aboutsummaryrefslogtreecommitdiffstats
path: root/meta-arm/classes/tfm_sign_image.bbclass
blob: 24df76829bf692fb3d5c3a90c7b0ecfc1aa0583f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Functionality to sign binary images using the wrapper script bundled with
# TF-M. Signed images are written to the deploy directory by default.
# To use:
#  * Inherit this class
#  * Override the do_sign_images task
#  * Write the signing logic, which may call the function sign_host_image,
#    described below

inherit python3native

# The output and working directory
TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
TFM_IMAGE_SIGN_DEPLOY_DIR = "${WORKDIR}/deploy-tfm-signed-images"

SSTATETASKS += "do_sign_images"
do_sign_images[sstate-inputdirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR}"
do_sign_images[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
do_sign_images[cleandirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
do_sign_images[stamp-extra-info] = "${MACHINE_ARCH}"
tfm_sign_image_do_sign_images() {
    :
}
addtask sign_images after do_prepare_recipe_sysroot before do_image
EXPORT_FUNCTIONS do_sign_images

python do_sign_images_setscene () {
    sstate_setscene(d)
}
addtask do_sign_images_setscene

DEPENDS += "trusted-firmware-m-scripts-native"

# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
# right path until this is relocated automatically.
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"

# The arguments passed to the TF-M image signing script. Override this variable
# in an image recipe to customize the arguments.
TFM_IMAGE_SIGN_ARGS ?= "\
    -v ${RE_LAYOUT_WRAPPER_VERSION} \
    --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
    -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
    --public-key-format full \
    --align 1 \
    --pad \
    --pad-header \
    --measured-boot-record \
    -H ${RE_IMAGE_OFFSET} \
    -s auto \
"

#
# sign_host_image
#
# Description:
#
# A generic function that signs a host image
# using MCUBOOT format
#
# Arguments:
#
# $1 ... path of binary to sign
# $2 ... load address of the given binary
# $3 ... signed binary size
#
# Note: The signed binary is copied to ${TFM_IMAGE_SIGN_DIR}
#
sign_host_image() {
    host_binary_filename="$(basename -s .bin "${1}")"
    host_binary_layout="${host_binary_filename}_ns"

    cat << EOF > ${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}
enum image_attributes {
    RE_IMAGE_LOAD_ADDRESS = ${2},
    RE_SIGN_BIN_SIZE = ${3},
};
EOF

    host_binary_signed="${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_$(basename "${1}")"

    ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
            ${TFM_IMAGE_SIGN_ARGS} \
            "${1}" \
            "${host_binary_signed}"
}