From f48c82ebe7487effbc902bc66a1b329a05a56381 Mon Sep 17 00:00:00 2001 From: Andrei Gansari Date: Fri, 13 Nov 2020 21:20:43 +0200 Subject: [PATCH] boards: lpcxpresso55s69: enable TFM with MCUboot Set building TFM with MCUboot. Set the build configuration to profile_medium, we need smaller TFM images to fit into flash. Build MCUboot, TFM, sign it, sign Zephyr NS image and merge all the images. Also change the other configuration, BL2=OFF, to merge as a single image. Update documentation on how to flash the board. Signed-off-by: Andrei Gansari --- boards/arm/lpcxpresso55s69/CMakeLists.txt | 68 ++++++++++++++++++- boards/arm/lpcxpresso55s69/Kconfig.defconfig | 4 ++ boards/arm/lpcxpresso55s69/doc/index.rst | 14 ++-- .../lpcxpresso55s69_ns_defconfig | 2 - 4 files changed, 77 insertions(+), 11 deletions(-) diff --git a/boards/arm/lpcxpresso55s69/CMakeLists.txt b/boards/arm/lpcxpresso55s69/CMakeLists.txt index 7e5f9cf42a4..c48fe259d0f 100644 --- a/boards/arm/lpcxpresso55s69/CMakeLists.txt +++ b/boards/arm/lpcxpresso55s69/CMakeLists.txt @@ -21,8 +21,11 @@ if (CONFIG_BUILD_WITH_TFM) set(TFM_IMAGE_VERSION_NS 0.0.0+0) endif() - set(PREPROCESSED_FILE "${CMAKE_BINARY_DIR}/tfm/image_macros_preprocessed") - set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot") + if (NOT CONFIG_TFM_BL2_FALSE) + set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o") + set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o") + set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot") + endif() # Configure which format (full or hash) to include the public key in # the image manifest 
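Review bot: `PREPROCESSED_FILE_S` and `PREPROCESSED_FILE_NS` point at object files under `CMakeFiles/signing_layout_*.dir/` in the TF-M build tree, which is generator-internal layout rather than a published build output. If TF-M renames the `signing_layout_s`/`signing_layout_ns` targets or the object suffix differs, the signing commands that consume these variables get a missing or stale layout, and nothing at configure time reports it. A comment above the two `set()` lines would record the coupling, for example `# Layout objects built by TF-M's bl2/ext/mcuboot signing_layout_{s,ns} targets; keep in sync with the TF-M build`. The enclosing `if (CONFIG_BUILD_WITH_TFM)` block starts and ends outside this hunk.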
@@ -33,4 +36,65 @@ if (CONFIG_BUILD_WITH_TFM) if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND) message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.") endif() + + if (CONFIG_TFM_BL2_FALSE) + #merge tfm_s and zephyr_ns to a single image + #offset needs to be the same value as flash_layout.h in TFM + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands + COMMAND ${SREC_CAT} + ARGS ${CMAKE_BINARY_DIR}/tfm/bin/tfm_s.bin -Binary + ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary + -offset ${CONFIG_FLASH_LOAD_OFFSET} + -o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary + ) + else() + #Create and sign for concatenated binary image, should align with the TF-M BL2 + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands + + #Sign secure binary image with public key + COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py + --layout ${PREPROCESSED_FILE_S} + -k ${CONFIG_TFM_KEY_FILE_S} + --public-key-format ${TFM_PUBLIC_KEY_FORMAT} + --align 1 + -v ${TFM_IMAGE_VERSION_S} + --pad + --pad-header + ${ADD_NS_IMAGE_MIN_VER} + -s auto + -H ${CONFIG_ROM_START_OFFSET} + ${CMAKE_BINARY_DIR}/tfm/bin/tfm_s.bin + ${CMAKE_BINARY_DIR}/tfm_s_signed.bin + + #Sign non-secure binary image with public key + COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py + --layout ${PREPROCESSED_FILE_NS} + -k ${CONFIG_TFM_KEY_FILE_NS} + --public-key-format ${TFM_PUBLIC_KEY_FORMAT} + --align 1 + -v ${TFM_IMAGE_VERSION_NS} + -s auto + ${ADD_S_IMAGE_MIN_VER} + -H ${CONFIG_ROM_START_OFFSET} + ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} + ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin + + #Create concatenated binary image from the two independently signed binary file + COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py + --layout ${PREPROCESSED_FILE_S} + -s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin + -n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin + -o ${CMAKE_BINARY_DIR}/tfm_sign.bin + + #Copy mcuboot.bin + COMMAND 
${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/tfm/bin/bl2.bin ${CMAKE_BINARY_DIR}/mcuboot.bin + + #Merge mcuboot.bin and tfm_sign.bin for flashing + COMMAND ${SREC_CAT} + ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary + ${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary + -offset 0x8000 #slot0_partition + -o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary + ) + endif() endif() diff --git a/boards/arm/lpcxpresso55s69/Kconfig.defconfig b/boards/arm/lpcxpresso55s69/Kconfig.defconfig index ff5f3d8d4e6..35efe4e6350 100644 --- a/boards/arm/lpcxpresso55s69/Kconfig.defconfig +++ b/boards/arm/lpcxpresso55s69/Kconfig.defconfig @@ -66,6 +66,10 @@ config FLASH_LOAD_SIZE endif # TRUSTED_EXECUTION_NONSECURE || BOARD_LPCXPRESSO55S69_CPU1 +config TFM_PROFILE + default "profile_medium" + depends on BUILD_WITH_TFM + endif # BOARD_LPCXPRESSO55S69_CPU0 || BOARD_LPCXPRESSO55S69_CPU1 if DMA_MCUX_LPC diff --git a/boards/arm/lpcxpresso55s69/doc/index.rst b/boards/arm/lpcxpresso55s69/doc/index.rst index de41e312ad3..c1cf91073b2 100644 --- a/boards/arm/lpcxpresso55s69/doc/index.rst +++ b/boards/arm/lpcxpresso55s69/doc/index.rst 
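Review bot: The two `#Sign ... binary image with public key` comments are misleading, because the file passed with `-k ${CONFIG_TFM_KEY_FILE_S}` / `-k ${CONFIG_TFM_KEY_FILE_NS}` is the signing (private) key and `--public-key-format` only selects how the public part is embedded in the manifest; `#Sign secure binary image with the private key from CONFIG_TFM_KEY_FILE_S` would be accurate. The defaults of those two Kconfig options are not visible here, so a comment next to the commands should say that keys shipped in a source tree are for development only and that production builds must override both options. Separately, `-offset 0x8000 #slot0_partition` repeats a flash-layout constant by hand. If it drifts from TF-M's `flash_layout.h`, the merged image will likely place the signed payload where the bootloader does not expect it, so it should come from a single definition, or the comment should at least name that definition. The enclosing `if (CONFIG_BUILD_WITH_TFM)` block begins outside this hunk.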
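Review bot: The new `TFM_PROFILE` default has no comment explaining why the board selects `profile_medium`. The profile determines which secure services and isolation settings TF-M is built with, so every application on this board inherits that choice silently. A line above the entry would carry the commit message's rationale into the file, for example `# profile_medium keeps the TF-M image small enough to fit in flash alongside MCUboot`. On style, defconfig overrides are usually wrapped in `if BUILD_WITH_TFM` ... `endif` rather than using `depends on`, which adds a dependency to the symbol instead of only scoping the default.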
@@ -202,16 +202,16 @@ see the following message in the terminal: Building and flashing secure/non-secure with Arm |reg| TrustZone |reg| ---------------------------------------------------------------------- The TF-M integration samples can be run using the ``lpcxpresso55s69_ns`` target. -Next we need to manually flash the secure (``tfm_s.hex``) -and non-secure (``zephyr.hex``) images wth a J-Link as follows: +To run we need to manually flash the resulting image (``tfm_merged.bin``) with a +J-Link as follows (reset and erase are for recovering a locked core): -.. code-block:: console + .. code-block:: console - JLinkExe -device lpc55s69 -if swd -speed 2000 -autoconnect 1 - J-Link>loadfile build/tfm/install/outputs/LPC55S69/tfm_s.hex - J-Link>loadfile build/zephyr/zephyr.hex + JLinkExe -device lpc55s69 -if swd -speed 2000 -autoconnect 1 + J-Link>r + J-Link>erase + J-Link>loadfile build/tfm_merged.bin -NOTE: At present, the LPC55S69 doesn't include support for the MCUBoot bootloader. We need to reset the board manually after flashing the image to run this code. Debugging diff --git a/boards/arm/lpcxpresso55s69/lpcxpresso55s69_ns_defconfig b/boards/arm/lpcxpresso55s69/lpcxpresso55s69_ns_defconfig index 89d1aed796a..b8e81398d0c 100644 --- a/boards/arm/lpcxpresso55s69/lpcxpresso55s69_ns_defconfig +++ b/boards/arm/lpcxpresso55s69/lpcxpresso55s69_ns_defconfig @@ -22,7 +22,5 @@ CONFIG_ARM_MPU=n # Enable TrustZone-M CONFIG_TRUSTED_EXECUTION_NONSECURE=y CONFIG_RUNTIME_NMI=y -# TFM will run without MCUboot -CONFIG_TFM_BL2_FALSE=y CONFIG_BUILD_OUTPUT_HEX=y