| David Vincze | d8ed562 | 2024-02-23 17:00:12 +0100 | [diff] [blame] | 1 | #!/usr/bin/env bash |
| 2 | # |
| 3 | # Copyright (c) 2023-2024, Arm Limited. All rights reserved. |
| 4 | # |
| 5 | # SPDX-License-Identifier: BSD-3-Clause |
| 6 | # |
| 7 | |
| 8 | sign_image() { |
| 9 | # $1 ... host binary name to sign |
| 10 | # $2 ... image load address |
| 11 | # $3 ... signed bin size |
| 12 | |
| 13 | local tmpdir="$(mktempdir)" |
| 14 | host_bin="`basename ${1}`" |
| 15 | signed_bin="signed_`basename ${1}`" |
| 16 | host_binary_layout="`basename -s .bin ${1}`_ns" |
| 17 | |
| 18 | # development PEM containing a key - use same key which is used for SCP BL1 in pre-built image |
| 19 | url="$tc_prebuilts/tc$plat_variant/root-RSA-3072.pem" saveas="root-RSA-3072.pem" fetch_file |
| 20 | archive_file "root-RSA-3072.pem" |
| 21 | |
| 22 | RSE_SIGN_PRIVATE_KEY=$archive/root-RSA-3072.pem |
| 23 | RSE_SEC_CNTR_INIT_VAL=1 |
| 24 | RSE_LAYOUT_WRAPPER_VERSION="1.5.0" |
| 25 | |
| 26 | cat << EOF > $tmpdir/$host_binary_layout |
| 27 | enum image_attributes { |
| 28 | RE_IMAGE_LOAD_ADDRESS = $2, |
| 29 | RE_SIGN_BIN_SIZE = $3, |
| 30 | }; |
| 31 | EOF |
| 32 | |
| 33 | if [ ! -f $archive/$host_bin ]; then |
| 34 | echo "$archive/$host_bin does not exist. Aborting...!" |
| 35 | exit 1 |
| 36 | fi |
| 37 | |
| 38 | echo "Signing `basename ${1}`" |
| 39 | # Get mcuboot |
| 40 | git clone "https://github.com/mcu-tools/mcuboot.git" $tmpdir/mcuboot |
| 41 | # Fetch wrapper script |
| 42 | saveas="$tmpdir" url="$tc_prebuilts/tc$plat_variant/wrapper_scripts" fetch_directory |
| 43 | |
| 44 | echo "Installing dependencies..." |
| 45 | pip3 install cryptography cbor2 intelhex pyyaml |
| 46 | |
| 47 | pushd $tmpdir/mcuboot/scripts |
| 48 | python3 $tmpdir/wrapper_scripts/wrapper/wrapper.py \ |
| 49 | -v $RSE_LAYOUT_WRAPPER_VERSION \ |
| 50 | --layout $tmpdir/$host_binary_layout \ |
| 51 | -k $RSE_SIGN_PRIVATE_KEY \ |
| 52 | --public-key-format full \ |
| 53 | --align 1 \ |
| 54 | --pad \ |
| 55 | --pad-header \ |
| 56 | -H 0x2000 \ |
| 57 | -s $RSE_SEC_CNTR_INIT_VAL \ |
| 58 | $archive/$host_bin \ |
| 59 | $tmpdir/$signed_bin |
| 60 | |
| 61 | echo "created signed_`basename ${1}`" |
| 62 | url="$tmpdir/$signed_bin" saveas="$signed_bin" fetch_file |
| 63 | archive_file "$signed_bin" |
| 64 | popd |
| 65 | } |
| 66 | |
| 67 | update_fip() { |
| 68 | local prebuild_prefix=$tc_prebuilts/tc$plat_variant/$rse_revision |
| 69 | |
| 70 | # Get pre-built rse rom |
| 71 | url="$prebuild_prefix/rse_rom.bin" fetch_file |
| 72 | archive_file "rse_rom.bin" |
| 73 | |
| 74 | # Get pre-built rse bl2 signed bin |
| 75 | url="$prebuild_prefix/rse_bl2_signed.bin" fetch_file |
| 76 | archive_file "rse_bl2_signed.bin" |
| 77 | |
| 78 | # Get pre-built rse TF-M S signed bin |
| Leo Yan | 7d0aa2c | 2024-07-03 21:18:38 +0100 | [diff] [blame^] | 79 | if [ $plat_variant -eq 2 ]; then |
| 80 | url="$prebuild_prefix/rse_s_signed.bin" fetch_file |
| 81 | archive_file "rse_s_signed.bin" |
| 82 | elif [ $plat_variant -eq 3 ]; then |
| 83 | url="$prebuild_prefix/rse_s_encrypted.bin" fetch_file |
| 84 | archive_file "rse_s_encrypted.bin" |
| 85 | url="$prebuild_prefix/rse_s_sic_tables_signed.bin" fetch_file |
| 86 | archive_file "rse_s_sic_tables_signed.bin" |
| 87 | fi |
| David Vincze | d8ed562 | 2024-02-23 17:00:12 +0100 | [diff] [blame] | 88 | |
| 89 | # Get pre-built SCP signed bin |
| 90 | url="$prebuild_prefix/signed_scp_romfw.bin" fetch_file |
| 91 | archive_file "signed_scp_romfw.bin" |
| 92 | |
| 93 | # Create FIP layout |
| Leo Yan | 7d0aa2c | 2024-07-03 21:18:38 +0100 | [diff] [blame^] | 94 | if [ $plat_variant -eq 2 ]; then |
| 95 | "$fiptool" update \ |
| 96 | --align 8192 --rse-bl2 "$archive/rse_bl2_signed.bin" \ |
| 97 | --align 8192 --rse-s "$archive/rse_s_signed.bin" \ |
| 98 | --align 8192 --rse-scp-bl1 "$archive/signed_scp_romfw.bin" \ |
| 99 | --align 8192 --rse-ap-bl1 "$archive/$signed_bin" \ |
| 100 | --out "host_flash_fip.bin" \ |
| 101 | "$archive/fip.bin" |
| 102 | elif [ $plat_variant -eq 3 ]; then |
| 103 | "$fiptool" update \ |
| 104 | --align 8192 --rse-bl2 "$archive/rse_bl2_signed.bin" \ |
| 105 | --align 8192 --rse-scp-bl1 "$archive/signed_scp_romfw.bin" \ |
| 106 | --align 8192 --rse-ap-bl1 "$archive/$signed_bin" \ |
| 107 | --align 8192 --rse-s "$archive/rse_s_encrypted.bin" \ |
| 108 | --align 8192 --rse-sic-tables-s "$archive/rse_s_sic_tables_signed.bin" \ |
| 109 | --out "host_flash_fip.bin" \ |
| 110 | "$archive/fip.bin" |
| 111 | fi |
| David Vincze | d8ed562 | 2024-02-23 17:00:12 +0100 | [diff] [blame] | 112 | archive_file "host_flash_fip.bin" |
| 113 | } |
| 114 | |
| 115 | get_rse_prov_bins() { |
| 116 | local prebuild_prefix=$tc_prebuilts/tc$plat_variant/$rse_revision |
| 117 | |
| 118 | # Get pre-built rse rse_encrypted_cm_provisioning_bundle_0 bin |
| 119 | url="$prebuild_prefix/rse_encrypted_cm_provisioning_bundle_0.bin" fetch_file |
| 120 | archive_file "rse_encrypted_cm_provisioning_bundle_0.bin" |
| 121 | |
| 122 | # Get pre-built rse rse_encrypted_dm_provisioning_bundle bin |
| 123 | url="$prebuild_prefix/rse_encrypted_dm_provisioning_bundle.bin" fetch_file |
| 124 | archive_file "rse_encrypted_dm_provisioning_bundle.bin" |
| 125 | } |