trusted-firmware-m: Fix sign images to allow FOTA #94470
Conversation
I have tested the patch; it works for my project using U585. I think it's a good solution.
I could validate that.
I haven't looked at the PR but just adding a -1 so that the MPS2/MPS3 changes don't get merged. I'll have a look at this next week once I am done with my current high priority task.
BTW, @nandojve, currently the mps4/**/fvp/ns boards are not enabled because TF-M doesn't generate a few required hex files. Would this PR help with that? If you would like to try, you can add the one line below here:
default "arm/mps4/corstone320/fvp" if BOARD_MPS4_CORSTONE320_FVP_NS
Hi @wearyzen, are you maintaining the ARM platform?
I have a product that requires TF-M + FWU ASAP in mainline. These changes were already proven to make FWU work, by the community as well. I'm only trying to fix mps2/3 because they are in CI, but I'm fine with excluding them from the tests because those bring zero value at the moment, even if they build.
I'm not sure, because the flash layout from ARM does not provide correct info at all. The layout comment says single image, but CONFIG_TFM_MCUBOOT_IMAGE_NUMBER=2. https://discord.com/channels/1106321706588577904/1106321982900945017/1405922987491983581
Yes, I am.
That would break the mps2/mps3 ns boards, wouldn't it? If you could change the code to keep the current behavior for mps2/mps3/mps4 and apply the new change only to the others, then I don't have any issue. With the current PR, I will still need some time to understand the changes before approving it.
Reorder TFM_BOARD entries by vendor name for improved clarity. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The mps2/an521/cpu0/ns board defines flash layouts in TF-M that allow CONFIG_TFM_MCUBOOT_IMAGE_NUMBER to be 1 or 2. In the Zephyr project, when building the samples, the selected value is 2. The layout changes are necessary to allow use of the --max-sectors option when signing the images. It ensures that the flash layout is respected. To allow this, the compatible "soc-nv-flash" was added in the reserved memory and the fixed-partitions were defined. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Exclude mps3/corstone300/an547/ns from PSA tests because QEMU does not model the QSPI flash in MPS3 boards as real QSPI flash, but only as simple ROM. Attempting to rewrite the flash from the guest will fail. zephyrproject-rtos#94470 (comment) Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The mps3/foo/ns configuration defines flash layouts in TF-M to support CONFIG_TFM_MCUBOOT_IMAGE_NUMBER values of 1 or 2. In the Zephyr project, when building samples, the selected value is 2. The layout changes are necessary to support the --max-sectors option when signing images, ensuring that the flash layout is respected. To enable this, the compatible "soc-nv-flash" was added to the reserved memory, and fixed-partitions were defined. Additionally, the ISRAM was redefined to expose the correct size and values for both S and NS firmware, clarifying memory selection for the user. For example, see general details in:
https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/%2B/refs/heads/main/platform/ext/target/arm/mps3/corstone310/common/partition/region_defs.h#116
https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/%2B/refs/heads/main/platform/ext/target/arm/mps3/corstone310/common/config.cmake#13
Note: Not all mps3 ISRAMs have the same size, and the design should take that into consideration. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The external partitions are defined depending on the S and NS images. This moves the external partitions from common to the S image. The NS image will be defined in the future to allow correct usage of MCUboot. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The partitions for the stm32l562e_dk/stm32l562xx/ns board are not aligned with TF-M. This fixes the partition alignment. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current version of the TF-M script that signs the MCUboot image uses a default alignment of 1. This value varies between flash devices, and not all accept the default of 1. This improves the script by picking the write-block-size property from the current flash controller and passing it as the --align parameter when signing an image. Note: This solution works out of the box for the vast majority of devices in the Zephyr tree, and an exception will be thrown when a device is not supported. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The --max-sectors option helps catch problems with flash overlap when merging images. If there is a misalignment in flash partitions, the merge process usually fails. This uses information from Zephyr flash partitions and the flash controller to automatically determine the max sectors value and apply it when signing an image. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current behavior when signing an image is to always set --pad and --pad-header for all images unless TFM_USE_NS_APP is set. This does not allow for easy creation of signed images for FOTA applications. Rewrite the PAD parameter as HEADER and TRAILER to simplify the setup of more signing options. Another important reason for this change is that the NS image, when signed without --pad, runs on the hardware but does not perform the MCUboot test, and the FWU never upgrades the image. This fixes the NS image signing process to correctly support TF-M FWU using the PSA API functions. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The current behavior when signing an image adds --pad but does not confirm the image. This appears to be a mistake, as the user should inspect the image status in the Firmware Upgrade software. If an image is not --confirmed, the FSM cannot infer the correct states. This sets the image as confirmed to resolve the issue. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Make variables that define output files explicitly include 'HEX' in the name. This refactoring step allows for the introduction of BIN file generation. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
A fundamental use of Trusted Firmware-M is to provide security for IoT applications, where firmware upgrades (FOTA) are almost always mandatory. The current file signing process does not produce the necessary binaries for multi-image S/NS FWU, since hex images are not suitable for this use case. This introduces the missing signed binary files for use by the FWU partition. The changes were tested in multi-image FWU scenarios, and support for single-image scenarios can be easily added in the future. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
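The five commit messages above (--align from write-block-size, --max-sectors from the partition layout, the --pad/--pad-header rewrite, the --confirm fix, and the separate binary for FWU) describe one derivation from the flash layout to the imgtool command line. The script below is an added example, not code from this PR, Zephyr or TF-M: it takes a constructed partition table and flash-controller properties, rejects the layout problems --max-sectors would otherwise surface at merge time, and emits two imgtool argument lists, a padded and confirmed one for the image that is flashed locally and an unpadded, unconfirmed one for the FOTA payload. The trailer-size formula reproduces imgtool's swap-mode computation without encryption and is an assumption to check against your imgtool version; the header size, `--pad-header` on both images and all sample offsets are likewise assumptions.

```python
"""Derive MCUboot imgtool signing parameters from a Zephyr-style flash layout.

Example code added to this discussion; not part of Zephyr, TF-M or MCUboot.
The imgtool trailer formula and the sample layout are assumptions.
"""
from dataclasses import dataclass
from typing import List

IMGTOOL_ALIGN_VALUES = {1, 2, 4, 8, 16, 32}  # values imgtool's --align accepts
MCUBOOT_MAGIC_SIZE = 16
DEFAULT_MAX_ALIGN = 8                         # imgtool's default --max-align (assumption)
MCUBOOT_HEADER_SIZE = 0x400                   # assumed --header-size


@dataclass(frozen=True)
class FlashController:
    write_block_size: int   # DTS write-block-size
    erase_block_size: int   # DTS erase-block-size


@dataclass(frozen=True)
class Partition:
    label: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def imgtool_align(ctrl: FlashController) -> int:
    """--align is the controller's write-block-size; unsupported devices raise."""
    if ctrl.write_block_size not in IMGTOOL_ALIGN_VALUES:
        raise ValueError(f"write-block-size {ctrl.write_block_size} is not a valid "
                         f"imgtool --align ({sorted(IMGTOOL_ALIGN_VALUES)})")
    return ctrl.write_block_size


def check_layout(partitions: List[Partition], ctrl: FlashController) -> None:
    """Reject misaligned or overlapping partitions before any merge step."""
    ordered = sorted(partitions, key=lambda p: p.offset)
    for p in ordered:
        if p.offset % ctrl.erase_block_size or p.size % ctrl.erase_block_size:
            raise ValueError(f"{p.label} is not erase-block aligned")
    for a, b in zip(ordered, ordered[1:]):
        if a.end > b.offset:
            raise ValueError(f"{a.label} overlaps {b.label}")


def max_sectors(slot: Partition, ctrl: FlashController) -> int:
    """--max-sectors: the number of erase sectors the slot holds."""
    return slot.size // ctrl.erase_block_size


def trailer_size(align: int, sectors: int) -> int:
    """Swap-mode trailer without encryption, following imgtool's formula (assumption)."""
    max_align = max(DEFAULT_MAX_ALIGN, align)
    trailer = sectors * 3 * align                # swap status area
    trailer += max_align * 4                     # image_ok, copy_done, swap_info, swap_size
    trailer += align_up(MCUBOOT_MAGIC_SIZE, max_align)
    return trailer


def signing_args(slot: Partition, ctrl: FlashController,
                 payload_size: int, for_fota: bool) -> List[str]:
    """imgtool arguments for one image.

    Local/production image: padded to the slot and confirmed, so it boots without
    a pending swap. FOTA image: unpadded and unconfirmed, so MCUboot runs the test
    swap and the FWU state machine can observe the result.
    """
    align = imgtool_align(ctrl)
    sectors = max_sectors(slot, ctrl)
    needed = MCUBOOT_HEADER_SIZE + payload_size + trailer_size(align, sectors)
    if needed > slot.size:
        raise ValueError(f"{slot.label}: image needs {needed} bytes, slot is {slot.size}")
    args = ["--align", str(align), "--max-sectors", str(sectors),
            "--header-size", hex(MCUBOOT_HEADER_SIZE),
            "--slot-size", hex(slot.size), "--pad-header"]
    if not for_fota:
        args += ["--pad", "--confirm"]
    return args


# Constructed sample layout (not from any real board): 8 KiB erase blocks,
# 8-byte write blocks, two 256 KiB slots after a 64 KiB bootloader.
SAMPLE_CTRL = FlashController(write_block_size=8, erase_block_size=0x2000)
SAMPLE_PARTITIONS = [
    Partition("boot_partition", 0x00000, 0x10000),
    Partition("slot0_partition", 0x10000, 0x40000),
    Partition("slot1_partition", 0x50000, 0x40000),
]

if __name__ == "__main__":
    check_layout(SAMPLE_PARTITIONS, SAMPLE_CTRL)
    slot0 = SAMPLE_PARTITIONS[1]
    print("flash :", " ".join(signing_args(slot0, SAMPLE_CTRL, 0x30000, for_fota=False)))
    print("fota  :", " ".join(signing_args(slot0, SAMPLE_CTRL, 0x30000, for_fota=True)))
```

The size check is the practical reason to compute `--max-sectors` from the real layout rather than leaving imgtool's default: a larger sector count enlarges the trailer, and an image that fits the slot with the default may no longer fit once the trailer reflects the actual erase-block count.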
Use cmake_parse_arguments() for more idiomatic code. This makes the code more readable and easier to extend with new options. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The optional --output-bin parameter instructs the IntelHex class to save the content as a binary file instead of the Intel Hex format. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1, the process to create the final tfm_merged.bin file is more complex. This prepares the content to introduce the generation of tfm_merged.bin for use in FOTA applications. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1, all images are merged. Currently, there is no tfm_merged.bin file for use in FOTA. This adds file generation to fulfill that requirement. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Add a note about BL2 (MCUboot) signing updates when the board is built as TF-M NS. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
Extend the Signing Images section in the build documentation to highlight the differences between confirmed and unconfirmed images with respect to the PSA Certified Firmware Update API. Signed-off-by: BUDKE Gerson Fernando <[email protected]>
The request was added with an announcement, and the reviewer did not come back in 3 weeks. A 2-day notice was given this week.
@d3zd3z Can you review this?
Added @valeriosetti as assignee since this seems deserving to go to 4.3 while the original assignee seems unresponsive |
The trusted-firmware-m requires specific instructions when signing the images to allow local development and FOTA. This PR extends the signing process inside Zephyr to generate the hex files with the confirmed image to load firmware for development and production purposes. It adds the missing binary signing to generate the correct non-confirmed image to allow FOTA upgrades. These images now respect the TF-M/FWU state machine, and FOTA is now possible. This was tested on the STM32U5A5xx SoC with custom OTP and keys.
Fixes #94204