1###########
2Secure boot
3###########
4
5.. toctree::
6    :maxdepth: 1
7
8    BL1 Immutable bootloader <bl1.rst>
9    Rollback Protection      <secure_boot_rollback_protection.rst>
10    HW Key integration       <secure_boot_hw_key_integration.rst>
11
12For secure devices it is security critical to enforce firmware authenticity to
13protect against execution of malicious software. This is implemented by building
14a trust chain where each step in the execution chain authenticates the next
15step before execution. The chain of trust is based on a "Root of Trust" which
16is implemented using asymmetric cryptography. The Root of Trust is a combination
17of an immutable bootloader and a public key (ROTPK).
18
19.. Warning::
20    In order to implement a proper chain of trust functionality, it is
21    mandatory that the first stage bootloader and ROTPK is stored in an
22    **immutable** way. To achieve this the bootloader code must be stored and
23    executed from ROM or such part of flash memory which supports write
24    protection. ROTPK can be stored in a one-time-programmable (OTP) memory. If
25    the SoC has a built-in BL1 (immutable) bootloader and the immutability of
26    TF-M secure boot code is not guaranteed then TF-M secure boot code must be
27    authenticated by BL1 bootloader before execution. If immutability of root
28    of trust (first stage bootloader + ROTPK) is not ensured then there is a
29    risk that the secure boot process could be bypassed, which could lead to
30    arbitrary code execution on the device. Current TF-M secure boot code is
31    intended to be a second stage bootloader, therefore it requires
32    authentication before execution. If TF-M secure boot code is used as a first
33    stage bootloader then it must be stored according to the above requirements.
34
35*******************************
36Second stage bootloader in TF-M
37*******************************
38By default, the MCUboot project from
39`GitHub <https://github.com/mcu-tools/mcuboot>`__ is used as the secure
40bootloader in TF-M. The repository is going to be automatically downloaded by
41CMake. The version downloaded can be controlled by the ``MCUBOOT_VERSION``
42CMake variable. If you wish to use a locally downloaded copy, the CMake variable
43``MCUBOOT_PATH`` can be set to its location. This document contains information
44about how MCUboot has been integrated to TF-M. For further information about
45MCUboot design please refer to the `MCUBoot homepage <https://www.mcuboot.com/>`__.
46
47Bootloader is started when CPU is released from reset. It runs in secure mode.
48It authenticates the firmware image by hash (SHA-256) and digital signature
49(RSA-3072) validation. Public key, that the checks happens against, can be built
50into the bootloader image or can be provisioned to the SoC during manufacturing.
51Metadata of the image is delivered together with the image itself in a header
52and trailer section. In case of successful authentication, bootloader passes
53execution to the secure image. Execution never returns to bootloader until
54next reset.
55
56A default RSA key pair is stored in the repository, public key is in ``keys.c``
57and private key is in ``root-RSA-3072.pem``.
58
59.. Danger::
60    DO NOT use the default keys in a production code, they are exclusively
61    for testing!
62
63The private key must be stored in a safe place outside of the repository.
64``imgtool.py`` (found in the ``scripts`` directory in the MCUBoot repository,
65or installed through the pip package manager) can be used to generate new key
66pairs.
67
68The bootloader can handle the secure and non-secure images independently
69(multiple image boot) or together (single image boot). In case of multiple image
70boot they are signed independently with different keys and they can be updated
71separately. In case of single image boot the secure and non-secure image is
72handled as a single blob, therefore they must be contiguous in the device
73memory. In this case they are signed together and also they can be updated only
74together. In order to have the same artefacts at the end of the build regardless
75of how the images are handled (independently or together) the images are always
76concatenated. In case of single image boot they are concatenated first and then
77signed. In case of multiple image boot they are separately signed first and then
78concatenated. Preparation of payload is done by Python scripts:
79``bl2/ext/mcuboot/scripts/``. At the end of a successful build the signed TF-M
80payload can be found in: ``<build_dir>/bin/tfm_s_ns_signed.bin``
81
82*********************
83Integration with TF-M
84*********************
85MCUBoot assumes a predefined memory layout which is described below (applicable
86for AN521). It is mandatory to define the primary slot and the secondary slot
87partitions, but their size and location can be changed::
88
89    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
90    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Single binary blob:
91                                    Secure + Non-Secure image;
92                                    Primary memory partition
93      - 0x0008_0000 - 0x0008_03FF:  Common image header
94      - 0x0008_0400 - 0x0008_xxxx:  Secure image
95      - 0x0008_xxxx - 0x0010_03FF:  Padding (with 0xFF)
96      - 0x0010_0400 - 0x0010_xxxx:  Non-secure image
97      - 0x0010_xxxx - 0x0010_xxxx:  Hash value(SHA256), RSA signature and other
98                                    metadata of combined image
99
100    - 0x0018_0000 - 0x0027_FFFF:    Secondary slot : Secure + Non-Secure image;
101                                    Secondary memory partition, structured
102                                    identically to the primary slot
103    - 0x0028_0000 - 0x0037_FFFF:    Scratch area, only used during image
104                                    swapping
105
106Multiple image boot requires a slightly different layout::
107
108    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
109    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Secure image
110      - 0x0008_0000 - 0x0008_03FF:  Secure image header
111      - 0x0008_0400 - 0x000x_xxxx:  Secure image
112      - 0x000x_xxxx - 0x000x_xxxx:  Hash value(SHA256), RSA signature and other
113                                    metadata of secure image
114
115    - 0x0010_0000 - 0x0017_FFFF:    Primary slot : Non-secure image
116      - 0x0010_0000 - 0x0010_03FF:  Non-secure image header
117      - 0x0010_0400 - 0x001x_xxxx:  Non-secure image
118      - 0x001x_xxxx - 0x001x_xxxx:  Hash value(SHA256), RSA signature and other
119                                    metadata of non-secure image
120
121    - 0x0018_0000 - 0x001F_FFFF:    Secondary slot : Secure image
122    - 0x0020_0000 - 0x0027_FFFF:    Secondary slot : Non-secure image
123
124    - 0x0028_0000 - 0x002F_FFFF:    Scratch area, only used during image
125                                    swapping, used for secure and non-secure
126                                    image as well
127
128**************************
129Firmware upgrade operation
130**************************
131MCUBoot handles only the firmware authenticity check after start-up and the
132firmware switch part of the firmware update process. Downloading the new version
133of the firmware is out-of-scope for MCUBoot. MCUBoot supports three different
134ways to switch to the new firmware and it is assumed that firmware images are
135executed-in-place (XIP). The default behaviour is the overwrite-based image
136upgrade. In this case the active firmware is always executed from the primary
137slot and the secondary slot is a staging area for new images. Before executing
138the new firmware image, the content of the primary slot must be overwritten with
139the content of the secondary slot (the new firmware image). The second option is
140the image swapping strategy when the content of the two memory slots must be
141physically swapped. This needs the scratch area to be defined in the memory
142layout. The third option is the direct execute-in-place version, which
143eliminates the complexity of image swapping and its administration. Active image
144can be executed from either memory slot, but new firmware must be linked to the
145address space of the proper (currently inactive) memory slot.
146
147Overwrite operation
148===================
149Active image is stored in the primary slot, and this image is started always by
150the bootloader. Therefore images must be linked to the primary slot. If the
151bootloader finds a valid image in the secondary slot, which is marked for
152upgrade, then the content of the primary slot will be simply overwritten with
153the content of the secondary slot, before starting the new image from the
154primary slot. After the content of the primary slot has been successfully
155overwritten, the header and trailer of the new image in the secondary slot is
156erased to prevent the triggering of another unnecessary image upgrade after a
157restart. The overwrite operation is fail-safe and resistant to power-cut
158failures. For more details please refer to the MCUBoot
159`documentation <https://docs.mcuboot.com/>`__.
160
161Swapping operation
162==================
163This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
164switch (see `Build time configuration`_). With swapping image upgrade strategy
165the active image is also stored in the primary slot and it will always be
166started by the bootloader. If the bootloader finds a valid image in the
167secondary slot, which is marked for upgrade, then contents of the primary slot
168and the secondary slot will be swapped, before starting the new image from the
169primary slot. Scratch area is used as a temporary storage place during image
170swapping. Update mark from the secondary slot is removed when the swapping is
171successful. The boot loader can revert the swapping as a fall-back mechanism to
172recover the previous working firmware version after a faulty update. The swap
173operation is fail-safe and resistant to power-cut failures. For more details
174please refer to the MCUBoot
175`documentation <https://docs.mcuboot.com/>`__.
176
177.. Note::
178
179    After a successful image upgrade, user can mark the image as "OK"
180    at runtime by explicitly calling ``psa_fwu_accept``. When this happens,
181    the swap is made "permanent" and MCUBoot will then still choose to run it
182    during the next boot.
183
184    TF-M does not set the image_ok flag, because it is user's duty to determine
185    whether the image is acceptable. Therefore the bootloader will always
186    perform a "revert" (swap the images back) during the next boot.
187
188Direct execute-in-place operation
189=================================
190This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
191switch (see `Build time configuration`_). When enabling direct-xip operation
192then the active image flag is moved between slots during firmware upgrade. If
193firmware is executed-in-place (XIP), then two firmware images must be generated.
194One of them is linked to be executed from the primary slot memory region and the
195other from the secondary slot. The firmware upgrade client, which downloads the
196new image, must be aware, which slot hosts the active firmware and which acts as
197a staging area and it is responsible for downloading the proper firmware image.
198At boot time MCUBoot inspects the version number in the image header and passes
199execution to the newer firmware version. New image must be marked for upgrade
200which is automatically done by Python scripts at compile time. Image
201verification is done the same way in all operational modes. If new image fails
202during authentication then MCUBoot erases the memory slot and starts the other
203image, after successful authentication.
204
205To select which slot the image is to be executed from, set
206``MCUBOOT_EXECUTION_SLOT`` to the desired index. It is suggested that you create
207two build directories when building images using this mode, as intermediate
208dependencies cannot be reused due to changes in the flash layout.
209
210.. Note::
211
212    Only single image boot is supported with direct-xip upgrade mode.
213
214RAM Loading firmware upgrade
215============================
216Musca-S supports an image upgrade mode that is separate to the other (overwrite,
217swapping and dirext-xip) modes. This is the ``RAM load`` mode (please refer
218to the table below). Like the direct-xip mode, this selects the newest image
219by reading the image version numbers in the image headers, but instead of
220executing it in place, the newest image is copied to RAM for execution. The load
221address, the location in RAM where the image is copied to, is stored in the
222image header.
223
224Summary of different modes for image upgrade
225============================================
226Different implementations of the image upgrade operation (whether through
227overwriting, swapping, direct-xip or loading into RAM and executing from
228there) are supported by the platforms. The table below shows which of these
229modes are supported by which platforms:
230
231+---------------------+-----------------+----------------------------------------------------------+
232|                     | Without BL2 [1]_| With BL2 [2]_                                            |
233+=====================+=================+===============+==========+================+==============+
234|                     | XIP             | XIP           | XIP      | XIP            | Not XIP      |
235+---------------------+-----------------+---------------+----------+----------------+--------------+
236|                     |                 | Overwrite [3]_| Swap [4]_| direct-xip [5]_| RAM load [6]_|
237+---------------------+-----------------+---------------+----------+----------------+--------------+
238| AN521               | Yes             | Yes           | Yes      | Yes            | No           |
239+---------------------+-----------------+---------------+----------+----------------+--------------+
240| AN519               | Yes             | Yes           | Yes      | Yes            | No           |
241+---------------------+-----------------+---------------+----------+----------------+--------------+
242| FVP_SSE300_MPS3     | No              | Yes           | Yes      | Yes            | No           |
243+---------------------+-----------------+---------------+----------+----------------+--------------+
244| Corstone-310 FVP    | Yes             | Yes           | Yes      | Yes            | No           |
245+---------------------+-----------------+---------------+----------+----------------+--------------+
246| LPC55S69            | Yes             | Yes           | No       | Yes            | No           |
247+---------------------+-----------------+---------------+----------+----------------+--------------+
248| Musca-B1            | Yes             | Yes           | Yes      | Yes            | No           |
249+---------------------+-----------------+---------------+----------+----------------+--------------+
250| Musca-S1            | Yes             | Yes           | Yes      | Yes            | No           |
251+---------------------+-----------------+---------------+----------+----------------+--------------+
252| AN524               | Yes             | No            | No       | Yes            | No           |
253+---------------------+-----------------+---------------+----------+----------------+--------------+
254| AN547               | No              | Yes           | Yes      | Yes            | No           |
255+---------------------+-----------------+---------------+----------+----------------+--------------+
256| AN552               | No              | Yes           | Yes      | Yes            | No           |
257+---------------------+-----------------+---------------+----------+----------------+--------------+
258| PSoC64              | Yes             | No            | No       | No             | No           |
259+---------------------+-----------------+---------------+----------+----------------+--------------+
260| STM_DISCO_L562QE    | No              | Yes           | No       | No             | No           |
261+---------------------+-----------------+---------------+----------+----------------+--------------+
262| STM_NUCLEO_L552ZE_Q | No              | Yes           | No       | No             | No           |
263+---------------------+-----------------+---------------+----------+----------------+--------------+
264| nRF9160 DK          | Yes             | Yes           | No       | No             | No           |
265+---------------------+-----------------+---------------+----------+----------------+--------------+
266| nRF5340 DK          | Yes             | Yes           | No       | No             | No           |
267+---------------------+-----------------+---------------+----------+----------------+--------------+
268| BL5340 DVK          | Yes             | Yes           | Yes      | No             | No           |
269+---------------------+-----------------+---------------+----------+----------------+--------------+
270| RSE                 | No              | No            | No       | No             | Yes          |
271+---------------------+-----------------+---------------+----------+----------------+--------------+
272
273.. [1] To disable BL2, please set the ``BL2`` cmake option to ``OFF``
274
275.. [2] BL2 is enabled by default
276
277.. [3] The image executes in-place (XIP) and is in Overwrite mode for image
278    update by default
279
280.. [4] To enable XIP Swap mode, assign the "SWAP_USING_SCRATCH" or
281    "SWAP_USING_MOVE" string to the ``MCUBOOT_UPGRADE_STRATEGY``
282    configuration variable in the build configuration file, or include this
283    macro definition in the command line
284
285.. [5] To enable direct-xip, assign the "DIRECT_XIP" string to the
286    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
287    configuration file, or include this macro definition in the command line
288
289.. [6] To enable RAM load, assign the "RAM_LOAD" string to the
290    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
291    configuration file, or include this macro definition in the command line
292
293*******************
294Multiple image boot
295*******************
296It is possible to update the firmware images independently to support the
297scenario when secure and non-secure images are provided by different vendors.
298Multiple image boot is supported only together with the overwrite and swap
299firmware upgrade modes.
300
301It is possible to describe the dependencies of the images on each other in
302order to avoid a faulty upgrade when incompatible versions would be installed.
303These dependencies are part of the image manifest area.
304The dependencies are composed from two parts:
305
306 - **Image identifier:** The number of the image which the current image (whose
307   manifest area contains the dependency entry) depends on. The image identifier
308   starts from 0.
309
310 - **Minimum version:** The minimum version of other image must be present on
311   the device by the end of the upgrade (both images might be updated at the
312   same time).
313
314Dependencies can be added to the images at compile time with the following
315compile time switches:
316
317 - ``MCUBOOT_S_IMAGE_MIN_VER`` It is added to the non-secure image and specifies the
318   minimum required version of the secure image.
319 - ``MCUBOOT_NS_IMAGE_MIN_VER`` It is added to the secure image and specifies the
320   minimum required version of the non-secure image.
321
322Example of how to provide the secure image minimum version::
323
324    cmake -DTFM_PLATFORM=arm/musca_b1 -DMCUBOOT_S_IMAGE_MIN_VER=1.2.3+4 ..
325
326********************
327Signature algorithms
328********************
329MbedTLS library is used to sign the images. The list of supported signing
330algorithms:
331
332  - `RSA-2048`
333  - `RSA-3072`: default
334
335Example keys stored in:
336
337 - ``root-RSA-2048.pem``   : Used to sign single image (S+NS) or secure image
338   in case of multiple image boot
339 - ``root-RSA-2048_1.pem`` : Used to sign non-secure image in case of multiple
340   image boot
341 - ``root-RSA-3072.pem``   : Used to sign single image (S+NS) or secure image
342   in case of multiple image boot
343 - ``root-RSA-3072_1.pem`` : Used to sign non-secure image in case of multiple
344   image boot
345
346************************
347Build time configuration
348************************
349MCUBoot related compile time switches can be set by cmake variables.
350
351- BL2 (default: True):
352    - **True:** TF-M built together with bootloader. MCUBoot is executed after
353      reset and it authenticates TF-M and starts secure code.
354    - **False:** TF-M built without bootloader. Secure image linked to the
355      beginning of the device memory and executed after reset. If it is false
356      then using any of the further compile time switches is invalid.
357- MCUBOOT_UPGRADE_STRATEGY (default: "OVERWRITE_ONLY"):
358    - **"OVERWRITE_ONLY":** Default firmware upgrade operation with overwrite.
359    - **"SWAP_USING_SCRATCH":** Activate swapping firmware upgrade operation
360      with a scratch area in flash
361    - **"SWAP_USING_MOVE":** Activate swapping firmware upgrade operation
362      without a scratch area in flash
363    - **"DIRECT_XIP":** Activate direct execute-in-place firmware upgrade
364      operation.
365    - **"RAM_LOAD":** Activate RAM loading firmware upgrade operation, where
366      the latest image is copied to RAM and runs from there instead of being
367      executed in-place.
368- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
369    - **RSA-2048:** Image is signed with RSA algorithm and signed with 2048 bit key.
370    - **RSA-3072:** Image is signed with RSA algorithm and signed with 3072 bit key.
371    - **EC-P256:** Image is signed with ECDSA P-256 algorithm.
372    - **EC-P384:** Image is signed with ECDSA P-384 algorithm.
373- MCUBOOT_IMAGE_NUMBER (default: 2):
374    - **1:** Single image boot, secure and non-secure images are signed and
375      updated together.
376    - **2:** Multiple image boot, secure and non-secure images are signed and
377      updatable independently.
378- MCUBOOT_HW_KEY (default: True):
379    - **True:** The hash of public key is provisioned to the SoC and the image
380      manifest contains the whole public key (imgtool uses
381      ``--public_key_format=full``). MCUBoot validates the key before using it
382      for firmware authentication, it calculates the hash of public key from the
383      manifest and compare against the retrieved key-hash from the hardware.
384      This way MCUBoot is independent from the public key(s).  Key(s) can be
385      provisioned any time and by different parties.
386    - **False:** The whole public key is embedded to the bootloader code and the
387      image manifest contains only the hash of the public key (imgtool uses
388      ``--public_key_format=hash``). MCUBoot validates the key before using it
389      for firmware authentication, it calculates the hash of built-in public key
390      and compare against the retrieved key-hash from the image manifest. After
391      this the bootloader can verify that the image was signed with a private
392      key that corresponds to the retrieved key-hash (it can have more public
393      keys embedded in and it may have to look for the matching one). All the
394      public key(s) must be known at MCUBoot build time.
395- MCUBOOT_BUILTIN_KEY (default: False):
396    - **True:** When enabled, the entire public key used for signature
397      verification must be provisioned to the target device. In this case,
398      neither the code nor the image metadata needs to contain any public
399      key data. During image validation only a key ID is passed to the verifier
400      function for the required key to be selected. The key handling is entirely
401      the responsibility of the underlying crypto library and the details of the
402      key handling mechanism are abstracted away from the boot code.
403- MCUBOOT_LOG_LEVEL:
404    Can be used to configure the level of logging in MCUBoot. The possible
405    values are the following:
406
407    - **OFF**
408    - **ERROR**
409    - **WARNING**
410    - **INFO**
411    - **DEBUG**
412
413    The logging in MCUBoot can be disabled and thus the code size can be reduced
414    by setting it to ``OFF``. Its value depends on the build type. If the build
415    type is ``Debug`` then default value is ``INFO``. In case of different kinds
416    of ``Release`` builds the default value is ``OFF``. The default value can
417    be overridden through the command line or in the CMake GUI regardless of the
418    build type.
419- MCUBOOT_ENC_IMAGES (default: False):
420    - **True:** Adds encrypted image support in the source and encrypts the
421      resulting image using the ``enc-rsa2048-pub.pem`` key found in the MCUBoot
422      repository.
423    - **False:** Doesn't add encrypted image support and doesn't encrypt the
424      image.
425
426    .. Note::
427        The decryption takes place during the upgrade process, when the images
428        are being moved between the slots. This means that boards that don't
429        already have an image on them with MCUBoot that has been compiled with
430        ``MCUBOOT_ENCRYPT_RSA`` enabled need special treatment. In order to load
431        an encrypted image to such boards, an upgrade needs to be executed. This
432        can be done by using MCUBoot, putting an image in the secondary image
433        area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``. When using the
434        ``OVERWRITE_ONLY`` upgrade strategy, this is enough. When using
435        ``SWAP_USING_SCRATCH`` or ``SWAP_USING_MOVE``, an image is needed in
436        the primary image area as well, to trigger the update.
437
438    .. Danger::
439        DO NOT use the ``enc-rsa2048-pub.pem`` key in production code, it is
440        exclusively for testing!
441
442Image versioning
443================
444An image version number is written to its header by one of the Python scripts,
445and this number is used by the bootloader when the direct execute-in-place or
446the RAM loading mode is enabled. It is also used in case of multiple image boot
447when the bootloader checks the image dependencies if any have been added to the
448images.
449
450The version number of the image (single image boot) can manually be passed in
451through the command line in the cmake configuration step::
452
453    cmake -DTFM_PLATFORM=arm/musca_b1 -DIMAGE_VERSION_S=1.2.3+4 ..
454
455Alternatively, the version number can be less specific (e.g 1, 1.2, or 1.2.3),
456where the missing numbers are automatically set to zero. The image version
457number argument is optional, and if it is left out, then the version numbers of
458the image(s) being built in the same directory will automatically change. In
459this case, the last component (the build number) automatically increments from
460the previous one: 0.0.0+1 -> 0.0.0+2, for as many times as the build is re-ran,
461**until a number is explicitly provided**. If automatic versioning is in place
462and then an image version number is provided for the first time, the new number
463will take precedence and be used instead. All subsequent image versions are
464then set to the last number that has been specified, and the build number would
465stop incrementing. Any new version numbers that are provided will overwrite
466the previous one: 0.0.0+1 -> 0.0.0+2. Note: To re-apply automatic image
467versioning, please start a clean build without specifying the image version
468number at all. In case of multiple image boot there are separate compile time
469switches for both images to provide their version: ``IMAGE_VERSION_S`` and
470``IMAGE_VERSION_NS``. These must be used instead of ``IMAGE_VERSION_S``.
471
472Security counter
473================
474Each signed image contains a security counter in its manifest. It is used by the
475bootloader and its aim is to have an independent (from the image version)
476counter to ensure rollback protection by comparing the new image's security
477counter against the original (currently active) image's security counter during
478the image upgrade process. It is added to the manifest (to the TLV area that is
479appended to the end of the image) by one of the Python scripts when signing the
480image. The value of the security counter is security critical data and it is in
481the integrity protected part of the image. The last valid security counter
482should always be stored in a non-volatile and trusted component of the device
483and its value should always be increased if a security flaw was fixed in the
484current image version. The value of the security counter (single image boot) can
485be specified at build time in the cmake configuration step::
486
487    cmake -DTFM_PLATFORM=arm/musca_b1 -DSECURITY_COUNTER_S=42 ../
488
489The security counter can be independent from the image version, but not
490necessarily. Alternatively, if it is not specified at build time with the
491``SECURITY_COUNTER`` option the Python script will automatically generate it
492from the image version number (not including the build number) and this value
493will be added to the signed image. In case of multiple image boot there are
494separate compile time switches for both images to provide their security counter
495value: ``SECURITY_COUNTER_S`` and ``SECURITY_COUNTER_NS``. These must be used
496instead of ``SECURITY_COUNTER_S``. If these are not defined then the security
497counter values will be derived from the corresponding image version similar to
498the single image boot.
499
500***************************
501Signing the images manually
502***************************
503Normally the build system handles the signing (computing hash over the image
504and security critical manifest data and then signing the hash) of the firmware
505images. However, the images also can be signed manually by using the ``imgtool``
506Python program which is located in the MCUboot repository  in the ``scripts``
507folder or can be installed with the pip package manager.
508Issue the ``python3 imgtool.py sign --help`` command in the directory for more
509information about the mandatory and optional arguments. The tool takes an image
510in binary or Intel Hex format and adds a header and trailer that MCUBoot is
511expecting. In case of single image boot after a successful build the
512``tfm_s_ns.bin`` build artifact (contains the concatenated secure and non-secure
513images) must be passed to the script and in case of multiple image boot the
514``tfm_s.bin`` and ``tfm_ns.bin`` binaries can be passed to prepare the signed
515images.
516
517Signing the secure image manually in case of multiple image boot
518================================================================
519
520::
521
522    python3 bl2/ext/mcuboot/scripts/imgtool.py sign \
523        --layout <build_dir>/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.c.obj \
524        -k <tfm_dir>/bl2/ext/mcuboot/root-RSA-3072.pem \
525        --public-key-format full \
526        --align 1 \
527        -v 1.2.3+4 \
528        -d "(1,1.2.3+0)" \
529        -s 42 \
530        -H 0x400 \
531        <build_dir>/bin/tfm_s.bin \
532        <build_dir>/bin/tfm_s_signed.bin
533
534************************
535Testing firmware upgrade
536************************
537As downloading the new firmware image is out of scope for MCUBoot, the update
538process is started from a state where the original and the new image are already
539programmed to the appropriate memory slots. To generate the original and a new
540firmware package, TF-M is built twice with different build configurations.
541
542Overwriting firmware upgrade
543============================
544Run TF-M build twice with ``MCUBOOT_IMAGE_NUMBER`` set to "1" in both cases
545(single image boot), but with two different build configurations: default and
546regression. Save the artifacts between builds, because second run can overwrite
547original binaries. Download default build to the primary slot and regression
548build to the secondary slot.
549
550Executing firmware upgrade on FVP_MPS2_AEMv8M
551---------------------------------------------
552.. code-block:: bash
553
554    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
555    --parameter fvp_mps2.platform_type=2 \
556    --parameter cpu0.baseline=0 \
557    --parameter cpu0.INITVTOR_S=0x10000000 \
558    --parameter cpu0.semihosting-enable=0 \
559    --parameter fvp_mps2.DISABLE_GATING=0 \
560    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
561    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
562    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
563    --parameter fvp_mps2.telnetterminal0.quiet=0 \
564    --parameter fvp_mps2.telnetterminal1.quiet=1 \
565    --parameter fvp_mps2.telnetterminal2.quiet=1 \
566    --application cpu0=<build_dir>/bin/bl2.axf \
567    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
568    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
569
570Executing firmware upgrade on SSE 200 FPGA on MPS2 board
571--------------------------------------------------------
572
573::
574
575    TITLE: Versatile Express Images Configuration File
576    [IMAGES]
577    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
578    IMAGE0ADDRESS: 0x00000000
579    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
580    IMAGE1ADDRESS: 0x10080000
581    IMAGE1FILE: \Software\tfm_sig1.bin ; TF-M default test binary blob
582    IMAGE2ADDRESS: 0x10180000
583    IMAGE2FILE: \Software\tfm_sig2.bin ; TF-M regression test binary blob
584
585The following message will be shown in case of successful firmware upgrade:
586
587::
588
589    [INF] Starting bootloader
590    [INF] Swap type: test
591    [INF] Image upgrade secondary slot -> primary slot
592    [INF] Erasing the primary slot
593    [INF] Copying the secondary slot to the primary slot: 0x100000 bytes
594    [INF] Bootloader chainload address offset: 0x80000
595    [INF] Jumping to the first image slot
596    [Sec Thread] Secure image initializing!
597
598    #### Execute test suites for the Secure area ####
599    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
600    ...
601
602To update the secure and non-secure images separately (multiple image boot),
603set the ``MCUBOOT_IMAGE_NUMBER`` switch to "2" (this is the default
604configuration value) and follow the same instructions as in case of single image
605boot.
606
607Executing multiple firmware upgrades on SSE 200 FPGA on MPS2 board
608------------------------------------------------------------------
609
610::
611
612    TITLE: Versatile Express Images Configuration File
613    [IMAGES]
614    TOTALIMAGES: 4                     ;Number of Images (Max: 32)
615    IMAGE0ADDRESS: 0x00000000
616    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
617    IMAGE1ADDRESS: 0x10080000
618    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
619    IMAGE2ADDRESS: 0x10180000
620    IMAGE2FILE: \Software\tfm_ss1.bin  ; TF-M regression test secure (signed) image
621    IMAGE3ADDRESS: 0x10200000
622    IMAGE3FILE: \Software\tfm_nss1.bin ; TF-M regression test non-secure (signed) image
623
624Note that both the concatenated binary blob (the images are signed separately
625and then concatenated) and the separate signed images can be downloaded to the
626device because on this platform (AN521) both the primary slots and the secondary
627slots are contiguous areas in the Flash (see `Integration with TF-M`_). The
628following message will be shown in case of successful firmware upgrades:
629
630::
631
632    [INF] Starting bootloader
633    [INF] Swap type: test
634    [INF] Swap type: test
635    [INF] Image upgrade secondary slot -> primary slot
636    [INF] Erasing the primary slot
637    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
638    [INF] Image upgrade secondary slot -> primary slot
639    [INF] Erasing the primary slot
640    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
641    [INF] Bootloader chainload address offset: 0x80000
642    [INF] Jumping to the first image slot
643    [Sec Thread] Secure image initializing!
644    TFM level is: 1
645    [Sec Thread] Jumping to non-secure code...
646
647    #### Execute test suites for the Secure area ####
648    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
649    ...
650
651Swapping firmware upgrade
652=============================
653Follow the same instructions and platform related configurations as in case of
654overwriting build including these changes:
655
656- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "SWAP"
657  before build.
658- Set the ``MCUBOOT_IMAGE_NUMBER`` compile time switch to "1" (single image
659  boot) or "2" (multiple image boot) before build.
660
661During single image boot the following message will be shown in case of
662successful firmware upgrade, ``Swap type: test`` indicates that images were
663swapped:
664
665::
666
667    [INF] Starting bootloader
668    [INF] Image 0: magic= good, copy_done=0x3, image_ok=0x3
669    [INF] Scratch: magic=  bad, copy_done=0x0, image_ok=0x2
670    [INF] Boot source: primary slot
671    [INF] Swap type: test
672    [INF] Bootloader chainload address offset: 0x80000
673    [INF] Jumping to the first image slot
674    [Sec Thread] Secure image initializing!
675
676    #### Execute test suites for the Secure area ####
677    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
678    ...
679
680Direct execute-in-place firmware upgrade
681========================================
682Follow the same instructions and platform related configurations as in case of
683overwriting build including these changes:
684
685- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "DIRECT_XIP"
686  before build.
687- set ``MCUBOOT_EXECUTION_SLOT`` to ``1`` in the regression build dir.
688- Make sure the image version number was increased between the two build runs
689  either by specifying it manually or by checking in the build log that it was
690  incremented automatically.
691
692Executing firmware upgrade on FVP_MPS2_AEMv8M
693---------------------------------------------
694
695.. code-block:: bash
696
697    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
698    --parameter fvp_mps2.platform_type=2 \
699    --parameter cpu0.baseline=0 \
700    --parameter cpu0.INITVTOR_S=0x10000000 \
701    --parameter cpu0.semihosting-enable=0 \
702    --parameter fvp_mps2.DISABLE_GATING=0 \
703    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
704    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
705    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
706    --parameter fvp_mps2.telnetterminal0.quiet=0 \
707    --parameter fvp_mps2.telnetterminal1.quiet=1 \
708    --parameter fvp_mps2.telnetterminal2.quiet=1 \
709    --application cpu0=<build_dir>/bin/bl2.axf \
710    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
711    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
712
713Executing firmware upgrade on SSE 200 FPGA on MPS2 board
714--------------------------------------------------------
715
716::
717
718    TITLE: Versatile Express Images Configuration File
719    [IMAGES]
720    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
721    IMAGE0ADDRESS: 0x00000000
722    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
723    IMAGE1ADDRESS: 0x10080000
724    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
725    IMAGE2ADDRESS: 0x10180000
726    IMAGE2FILE: \Software\tfm_sig1.bin ; TF-M regression test binary blob
727
728Executing firmware upgrade on Musca-B1 and Musca-S1 boards
729----------------------------------------------------------
730After the two images have been built, they can be concatenated to create the
731combined image using ``srec_cat``:
732
733- Linux::
734
735    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
736
737- Windows::
738
739    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
740
741The following message will be shown in case of successful firmware upgrade,
742notice that image with higher version number (``version=1.2.3.5``) is executed:
743
744::
745
746    [INF] Starting bootloader
747    [INF] Image 0: version=1.2.3.4, magic= good, image_ok=0x3
748    [INF] Image 1: version=1.2.3.5, magic= good, image_ok=0x3
749    [INF] Booting image from the secondary slot
750    [INF] Bootloader chainload address offset: 0xa0000
751    [INF] Jumping to the first image slot
752    [Sec Thread] Secure image initializing!
753
754    #### Execute test suites for the Secure area ####
755    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
756    ...
757
758Executing firmware upgrade on CoreLink SSE-200 Subsystem for MPS3 (AN524)
759-------------------------------------------------------------------------
760
761::
762
763    TITLE: Arm MPS3 FPGA prototyping board Images Configuration File
764
765    [IMAGES]
766    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
767
768    IMAGE0UPDATE: AUTO                 ;Image Update:NONE/AUTO/FORCE
769    IMAGE0ADDRESS: 0x00000000
770    IMAGE0FILE: \SOFTWARE\bl2.bin      ;BL2 bootloader
771    IMAGE1UPDATE: AUTO
772    IMAGE1ADDRESS: 0x00040000
773    IMAGE1FILE: \SOFTWARE\tfm_sig0.bin ;TF-M example application binary blob
774    IMAGE2UPDATE: AUTO
775    IMAGE2ADDRESS: 0x000C0000
776    IMAGE2FILE: \SOFTWARE\tfm_sig1.bin ;TF-M regression test binary blob
777
778RAM loading firmware upgrade
779============================
780To enable RAM loading, please set ``MCUBOOT_UPGRADE_STRATEGY`` to "RAM_LOAD"
781(either in the configuration file or through the command line), and then specify
782a destination load address in RAM where the image can be copied to and executed
783from. The ``S_IMAGE_LOAD_ADDRESS`` macro must be specified in the target
784dependent files, and if multiple image boot is enabled then
785``NS_IMAGE_LOAD_ADDRESS`` must also be defined. For example with Musca-S, its
786``flash_layout.h`` file in the ``platform`` folder should include ``#define
787S_IMAGE_LOAD_ADDRESS #0xA0020000``
788
789Executing firmware upgrade on Musca-S board
790--------------------------------------------
791After two images have been built, they can be concatenated to create the
792combined image using ``srec_cat``:
793
794- Linux::
795
796    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
797
798- Windows::
799
800    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
801
802The following message will be shown in case of successful firmware upgrade when,
803RAM loading is enabled, notice that image with higher version number
804(``version=0.0.0.2``) is executed:
805
806::
807
808    [INF] Starting bootloader
809    [INF] Image 0: version=0.0.0.1, magic= good, image_ok=0x3
810    [INF] Image 1: version=0.0.0.2, magic= good, image_ok=0x3
811    [INF] Image has been copied from the secondary slot in flash to SRAM address 0xA0020000
812    [INF] Booting image from SRAM at address 0xA0020000
813    [INF] Bootloader chainload address offset: 0x20000
814    [INF] Jumping to the first image slot
815    [Sec Thread] Secure image initializing!
816
817--------------
818
819****************************************
820Integration with Firmware Update service
821****************************************
822The shim layer of the Firmware Update partition calls the APIs in
823bootutil_misc.c to control the image status.
824
825- Call ``boot_set_pending_multi()`` to make the image as a candidate image for
826  booting.
827- Call ``boot_set_confirmed_multi()`` to make the image as a permanent image.
828
829.. Note::
830    Currently, in direct-xip mode and ram-load mode, TF-M cannot get the
831    information of which slot contains the running image from the bootloader.
832    So the Firmware Update partition cannot decide where to write the new
833    image. As a result, the firmware update service is not supported in
834    direct-xip mode and ram-load mode.
835
836*Copyright (c) 2018-2024, Arm Limited. All rights reserved.*
837