CMake: support signing TF-M targets with post binary hooks #14361

Merged
merged 4 commits into from
Mar 8, 2021

LDong-Arm
Contributor

@LDong-Arm LDong-Arm commented Mar 1, 2021

Summary of changes

Preceding PR: #14378 (merged)

Changes:

  • Add a post binary hook to sign TF-M targets: mbed_post_build_tfm_sign_image() (should work for any TF-M v1.2+ targets with secure and non-secure images in separate MCUboot slots). This was refactored from the existing tools/targets/ARM_MUSCA.py.
  • Apply the signing hook to ARM_MUSCA_B1 and ARM_MUSCA_S1 targets.
  • Copy the signing keys to each target's own directory, as per the new tools' convention (the old key paths are kept for compatibility of CLI 1 - to be deleted eventually).

Impact of changes

Images built for Musca B1 and S1 with Mbed CLI 2 are now signed and able to run on the targets.

Migration actions required

None.

Documentation

To be added to the porting guide: how to integrate CMake and the provided post binary hook to a new TF-M target.


Pull request type

[] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[x] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers

@evedon @0xc0170 @hugueskamba @rajkan01 @ARMmbed/mbed-b-tools


@LDong-Arm LDong-Arm changed the title CMake: support signing TF-M targets CMake: support signing TF-M targets with post binary hooks Mar 1, 2021
@ciarmcom ciarmcom requested review from 0xc0170, evedon, hugueskamba, rajkan01 and a team March 1, 2021 19:00
@ciarmcom
Member

ciarmcom commented Mar 1, 2021

@LDong-Arm, thank you for your changes.
@hugueskamba @rajkan01 @evedon @0xc0170 @ARMmbed/mbed-os-maintainers please review.

Collaborator

@hugueskamba hugueskamba left a comment

Please move tools/psa/tfm/bin_utils/mbed_set_post_build_tfm.cmake to tools/cmake.

@LDong-Arm LDong-Arm changed the base branch from feature-tf-m-1.2-integration to master March 4, 2021 11:48
@mbed-ci

mbed-ci commented Mar 5, 2021

Jenkins CI Test : ❌ FAILED

Build Number: 1 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_tfm-integration
jenkins-ci/mbed-os-ci_cmake-example-test ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️

The signing keys were previously imported from trusted-firmware-m
and located in mbed-os/tools/targets/musca_* (path for Mbed CLI 1).
This PR copies them into each target's directory as per the
convention of the new tools. Keys in the old path remain untouched
for backward compatibility, but they will be eventually removed
once we stop supporting Mbed CLI 1.

This commit adds post binary hook support for TF-M targets.

To apply this hook to a TF-M target, do the following in the target's
`CMakeLists.txt`:
* include `mbed_set_post_build_tfm.cmake`
* call `mbed_post_build_tfm_sign_image()`, passing
  - Mbed OS target name
  - TF-M target name
  - path containing the target's bootloader, layout files and signing
    keys
  - path to the secure binary
  - path to the non-secure binary (i.e. the "raw" Mbed application)

@LDong-Arm
Contributor Author

Rebased after the merging of the preceding PR. Now looking into the failed test in CI.

@LDong-Arm
Contributor Author

It's a CI issue. "jenkins-ci/mbed-os-ci_tfm-integration" is a brand new pipeline that never ran before; we need to fix the pipeline.

@mbed-ci

mbed-ci commented Mar 5, 2021

Jenkins CI Test : ✔️ SUCCESS

Build Number: 2 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-test ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration ✔️

@LDong-Arm
Contributor Author

CI passed.
@0xc0170 It was triggered by @saheerb to verify the new pipeline jenkins-ci/mbed-os-ci_tfm-integration when a TF-M directory is touched by a PR, but it has also verified this PR.
