#------------------------------------------------------------------------------
# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#------------------------------------------------------------------------------

cmake_minimum_required(VERSION 3.21)

# Interface-only target: it has no sources and exists to hand usage
# requirements (the include path of the generated mcuboot_config.h, added
# further down in this file) to whatever links against it.
add_library(mcuboot_config INTERFACE)

# Key passed to the signing wrapper via -E when MCUBOOT_ENC_IMAGES is enabled.
# NOTE(review): the default resolves to a PEM file inside the MCUboot source
# tree. A key shipped with public sources is presumably a sample whose private
# half is not secret - confirm, and set MCUBOOT_KEY_ENC explicitly for any
# image that relies on encryption for confidentiality.
set(MCUBOOT_KEY_ENC
    "${MCUBOOT_PATH}/enc-rsa2048-pub.pem"
    CACHE FILEPATH
    "Path to key with which to encrypt binary"
)

# MCUBOOT_MEASURED_BOOT (CBOR encoded measured boot data) is turned on only
# when measurements are stored AND stored in encoded form. With unencoded
# measurements the data sits in the shared data area and has to be processed
# at runtime instead, so the option stays unset.
if(CONFIG_TFM_BOOT_STORE_MEASUREMENTS AND CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS)
    set(MCUBOOT_MEASURED_BOOT ON)
endif()

# Pull in MCUboot's bootutil sources from the MCUboot checkout. The second
# argument names the binary directory, which must be given explicitly because
# the source directory lies outside this source tree.
add_subdirectory("${MCUBOOT_PATH}/boot/bootutil" bootutil)

# The calls below adjust the `bootutil` target, which is not created in this
# file (presumably by the subdirectory added above).

# Relative entries resolve against this directory; PUBLIC also exposes them to
# every target that links bootutil.
target_include_directories(bootutil PUBLIC include config)

# Generated configuration header, platform layer and crypto library, all
# propagated to consumers of bootutil.
target_link_libraries(bootutil PUBLIC mcuboot_config platform_bl2 bl2_mbedcrypto)

# Left unquoted on purpose: a list value expands to one option per element.
target_compile_options(bootutil PRIVATE ${BL2_COMPILER_CP_FLAG})

# Define DEFAULT_MCUBOOT_FLASH_MAP for bootutil's own sources only when the
# CMake variable of the same name is truthy.
target_compile_definitions(bootutil
    PRIVATE $<$<BOOL:${DEFAULT_MCUBOOT_FLASH_MAP}>:DEFAULT_MCUBOOT_FLASH_MAP>
)

# Consumers of mcuboot_config see this binary directory on their include path.
# It is listed for mcuboot_config.h only, and BUILD_INTERFACE keeps the path
# out of any installed/exported usage requirements.
target_include_directories(mcuboot_config
    INTERFACE $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}> # for mcuboot_config.h only
)

# The `bl2` target is not created in this file (presumably by a parent
# directory); this directory contributes its headers, sources, one compile
# definition and the bootutil dependency.
target_include_directories(bl2
    PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
)

target_sources(bl2 PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/bl2_main.c
    ${CMAKE_CURRENT_SOURCE_DIR}/keys.c
    ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_extended.c
    ${CMAKE_CURRENT_SOURCE_DIR}/flash_map_legacy.c
)

# Hands the configured signature type to bl2's sources as a preprocessor macro.
target_compile_definitions(bl2
    PRIVATE MCUBOOT_SIGNATURE_TYPE=${MCUBOOT_SIGNATURE_TYPE}
)

target_link_libraries(bl2 PUBLIC bootutil)

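# Translate the textual MCUBOOT_LOG_LEVEL into its index in the allowed list
# (OFF -> 0 ... DEBUG -> 4). LOG_LEVEL_ID stays in scope for the
# configure_file() call below (presumably substituted into
# mcuboot_config.h.in - confirm against the template).
set(MCUBOOT_ALLOWED_LOG_LEVELS OFF ERROR WARNING INFO DEBUG)
# Quoted so that an empty or unset value reaches the check below instead of
# failing with a wrong-argument-count error from list().
list(FIND MCUBOOT_ALLOWED_LOG_LEVELS "${MCUBOOT_LOG_LEVEL}" LOG_LEVEL_ID)
# list(FIND) reports -1 for a value that is not in the list. Stop here rather
# than let that index flow silently into the generated header.
if(LOG_LEVEL_ID EQUAL -1)
    list(JOIN MCUBOOT_ALLOWED_LOG_LEVELS ", " MCUBOOT_ALLOWED_LOG_LEVELS_TEXT)
    message(FATAL_ERROR
        "MCUBOOT_LOG_LEVEL is '${MCUBOOT_LOG_LEVEL}' but must be one of: "
        "${MCUBOOT_ALLOWED_LOG_LEVELS_TEXT}"
    )
endif()

# MCUBOOT_BOOT_MAX_ALIGN is the configured alignment with a floor of 8.
if(MCUBOOT_ALIGN_VAL GREATER 8)
    set(MCUBOOT_BOOT_MAX_ALIGN ${MCUBOOT_ALIGN_VAL})
else()
    set(MCUBOOT_BOOT_MAX_ALIGN 8)
endif()

# Generate mcuboot_config.h into the binary directory, which is on the include
# path of everything linking mcuboot_config. @ONLY restricts substitution to
# @VAR@ references, so any ${...} text in the template is left untouched.
configure_file(
    ${CMAKE_CURRENT_SOURCE_DIR}/include/mcuboot_config/mcuboot_config.h.in
    ${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h
    @ONLY
)
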
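############################### IMAGE SIGNING ##################################

# Default image signing flow: optionally generate a signing key pair, export
# the public keys, preprocess the signing layout files and sign the secure
# image. Everything here is skipped unless PLATFORM_DEFAULT_IMAGE_SIGNING is set.
if(PLATFORM_DEFAULT_IMAGE_SIGNING)
    # The key and signing commands below run Python scripts. REQUIRED reports a
    # missing interpreter at configure time instead of leaving
    # Python3_EXECUTABLE unusable until a build step fails.
    find_package(Python3 REQUIRED COMPONENTS Interpreter)

    if(MCUBOOT_GENERATE_SIGNING_KEYPAIR)
        # SIG_LEN is the run of digits that ends MCUBOOT_SIGNATURE_TYPE. The
        # value is quoted so an empty setting reaches the check below.
        string(REGEX MATCH "[0-9]*$" SIG_LEN "${MCUBOOT_SIGNATURE_TYPE}")
        if("${SIG_LEN}" STREQUAL "")
            message(FATAL_ERROR
                "MCUBOOT_GENERATE_SIGNING_KEYPAIR needs a key length: "
                "MCUBOOT_SIGNATURE_TYPE='${MCUBOOT_SIGNATURE_TYPE}' does not end in digits"
            )
        endif()
        # NOTE(review): the key type handed to imgtool is always "rsa-<SIG_LEN>",
        # whatever algorithm MCUBOOT_SIGNATURE_TYPE names - confirm that only
        # RSA signature types are combined with key generation.

        add_custom_target(generated_private_key
            SOURCES
                generated_private_key_s.pem
                generated_private_key_ns.pem
        )

        # NOTE(review): both private keys are created in the build tree and
        # then copied into bl2's output directory, the same directory that
        # receives the public keys and the signed image below. No password
        # option is passed to keygen, so the PEM files are presumably stored
        # unencrypted. Keep that directory out of published build artifacts,
        # and supply externally managed keys for release signing.
        add_custom_command(OUTPUT generated_private_key_s.pem
            COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
                keygen
                -k generated_private_key_s.pem
                -t rsa-${SIG_LEN}
            COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_s.pem $<TARGET_FILE_DIR:bl2>
        )
        add_custom_command(OUTPUT generated_private_key_ns.pem
            COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
                keygen
                -k generated_private_key_ns.pem
                -t rsa-${SIG_LEN}
            COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_ns.pem $<TARGET_FILE_DIR:bl2>
        )

        # FORCE deliberately replaces any cached key path with the generated
        # keys. The values contain a generator expression, so they only resolve
        # where generator expressions are evaluated (the custom commands below).
        set(MCUBOOT_KEY_S $<TARGET_FILE_DIR:bl2>/generated_private_key_s.pem CACHE FILEPATH "" FORCE)
        set(MCUBOOT_KEY_NS $<TARGET_FILE_DIR:bl2>/generated_private_key_ns.pem CACHE FILEPATH "" FORCE)
    endif()

    # Public halves of the signing keys, exported as PEM and copied next to bl2.
    add_custom_target(public_key ALL
        SOURCES
            image_s_signing_public_key.pem
            image_ns_signing_public_key.pem
    )
    add_custom_command(OUTPUT image_s_signing_public_key.pem
        # If MCUBOOT_GENERATE_SIGNING_KEYPAIR=ON then the command should depend on that
        # to make sure that the key is generated and copied to the MCUBOOT_KEY_S path.
        DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
        COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
            getpub
            -k ${MCUBOOT_KEY_S}
            -e pem
            -o image_s_signing_public_key.pem
        COMMAND ${CMAKE_COMMAND} -E copy image_s_signing_public_key.pem $<TARGET_FILE_DIR:bl2>
    )
    add_custom_command(OUTPUT image_ns_signing_public_key.pem
        # If MCUBOOT_GENERATE_SIGNING_KEYPAIR=ON then the command should depend on that
        # to make sure that the key is generated and copied to the MCUBOOT_KEY_NS path.
        DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
        COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
            getpub
            -k ${MCUBOOT_KEY_NS}
            -e pem
            -o image_ns_signing_public_key.pem
        COMMAND ${CMAKE_COMMAND} -E copy image_ns_signing_public_key.pem $<TARGET_FILE_DIR:bl2>
    )

    # IMAGE_TYPE and FLASH_AREA_NUM are set just before each configure_file()
    # of signing_layout.c.in (presumably referenced by the template - confirm).
    set(IMAGE_TYPE "S_IMAGE")
    set(FLASH_AREA_NUM ${MCUBOOT_S_IMAGE_FLASH_AREA_NUM})
    if(MCUBOOT_IMAGE_NUMBER GREATER 1)
        configure_file(signing_layout.c.in signing_layout_s.c @ONLY)
        add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s.c)
    else()
        # The imgtool script requires the s_ns suffix. Since only one signing
        # layout is used in this mode, the signing_layout_s target's source
        # file is renamed.
        configure_file(signing_layout.c.in signing_layout_s_ns.c @ONLY)
        add_library(signing_layout_s OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_s_ns.c)
    endif()

    # The layout file is only preprocessed (-E / --preprocess), so the "object"
    # of this library is preprocessed C text. It is handed to the signing
    # wrapper through --layout $<TARGET_OBJECTS:signing_layout_s>.
    target_compile_options(signing_layout_s
        PRIVATE
            $<$<C_COMPILER_ID:GNU>:-E\;-xc>
            $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
            $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>>
    )
    target_compile_definitions(signing_layout_s
        PRIVATE
            $<$<BOOL:${BL2}>:BL2>
            $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
    )
    target_link_libraries(signing_layout_s
        PRIVATE
            platform_bl2
    )

    add_custom_target(tfm_s_signed_bin
        SOURCES tfm_s_signed.bin
    )
    add_custom_command(OUTPUT tfm_s_signed.bin
        # Re-sign when the secure binary or the layout changes; when key
        # generation is enabled, wait for the generated key as well.
        DEPENDS
            $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
            tfm_s_bin
            signing_layout_s
            $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
        WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts

        # Sign the secure binary image with the private key at MCUBOOT_KEY_S.
        # NOTE(review): unless the key is generated above, MCUBOOT_KEY_S is
        # defined outside this file - confirm which key a release build uses.
        # -E is added only when MCUBOOT_ENC_IMAGES is set and then uses
        # MCUBOOT_KEY_ENC; -s carries MCUBOOT_SECURITY_COUNTER_S.
        COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
            -v ${MCUBOOT_IMAGE_VERSION_S}
            --layout $<TARGET_OBJECTS:signing_layout_s>
            -k ${MCUBOOT_KEY_S}
            --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
            --align ${MCUBOOT_ALIGN_VAL}
            --pad
            --pad-header
            -H ${BL2_HEADER_SIZE}
            -s ${MCUBOOT_SECURITY_COUNTER_S}
            -L ${MCUBOOT_ENC_KEY_LEN}
            -d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
            $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
            $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
            $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
            $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
            ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
        COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2>
    )

    # Non-secure layout: same template and options as the secure one. No
    # command in this file consumes signing_layout_ns (presumably it is used
    # where the non-secure image is signed).
    set(IMAGE_TYPE "NS_IMAGE")
    set(FLASH_AREA_NUM ${MCUBOOT_NS_IMAGE_FLASH_AREA_NUM})
    configure_file(signing_layout.c.in signing_layout_ns.c @ONLY)

    add_library(signing_layout_ns OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout_ns.c)
    target_compile_options(signing_layout_ns
        PRIVATE
            $<$<C_COMPILER_ID:GNU>:-E\;-xc>
            $<$<C_COMPILER_ID:ARMClang>:-E\;-xc>
            $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_ns>>
    )
    target_compile_definitions(signing_layout_ns
        PRIVATE
            $<$<BOOL:${BL2}>:BL2>
            $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},DIRECT_XIP>:IMAGE_ROM_FIXED>
    )
    target_link_libraries(signing_layout_ns
        PRIVATE
            platform_bl2
    )

    # Part of the default build (ALL); depends on the signed secure image.
    add_custom_target(signed_images
        ALL
        DEPENDS tfm_s_signed_bin
    )

endif()
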