Hi Antonio,
Required steps on Musca-A (only single image boot is supported by MCUboot due to RAM_LOAD upgrade mode limitation):
- Concatenate zephyr.bin + tfm_s.bin.
[ 93%] Generating tfm_s_ns.bin cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/assemble.py --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -s /home/tamban01/repo/tf-m/build/bin/tfm_s.bin -n /home/tamban01/repo/tf-m/build/bin/tfm_ns.bin -o tfm_s_ns.bin
* Signing the concatenated binary:
[ 94%] Generating tfm_s_ns_signed.bin cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/wrapper/wrapper.py -v 1.1.0 --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -k /home/tamban01/repo/tf-m/bl2/ext/mcuboot/root-RSA-3072.pem --public-key-format full --align 1 --pad --pad-header -H 0x400 -s auto -d "(0, 0.0.0+0)" -d "(1, 0.0.0+0)" tfm_s_ns.bin /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/tfm_s_ns_signed.bin
* Combine bl2.bin and tfm_s_ns.bin:
srec_cat build/bin/bl2.bin -Binary -offset 0x200000 build/bin/tfm_s_ns_signed.bin -Binary -offset 0x220000 -o tfm.hex -Intel
Tamas
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Kevin Townsend via TF-M Sent: 2020. november 13., péntek 16:33 To: Antonio Ken IANNILLO antonioken.iannillo@uni.lu Cc: tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Combine secure and non-secure image
Hi Antonio,
I'm not sure if this helps, but here is an example of how we sign the binaries for the MPS2 AN521, for example, after building the TF-M and Zephyr NS images, plus MCUBoot:
https://github.com/zephyrproject-rtos/zephyr/blob/966015f503d1438c25d5979376... Best regards, Kevin
On Fri, 13 Nov 2020 at 16:19, Antonio Ken IANNILLO via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> wrote: Hi all, I abandoned the idea to build at once tf-m and zephyr and switched to separated compilations. Now, I have both secure and non-secure binaries but I’m not sure how to concatenate and sign them. I found the assemble.py script but I don’t know whether it is the correct one or where to find the signing_layout.
To be more specific, for my current target musca-a (going to switch to musca-s as soon as it arrives):
* I built TF-M * I imported and included in my zephyr application both libpsa_api_ns.a and libtfm_s_veneers.a * I build my zephyr application Now (I suppose) I have to
· merge zephyr.bin with tfm_s.bin
· sign the merged binary
· concatenate with bl2 I could not find any reference how to correctly do these last steps.
Best, -- Antonio Ken Iannillo Research Scientist – SEDAN group SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG 29, avenue John F. Kennedy L-1855 Luxembourg Kirchberg T +352 46 66 44 9660
Join the conversation Newshttps://wwwen.uni.lu/snt/news_events | Twitterhttps://twitter.com/SnT_uni_lu | Linkedinhttps://www.linkedin.com/school/snt-lu/ www.uni.lu/snthttp://www.uni.lu/snt -- TF-M mailing list TF-M@lists.trustedfirmware.orgmailto:TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m