trusted-firmware-m: Fix sign images to allow FOTA #94470
base: main
Conversation
I have tested the patch, works for my project using U585. I think it's a good solution
a108a23 to 343a5d0
I could validate that
343a5d0 to 00228f4
I haven't looked at the PR but just adding a -1 so that the MPS2/MPS3 changes don't get merged. I'll have a look at this next week once I am done with my current high-priority task.
BTW, @nandojve, currently mps4/**/fvp/ns boards are not enabled because TF-M doesn't generate a few required hex files; would this PR help with that? If you would like to try, you can add the 1 line below here
default "arm/mps4/corstone320/fvp" if BOARD_MPS4_CORSTONE320_FVP_NS
Hi @wearyzen, are you maintaining the ARM platform?
I have a product that requires TF-M + FWU ASAP in mainline. These changes were already proven to make FWU work by the community, inclusive. I'm only trying to fix mps2/3 because they are in CI, but I'm fine with excluding them from tests because they bring 0 value at the moment, if they build.
I'm not sure, because the flash layout from ARM does not provide correct info at all. The layout comment says single image but CONFIG_TFM_MCUBOOT_IMAGE_NUMBER=2. https://discord.com/channels/1106321706588577904/1106321982900945017/1405922987491983581
Yes I am.
That would be breaking the mps2/mps3 ns boards, isn't it? If you could change the code to keep the current behavior for mps2/mps3/mps4 and apply the new change only for the others, then I don't have any issue, but with the current PR I will still need some time to understand the changes to approve it.
e6f8a89 to 99e7fd2
This excludes the mps3/corstone300/an547/ns from psa tests because QEMU does not model the QSPI flash in MPS3 boards as real QSPI flash, but only as simple ROM, so attempting to rewrite the flash from the guest will fail. See more details in: zephyrproject-rtos#94470 (comment) Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The mps3/foo/ns define flash layouts in tf-m to allow CONFIG_TFM_MCUBOOT_IMAGE_NUMBER to be 1 or 2. In the Zephyr project, when building the samples, the value selected is 2. The layout changes are necessary to allow use of the --max-sectors option when signing the images. It ensures that the flash layout is respected. To allow this, the compatible "soc-nv-flash" was added in the reserved memory and the fixed-partitions were defined. In addition, the ISRAM was redefined to expose the correct size and values for both S and NS firmware. This makes clear to the user how the memory was selected. For example, see general details in: https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/%2B/refs/heads/main/platform/ext/target/arm/mps3/corstone310/common/partition/region_defs.h#116 https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/%2B/refs/heads/main/platform/ext/target/arm/mps3/corstone310/common/config.cmake#13 Note: - Not all mps3 ISRAM have the same size and the design should take that into consideration. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The external partitions are defined dependent on the S and NS images. This moves the external partitions from common to the S image. The NS image will be defined in the future to allow correct usage of MCUboot. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The partitions from the stm32l562e_dk/stm32l562xx/ns board are not aligned with tf-m. This fixes the partition alignment. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current version of the TF-M script that signs the MCUboot image uses a default alignment of 1. This value varies between flash devices and not all accept the default 1. This improves the script by picking the write-block-size property from the current flash controller and passing it as the --align parameter when signing an image. Note: This solution works out-of-box for the vast majority of devices in the Zephyr tree and an exception will be thrown when a device is not supported. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The --max-sectors option helps to catch problems with flash overlap when merging images. If there is a misalignment of flash partitions, usually the merge process will fail. This picks information from the Zephyr flash partitions and flash controller to automatically determine the max sectors value and apply it when signing an image. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current behaviour when signing an image is to always set --pad and --pad-header for all images unless TFM_USE_NS_APP is set. This does not allow easy creation of a signed image for FOTA applications. Rewrite the PAD parameter into HEADER and TRAILER to ease setting up more signing options. The other important reason for this change is that the NS image, when signed without --pad, runs on the hardware. However, it does not perform the MCUboot test image and the FWU never upgrades the image. This will fix the NS image signing process to correctly allow TF-M FWU using the PSA API functions. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current behaviour when signing an image adds --pad but does not confirm the image. This seems to be a mistake because the user should inspect the image status in the Firmware Upgrade software. This means that if an image is not --confirmed the FSM cannot infer correct states. This sets the image as confirmed to fix this issue. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Make the variables that define output files explicitly quote HEX in the name. This is a refactor step to allow introducing BIN file output generation. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
One fundamental use of trusted-firmware-m is to allow IoT applications to have security, and firmware upgrade (FOTA) is almost 100% mandatory in these applications. The current state of the file signing process does not produce the necessary binaries to use with multi-image S/NS FWU, since the hex images are not suitable for this use case. This introduces the missing signed binary files to be used by the FWU partition. The changes were tested in multi-image FWU scenarios, and single image can be easily extended in the future. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Use cmake_parse_arguments() to be more idiomatic. This makes the code more readable and makes it easier to add new options. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The optional --output-bin parameter instructs the IntelHex class to save the content as a binary instead of IntelHex format. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1 the process to create the final tfm_merged.bin file is more complex. This prepares the content to introduce the generation of the tfm_merged.bin to be used in FOTA applications. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1 all the images will be merged. Currently there is no tfm_merged.bin file to be used in FOTA. This adds the file generation to fulfill that need. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Add a note about BL2 (MCUboot) signing updates when the board is built as TF-M NS. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
This extends the Signing Images details in the build documentation to highlight the details about confirmed and unconfirmed images in regard to the PSA Certified Firmware Update API. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
99e7fd2 to c156984
comment is unrelated anyhow, PR needs a rebase
raise AddressOverlapError("{} has merge issues".format(hex_file_path)) | ||
ih.write_hex_file(output) | ||
format = "bin" if output_bin else "hex" |
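Review bot: the new assignment `format = "bin" if output_bin else "hex"` shadows Python's builtin `format()` for the rest of the enclosing scope; a name such as `output_format` avoids the shadowing and reads more clearly next to `ih.write_hex_file(output)`, where the selected format decides which IntelHex writer is used.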
The trusted-firmware-m requires specific instructions when signing the images to allow local development and FOTA. This PR extends the sign process inside Zephyr to generate the hex files with the confirmed image to load firmware for development and production purposes. It adds the missing binary signing to generate the correct non-confirmed image to allow FOTA upgrade. These images now respect the TF-M/FWU state machine; FOTA is now possible. This was tested on STM32U5A5xx SoC with custom OTP and keys.
Fixes #94204