SAHB (CONFIG_CYW20829_FLASH_SAHB_ADDR + CONFIG_FLASH_LOAD_OFFSET + MCUBOOT_HEADER_OFFSET) + +#define RAM_START_ADDR_CBUS CONFIG_CYW20829_SRAM_CBUS_ADDR /* 0x04000000 */ +#define RAM_START_ADDR_SAHB CONFIG_CYW20829_SRAM_SAHB_ADDR /* 0x20000000 */ + +#define BOOTSTRAP_OFFSET_FLASH 0x00000050 /* toc2=0x10, l1_desc=0x1C, sign_header=0x20 */ + +/* vma for bootstrap code region */ +#define BS_CODE_VMA_CBUS RAM_START_ADDR_CBUS + (DT_REG_ADDR(DT_NODELABEL(sram_bootstrap)) - RAM_START_ADDR_SAHB) +#define BS_CODE_VMA_SAHB DT_REG_ADDR(DT_NODELABEL(sram_bootstrap)) + +/* lma for bootstrap code region */ +#define BS_CODE_LMA_CBUS FLASH_START_ADDR_CBUS + BOOTSTRAP_OFFSET_FLASH +#define BS_CODE_LMA_SAHB FLASH_START_ADDR_SAHB + BOOTSTRAP_OFFSET_FLASH + #include MEMORY - { - FLASH (rx) : ORIGIN = ROM_ADDR, LENGTH = ROM_SIZE - RAM (wx) : ORIGIN = RAM_ADDR, LENGTH = RAM_SIZE + { + FLASH (rx) : ORIGIN = ROM_ADDR, LENGTH = ROM_SIZE + RAM (wx) : ORIGIN = RAM_ADDR, LENGTH = RAM_SIZE + #if defined(CONFIG_LINKER_DEVNULL_MEMORY) - DEVNULL_ROM (rx) : ORIGIN = DEVNULL_ADDR, LENGTH = DEVNULL_SIZE + DEVNULL_ROM (rx) : ORIGIN = DEVNULL_ADDR, LENGTH = DEVNULL_SIZE #endif - LINKER_DT_REGIONS() - /* Used by and documented in include/linker/intlist.ld */ - IDT_LIST (wx) : ORIGIN = 0xFFFF7FFF, LENGTH = 32K - } + LINKER_DT_REGIONS() + /* Used by and documented in include/linker/intlist.ld */ + IDT_LIST (wx) : ORIGIN = 0xFFFF7FFF, LENGTH = 32K + } ENTRY(CONFIG_KERNEL_ENTRY) -#include SECTIONS - { + { #include @@ -98,27 +125,28 @@ SECTIONS #include #endif - /* - * .plt and .iplt are here according to 'arm-zephyr-elf-ld --verbose', - * before text section. - */ - /DISCARD/ : + /* + * .plt and .iplt are here according to 'arm-zephyr-elf-ld --verbose', + * before text section. + */ + /DISCARD/ : { *(.plt) } - /DISCARD/ : + /DISCARD/ : { *(.iplt) } - GROUP_START(ROMABLE_REGION) + GROUP_START(ROMABLE_REGION) __rom_region_start = ROM_ADDR; - - SECTION_PROLOGUE(rom_start,,) +#include + SECTION_PROLOGUE(rom_start,(ROM_ADDR + BOOTSTRAP_REGION_SIZE + BOOTSTRAP_OFFSET_FLASH),) { - + . = 0x4; + . = ALIGN(4); } GROUP_LINK_IN(ROMABLE_REGION) @@ -128,10 +156,9 @@ SECTIONS #endif /* CONFIG_CODE_DATA_RELOCATION */ - SECTION_PROLOGUE(_TEXT_SECTION_NAME,,) + SECTION_PROLOGUE(_TEXT_SECTION_NAME,,) { __text_region_start = .; - #include *(.text) @@ -180,7 +207,7 @@ SECTIONS #include #include - SECTION_PROLOGUE(_RODATA_SECTION_NAME,,) + SECTION_PROLOGUE(_RODATA_SECTION_NAME,,) { *(.rodata) *(".rodata.*") @@ -209,12 +236,12 @@ SECTIONS #include #if defined(CONFIG_BUILD_ALIGN_LMA) - /* - * Include a padding section here to make sure that the LMA address - * of the sections in the RAMABLE_REGION are aligned with those - * section's VMA alignment requirements. - */ - SECTION_PROLOGUE(padding_section,,) + /* + * Include a padding section here to make sure that the LMA address + * of the sections in the RAMABLE_REGION are aligned with those + * section's VMA alignment requirements. + */ + SECTION_PROLOGUE(padding_section,,) { __rodata_region_end = .; MPU_ALIGN(__rodata_region_end - ADDR(rom_start)); @@ -225,20 +252,20 @@ SECTIONS #endif __rom_region_end = __rom_region_start + . - ADDR(rom_start); - GROUP_END(ROMABLE_REGION) + GROUP_END(ROMABLE_REGION) - /* - * These are here according to 'arm-zephyr-elf-ld --verbose', - * before data section. - */ - /DISCARD/ : { + /* + * These are here according to 'arm-zephyr-elf-ld --verbose', + * before data section. + */ + /DISCARD/ : { *(.got.plt) *(.igot.plt) *(.got) *(.igot) } - GROUP_START(RAMABLE_REGION) + GROUP_START(RAMABLE_REGION) . = RAM_ADDR; /* Align the start of image RAM with the @@ -261,13 +288,13 @@ SECTIONS _app_smem_size = _app_smem_end - _app_smem_start; _app_smem_rom_start = LOADADDR(_APP_SMEM_SECTION_NAME); - SECTION_DATA_PROLOGUE(_BSS_SECTION_NAME,(NOLOAD),) + SECTION_DATA_PROLOGUE(_BSS_SECTION_NAME,(NOLOAD),) { - /* - * For performance, BSS section is assumed to be 4 byte aligned and - * a multiple of 4 bytes - */ - . = ALIGN(4); + /* + * For performance, BSS section is assumed to be 4 byte aligned and + * a multiple of 4 bytes + */ + . = ALIGN(4); __bss_start = .; __kernel_ram_start = .; @@ -280,9 +307,9 @@ SECTIONS #include #endif - /* - * As memory is cleared in words only, it is simpler to ensure the BSS - * section ends on a 4 byte boundary. This wastes a maximum of 3 bytes. + /* + * As memory is cleared in words only, it is simpler to ensure the BSS + * section ends on a 4 byte boundary. This wastes a maximum of 3 bytes. */ __bss_end = ALIGN(4); } GROUP_DATA_LINK_IN(RAMABLE_REGION, RAMABLE_REGION) @@ -291,9 +318,9 @@ SECTIONS #endif /* CONFIG_USERSPACE */ - GROUP_START(DATA_REGION) + GROUP_START(DATA_REGION) - SECTION_DATA_PROLOGUE(_DATA_SECTION_NAME,,) + SECTION_DATA_PROLOGUE(_DATA_SECTION_NAME,,) { __data_region_start = .; __data_start = .; @@ -312,10 +339,10 @@ SECTIONS __data_end = .; } GROUP_DATA_LINK_IN(RAMABLE_REGION, ROMABLE_REGION) - __data_size = __data_end - __data_start; - __data_load_start = LOADADDR(_DATA_SECTION_NAME); + __data_size = __data_end - __data_start; + __data_load_start = LOADADDR(_DATA_SECTION_NAME); - __data_region_load_start = LOADADDR(_DATA_SECTION_NAME); + __data_region_load_start = LOADADDR(_DATA_SECTION_NAME); #include #include @@ -327,16 +354,16 @@ SECTIONS */ #include - __data_region_end = .; + __data_region_end = .; #ifndef CONFIG_USERSPACE SECTION_DATA_PROLOGUE(_BSS_SECTION_NAME,(NOLOAD),) { - /* - * For performance, BSS section is assumed to be 4 byte aligned and - * a multiple of 4 bytes - */ - . = ALIGN(4); + /* + * For performance, BSS section is assumed to be 4 byte aligned and + * a multiple of 4 bytes + */ + . = ALIGN(4); __bss_start = .; __kernel_ram_start = .; @@ -349,21 +376,21 @@ SECTIONS #include #endif - /* - * As memory is cleared in words only, it is simpler to ensure the BSS - * section ends on a 4 byte boundary. This wastes a maximum of 3 bytes. + /* + * As memory is cleared in words only, it is simpler to ensure the BSS + * section ends on a 4 byte boundary. This wastes a maximum of 3 bytes. */ __bss_end = ALIGN(4); } GROUP_DATA_LINK_IN(RAMABLE_REGION, RAMABLE_REGION) - SECTION_PROLOGUE(_NOINIT_SECTION_NAME,(NOLOAD),) - { - /* - * This section is used for non-initialized objects that - * will not be cleared during the boot process. - */ - *(.noinit) - *(".noinit.*") + SECTION_PROLOGUE(_NOINIT_SECTION_NAME,(NOLOAD),) + { + /* + * This section is used for non-initialized objects that + * will not be cleared during the boot process. + */ + *(.noinit) + *(".noinit.*") *(".kernel_noinit.*") /* Located in generated directory. This file is populated by the @@ -371,13 +398,13 @@ SECTIONS */ #include - } GROUP_NOLOAD_LINK_IN(RAMABLE_REGION, RAMABLE_REGION) + } GROUP_NOLOAD_LINK_IN(RAMABLE_REGION, RAMABLE_REGION) #endif /* CONFIG_USERSPACE */ - /* Define linker symbols */ + /* Define linker symbols */ - __kernel_ram_end = RAM_ADDR + RAM_SIZE; - __kernel_ram_size = __kernel_ram_end - __kernel_ram_start; + __kernel_ram_end = RAM_ADDR + RAM_SIZE; + __kernel_ram_size = __kernel_ram_end - __kernel_ram_start; #if DT_NODE_HAS_STATUS(DT_CHOSEN(zephyr_itcm), okay) GROUP_START(ITCM) @@ -448,20 +475,20 @@ GROUP_END(DTCM) #include - GROUP_END(RAMABLE_REGION) + GROUP_END(RAMABLE_REGION) #include - /DISCARD/ : { *(.note.GNU-stack) } + /DISCARD/ : { *(.note.GNU-stack) } - SECTION_PROLOGUE(.ARM.attributes, 0,) + SECTION_PROLOGUE(.ARM.attributes, 0,) { KEEP(*(.ARM.attributes)) KEEP(*(.gnu.attributes)) } - /* Sections generated from 'zephyr,memory-region' nodes */ - LINKER_DT_SECTIONS() + /* Sections generated from 'zephyr,memory-region' nodes */ + LINKER_DT_SECTIONS() /* Must be last in romable region */ SECTION_PROLOGUE(.last_section,,) @@ -475,4 +502,4 @@ SECTION_PROLOGUE(.last_section,,) * calculate this value here. */ _flash_used = LOADADDR(.last_section) + SIZEOF(.last_section) - __rom_region_start; - } + } diff --git a/soc/infineon/cat1b/cyw20829/mcuboot.cmake b/soc/infineon/cat1b/cyw20829/mcuboot.cmake new file mode 100644 index 0000000000000..3998b3707868f --- /dev/null +++ b/soc/infineon/cat1b/cyw20829/mcuboot.cmake @@ -0,0 +1,221 @@ +# Copyright (c) 2020-2023 Nordic Semiconductor ASA +# Copyright (c) 2024 Cypress Semiconductor Corporation +# SPDX-License-Identifier: Apache-2.0 + +# This file includes extra build system logic that is enabled when +# CONFIG_BOOTLOADER_MCUBOOT=y. +# +# It builds signed binaries using cysecuretools as a post-processing step +# after zephyr/zephyr.elf is created in the build directory. + +function(zephyr_runner_file type path) + # Property magic which makes west flash choose the signed build + # output of a given type. + set_target_properties(runners_yaml_props_target PROPERTIES "${type}_file" "${path}") +endfunction() + +function(zephyr_mcuboot_tasks) + # Extensionless prefix of any output file. + set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}) + + cmake_path(SET keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}") + cmake_path(SET keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}") + + set(encrypted_args) + set(confirmed_args) + + # Calculate flash address (SAHB/CBUS) + math(EXPR flash_addr_sahb_offset + "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET}" + OUTPUT_FORMAT HEXADECIMAL + ) + + math(EXPR flash_addr_sbus_offset + "${CONFIG_CYW20829_FLASH_CBUS_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET}" + OUTPUT_FORMAT HEXADECIMAL + ) + + # Check for misconfiguration. + if((NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}") AND ("${keyfile}" STREQUAL "")) + message(WARNING "Neither CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE nor" + "CONFIG_MCUBOOT_SIGNATURE_KEY_FILE are set, the generated build will not be" + "bootable by MCUboot unless it is signed manually/externally.") + return() + endif() + + foreach(file keyfile keyfile_enc) + if(NOT "${${file}}" STREQUAL "") + if(NOT IS_ABSOLUTE "${${file}}") + find_file( + temp_file + NAMES + "${${file}}" + PATHS + "${APPLICATION_SOURCE_DIR}" + "${WEST_TOPDIR}" + NO_DEFAULT_PATH + ) + + if(NOT "${temp_file}" STREQUAL "temp_file-NOTFOUND") + set(${file} "${temp_file}") + endif() + endif() + + if((NOT IS_ABSOLUTE "${${file}}" OR NOT EXISTS "${${file}}") AND NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}") + message(FATAL_ERROR "Can't find file \"${${file}}\" " + "(Note: Relative paths are searched through" + "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" " + "and WEST_TOPDIR=\"${WEST_TOPDIR}\")") + elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX)) + message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor" + "CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.") + endif() + endif() + endforeach() + + # Basic 'cysecuretools' command and output format independent arguments. + set(cysecuretools_cmd ${CYSECURETOOLS} -q -t cyw20829 -p ${CYSECURETOOLS_POLICY}) + + # sign-image arguments. + set(sign_image_cmd_args sign-image + --image-format mcuboot_user_app + --image "${MERGED_FILE}" + --slot-size ${CONFIG_FLASH_LOAD_SIZE} + --align 1 + --image-id 0 + --hex-addr ${flash_addr_sahb_offset} + --app-addr ${flash_addr_sbus_offset} + -v "${CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION}") + + # Extra arguments from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS. + if(NOT CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "") + # Separate extra arguments into the proper format for adding to + # extra_post_build_commands. + # + # Use UNIX_COMMAND syntax for uniform results across host + # platforms. + separate_arguments(cysecuretools_extra_args UNIX_COMMAND + ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}) + else() + set(cysecuretools_extra_args) + endif() + + if(NOT "${keyfile}" STREQUAL "") + set(sign_image_cmd_args ${sign_image_cmd_args} --key-path "${keyfile}") + endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + set(encrypted_args --encrypt --enckey "${keyfile_enc}") + endif() + + # Use overwrite-only instead of swap upgrades. + if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY) + set(sign_image_cmd_args ${sign_image_cmd_args} --overwrite-only --align 1) + endif() + + if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) + list(APPEND confirmed_args --pad --confirm) + endif() + + # List of additional build byproducts. + set(byproducts) + set(bin2hex_cmd_args_signed) + set(bin2hex_cmd_args_confirmed) + set(bin2hex_cmd_args_encrypted) + + # Set up .bin outputs. + if(CONFIG_BUILD_OUTPUT_BIN) + list(APPEND byproducts ${output}.signed.bin) + zephyr_runner_file(bin ${output}.signed.bin) + set(BYPRODUCT_KERNEL_SIGNED_BIN_NAME "${output}.signed.bin" + CACHE FILEPATH "Signed kernel bin file" FORCE + ) + endif() + + if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) + list(APPEND byproducts ${output}.signed.confirmed.bin) + set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_BIN_NAME "${output}.signed.confirmed.bin" + CACHE FILEPATH "Signed and confirmed kernel bin file" FORCE + ) + endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + list(APPEND byproducts ${output}.signed.encrypted.bin) + set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_BIN_NAME "${output}.signed.encrypted.bin" + CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE + ) + endif() + + # Set up .hex outputs. + if(CONFIG_BUILD_OUTPUT_HEX) + list(APPEND bin2hex_cmd_args_signed bin2hex + --image ${output}.signed.bin --output ${output}.signed.hex + --offset ${flash_addr_sahb_offset} + ) + list(APPEND byproducts ${output}.signed.hex) + zephyr_runner_file(hex ${output}.signed.hex) + set(BYPRODUCT_KERNEL_SIGNED_HEX_NAME "${output}.signed.hex" + CACHE FILEPATH "Signed kernel hex file" FORCE) + + if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) + list(APPEND bin2hex_cmd_args_confirmed bin2hex + --image ${output}.signed.confirmed.bin --output ${output}.signed.confirmed.hex + --offset ${flash_addr_sahb_offset} + ) + list(APPEND byproducts ${output}.signed.confirmed.hex) + set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME "${output}.signed.confirmed.hex" + CACHE FILEPATH "Signed and confirmed kernel hex file" FORCE + ) + endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + list(APPEND bin2hex_cmd_args_encrypted bin2hex + --image ${output}.signed.encrypted.bin --output ${output}.signed.encrypted.hex + --offset ${flash_addr_sahb_offset} + ) + list(APPEND byproducts ${output}.signed.encrypted.hex) + set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_HEX_NAME "${output}.signed.encrypted.hex" + CACHE FILEPATH "Signed and encrypted kernel hex file" FORCE + ) + endif() + endif() + + # Add the post-processing steps to generate + # signed /signed.confirmed / signed.encrypted bin and hex files + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${cysecuretools_cmd} + ${sign_image_cmd_args} --output ${output}.signed.bin + ${bin2hex_cmd_args_signed} # bin to hex + ${cysecuretools_extra_args}) # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS + + if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${cysecuretools_cmd} + ${sign_image_cmd_args} --output ${output}.signed.confirmed.bin + ${confirmed_args} + ${bin2hex_cmd_args_confirmed} # bin to hex + ${cysecuretools_extra_args}) # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS + endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${cysecuretools_cmd} + ${sign_image_cmd_args} --output ${output}.signed.encrypted.bin + ${confirmed_args} ${encrypted_args} + ${bin2hex_cmd_args_encrypted} # bin to hex + ${cysecuretools_extra_args} # from CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS + + COMMAND ${CMAKE_COMMAND} -E echo + "Generating encrypted files ${output}.signed.encrypted.hex/bin files" + + COMMAND ${CMAKE_COMMAND} -E echo + \"Use 'west flash --hex-file ${output}.signed.encrypted.hex' to flash in primary + partition\") + endif() + + set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts}) +endfunction() + +if((NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}") OR (NOT "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}" STREQUAL "")) + zephyr_mcuboot_tasks() +endif() diff --git a/tests/application_development/vector_table_relocation/src/main.c b/tests/application_development/vector_table_relocation/src/main.c index 903541d006d22..d102f713df53f 100644 --- a/tests/application_development/vector_table_relocation/src/main.c +++ b/tests/application_development/vector_table_relocation/src/main.c @@ -27,7 +27,7 @@ #if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU)) #include -void disable_mpu_rasr_xn(void) +static void disable_mpu_rasr_xn(void) { uint32_t index; /* Kept the max index as 8(irrespective of soc) because the sram