#-------------------------------------------------------------------------------
# Copyright (c) 2023-2024, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.21)

# TF-M prepares this CMake script for building the non-secure (NS) side
# application. It is not used by the secure build; it is part of the exported
# tree only and is renamed to spe/CMakeLists.txt during the installation phase.

# Both modules are looked up by name, i.e. through CMAKE_MODULE_PATH, which the
# including NS project has to set up (not visible in this file).
include(spe_config)
include(spe_export)

# Give the imported targets global visibility so that other directories of the
# NS build can reference them, then let every consumer of tfm_config inherit
# the usage requirements of psa_interface as well.
set_target_properties(
    tfm_config
    psa_interface
    psa_crypto_config
    PROPERTIES
        IMPORTED_GLOBAL True
)
target_link_libraries(tfm_config INTERFACE psa_interface)
# A real NS integration is expected to compile the interface sources exported
# by the TF-M build. Both directories are located relative to this file.
set(INTERFACE_SRC_DIR ${CMAKE_CURRENT_LIST_DIR}/interface/src)
set(INTERFACE_INC_DIR ${CMAKE_CURRENT_LIST_DIR}/interface/include)

# Static library that collects the NS-side API sources selected below.
add_library(tfm_api_ns STATIC)

# Interface headers exported by TF-M, visible to tfm_api_ns and its consumers.
target_include_directories(tfm_api_ns
    PUBLIC
        ${INTERFACE_INC_DIR}
        ${INTERFACE_INC_DIR}/crypto_keys
)

# One API source file per partition switch; a switch that evaluates to false
# contributes nothing. The sources are PUBLIC, so they are also added to the
# sources of every target that links tfm_api_ns.
target_sources(tfm_api_ns
    PUBLIC
        $<$<BOOL:${TFM_PARTITION_PLATFORM}>:${INTERFACE_SRC_DIR}/tfm_platform_api.c>
        $<$<BOOL:${TFM_PARTITION_PROTECTED_STORAGE}>:${INTERFACE_SRC_DIR}/tfm_ps_api.c>
        $<$<BOOL:${TFM_PARTITION_INTERNAL_TRUSTED_STORAGE}>:${INTERFACE_SRC_DIR}/tfm_its_api.c>
        $<$<BOOL:${TFM_PARTITION_CRYPTO}>:${INTERFACE_SRC_DIR}/tfm_crypto_api.c>
        $<$<BOOL:${TFM_PARTITION_INITIAL_ATTESTATION}>:${INTERFACE_SRC_DIR}/tfm_attest_api.c>
        $<$<BOOL:${TFM_PARTITION_FIRMWARE_UPDATE}>:${INTERFACE_SRC_DIR}/tfm_fwu_api.c>
)
# TrustZone configuration: an INTERFACE library that hands the TrustZone PSA
# NS API source and the veneer object to whichever target links it.
if (CONFIG_TFM_USE_TRUSTZONE)
    add_library(tfm_api_ns_tz INTERFACE)

    target_sources(tfm_api_ns_tz INTERFACE ${INTERFACE_SRC_DIR}/tfm_tz_psa_ns_api.c)

    # NOTE(review): s_veneers.o is a prebuilt object taken from the exported
    # tree and linked as-is (presumably the secure-gateway veneers emitted by
    # the secure build). It has to come from the same secure build as the
    # secure image that is deployed - confirm in the integration's build flow.
    target_link_libraries(tfm_api_ns_tz INTERFACE ${CMAKE_CURRENT_SOURCE_DIR}/interface/lib/s_veneers.o)
endif()
# Mailbox NS agent configuration: an INTERFACE library carrying the multi-core
# NS API sources and their include directory to whichever target links it.
if (TFM_PARTITION_NS_AGENT_MAILBOX)
    add_library(tfm_api_ns_mailbox INTERFACE)

    target_include_directories(tfm_api_ns_mailbox INTERFACE ${INTERFACE_INC_DIR}/multi_core)

    target_sources(tfm_api_ns_mailbox
        INTERFACE
            ${INTERFACE_SRC_DIR}/multi_core/tfm_multi_core_ns_api.c
            ${INTERFACE_SRC_DIR}/multi_core/tfm_multi_core_psa_ns_api.c
    )
endif()
# With the Crypto partition enabled, tfm_api_ns and everything linking it also
# pick up the usage requirements of the imported psa_crypto_config target.
if (TFM_PARTITION_CRYPTO)
    target_link_libraries(tfm_api_ns PUBLIC psa_crypto_config)
endif()
# INTERFACE library that only carries compile definitions (plus tfm_config's
# usage requirements) to the targets that link it.
add_library(platform_region_defs INTERFACE)

target_link_libraries(platform_region_defs INTERFACE tfm_config)

target_compile_definitions(platform_region_defs
    INTERFACE
        # BL1 / BL2 are defined only when the matching variable is true.
        $<$<BOOL:${BL1}>:BL1>
        $<$<BOOL:${BL2}>:BL2>
        # The header/trailer sizes are passed unconditionally; an unset
        # variable therefore yields a definition with an empty value.
        BL2_HEADER_SIZE=${BL2_HEADER_SIZE}
        BL2_TRAILER_SIZE=${BL2_TRAILER_SIZE}
        BL1_HEADER_SIZE=${BL1_HEADER_SIZE}
        BL1_TRAILER_SIZE=${BL1_TRAILER_SIZE}
        $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
        # The selected PSA API test suite becomes part of the macro name.
        $<$<BOOL:${TEST_PSA_API}>:PSA_API_TEST_${TEST_PSA_API}>
        # ENABLE_HEAP is set for the Debug and RelWithDebInfo configurations
        # only.
        $<$<OR:$<CONFIG:Debug>,$<CONFIG:relwithdebinfo>>:ENABLE_HEAP>
)
# The platform subdirectory is processed first; platform_ns is not created in
# this file, so it is presumably defined there.
add_subdirectory(platform)

target_compile_definitions(platform_ns
    PUBLIC
        # Marks the code as built for the non-secure domain.
        DOMAIN_NS=1
        $<$<BOOL:${PLATFORM_DEFAULT_CRYPTO_KEYS}>:PLATFORM_DEFAULT_CRYPTO_KEYS>
        # "hard" maps to 2 and "soft" to 0; any other value of
        # CONFIG_TFM_FLOAT_ABI defines nothing.
        $<$<STREQUAL:${CONFIG_TFM_FLOAT_ABI},hard>:CONFIG_TFM_FLOAT_ABI=2>
        $<$<STREQUAL:${CONFIG_TFM_FLOAT_ABI},soft>:CONFIG_TFM_FLOAT_ABI=0>
        $<$<BOOL:${CONFIG_TFM_ENABLE_CP10CP11}>:CONFIG_TFM_ENABLE_CP10CP11>
)

# The default UART stdout implementation is compiled into platform_ns only
# when PLATFORM_DEFAULT_UART_STDOUT is true.
target_sources(platform_ns
    PRIVATE
        $<$<BOOL:${PLATFORM_DEFAULT_UART_STDOUT}>:${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/common/uart_stdout.c>
)

# Consumers of tfm_api_ns get the region definitions and the platform library.
target_link_libraries(tfm_api_ns
    PUBLIC
        platform_region_defs
        platform_ns
)
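# Image signing and assembly for BL2 builds that use the platform's default
# signing flow. The final artefact in both branches is
# ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin.
#
# NOTE(review): the private keys used below are read from image_signing/keys/
# inside the exported tree. Confirm that release builds do not sign with a
# default development key, and note that the key files are not DEPENDS entries,
# so replacing a key file alone does not re-run the signing step.
if(BL2 AND PLATFORM_DEFAULT_IMAGE_SIGNING)

    # Every command below is launched through ${Python3_EXECUTABLE}. Fail at
    # configure time when no interpreter is found instead of generating build
    # rules with an empty executable name.
    find_package(Python3 REQUIRED COMPONENTS Interpreter)

    # Part of the default build (ALL); listing the file as a source ties this
    # target to the custom command that produces the combined signed image.
    add_custom_target(tfm_s_ns_signed_bin
        ALL
        SOURCES ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin
    )

    if (MCUBOOT_IMAGE_NUMBER GREATER 1)

        # More than one image: the NS image is signed on its own here, while
        # the secure image is taken already signed from the exported tree
        # (bin/tfm_s_signed.bin).
        add_custom_target(tfm_ns_signed_bin
            SOURCES ${CMAKE_BINARY_DIR}/bin/tfm_ns_signed.bin
        )
        add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/bin/tfm_ns_signed.bin
            DEPENDS tfm_ns_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            # Only when the key pair is generated during the build does the
            # signing step wait for the generated_private_key target.
            DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_ns.o
            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts

            # Sign the non-secure binary image with the NS private key.
            # -s passes the NS security counter and -d declares a dependency
            # on image 0 at MCUBOOT_S_IMAGE_MIN_VER.
            # NOTE(review): the hand-escaped -d argument appears to rely on
            # this command not being VERBATIM; adding VERBATIM would require
            # rewriting that argument as a single quoted argument.
            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/wrapper/wrapper.py
                --version ${MCUBOOT_IMAGE_VERSION_NS}
                --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_ns.o
                --key ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_ns_signing_private_key.pem
                --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
                --align ${MCUBOOT_ALIGN_VAL}
                --pad
                --pad-header
                -H ${BL2_HEADER_SIZE}
                -s ${MCUBOOT_SECURITY_COUNTER_NS}
                -L ${MCUBOOT_ENC_KEY_LEN}
                -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
                $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
                $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
                $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_enc_key.pem>
                $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
                $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
                ${CMAKE_BINARY_DIR}/bin/tfm_ns_signed.bin
        )

        # Create the concatenated binary image from the two independently
        # signed binary files. This only uses the local assemble.py script
        # (not the one from upstream mcuboot) because that script is geared
        # towards Zephyr support.
        add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/bin/tfm_s_signed.bin
            DEPENDS tfm_ns_signed_bin ${CMAKE_BINARY_DIR}/bin/tfm_ns_signed.bin
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s.o
            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts

            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/assemble.py
                --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s.o
                --secure ${CMAKE_CURRENT_SOURCE_DIR}/bin/tfm_s_signed.bin
                --non_secure ${CMAKE_BINARY_DIR}/bin/tfm_ns_signed.bin
                --output ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin
        )
    else()
        # Single image: the unsigned secure binary from the exported tree
        # (bin/tfm_s.bin) and the NS binary are concatenated first, and the
        # combined file is then signed once with the secure-side key, version
        # and security counter.
        add_custom_target(tfm_s_ns_bin
            SOURCES ${CMAKE_BINARY_DIR}/bin/tfm_s_ns.bin
        )
        add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/bin/tfm_s_ns.bin
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/bin/tfm_s.bin
            DEPENDS tfm_ns_bin $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s_ns.o
            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts

            # Concatenate the S and NS binaries into tfm_s_ns.bin.
            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/assemble.py
                --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s_ns.o
                --secure ${CMAKE_CURRENT_SOURCE_DIR}/bin/tfm_s.bin
                --non_secure $<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
                --output ${CMAKE_BINARY_DIR}/bin/tfm_s_ns.bin
        )

        add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin
            DEPENDS tfm_s_ns_bin ${CMAKE_BINARY_DIR}/bin/tfm_s_ns.bin
            DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s_ns.o
            # Only when the key pair is generated during the build does the
            # signing step wait for the generated_private_key target.
            DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts

            # Sign the combined tfm_s_ns.bin file with the secure-side key.
            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/wrapper/wrapper.py
                --version ${MCUBOOT_IMAGE_VERSION_S}
                --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_s_ns.o
                --key ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_s_signing_private_key.pem
                --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
                --align ${MCUBOOT_ALIGN_VAL}
                --pad
                --pad-header
                -H ${BL2_HEADER_SIZE}
                -s ${MCUBOOT_SECURITY_COUNTER_S}
                -L ${MCUBOOT_ENC_KEY_LEN}
                $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
                $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
                $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_enc_key.pem>
                $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
                ${CMAKE_BINARY_DIR}/bin/tfm_s_ns.bin
                ${CMAKE_BINARY_DIR}/tfm_s_ns_signed.bin
        )
    endif()
endif()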