#!/usr/bin/env bash
#
# Copyright (c) 2023-2024, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#

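sign_image() {
    # Sign a host binary from "$archive" with the RSE wrapper script (run from
    # a fresh mcuboot checkout) and archive the result as "signed_<name>".
    #
    # Arguments:
    #   $1 ... host binary name to sign
    #   $2 ... image load address
    #   $3 ... signed bin size
    # Globals read:    plat_variant, tc_prebuilts, archive
    # Globals written: host_bin, signed_bin, host_binary_layout,
    #                  RSE_SIGN_PRIVATE_KEY, RSE_SEC_CNTR_INIT_VAL,
    #                  RSE_LAYOUT_WRAPPER_VERSION
    # Helpers used:    mktempdir, fetch_file, fetch_directory, archive_file
    #                  (defined outside this function)
    # Exits with status 1 when a required step fails.

    # Declared separately so the helper's result is not hidden behind 'local'.
    local tmpdir
    tmpdir="$(mktempdir)"
    # An empty value would turn "$tmpdir/mcuboot" into "/mcuboot" below.
    if [ -z "$tmpdir" ] || [ ! -d "$tmpdir" ]; then
        echo "Could not create a temporary directory. Aborting...!" >&2
        exit 1
    fi

    # Deliberately not 'local': update_fip reads $signed_bin after this
    # function returns, and the other two names were global as well.
    host_bin="$(basename -- "$1")"
    signed_bin="signed_$host_bin"
    host_binary_layout="$(basename -s .bin -- "$1")_ns"

    # Development PEM containing a key - the same key that is used for SCP BL1
    # in the pre-built image.
    # NOTE(review): this is a private signing key downloaded from the prebuilts
    # location and then placed in $archive, so a signature made with it says
    # nothing about where an image came from. Keep it to development/CI
    # images. Whether fetch_file checks the integrity of what it downloads is
    # not visible here - confirm.
    if [ "$plat_variant" -eq 2 ]; then
        url="$tc_prebuilts/tc$plat_variant/root-RSA-3072.pem" saveas="root-RSA-3072.pem" fetch_file
        archive_file "root-RSA-3072.pem"
        RSE_SIGN_PRIVATE_KEY="$archive/root-RSA-3072.pem"
    elif [ "$plat_variant" -eq 3 ]; then
        url="$tc_prebuilts/tc$plat_variant/root-EC-P256.pem" saveas="root-EC-P256.pem" fetch_file
        archive_file "root-EC-P256.pem"
        RSE_SIGN_PRIVATE_KEY="$archive/root-EC-P256.pem"
    else
        # Without this branch the wrapper would be started with no key path.
        echo "Unsupported plat_variant '$plat_variant'. Aborting...!" >&2
        exit 1
    fi

    RSE_SEC_CNTR_INIT_VAL=1
    RSE_LAYOUT_WRAPPER_VERSION="2.1.0"

    # Layout file handed to the wrapper through --layout; $2 and $3 are
    # expanded by the shell into the enum values.
    cat << EOF > "$tmpdir/$host_binary_layout"
enum image_attributes {
    RE_IMAGE_LOAD_ADDRESS = $2,
    RE_SIGN_BIN_SIZE = $3,
};
EOF

    if [ ! -f "$archive/$host_bin" ]; then
        echo "$archive/$host_bin does not exist. Aborting...!" >&2
        exit 1
    fi

    echo "Signing $host_bin"
    # Get mcuboot
    # NOTE(review): this takes whatever the default branch points at when the
    # job runs, so the code that produces the signature is not a fixed,
    # reviewed revision. Pinning would be a follow-up, for example
    #   git -C "$tmpdir/mcuboot" checkout <REVIEWED_MCUBOOT_COMMIT>
    # where <REVIEWED_MCUBOOT_COMMIT> is a placeholder, not a real id.
    if ! git clone "https://github.com/mcu-tools/mcuboot.git" "$tmpdir/mcuboot"; then
        echo "Failed to clone mcuboot. Aborting...!" >&2
        exit 1
    fi
    # Fetch wrapper script
    saveas="$tmpdir" url="$tc_prebuilts/tc$plat_variant/wrapper_scripts" fetch_directory

    echo "Installing dependencies..."
    # NOTE(review): versions are not pinned and the packages land in whatever
    # Python environment the job runs in. A requirements file with pinned
    # versions and hashes (pip's --require-hashes) would keep the signing
    # toolchain reproducible.
    pip3 install cryptography cbor2 intelhex pyyaml

    # The wrapper is started from mcuboot's scripts directory - presumably so
    # it can find mcuboot's Python modules; confirm against wrapper.py.
    pushd "$tmpdir/mcuboot/scripts" || exit 1
    if ! python3 "$tmpdir/wrapper_scripts/wrapper/wrapper.py" \
        -v "$RSE_LAYOUT_WRAPPER_VERSION" \
        --layout "$tmpdir/$host_binary_layout" \
        -k "$RSE_SIGN_PRIVATE_KEY" \
        --public-key-format full \
        --align 1 \
        --pad \
        --pad-header \
        -H 0x2000 \
        -s "$RSE_SEC_CNTR_INIT_VAL" \
        "$archive/$host_bin" \
        "$tmpdir/$signed_bin"; then
        # Stop here so nothing is archived under the signed name unless the
        # wrapper really succeeded.
        echo "Failed to sign $host_bin. Aborting...!" >&2
        exit 1
    fi

    echo "created $signed_bin"
    url="$tmpdir/$signed_bin" saveas="$signed_bin" fetch_file
    archive_file "$signed_bin"
    popd
}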
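update_fip() {
    # Fetch the pre-built RSE and SCP images for the current platform variant,
    # run "fiptool update" on "$archive/fip.bin" with those images plus
    # "$archive/$signed_bin", and archive the resulting host_flash_fip.bin.
    #
    # Globals read: tc_prebuilts, plat_variant, rse_revision, archive,
    #               fiptool, signed_bin (assigned by sign_image)
    # Helpers used: fetch_file, archive_file (defined outside this function)
    # Exits with status 1 on an unsupported plat_variant or a fiptool failure.
    #
    # NOTE(review): every image fetched here ends up in the flash image.
    # Whether fetch_file authenticates or checksums its downloads is not
    # visible in this function - confirm.
    local prebuild_prefix="$tc_prebuilts/tc$plat_variant/$rse_revision"

    # Get pre-built rse rom
    url="$prebuild_prefix/rse_rom.bin" fetch_file
    archive_file "rse_rom.bin"

    # Get pre-built rse bl2 signed bin
    url="$prebuild_prefix/rse_bl2_signed.bin" fetch_file
    archive_file "rse_bl2_signed.bin"

    # Get pre-built rse TF-M S signed bin
    if [ "$plat_variant" -eq 2 ]; then
        url="$prebuild_prefix/rse_s_signed.bin" fetch_file
        archive_file "rse_s_signed.bin"
    elif [ "$plat_variant" -eq 3 ]; then
        url="$prebuild_prefix/rse_s_encrypted.bin" fetch_file
        archive_file "rse_s_encrypted.bin"
        url="$prebuild_prefix/rse_s_sic_tables_signed.bin" fetch_file
        archive_file "rse_s_sic_tables_signed.bin"
    else
        # Falling through would skip fiptool and then archive whatever
        # host_flash_fip.bin happens to be in the working directory.
        echo "Unsupported plat_variant '$plat_variant'. Aborting...!" >&2
        exit 1
    fi

    # Get pre-built SCP signed bin
    url="$prebuild_prefix/signed_scp_romfw.bin" fetch_file
    archive_file "signed_scp_romfw.bin"

    # Create FIP layout. The option order is kept exactly as it was for each
    # variant; --out is relative to the current working directory.
    if [ "$plat_variant" -eq 2 ]; then
        "$fiptool" update \
            --align 8192 --rse-bl2 "$archive/rse_bl2_signed.bin" \
            --align 8192 --rse-s "$archive/rse_s_signed.bin" \
            --align 8192 --rse-scp-bl1 "$archive/signed_scp_romfw.bin" \
            --align 8192 --rse-ap-bl1 "$archive/$signed_bin" \
            --out "host_flash_fip.bin" \
            "$archive/fip.bin" || exit 1
    else
        # Only variant 3 can reach this branch; anything else exited above.
        "$fiptool" update \
            --align 8192 --rse-bl2 "$archive/rse_bl2_signed.bin" \
            --align 8192 --rse-scp-bl1 "$archive/signed_scp_romfw.bin" \
            --align 8192 --rse-ap-bl1 "$archive/$signed_bin" \
            --align 8192 --rse-s "$archive/rse_s_encrypted.bin" \
            --align 8192 --rse-sic-tables-s "$archive/rse_s_sic_tables_signed.bin" \
            --out "host_flash_fip.bin" \
            "$archive/fip.bin" || exit 1
    fi
    archive_file "host_flash_fip.bin"
}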
get_rse_prov_bins() {
    # Fetch the two pre-built RSE provisioning bundle binaries for the current
    # platform variant and RSE revision, archiving each one after download.
    #
    # Globals read: tc_prebuilts, plat_variant, rse_revision
    # Helpers used: fetch_file, archive_file (defined outside this function)
    local prebuild_prefix=$tc_prebuilts/tc$plat_variant/$rse_revision
    local _prov_bin

    # Same order as before: the CM bundle first, then the DM bundle.
    for _prov_bin in \
        "rse_encrypted_cm_provisioning_bundle_0.bin" \
        "rse_encrypted_dm_provisioning_bundle.bin"; do
        url="$prebuild_prefix/$_prov_bin" fetch_file
        archive_file "$_prov_bin"
    done
}