Roman Okhrimenko | 977b375 | 2022-03-31 14:40:48 +0300 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | (set -o igncr) 2>/dev/null && set -o igncr; #keep this comment |
| 3 | |
| 4 | echo_run() { echo "\$ ${@/eval/}" ; "$@" ; } |
| 5 | |
| 6 | # set -vx |
| 7 | |
| 8 | # parameters |
| 9 | # 1. secure/non-secure |
| 10 | # 2. path to app |
| 11 | # 3. app name |
| 12 | # 4. app type |
| 13 | # 5. path to keys |
| 14 | # 6. smif config file |
| 15 | |
| 16 | # additional mcuboot makefile param |
| 17 | # 7. gcc toolchain path |
| 18 | # 8. path to policy |
| 19 | # 9. default application slot size |
| 20 | # 10. enable encryption |
Roman Okhrimenko | 883cb5b | 2024-03-28 17:22:33 +0200 | [diff] [blame^] | 21 | # 11. platform (CYW20829 or CYW89829) |
| 22 | # 12. service application descriptor address |
Roman Okhrimenko | 977b375 | 2022-03-31 14:40:48 +0300 | [diff] [blame] | 23 | |
| 24 | # Combined image configuration |
| 25 | LCS=$1 |
| 26 | : ${LCS:="NORMAL_NO_SECURE"} |
| 27 | |
| 28 | # Path to the image and image name for programming (the extension must be bin) |
| 29 | L1_USER_APP_BIN="$2/$3.bin" |
| 30 | : ${L1_USER_APP_BIN:="blinky.bin"} |
| 31 | |
| 32 | if [ "$LCS" == "SECURE" ]; then |
| 33 | L1_USER_APP_BIN_SIGN="$2/$3.signed.bin" |
| 34 | : ${L1_USER_APP_BIN_SIGN:="blinky.signed.bin"} |
| 35 | fi |
| 36 | |
| 37 | L1_USER_APP_ELF="$2/$3.elf" |
| 38 | : ${L1_USER_APP_ELF:="blinky.elf"} |
| 39 | |
| 40 | FINAL_BIN_FILE="$2/$3.final.bin" |
| 41 | : ${FINAL_BIN_FILE:="blinky.final.bin"} |
| 42 | |
| 43 | COMBINED_BIN_FILE="$2/$3.combined.bin" |
| 44 | : ${L1_USER_APP_BIN:="blinky.combined.bin"} |
| 45 | |
| 46 | FINAL_HEX_FILE="$2/$3.final.hex" |
| 47 | : ${FINAL_HEX_FILE:="blinky.final.hex"} |
| 48 | |
| 49 | AES_CTR_NONCE_FILE="$2/$3.signed_nonce.bin" |
| 50 | |
| 51 | ENCRYPTED_MCUBOOT_BIN_FILE="$2/$3.signed_encrypted.bin" |
| 52 | |
| 53 | TOC2_FILE="$2/toc2.bin" |
| 54 | |
| 55 | L1_DESC_TEMP="$2/l1_app_desc_temp.bin" |
| 56 | |
| 57 | L1_DESC_FILE="$2/l1_app_desc.bin" |
| 58 | |
| 59 | L1_USER_APP_HEADER_FILE="$2/l1_user_app_header.bin" |
| 60 | |
| 61 | APP_TYPE=$4 |
| 62 | : ${APP_TYPE:="l1ram"} |
| 63 | |
| 64 | PROVISION_PATH=$5 |
| 65 | : ${PROVISION_PATH:="."} |
| 66 | |
| 67 | # Path to the smif_crypto_cfg and its name for programming (the extension |
| 68 | # must be bin) |
| 69 | SMIF_CRYPTO_CFG=$6 |
| 70 | : ${SMIF_CRYPTO_CFG:="NONE"} |
| 71 | |
| 72 | # Full path to the default toolchain |
| 73 | if [ "$7" == "" ];then |
| 74 | NM_TOOL=arm-none-eabi-nm |
| 75 | else |
| 76 | NM_TOOL="$7"/bin/arm-none-eabi-nm |
| 77 | fi |
| 78 | |
| 79 | POLICY_PATH=$8 |
| 80 | : ${POLICY_PATH:="$PROVISION_PATH/policy/policy_secure.json"} |
| 81 | |
| 82 | SLOT_SIZE=$9 |
| 83 | |
| 84 | if [ "${10}" == "1" ];then |
| 85 | ENC_OPTION="--encrypt" |
| 86 | else |
| 87 | ENC_OPTION="" |
| 88 | fi |
| 89 | |
Roman Okhrimenko | 883cb5b | 2024-03-28 17:22:33 +0200 | [diff] [blame^] | 90 | TARGET_PLATFORM=${11} |
| 91 | |
| 92 | SERVICE_APP_DESCR_ADDR=${12} |
Roman Okhrimenko | 977b375 | 2022-03-31 14:40:48 +0300 | [diff] [blame] | 93 | : ${SERVICE_APP_DESCR_ADDR:=0x0} |
| 94 | |
| 95 | ######################## Validate Input Args ################################# |
| 96 | if ! [ -f $L1_USER_APP_BIN ]; then |
| 97 | echo "ERROR: $L1_USER_APP_BIN not found" |
| 98 | exit 1 |
| 99 | fi |
| 100 | |
| 101 | if ! [ -f $L1_USER_APP_ELF ]; then |
| 102 | echo "ERROR: $L1_USER_APP_ELF not found" |
| 103 | exit 1 |
| 104 | fi |
| 105 | |
| 106 | if ! [ -d $PROVISION_PATH ]; then |
| 107 | echo "ERROR: $PROVISION_PATH not found" |
| 108 | exit 1 |
| 109 | fi |
| 110 | |
| 111 | if [ "$TOOLCHAIN" != "ARM" ]; then |
| 112 | if ! [ -x $NM_TOOL ]; then |
| 113 | echo "ERROR: $NM_TOOL not found" |
| 114 | exit 1 |
| 115 | fi |
| 116 | fi |
| 117 | |
| 118 | if ! [ -x "$(command -v awk)" ]; then |
| 119 | echo "ERROR: awk not found" |
| 120 | exit 1 |
| 121 | fi |
| 122 | |
| 123 | # if ! [ -x "$(command -v print)" ]; then |
| 124 | # echo "ERROR: print not found" |
| 125 | # exit 1 |
| 126 | # fi |
| 127 | |
| 128 | if [ "$LCS" == "SECURE" ]; then |
| 129 | if ! [ -x "$(command -v cysecuretools)" ]; then |
| 130 | echo "ERROR: cysecuretools not found" |
| 131 | exit 1 |
| 132 | fi |
| 133 | fi |
| 134 | ######################### Generate TOC2 ######################################## |
| 135 | |
| 136 | # Hardcoded value bytes |
| 137 | TOC2_SIZE=16 |
| 138 | |
| 139 | # Hardcoded address in external memory |
| 140 | TOC2_ADDR=0x0 |
| 141 | |
| 142 | # TOC2 entries in hexadecimal |
| 143 | L1_APP_DESCR_ADDR=0x10 |
| 144 | DEBUG_CERT_ADDR=0x0 |
| 145 | |
| 146 | # Convert to hex string (without 0x prefix) |
| 147 | TOC2_SIZE_HEX=$(printf "%08x" $TOC2_SIZE) |
| 148 | L1_APP_DESCR_ADDR_HEX=$(printf "%08x" $(expr $L1_APP_DESCR_ADDR)) |
| 149 | SERVICE_APP_DESCR_ADDR_HEX=$(printf "%08x" $(expr $SERVICE_APP_DESCR_ADDR)) |
| 150 | DEBUG_CERT_ADDR_HEX=$(printf "%08x" $(expr $DEBUG_CERT_ADDR)) |
| 151 | |
| 152 | # Write 4 bytes from hex string, LSB first |
| 153 | printf "\x"${TOC2_SIZE_HEX:6:2} > $TOC2_FILE |
| 154 | printf "\x"${TOC2_SIZE_HEX:4:2} >> $TOC2_FILE |
| 155 | printf "\x"${TOC2_SIZE_HEX:2:2} >> $TOC2_FILE |
| 156 | printf "\x"${TOC2_SIZE_HEX:0:2} >> $TOC2_FILE |
| 157 | |
| 158 | printf "\x"${L1_APP_DESCR_ADDR_HEX:6:2} >> $TOC2_FILE |
| 159 | printf "\x"${L1_APP_DESCR_ADDR_HEX:4:2} >> $TOC2_FILE |
| 160 | printf "\x"${L1_APP_DESCR_ADDR_HEX:2:2} >> $TOC2_FILE |
| 161 | printf "\x"${L1_APP_DESCR_ADDR_HEX:0:2} >> $TOC2_FILE |
| 162 | |
| 163 | printf "\x"${SERVICE_APP_DESCR_ADDR_HEX:6:2} >> $TOC2_FILE |
| 164 | printf "\x"${SERVICE_APP_DESCR_ADDR_HEX:4:2} >> $TOC2_FILE |
| 165 | printf "\x"${SERVICE_APP_DESCR_ADDR_HEX:2:2} >> $TOC2_FILE |
| 166 | printf "\x"${SERVICE_APP_DESCR_ADDR_HEX:0:2} >> $TOC2_FILE |
| 167 | |
| 168 | printf "\x"${DEBUG_CERT_ADDR_HEX:6:2} >> $TOC2_FILE |
| 169 | printf "\x"${DEBUG_CERT_ADDR_HEX:4:2} >> $TOC2_FILE |
| 170 | printf "\x"${DEBUG_CERT_ADDR_HEX:2:2} >> $TOC2_FILE |
| 171 | printf "\x"${DEBUG_CERT_ADDR_HEX:0:2} >> $TOC2_FILE |
| 172 | |
| 173 | if [ ! -f "$TOC2_FILE" ]; then |
| 174 | echo "Error: $TOC2_FILE does not exist." > /dev/tty |
| 175 | exit -1 |
| 176 | fi |
| 177 | ######################### Generate L1_APP_DESCR ################################ |
| 178 | |
| 179 | # Hardcoded value bytes |
| 180 | L1_APP_DESCR_SIZE=28 |
| 181 | |
| 182 | # Placed after the TOC2 |
| 183 | L1_APP_DESCR_ADDR=$(printf "0x%x" `expr $TOC2_SIZE`) |
| 184 | BOOT_STRAP_DST_ADDR=0x20004000 |
| 185 | # L1_APP_DESCR entries in hexadecimal |
| 186 | if [ "$LCS" == "NORMAL_NO_SECURE" ]; then |
| 187 | BOOT_STRAP_ADDR=0x50 # Fix address for un-signed image |
| 188 | else |
| 189 | BOOT_STRAP_ADDR=0x30 # Fix address for signed image |
| 190 | fi |
| 191 | |
| 192 | if [ "$APP_TYPE" == "l1ram" ]; then |
| 193 | BOOT_STRAP_SIZE=`wc -c ${L1_USER_APP_BIN} | awk '{print $1}'` |
| 194 | BOOT_STRAP_DST_ADDR_ELF=`${NM_TOOL} ${L1_USER_APP_ELF} | grep "__bootstrap_start_addr__" | awk '{print $1}'` |
| 195 | BOOT_STRAP_DST_ADDR=$(printf "%d" $((16#$BOOT_STRAP_DST_ADDR_ELF))) |
| 196 | |
| 197 | if [ ! -f "$L1_USER_APP_BIN" ]; then |
| 198 | echo "Error: $L1_USER_APP_BIN does not exist." > /dev/tty |
| 199 | exit -1 |
| 200 | fi |
| 201 | else |
| 202 | BOOT_STRAP_SIZE_ELF=`${NM_TOOL} ${L1_USER_APP_ELF} | grep "__bootstrap_size__" | awk '{print $1}'` |
| 203 | BOOT_STRAP_SIZE=$(printf "%d" $((16#$BOOT_STRAP_SIZE_ELF))) |
| 204 | BOOT_STRAP_DST_ADDR_ELF=`${NM_TOOL} ${L1_USER_APP_ELF} | grep "__bootstrap_start_addr__" | awk '{print $1}'` |
| 205 | BOOT_STRAP_DST_ADDR=$(printf "%d" $((16#$BOOT_STRAP_DST_ADDR_ELF))) |
| 206 | if [ "$TOOLCHAIN" == "ARM" ]; then |
| 207 | # Reserving 0x3000 for bootstrap. This needs to be calculated based on the actual size |
| 208 | BOOT_STRAP_SIZE=12288 |
| 209 | fi |
| 210 | fi |
| 211 | |
| 212 | # Convert to hex string (without 0x prefix) |
| 213 | L1_APP_DESCR_SIZE_HEX=$(printf "%08x" $L1_APP_DESCR_SIZE) |
| 214 | BOOT_STRAP_ADDR_HEX=$(printf "%08x" $BOOT_STRAP_ADDR) |
| 215 | BOOT_STRAP_DST_ADDR_HEX=$(printf "%08x" $BOOT_STRAP_DST_ADDR) |
| 216 | BOOT_STRAP_SIZE_HEX=$(printf "%08x" $BOOT_STRAP_SIZE) |
| 217 | |
| 218 | if [ $BOOT_STRAP_SIZE_HEX == 00000000 ]; then |
| 219 | echo "ERROR: in calculating bootstrap size" |
| 220 | exit 1 |
| 221 | fi |
| 222 | |
| 223 | # Write 4 bytes from hex string, LSB first |
| 224 | printf "\x"${L1_APP_DESCR_SIZE_HEX:6:2} > $L1_DESC_TEMP |
| 225 | printf "\x"${L1_APP_DESCR_SIZE_HEX:4:2} >> $L1_DESC_TEMP |
| 226 | printf "\x"${L1_APP_DESCR_SIZE_HEX:2:2} >> $L1_DESC_TEMP |
| 227 | printf "\x"${L1_APP_DESCR_SIZE_HEX:0:2} >> $L1_DESC_TEMP |
| 228 | |
| 229 | printf "\x"${BOOT_STRAP_ADDR_HEX:6:2} >> $L1_DESC_TEMP |
| 230 | printf "\x"${BOOT_STRAP_ADDR_HEX:4:2} >> $L1_DESC_TEMP |
| 231 | printf "\x"${BOOT_STRAP_ADDR_HEX:2:2} >> $L1_DESC_TEMP |
| 232 | printf "\x"${BOOT_STRAP_ADDR_HEX:0:2} >> $L1_DESC_TEMP |
| 233 | |
| 234 | printf "\x"${BOOT_STRAP_DST_ADDR_HEX:6:2} >> $L1_DESC_TEMP |
| 235 | printf "\x"${BOOT_STRAP_DST_ADDR_HEX:4:2} >> $L1_DESC_TEMP |
| 236 | printf "\x"${BOOT_STRAP_DST_ADDR_HEX:2:2} >> $L1_DESC_TEMP |
| 237 | printf "\x"${BOOT_STRAP_DST_ADDR_HEX:0:2} >> $L1_DESC_TEMP |
| 238 | |
| 239 | printf "\x"${BOOT_STRAP_SIZE_HEX:6:2} >> $L1_DESC_TEMP |
| 240 | printf "\x"${BOOT_STRAP_SIZE_HEX:4:2} >> $L1_DESC_TEMP |
| 241 | printf "\x"${BOOT_STRAP_SIZE_HEX:2:2} >> $L1_DESC_TEMP |
| 242 | printf "\x"${BOOT_STRAP_SIZE_HEX:0:2} >> $L1_DESC_TEMP |
| 243 | |
| 244 | if [ ! -f "$L1_DESC_TEMP" ]; then |
| 245 | echo "Error: $L1_DESC_TEMP does not exist." > /dev/tty |
| 246 | exit -1 |
| 247 | fi |
| 248 | |
| 249 | if [ "$SMIF_CRYPTO_CFG" == "NONE" ]; then |
| 250 | for var in 0 1 2 |
| 251 | do |
| 252 | SMIF_CRYPTO_CFG_HEX=00000000 |
| 253 | printf "\x"${SMIF_CRYPTO_CFG_HEX:6:2} >> $L1_DESC_TEMP |
| 254 | printf "\x"${SMIF_CRYPTO_CFG_HEX:4:2} >> $L1_DESC_TEMP |
| 255 | printf "\x"${SMIF_CRYPTO_CFG_HEX:2:2} >> $L1_DESC_TEMP |
| 256 | printf "\x"${SMIF_CRYPTO_CFG_HEX:0:2} >> $L1_DESC_TEMP |
| 257 | done |
| 258 | |
| 259 | `mv $L1_DESC_TEMP $L1_DESC_FILE` |
| 260 | |
| 261 | if [ ! -f "$L1_DESC_FILE" ]; then |
| 262 | echo "Error: $L1_DESC_FILE does not exist." > /dev/tty |
| 263 | exit -1 |
| 264 | fi |
| 265 | else |
| 266 | if [ ! -f "$L1_DESC_TEMP.bin" ]; then |
| 267 | echo "Error: $L1_DESC_TEMP.bin does not exist." > /dev/tty |
| 268 | exit -1 |
| 269 | fi |
| 270 | if [ ! -f "$SMIF_CRYPTO_CFG.bin" ]; then |
| 271 | echo "Error: $SMIF_CRYPTO_CFG.bin does not exist." > /dev/tty |
| 272 | exit -1 |
| 273 | fi |
| 274 | |
| 275 | `cat $L1_DESC_TEMP $SMIF_CRYPTO_CFG.bin > $L1_DESC_FILE |
| 276 | rm -f $L1_DESC_TEMP` |
| 277 | |
| 278 | if [ ! -f "$L1_DESC_FILE" ]; then |
| 279 | echo "Error: $L1_DESC_FILE does not exist." > /dev/tty |
| 280 | exit -1 |
| 281 | fi |
| 282 | if [ -f "$L1_DESC_TEMP" ]; then |
| 283 | echo "Error: $L1_DESC_TEMP has not been removed." > /dev/tty |
| 284 | exit -1 |
| 285 | fi |
| 286 | fi |
| 287 | |
| 288 | if [ ! -f "$TOC2_FILE" ]; then |
| 289 | echo "Error: $TOC2_FILE does not exist." > /dev/tty |
| 290 | exit -1 |
| 291 | fi |
| 292 | if [ ! -f "$L1_DESC_FILE" ]; then |
| 293 | echo "Error: $L1_DESC_FILE does not exist." > /dev/tty |
| 294 | exit -1 |
| 295 | fi |
| 296 | |
| 297 | # 4 bytes of padding (encrypted data should be aligned to 0x10 boundary) |
| 298 | echo -en "\0\0\0\0" >> $L1_DESC_FILE |
| 299 | |
| 300 | if [ "$LCS" == "NORMAL_NO_SECURE" ]; then |
| 301 | |
| 302 | number=0 |
| 303 | |
| 304 | L1_USER_APP_HEADER_HEX=00000000 |
| 305 | # create 32 byte null header for bootstrap |
| 306 | printf "\x"${L1_USER_APP_HEADER_HEX:6:2} > $L1_USER_APP_HEADER_FILE |
| 307 | printf "\x"${L1_USER_APP_HEADER_HEX:4:2} >> $L1_USER_APP_HEADER_FILE |
| 308 | printf "\x"${L1_USER_APP_HEADER_HEX:2:2} >> $L1_USER_APP_HEADER_FILE |
| 309 | printf "\x"${L1_USER_APP_HEADER_HEX:0:2} >> $L1_USER_APP_HEADER_FILE |
| 310 | |
| 311 | if [ ! -f "$L1_USER_APP_HEADER_FILE" ]; then |
| 312 | echo "Error: $L1_USER_APP_HEADER_FILE does not exist." > /dev/tty |
| 313 | exit -1 |
| 314 | fi |
| 315 | |
| 316 | while [ $number -lt 7 ] |
| 317 | do |
| 318 | printf "\x"${L1_USER_APP_HEADER_HEX:6:2} >> $L1_USER_APP_HEADER_FILE |
| 319 | printf "\x"${L1_USER_APP_HEADER_HEX:4:2} >> $L1_USER_APP_HEADER_FILE |
| 320 | printf "\x"${L1_USER_APP_HEADER_HEX:2:2} >> $L1_USER_APP_HEADER_FILE |
| 321 | printf "\x"${L1_USER_APP_HEADER_HEX:0:2} >> $L1_USER_APP_HEADER_FILE |
| 322 | |
| 323 | number=`expr $number + 1` |
| 324 | done |
| 325 | |
| 326 | if [ ! -f "$L1_USER_APP_HEADER_FILE" ]; then |
| 327 | echo "Error: $L1_USER_APP_HEADER_FILE does not exist." > /dev/tty |
| 328 | exit -1 |
| 329 | fi |
| 330 | if [ ! -f "$L1_USER_APP_BIN" ]; then |
| 331 | echo "Error: $L1_USER_APP_BIN does not exist." > /dev/tty |
| 332 | exit -1 |
| 333 | fi |
| 334 | |
| 335 | # Combining all images (toc2+l1_app_desc+l1_user_app_header+l1_user_app) to Final binary file |
| 336 | `cat $TOC2_FILE $L1_DESC_FILE $L1_USER_APP_HEADER_FILE $L1_USER_APP_BIN > $FINAL_BIN_FILE` |
| 337 | elif [ "$LCS" == "SECURE" ]; then |
| 338 | if [ ! -f "$L1_USER_APP_BIN" ]; then |
| 339 | echo "Error: $L1_USER_APP_BIN does not exist." > /dev/tty |
| 340 | exit -1 |
| 341 | fi |
| 342 | |
| 343 | # Sign l1 user app L1_USER_APP_BIN_SIGN |
Roman Okhrimenko | 883cb5b | 2024-03-28 17:22:33 +0200 | [diff] [blame^] | 344 | cysecuretools -q -t $TARGET_PLATFORM -p $POLICY_PATH sign-image --image-format bootrom_next_app -i $L1_USER_APP_BIN -k 0 -o $L1_USER_APP_BIN_SIGN --slot-size $SLOT_SIZE --app-addr 0x08000030 $ENC_OPTION |
Roman Okhrimenko | 977b375 | 2022-03-31 14:40:48 +0300 | [diff] [blame] | 345 | |
| 346 | if [ ! -f "$L1_USER_APP_BIN_SIGN" ]; then |
| 347 | echo "Error: $L1_USER_APP_BIN_SIGN has not been created." > /dev/tty |
| 348 | exit -1 |
| 349 | fi |
| 350 | |
| 351 | # Combining all images (toc2+l1_app_desc+l1_user_app) to Final binary file of MCUBootApp |
| 352 | if [ -z $ENC_OPTION ]; then |
| 353 | cat $TOC2_FILE $L1_DESC_FILE $L1_USER_APP_BIN_SIGN > $FINAL_BIN_FILE |
| 354 | else |
| 355 | # Patching L1 app descriptor with AES-CTR Nonce |
| 356 | dd seek=16 bs=1 count=12 conv=notrunc if=$AES_CTR_NONCE_FILE of=$L1_DESC_FILE >& /dev/null && \ |
| 357 | cat $TOC2_FILE $L1_DESC_FILE ${ENCRYPTED_MCUBOOT_BIN_FILE} > $FINAL_BIN_FILE |
| 358 | fi |
| 359 | else |
| 360 | echo "ERROR: Invalid LCS ($LCS) value" |
| 361 | exit 1 |
| 362 | fi |
| 363 | |
| 364 | if [ ! -f "$FINAL_BIN_FILE" ]; then |
| 365 | echo "Error: $FINAL_BIN_FILE does not exist." > /dev/tty |
| 366 | exit -1 |
| 367 | fi |