tc: add config for running spm tests of TC2
Move the common functions for signing an Image and updating the fip
when loading using RSS to the rss_utils.sh file
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Change-Id: I779f629827e3053c34bde59706272084f02ebca0
diff --git a/group/spm-l3-boot-tests/tc-default,fvp-tc2-spm,fvp-tc-spm:fvp-tc.spm.tftf-tc2-debug b/group/spm-l3-boot-tests/tc-default,fvp-tc2-spm,fvp-tc-spm:fvp-tc.spm.tftf-tc2-debug
new file mode 100644
index 0000000..c473896
--- /dev/null
+++ b/group/spm-l3-boot-tests/tc-default,fvp-tc2-spm,fvp-tc-spm:fvp-tc.spm.tftf-tc2-debug
@@ -0,0 +1,6 @@
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
diff --git a/run_config/fvp-linux.tc b/run_config/fvp-linux.tc
index 206edcd..409aae6 100644
--- a/run_config/fvp-linux.tc
+++ b/run_config/fvp-linux.tc
@@ -4,100 +4,7 @@
#
# SPDX-License-Identifier: BSD-3-Clause
#
-
-sign_image() {
- # $1 ... host binary name to sign
- # $2 ... image load address
- # $3 ... signed bin size
-
- local tmpdir="$(mktempdir)"
- host_bin="`basename ${1}`"
- signed_bin="signed_`basename ${1}`"
- host_binary_layout="`basename -s .bin ${1}`_ns"
-
- # development PEM containing a key - use same key which is used for SCP BL1 in pre-built image
- url="$tc_prebuilts/tc$plat_variant/root-RSA-3072.pem" saveas="root-RSA-3072.pem" fetch_file
- archive_file "root-RSA-3072.pem"
-
- RSS_SIGN_PRIVATE_KEY=$archive/root-RSA-3072.pem
- RSS_SEC_CNTR_INIT_VAL=1
- RSS_LAYOUT_WRAPPER_VERSION="1.7.0"
-
- cat << EOF > $tmpdir/$host_binary_layout
-enum image_attributes {
- RE_IMAGE_LOAD_ADDRESS = $2,
- RE_SIGN_BIN_SIZE = $3,
-};
-EOF
-
- if [ ! -f $archive/$host_bin ]; then
- echo "$archive/$host_bin does not exist. Aborting...!"
- exit 1
- fi
-
- echo "Signing `basename ${1}`"
- # Get mcuboot
- git clone "https://github.com/mcu-tools/mcuboot.git" $tmpdir/mcuboot
- # Fetch wrapper script
- saveas="$tmpdir" url="$tc_prebuilts/tc$plat_variant/wrapper_scripts" fetch_directory
-
- echo "Installing dependencies..."
- pip3 install cryptography cbor2 intelhex pyyaml
-
- pushd $tmpdir/mcuboot/scripts
- python3 $tmpdir/wrapper_scripts/wrapper/wrapper.py \
- -v $RSS_LAYOUT_WRAPPER_VERSION \
- --layout $tmpdir/$host_binary_layout \
- -k $RSS_SIGN_PRIVATE_KEY \
- --public-key-format full \
- --align 1 \
- --pad \
- --pad-header \
- -H 0x2000 \
- -s $RSS_SEC_CNTR_INIT_VAL \
- $archive/$host_bin \
- $tmpdir/$signed_bin
-
- echo "created signed_`basename ${1}`"
- url="$tmpdir/$signed_bin" saveas="$signed_bin" fetch_file
- archive_file "$signed_bin"
- popd
-}
-
-update_fip() {
- local prebuild_prefix=$tc_prebuilts/tc$plat_variant/$rss_revision
-
- # Get pre-built rss rom
- url="$prebuild_prefix/rss_rom.bin" fetch_file
- archive_file "rss_rom.bin"
-
- # Get pre-built rss bl2 signed bin
- url="$prebuild_prefix/bl2_signed.bin" fetch_file
- archive_file "bl2_signed.bin"
-
- # Get pre-built rss TF-M NS signed bin
- url="$prebuild_prefix/tfm_ns_signed.bin" fetch_file
- archive_file "tfm_ns_signed.bin"
-
- # Get pre-built rss TF-M S signed bin
- url="$prebuild_prefix/tfm_s_signed.bin" fetch_file
- archive_file "tfm_s_signed.bin"
-
- # Get pre-built SCP signed bin
- url="$prebuild_prefix/scp_signed.bin" fetch_file
- archive_file "scp_signed.bin"
-
- # Create FIP layout
- "$fiptool" update \
- --align 8192 --rss-bl2 "$archive/bl2_signed.bin" \
- --align 8192 --rss-ns "$archive/tfm_ns_signed.bin" \
- --align 8192 --rss-s "$archive/tfm_s_signed.bin" \
- --align 8192 --rss-scp-bl1 "$archive/scp_signed.bin" \
- --align 8192 --rss-ap-bl1 "$archive/$signed_bin" \
- --out "host_flash_fip.bin" \
- "$archive/fip.bin"
- archive_file "host_flash_fip.bin"
-}
+source "$ci_root/run_config/tc_rss_utils.sh"
fetch_tf_resource() {
image="kernel" type="tc-kernel" get_boot_image
diff --git a/run_config/fvp-tc.spm.tftf b/run_config/fvp-tc.spm.tftf
new file mode 100644
index 0000000..a30e0af
--- /dev/null
+++ b/run_config/fvp-tc.spm.tftf
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+source "$ci_root/run_config/tc_rss_utils.sh"
+
+post_tf_build() {
+ if [ ! -f "$archive/scp_ram.bin" ]; then
+ url="$scp_prebuilts/tc$plat_variant/release/tc$plat_variant-bl2.bin" saveas="scp_ram.bin" fetch_file
+ archive_file "scp_ram.bin"
+ fi
+
+ build_fip BL33="$archive/tftf.bin" BL32="$archive/secure_hafnium.bin" SCP_BL2="$archive/scp_ram.bin"
+}
+
+fetch_tf_resource() {
+ # Use SCP binary from SCP build if it exists, or fetch pre-built ones.
+ if [ ! -f "$archive/scp_rom.bin" ]; then
+ # Pick the appropriate binary based on target platform variant
+ url="$scp_prebuilts/tc$plat_variant/release/tc$plat_variant-bl1.bin" saveas="scp_rom.bin" fetch_file
+ archive_file "scp_rom.bin"
+ fi
+
+ # RSS output is printed to UART 2 so track it.
+ uart="2" file="hold_uart.exp" track_expect
+
+ sign_image bl1.bin $ap_bl1_flash_load_addr $ap_bl1_flash_size
+
+ update_fip
+}
+
+generate_lava_job_template() {
+ uart="0" port="5002" set_primary="1" file="tftf-non-primary.exp" track_expect
+ uart="1" port="5003" file="spm-cactus-sp-uart1.exp" track_expect
+
+ set_uart_port "${archive:?}" 2 5000
+ set_uart_port "${archive:?}" 3 5001
+
+ payload_type="tftf" memory_tagging_support_level="2" gen_yaml_template
+}
diff --git a/run_config/tc_rss_utils.sh b/run_config/tc_rss_utils.sh
new file mode 100644
index 0000000..8597029
--- /dev/null
+++ b/run_config/tc_rss_utils.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+sign_image() {
+ # $1 ... host binary name to sign
+ # $2 ... image load address
+ # $3 ... signed bin size
+
+ local tmpdir="$(mktempdir)"
+ host_bin="`basename ${1}`"
+ signed_bin="signed_`basename ${1}`"
+ host_binary_layout="`basename -s .bin ${1}`_ns"
+
+ # development PEM containing a key - use same key which is used for SCP BL1 in pre-built image
+ url="$tc_prebuilts/tc$plat_variant/root-RSA-3072.pem" saveas="root-RSA-3072.pem" fetch_file
+ archive_file "root-RSA-3072.pem"
+
+ RSS_SIGN_PRIVATE_KEY=$archive/root-RSA-3072.pem
+ RSS_SEC_CNTR_INIT_VAL=1
+ RSS_LAYOUT_WRAPPER_VERSION="1.7.0"
+
+ cat << EOF > $tmpdir/$host_binary_layout
+enum image_attributes {
+ RE_IMAGE_LOAD_ADDRESS = $2,
+ RE_SIGN_BIN_SIZE = $3,
+};
+EOF
+
+ if [ ! -f $archive/$host_bin ]; then
+ echo "$archive/$host_bin does not exist. Aborting...!"
+ exit 1
+ fi
+
+ echo "Signing `basename ${1}`"
+ # Get mcuboot
+ git clone "https://github.com/mcu-tools/mcuboot.git" $tmpdir/mcuboot
+ # Fetch wrapper script
+ saveas="$tmpdir" url="$tc_prebuilts/tc$plat_variant/wrapper_scripts" fetch_directory
+
+ echo "Installing dependencies..."
+ pip3 install cryptography cbor2 intelhex pyyaml
+
+ pushd $tmpdir/mcuboot/scripts
+ python3 $tmpdir/wrapper_scripts/wrapper/wrapper.py \
+ -v $RSS_LAYOUT_WRAPPER_VERSION \
+ --layout $tmpdir/$host_binary_layout \
+ -k $RSS_SIGN_PRIVATE_KEY \
+ --public-key-format full \
+ --align 1 \
+ --pad \
+ --pad-header \
+ -H 0x2000 \
+ -s $RSS_SEC_CNTR_INIT_VAL \
+ $archive/$host_bin \
+ $tmpdir/$signed_bin
+
+ echo "created signed_`basename ${1}`"
+ url="$tmpdir/$signed_bin" saveas="$signed_bin" fetch_file
+ archive_file "$signed_bin"
+ popd
+}
+
+update_fip() {
+ local prebuild_prefix=$tc_prebuilts/tc$plat_variant/$rss_revision
+
+ # Get pre-built rss rom
+ url="$prebuild_prefix/rss_rom.bin" fetch_file
+ archive_file "rss_rom.bin"
+
+ # Get pre-built rss bl2 signed bin
+ url="$prebuild_prefix/bl2_signed.bin" fetch_file
+ archive_file "bl2_signed.bin"
+
+ # Get pre-built rss TF-M NS signed bin
+ url="$prebuild_prefix/tfm_ns_signed.bin" fetch_file
+ archive_file "tfm_ns_signed.bin"
+
+ # Get pre-built rss TF-M S signed bin
+ url="$prebuild_prefix/tfm_s_signed.bin" fetch_file
+ archive_file "tfm_s_signed.bin"
+
+ # Get pre-built SCP signed bin
+ url="$prebuild_prefix/scp_signed.bin" fetch_file
+ archive_file "scp_signed.bin"
+
+ # Create FIP layout
+ "$fiptool" update \
+ --align 8192 --rss-bl2 "$archive/bl2_signed.bin" \
+ --align 8192 --rss-ns "$archive/tfm_ns_signed.bin" \
+ --align 8192 --rss-s "$archive/tfm_s_signed.bin" \
+ --align 8192 --rss-scp-bl1 "$archive/scp_signed.bin" \
+ --align 8192 --rss-ap-bl1 "$archive/$signed_bin" \
+ --out "host_flash_fip.bin" \
+ "$archive/fip.bin"
+ archive_file "host_flash_fip.bin"
+}
diff --git a/tf_config/fvp-tc2-spm b/tf_config/fvp-tc2-spm
new file mode 100644
index 0000000..c164d2f
--- /dev/null
+++ b/tf_config/fvp-tc2-spm
@@ -0,0 +1,12 @@
+ARM_ARCH_MINOR=5
+BRANCH_PROTECTION=1
+CROSS_COMPILE=aarch64-none-elf-
+CTX_INCLUDE_EL2_REGS=1
+CTX_INCLUDE_PAUTH_REGS=1
+CTX_INCLUDE_MTE_REGS=1
+ENABLE_SVE_FOR_SWD=1
+PLAT=tc
+SCP_BL2=/dev/null
+SPD=spmd
+SP_LAYOUT_FILE=${tftf_root}/build/tc/${bin_mode}/sp_layout.json
+TARGET_PLATFORM=2