1###########
2Secure boot
3###########
4
5.. toctree::
6    :maxdepth: 1
7
8    BL1 Immutable bootloader <bl1.rst>
9    Rollback Protection      <secure_boot_rollback_protection.rst>
10    HW Key integration       <secure_boot_hw_key_integration.rst>
11
12For secure devices it is security critical to enforce firmware authenticity to
13protect against execution of malicious software. This is implemented by building
14a trust chain where each step in the execution chain authenticates the next
15step before execution. The chain of trust in based on a "Root of Trust" which
16is implemented using asymmetric cryptography. The Root of Trust is a combination
17of an immutable bootloader and a public key (ROTPK).
18
19.. Warning::
20    In order to implement a proper chain of trust functionality, it is
21    mandatory that the first stage bootloader and ROTPK is stored in an
22    **immutable** way. To achieve this the bootloader code must be stored and
23    executed from ROM or such part of flash memory which supports write
24    protection. ROTPK can be stored in a one-time-programmable (OTP) memory. If
25    the SoC has a built-in BL1 (immutable) bootloader and the immutability of
26    TF-M secure boot code is not guaranteed then TF-M secure boot code must be
27    authenticated by BL1 bootloader before execution. If immutability of root
28    of trust (first stage bootloader + ROTPK) is not ensured then there is a
29    risk that the secure boot process could be bypassed, which could lead to
30    arbitrary code execution on the device. Current TF-M secure boot code is
31    intended to be a second stage bootloader, therefore it requires
32    authentication before execution. If TF-M secure boot code is used as a first
33    stage bootloader then it must be stored according to the above requirements.
34
35*******************************
36Second stage bootloader in TF-M
37*******************************
38By default, the MCUboot project from
39`GitHub <https://github.com/mcu-tools/mcuboot>`__ is used as the secure
40bootloader in TF-M. The repository is going to be automatically downloaded by
41CMake. The version downloaded can be controlled by the ``MCUBOOT_VERSION``
42CMake variable. If you wish to use a locally downloaded copy, the CMake variable
43``MCUBOOT_PATH`` can be set to its location. This document contains information
44about how MCUboot has been integrated to TF-M. For further information about
45MCUboot design please refer to the `MCUBoot homepage <https://www.mcuboot.com/>`__.
46
47Bootloader is started when CPU is released from reset. It runs in secure mode.
48It authenticates the firmware image by hash (SHA-256) and digital signature
49(RSA-3072) validation. Public key, that the checks happens against, can be built
50into the bootloader image or can be provisioned to the SoC during manufacturing.
51Metadata of the image is delivered together with the image itself in a header
52and trailer section. In case of successful authentication, bootloader passes
53execution to the secure image. Execution never returns to bootloader until
54next reset.
55
56A default RSA key pair is stored in the repository, public key is in ``keys.c``
57and private key is in ``root-RSA-3072.pem``.
58
59.. Danger::
60    DO NOT use the default keys in a production code, they are exclusively
61    for testing!
62
63The private key must be stored in a safe place outside of the repository.
64``imgtool.py`` (found in the ``scripts`` directory in the MCUBoot repository,
65or installed through the pip package manager) can be used to generate new key
66pairs.
67
68The bootloader can handle the secure and non-secure images independently
69(multiple image boot) or together (single image boot). In case of multiple image
70boot they are signed independently with different keys and they can be updated
71separately. In case of single image boot the secure and non-secure image is
72handled as a single blob, therefore they must be contiguous in the device
73memory. In this case they are signed together and also they can be updated only
74together. In order to have the same artefacts at the end of the build regardless
75of how the images are handled (independently or together) the images are always
76concatenated. In case of single image boot they are concatenated first and then
77signed. In case of multiple image boot they are separately signed first and then
78concatenated. Preparation of payload is done by Python scripts:
79``bl2/ext/mcuboot/scripts/``. At the end of a successful build the signed TF-M
80payload can be found in: ``<build_dir>/bin/tfm_s_ns_signed.bin``
81
82*********************
83Integration with TF-M
84*********************
85MCUBoot assumes a predefined memory layout which is described below (applicable
86for AN521). It is mandatory to define the primary slot and the secondary slot
87partitions, but their size and location can be changed::
88
89    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
90    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Single binary blob:
91                                    Secure + Non-Secure image;
92                                    Primary memory partition
93      - 0x0008_0000 - 0x0008_03FF:  Common image header
94      - 0x0008_0400 - 0x0008_xxxx:  Secure image
95      - 0x0008_xxxx - 0x0010_03FF:  Padding (with 0xFF)
96      - 0x0010_0400 - 0x0010_xxxx:  Non-secure image
97      - 0x0010_xxxx - 0x0010_xxxx:  Hash value(SHA256), RSA signature and other
98                                    metadata of combined image
99
100    - 0x0018_0000 - 0x0027_FFFF:    Secondary slot : Secure + Non-Secure image;
101                                    Secondary memory partition, structured
102                                    identically to the primary slot
103    - 0x0028_0000 - 0x0037_FFFF:    Scratch area, only used during image
104                                    swapping
105
106Multiple image boot requires a slightly different layout::
107
108    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
109    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Secure image
110      - 0x0008_0000 - 0x0008_03FF:  Secure image header
111      - 0x0008_0400 - 0x000x_xxxx:  Secure image
112      - 0x000x_xxxx - 0x000x_xxxx:  Hash value(SHA256), RSA signature and other
113                                    metadata of secure image
114
115    - 0x0010_0000 - 0x0017_FFFF:    Primary slot : Non-secure image
116      - 0x0010_0000 - 0x0010_03FF:  Non-secure image header
117      - 0x0010_0400 - 0x001x_xxxx:  Non-secure image
118      - 0x001x_xxxx - 0x001x_xxxx:  Hash value(SHA256), RSA signature and other
119                                    metadata of non-secure image
120
121    - 0x0018_0000 - 0x001F_FFFF:    Secondary slot : Secure image
122    - 0x0020_0000 - 0x0027_FFFF:    Secondary slot : Non-secure image
123
124    - 0x0028_0000 - 0x002F_FFFF:    Scratch area, only used during image
125                                    swapping, used for secure and non-secure
126                                    image as well
127
128**************************
129Firmware upgrade operation
130**************************
131MCUBoot handles only the firmware authenticity check after start-up and the
132firmware switch part of the firmware update process. Downloading the new version
133of the firmware is out-of-scope for MCUBoot. MCUBoot supports three different
134ways to switch to the new firmware and it is assumed that firmware images are
135executed-in-place (XIP). The default behaviour is the overwrite-based image
136upgrade. In this case the active firmware is always executed from the primary
137slot and the secondary slot is a staging area for new images. Before executing
138the new firmware image, the content of the primary slot must be overwritten with
139the content of the secondary slot (the new firmware image). The second option is
140the image swapping strategy when the content of the two memory slots must be
141physically swapped. This needs the scratch area to be defined in the memory
142layout. The third option is the direct execute-in-place version, which
143eliminates the complexity of image swapping and its administration. Active image
144can be executed from either memory slot, but new firmware must be linked to the
145address space of the proper (currently inactive) memory slot.
146
147Overwrite operation
148===================
149Active image is stored in the primary slot, and this image is started always by
150the bootloader. Therefore images must be linked to the primary slot. If the
151bootloader finds a valid image in the secondary slot, which is marked for
152upgrade, then the content of the primary slot will be simply overwritten with
153the content of the secondary slot, before starting the new image from the
154primary slot. After the content of the primary slot has been successfully
155overwritten, the header and trailer of the new image in the secondary slot is
156erased to prevent the triggering of another unnecessary image upgrade after a
157restart. The overwrite operation is fail-safe and resistant to power-cut
158failures. For more details please refer to the MCUBoot
159`documentation <https://www.mcuboot.com/mcuboot/design.html>`__.
160
161Swapping operation
162==================
163This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
164switch (see `Build time configuration`_). With swapping image upgrade strategy
165the active image is also stored in the primary slot and it will always be
166started by the bootloader. If the bootloader finds a valid image in the
167secondary slot, which is marked for upgrade, then contents of the primary slot
168and the secondary slot will be swapped, before starting the new image from the
169primary slot. Scratch area is used as a temporary storage place during image
170swapping. Update mark from the secondary slot is removed when the swapping is
171successful. The boot loader can revert the swapping as a fall-back mechanism to
172recover the previous working firmware version after a faulty update. The swap
173operation is fail-safe and resistant to power-cut failures. For more details
174please refer to the MCUBoot
175`documentation <https://www.mcuboot.com/mcuboot/design.html>`__.
176
177.. Note::
178
179    After a successful image upgrade the firmware can mark itself as "OK" at
180    runtime by setting the image_ok flag in the flash. When this happens, the
181    swap is made "permanent" and MCUBoot will then still choose to run it
182    during the next boot. Currently TF-M does not set the image_ok flag,
183    therefore the bootloader will always perform a "revert" (swap the images
184    back) during the next boot.
185
186Direct execute-in-place operation
187=================================
188This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
189switch (see `Build time configuration`_). When enabling direct-xip operation
190then the active image flag is moved between slots during firmware upgrade. If
191firmware is executed-in-place (XIP), then two firmware images must be generated.
192One of them is linked to be executed from the primary slot memory region and the
193other from the secondary slot. The firmware upgrade client, which downloads the
194new image, must be aware, which slot hosts the active firmware and which acts as
195a staging area and it is responsible for downloading the proper firmware image.
196At boot time MCUBoot inspects the version number in the image header and passes
197execution to the newer firmware version. New image must be marked for upgrade
198which is automatically done by Python scripts at compile time. Image
199verification is done the same way in all operational modes. If new image fails
200during authentication then MCUBoot erases the memory slot and starts the other
201image, after successful authentication.
202
203To select which slot the image is to be executed from, set
204``MCUBOOT_EXECUTION_SLOT`` to the desired index. It is suggested that you create
205two build directories when building images using this mode, as intermediate
206dependencies cannot be reused due to changes in the flash layout.
207
208.. Note::
209
210    Only single image boot is supported with direct-xip upgrade mode.
211
212RAM Loading firmware upgrade
213============================
214Musca-S supports an image upgrade mode that is separate to the other (overwrite,
215swapping and dirext-xip) modes. This is the ``RAM load`` mode (please refer
216to the table below). Like the direct-xip mode, this selects the newest image
217by reading the image version numbers in the image headers, but instead of
218executing it in place, the newest image is copied to RAM for execution. The load
219address, the location in RAM where the image is copied to, is stored in the
220image header.
221
222Summary of different modes for image upgrade
223============================================
224Different implementations of the image upgrade operation (whether through
225overwriting, swapping, direct-xip or loading into RAM and executing from
226there) are supported by the platforms. The table below shows which of these
227modes are supported by which platforms:
228
229+---------------------+-----------------+----------------------------------------------------------+
230|                     | Without BL2 [1]_| With BL2 [2]_                                            |
231+=====================+=================+===============+==========+================+==============+
232|                     | XIP             | XIP           | XIP      | XIP            | Not XIP      |
233+---------------------+-----------------+---------------+----------+----------------+--------------+
234|                     |                 | Overwrite [3]_| Swap [4]_| direct-xip [5]_| RAM load [6]_|
235+---------------------+-----------------+---------------+----------+----------------+--------------+
236| AN521               | Yes             | Yes           | Yes      | Yes            | No           |
237+---------------------+-----------------+---------------+----------+----------------+--------------+
238| AN519               | Yes             | Yes           | Yes      | Yes            | No           |
239+---------------------+-----------------+---------------+----------+----------------+--------------+
240| FVP_SSE300_MPS3     | No              | Yes           | Yes      | Yes            | No           |
241+---------------------+-----------------+---------------+----------+----------------+--------------+
242| Corstone-310 FVP    | Yes             | Yes           | Yes      | Yes            | No           |
243+---------------------+-----------------+---------------+----------+----------------+--------------+
244| LPC55S69            | Yes             | Yes           | No       | Yes            | No           |
245+---------------------+-----------------+---------------+----------+----------------+--------------+
246| Musca-B1            | Yes             | Yes           | Yes      | Yes            | No           |
247+---------------------+-----------------+---------------+----------+----------------+--------------+
248| Musca-S1            | Yes             | Yes           | Yes      | Yes            | No           |
249+---------------------+-----------------+---------------+----------+----------------+--------------+
250| AN524               | Yes             | No            | No       | Yes            | No           |
251+---------------------+-----------------+---------------+----------+----------------+--------------+
252| AN547               | No              | Yes           | Yes      | Yes            | No           |
253+---------------------+-----------------+---------------+----------+----------------+--------------+
254| AN552               | No              | Yes           | Yes      | Yes            | No           |
255+---------------------+-----------------+---------------+----------+----------------+--------------+
256| PSoC64              | Yes             | No            | No       | No             | No           |
257+---------------------+-----------------+---------------+----------+----------------+--------------+
258| STM_DISCO_L562QE    | No              | Yes           | No       | No             | No           |
259+---------------------+-----------------+---------------+----------+----------------+--------------+
260| STM_NUCLEO_L552ZE_Q | No              | Yes           | No       | No             | No           |
261+---------------------+-----------------+---------------+----------+----------------+--------------+
262| nRF9160 DK          | Yes             | Yes           | No       | No             | No           |
263+---------------------+-----------------+---------------+----------+----------------+--------------+
264| nRF5340 DK          | Yes             | Yes           | No       | No             | No           |
265+---------------------+-----------------+---------------+----------+----------------+--------------+
266| BL5340 DVK          | Yes             | Yes           | Yes      | No             | No           |
267+---------------------+-----------------+---------------+----------+----------------+--------------+
268| RSS                 | No              | No            | No       | No             | Yes          |
269+---------------------+-----------------+---------------+----------+----------------+--------------+
270
271.. [1] To disable BL2, please set the ``BL2`` cmake option to ``OFF``
272
273.. [2] BL2 is enabled by default
274
275.. [3] The image executes in-place (XIP) and is in Overwrite mode for image
276    update by default
277
278.. [4] To enable XIP Swap mode, assign the "SWAP_USING_SCRATCH" or
279    "SWAP_USING_MOVE" string to the ``MCUBOOT_UPGRADE_STRATEGY``
280    configuration variable in the build configuration file, or include this
281    macro definition in the command line
282
283.. [5] To enable direct-xip, assign the "DIRECT_XIP" string to the
284    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
285    configuration file, or include this macro definition in the command line
286
287.. [6] To enable RAM load, assign the "RAM_LOAD" string to the
288    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
289    configuration file, or include this macro definition in the command line
290
291*******************
292Multiple image boot
293*******************
294It is possible to update the firmware images independently to support the
295scenario when secure and non-secure images are provided by different vendors.
296Multiple image boot is supported only together with the overwrite and swap
297firmware upgrade modes.
298
299It is possible to describe the dependencies of the images on each other in
300order to avoid a faulty upgrade when incompatible versions would be installed.
301These dependencies are part of the image manifest area.
302The dependencies are composed from two parts:
303
304 - **Image identifier:** The number of the image which the current image (whose
305   manifest area contains the dependency entry) depends on. The image identifier
306   starts from 0.
307
308 - **Minimum version:** The minimum version of other image must be present on
309   the device by the end of the upgrade (both images might be updated at the
310   same time).
311
312Dependencies can be added to the images at compile time with the following
313compile time switches:
314
315 - ``MCUBOOT_S_IMAGE_MIN_VER`` It is added to the non-secure image and specifies the
316   minimum required version of the secure image.
317 - ``MCUBOOT_NS_IMAGE_MIN_VER`` It is added to the secure image and specifies the
318   minimum required version of the non-secure image.
319
320Example of how to provide the secure image minimum version::
321
322    cmake -DTFM_PLATFORM=arm/musca_b1 -DMCUBOOT_S_IMAGE_MIN_VER=1.2.3+4 ..
323
324********************
325Signature algorithms
326********************
327MbedTLS library is used to sign the images. The list of supported signing
328algorithms:
329
330  - `RSA-2048`
331  - `RSA-3072`: default
332
333Example keys stored in:
334
335 - ``root-RSA-2048.pem``   : Used to sign single image (S+NS) or secure image
336   in case of multiple image boot
337 - ``root-RSA-2048_1.pem`` : Used to sign non-secure image in case of multiple
338   image boot
339 - ``root-RSA-3072.pem``   : Used to sign single image (S+NS) or secure image
340   in case of multiple image boot
341 - ``root-RSA-3072_1.pem`` : Used to sign non-secure image in case of multiple
342   image boot
343
344************************
345Build time configuration
346************************
347MCUBoot related compile time switches can be set by cmake variables.
348
349- BL2 (default: True):
350    - **True:** TF-M built together with bootloader. MCUBoot is executed after
351      reset and it authenticates TF-M and starts secure code.
352    - **False:** TF-M built without bootloader. Secure image linked to the
353      beginning of the device memory and executed after reset. If it is false
354      then using any of the further compile time switches is invalid.
355- MCUBOOT_UPGRADE_STRATEGY (default: "OVERWRITE_ONLY"):
356    - **"OVERWRITE_ONLY":** Default firmware upgrade operation with overwrite.
357    - **"SWAP_USING_SCRATCH":** Activate swapping firmware upgrade operation
358      with a scratch area in flash
359    - **"SWAP_USING_MOVE":** Activate swapping firmware upgrade operation
360      without a scratch area in flash
361    - **"DIRECT_XIP":** Activate direct execute-in-place firmware upgrade
362      operation.
363    - **"RAM_LOAD":** Activate RAM loading firmware upgrade operation, where
364      the latest image is copied to RAM and runs from there instead of being
365      executed in-place.
366- MCUBOOT_SIGNATURE_TYPE (default: RSA):
367    - **RSA:** Image is signed with RSA algorithm
368- MCUBOOT_SIGNATURE_KEY_LEN (default: 3072):
369    - **2048:** Image is signed with 2048 bit key.
370    - **3072:** Image is signed with 3072 bit key.
371- MCUBOOT_IMAGE_NUMBER (default: 2):
372    - **1:** Single image boot, secure and non-secure images are signed and
373      updated together.
374    - **2:** Multiple image boot, secure and non-secure images are signed and
375      updatable independently.
376- MCUBOOT_HW_KEY (default: True):
377    - **True:** The hash of public key is provisioned to the SoC and the image
378      manifest contains the whole public key (imgtool uses
379      ``--public_key_format=full``). MCUBoot validates the key before using it
380      for firmware authentication, it calculates the hash of public key from the
381      manifest and compare against the retrieved key-hash from the hardware.
382      This way MCUBoot is independent from the public key(s).  Key(s) can be
383      provisioned any time and by different parties.
384    - **False:** The whole public key is embedded to the bootloader code and the
385      image manifest contains only the hash of the public key (imgtool uses
386      ``--public_key_format=hash``). MCUBoot validates the key before using it
387      for firmware authentication, it calculates the hash of built-in public key
388      and compare against the retrieved key-hash from the image manifest. After
389      this the bootloader can verify that the image was signed with a private
390      key that corresponds to the retrieved key-hash (it can have more public
391      keys embedded in and it may have to look for the matching one). All the
392      public key(s) must be known at MCUBoot build time.
393- MCUBOOT_LOG_LEVEL:
394    Can be used to configure the level of logging in MCUBoot. The possible
395    values are the following:
396
397    - **OFF**
398    - **ERROR**
399    - **WARNING**
400    - **INFO**
401    - **DEBUG**
402
403    The logging in MCUBoot can be disabled and thus the code size can be reduced
404    by setting it to ``OFF``. Its value depends on the build type. If the build
405    type is ``Debug`` then default value is ``INFO``. In case of different kinds
406    of ``Release`` builds the default value is ``OFF``. The default value can
407    be overridden through the command line or in the CMake GUI regardless of the
408    build type.
409- MCUBOOT_ENC_IMAGES (default: False):
410    - **True:** Adds encrypted image support in the source and encrypts the
411      resulting image using the ``enc-rsa2048-pub.pem`` key found in the MCUBoot
412      repository.
413    - **False:** Doesn't add encrypted image support and doesn't encrypt the
414      image.
415
416    .. Note::
417        The decryption takes place during the upgrade process, when the images
418        are being moved between the slots. This means that boards that don't
419        already have an image on them with MCUBoot that has been compiled with
420        ``MCUBOOT_ENCRYPT_RSA`` enabled need special treatment. In order to load
421        an encrypted image to such boards, an upgrade needs to be executed. This
422        can be done by using MCUBoot, putting an image in the secondary image
423        area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``. When using the
424        ``OVERWRITE_ONLY`` upgrade strategy, this is enough. When using
425        ``SWAP_USING_SCRATCH`` or ``SWAP_USING_MOVE``, an image is needed in
426        the primary image area as well, to trigger the update.
427
428    .. Danger::
429        DO NOT use the ``enc-rsa2048-pub.pem`` key in production code, it is
430        exclusively for testing!
431
432Image versioning
433================
434An image version number is written to its header by one of the Python scripts,
435and this number is used by the bootloader when the direct execute-in-place or
436the RAM loading mode is enabled. It is also used in case of multiple image boot
437when the bootloader checks the image dependencies if any have been added to the
438images.
439
440The version number of the image (single image boot) can manually be passed in
441through the command line in the cmake configuration step::
442
443    cmake -DTFM_PLATFORM=arm/musca_b1 -DIMAGE_VERSION_S=1.2.3+4 ..
444
445Alternatively, the version number can be less specific (e.g 1, 1.2, or 1.2.3),
446where the missing numbers are automatically set to zero. The image version
447number argument is optional, and if it is left out, then the version numbers of
448the image(s) being built in the same directory will automatically change. In
449this case, the last component (the build number) automatically increments from
450the previous one: 0.0.0+1 -> 0.0.0+2, for as many times as the build is re-ran,
451**until a number is explicitly provided**. If automatic versioning is in place
452and then an image version number is provided for the first time, the new number
453will take precedence and be used instead. All subsequent image versions are
454then set to the last number that has been specified, and the build number would
455stop incrementing. Any new version numbers that are provided will overwrite
456the previous one: 0.0.0+1 -> 0.0.0+2. Note: To re-apply automatic image
457versioning, please start a clean build without specifying the image version
458number at all. In case of multiple image boot there are separate compile time
459switches for both images to provide their version: ``IMAGE_VERSION_S`` and
460``IMAGE_VERSION_NS``. These must be used instead of ``IMAGE_VERSION_S``.
461
462Security counter
463================
464Each signed image contains a security counter in its manifest. It is used by the
465bootloader and its aim is to have an independent (from the image version)
466counter to ensure rollback protection by comparing the new image's security
467counter against the original (currently active) image's security counter during
468the image upgrade process. It is added to the manifest (to the TLV area that is
469appended to the end of the image) by one of the Python scripts when signing the
470image. The value of the security counter is security critical data and it is in
471the integrity protected part of the image. The last valid security counter
472should always be stored in a non-volatile and trusted component of the device
473and its value should always be increased if a security flaw was fixed in the
474current image version. The value of the security counter (single image boot) can
475be specified at build time in the cmake configuration step::
476
477    cmake -DTFM_PLATFORM=arm/musca_b1 -DSECURITY_COUNTER_S=42 ../
478
479The security counter can be independent from the image version, but not
480necessarily. Alternatively, if it is not specified at build time with the
481``SECURITY_COUNTER`` option the Python script will automatically generate it
482from the image version number (not including the build number) and this value
483will be added to the signed image. In case of multiple image boot there are
484separate compile time switches for both images to provide their security counter
485value: ``SECURITY_COUNTER_S`` and ``SECURITY_COUNTER_NS``. These must be used
486instead of ``SECURITY_COUNTER_S``. If these are not defined then the security
487counter values will be derived from the corresponding image version similar to
488the single image boot.
489
490***************************
491Signing the images manually
492***************************
493Normally the build system handles the signing (computing hash over the image
494and security critical manifest data and then signing the hash) of the firmware
495images. However, the images also can be signed manually by using the ``imgtool``
496Python program which is located in the MCUboot repository  in the ``scripts``
497folder or can be installed with the pip package manager.
498Issue the ``python3 imgtool.py sign --help`` command in the directory for more
499information about the mandatory and optional arguments. The tool takes an image
500in binary or Intel Hex format and adds a header and trailer that MCUBoot is
501expecting. In case of single image boot after a successful build the
502``tfm_s_ns.bin`` build artifact (contains the concatenated secure and non-secure
503images) must be passed to the script and in case of multiple image boot the
504``tfm_s.bin`` and ``tfm_ns.bin`` binaries can be passed to prepare the signed
505images.
506
507Signing the secure image manually in case of multiple image boot
508================================================================
509
510::
511
512    python3 bl2/ext/mcuboot/scripts/imgtool.py sign \
513        --layout <build_dir>/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.c.obj \
514        -k <tfm_dir>/bl2/ext/mcuboot/root-RSA-3072.pem \
515        --public-key-format full \
516        --align 1 \
517        -v 1.2.3+4 \
518        -d "(1,1.2.3+0)" \
519        -s 42 \
520        -H 0x400 \
521        <build_dir>/bin/tfm_s.bin \
522        <build_dir>/bin/tfm_s_signed.bin
523
524************************
525Testing firmware upgrade
526************************
527As downloading the new firmware image is out of scope for MCUBoot, the update
528process is started from a state where the original and the new image are already
529programmed to the appropriate memory slots. To generate the original and a new
530firmware package, TF-M is built twice with different build configurations.
531
532Overwriting firmware upgrade
533============================
534Run TF-M build twice with ``MCUBOOT_IMAGE_NUMBER`` set to "1" in both cases
535(single image boot), but with two different build configurations: default and
536regression. Save the artifacts between builds, because second run can overwrite
537original binaries. Download default build to the primary slot and regression
538build to the secondary slot.
539
540Executing firmware upgrade on FVP_MPS2_AEMv8M
541---------------------------------------------
542.. code-block:: bash
543
544    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
545    --parameter fvp_mps2.platform_type=2 \
546    --parameter cpu0.baseline=0 \
547    --parameter cpu0.INITVTOR_S=0x10000000 \
548    --parameter cpu0.semihosting-enable=0 \
549    --parameter fvp_mps2.DISABLE_GATING=0 \
550    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
551    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
552    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
553    --parameter fvp_mps2.telnetterminal0.quiet=0 \
554    --parameter fvp_mps2.telnetterminal1.quiet=1 \
555    --parameter fvp_mps2.telnetterminal2.quiet=1 \
556    --application cpu0=<build_dir>/bin/bl2.axf \
557    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
558    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
559
560Executing firmware upgrade on SSE 200 FPGA on MPS2 board
561--------------------------------------------------------
562
563::
564
565    TITLE: Versatile Express Images Configuration File
566    [IMAGES]
567    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
568    IMAGE0ADDRESS: 0x00000000
569    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
570    IMAGE1ADDRESS: 0x10080000
571    IMAGE1FILE: \Software\tfm_sig1.bin ; TF-M default test binary blob
572    IMAGE2ADDRESS: 0x10180000
573    IMAGE2FILE: \Software\tfm_sig2.bin ; TF-M regression test binary blob
574
575The following message will be shown in case of successful firmware upgrade:
576
577::
578
579    [INF] Starting bootloader
580    [INF] Swap type: test
581    [INF] Image upgrade secondary slot -> primary slot
582    [INF] Erasing the primary slot
583    [INF] Copying the secondary slot to the primary slot: 0x100000 bytes
584    [INF] Bootloader chainload address offset: 0x80000
585    [INF] Jumping to the first image slot
586    [Sec Thread] Secure image initializing!
587
588    #### Execute test suites for the Secure area ####
589    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
590    ...
591
592To update the secure and non-secure images separately (multiple image boot),
593set the ``MCUBOOT_IMAGE_NUMBER`` switch to "2" (this is the default
594configuration value) and follow the same instructions as in case of single image
595boot.
596
597Executing multiple firmware upgrades on SSE 200 FPGA on MPS2 board
598------------------------------------------------------------------
599
600::
601
602    TITLE: Versatile Express Images Configuration File
603    [IMAGES]
604    TOTALIMAGES: 4                     ;Number of Images (Max: 32)
605    IMAGE0ADDRESS: 0x00000000
606    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
607    IMAGE1ADDRESS: 0x10080000
608    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
609    IMAGE2ADDRESS: 0x10180000
610    IMAGE2FILE: \Software\tfm_ss1.bin  ; TF-M regression test secure (signed) image
611    IMAGE3ADDRESS: 0x10200000
612    IMAGE3FILE: \Software\tfm_nss1.bin ; TF-M regression test non-secure (signed) image
613
614Note that both the concatenated binary blob (the images are signed separately
615and then concatenated) and the separate signed images can be downloaded to the
616device because on this platform (AN521) both the primary slots and the secondary
617slots are contiguous areas in the Flash (see `Integration with TF-M`_). The
618following message will be shown in case of successful firmware upgrades:
619
620::
621
622    [INF] Starting bootloader
623    [INF] Swap type: test
624    [INF] Swap type: test
625    [INF] Image upgrade secondary slot -> primary slot
626    [INF] Erasing the primary slot
627    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
628    [INF] Image upgrade secondary slot -> primary slot
629    [INF] Erasing the primary slot
630    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
631    [INF] Bootloader chainload address offset: 0x80000
632    [INF] Jumping to the first image slot
633    [Sec Thread] Secure image initializing!
634    TFM level is: 1
635    [Sec Thread] Jumping to non-secure code...
636
637    #### Execute test suites for the Secure area ####
638    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
639    ...
640
641Swapping firmware upgrade
642=============================
643Follow the same instructions and platform related configurations as in case of
644overwriting build including these changes:
645
646- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "SWAP"
647  before build.
648- Set the ``MCUBOOT_IMAGE_NUMBER`` compile time switch to "1" (single image
649  boot) or "2" (multiple image boot) before build.
650
651During single image boot the following message will be shown in case of
652successful firmware upgrade, ``Swap type: test`` indicates that images were
653swapped:
654
655::
656
657    [INF] Starting bootloader
658    [INF] Image 0: magic= good, copy_done=0x3, image_ok=0x3
659    [INF] Scratch: magic=  bad, copy_done=0x0, image_ok=0x2
660    [INF] Boot source: primary slot
661    [INF] Swap type: test
662    [INF] Bootloader chainload address offset: 0x80000
663    [INF] Jumping to the first image slot
664    [Sec Thread] Secure image initializing!
665
666    #### Execute test suites for the Secure area ####
667    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
668    ...
669
670Direct execute-in-place firmware upgrade
671========================================
672Follow the same instructions and platform related configurations as in case of
673overwriting build including these changes:
674
675- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "DIRECT_XIP"
676  before build.
677- set ``MCUBOOT_EXECUTION_SLOT`` to ``1`` in the regression build dir.
678- Make sure the image version number was increased between the two build runs
679  either by specifying it manually or by checking in the build log that it was
680  incremented automatically.
681
682Executing firmware upgrade on FVP_MPS2_AEMv8M
683---------------------------------------------
684
685.. code-block:: bash
686
687    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
688    --parameter fvp_mps2.platform_type=2 \
689    --parameter cpu0.baseline=0 \
690    --parameter cpu0.INITVTOR_S=0x10000000 \
691    --parameter cpu0.semihosting-enable=0 \
692    --parameter fvp_mps2.DISABLE_GATING=0 \
693    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
694    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
695    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
696    --parameter fvp_mps2.telnetterminal0.quiet=0 \
697    --parameter fvp_mps2.telnetterminal1.quiet=1 \
698    --parameter fvp_mps2.telnetterminal2.quiet=1 \
699    --application cpu0=<build_dir>/bin/bl2.axf \
700    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
701    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
702
703Executing firmware upgrade on SSE 200 FPGA on MPS2 board
704--------------------------------------------------------
705
706::
707
708    TITLE: Versatile Express Images Configuration File
709    [IMAGES]
710    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
711    IMAGE0ADDRESS: 0x00000000
712    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
713    IMAGE1ADDRESS: 0x10080000
714    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
715    IMAGE2ADDRESS: 0x10180000
716    IMAGE2FILE: \Software\tfm_sig1.bin ; TF-M regression test binary blob
717
718Executing firmware upgrade on Musca-B1 and Musca-S1 boards
719----------------------------------------------------------
720After the two images have been built, they can be concatenated to create the
721combined image using ``srec_cat``:
722
723- Linux::
724
725    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
726
727- Windows::
728
729    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
730
731The following message will be shown in case of successful firmware upgrade,
732notice that image with higher version number (``version=1.2.3.5``) is executed:
733
734::
735
736    [INF] Starting bootloader
737    [INF] Image 0: version=1.2.3.4, magic= good, image_ok=0x3
738    [INF] Image 1: version=1.2.3.5, magic= good, image_ok=0x3
739    [INF] Booting image from the secondary slot
740    [INF] Bootloader chainload address offset: 0xa0000
741    [INF] Jumping to the first image slot
742    [Sec Thread] Secure image initializing!
743
744    #### Execute test suites for the Secure area ####
745    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
746    ...
747
748Executing firmware upgrade on CoreLink SSE-200 Subsystem for MPS3 (AN524)
749-------------------------------------------------------------------------
750
751::
752
753    TITLE: Arm MPS3 FPGA prototyping board Images Configuration File
754
755    [IMAGES]
756    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
757
758    IMAGE0UPDATE: AUTO                 ;Image Update:NONE/AUTO/FORCE
759    IMAGE0ADDRESS: 0x00000000
760    IMAGE0FILE: \SOFTWARE\bl2.bin      ;BL2 bootloader
761    IMAGE1UPDATE: AUTO
762    IMAGE1ADDRESS: 0x00040000
763    IMAGE1FILE: \SOFTWARE\tfm_sig0.bin ;TF-M example application binary blob
764    IMAGE2UPDATE: AUTO
765    IMAGE2ADDRESS: 0x000C0000
766    IMAGE2FILE: \SOFTWARE\tfm_sig1.bin ;TF-M regression test binary blob
767
768RAM loading firmware upgrade
769============================
770To enable RAM loading, please set ``MCUBOOT_UPGRADE_STRATEGY`` to "RAM_LOAD"
771(either in the configuration file or through the command line), and then specify
772a destination load address in RAM where the image can be copied to and executed
773from. The ``S_IMAGE_LOAD_ADDRESS`` macro must be specified in the target
774dependent files, and if multiple image boot is enabled then
775``NS_IMAGE_LOAD_ADDRESS`` must also be defined. For example with Musca-S, its
776``flash_layout.h`` file in the ``platform`` folder should include ``#define
777S_IMAGE_LOAD_ADDRESS #0xA0020000``
778
779Executing firmware upgrade on Musca-S board
780--------------------------------------------
781After two images have been built, they can be concatenated to create the
782combined image using ``srec_cat``:
783
784- Linux::
785
786    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
787
788- Windows::
789
790    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
791
792The following message will be shown in case of successful firmware upgrade when,
793RAM loading is enabled, notice that image with higher version number
794(``version=0.0.0.2``) is executed:
795
796::
797
798    [INF] Starting bootloader
799    [INF] Image 0: version=0.0.0.1, magic= good, image_ok=0x3
800    [INF] Image 1: version=0.0.0.2, magic= good, image_ok=0x3
801    [INF] Image has been copied from the secondary slot in flash to SRAM address 0xA0020000
802    [INF] Booting image from SRAM at address 0xA0020000
803    [INF] Bootloader chainload address offset: 0x20000
804    [INF] Jumping to the first image slot
805    [Sec Thread] Secure image initializing!
806
807--------------
808
809****************************************
810Integration with Firmware Update service
811****************************************
812The shim layer of the Firmware Update partition calls the APIs in
813bootutil_misc.c to control the image status.
814
815- Call ``boot_set_pending_multi()`` to make the image as a candidate image for
816  booting.
817- Call ``boot_set_confirmed_multi()`` to make the image as a permanent image.
818
819.. Note::
820    Currently, in direct-xip mode and ram-load mode, TF-M cannot get the
821    information of which slot contains the running image from the bootloader.
822    So the Firmware Update partition cannot decide where to write the new
823    image. As a result, the firmware update service is not supported in
824    direct-xip mode and ram-load mode.
825
826*Copyright (c) 2018-2022, Arm Limited. All rights reserved.*
827