Thanks all.
I succeeded to merge and sign with Tamas’ commands.
I also succeeded to make it run on the board, but it stops after initializing the secure world.
Even if I just add a simple non secure application (hello world), I got these messages and only these:
[Sec Thread] Secure image initializing!
Booting TFM v1.1
[Crypto] MBEDTLS_TEST_NULL_ENTROPY is not suitable for production!
That I suppose they are the correct output from the secure world. I was expecting, after this, the output from the non secure world.
Am I missing something?
I tried also to use the sample application hello world but the result is the same.
Best,
Antonio
----
Date: Fri, 13 Nov 2020 15:35:30 +0000
From: Tamas Ban Tamas.Ban@arm.com
To: "tf-m@lists.trustedfirmware.org" tf-m@lists.trustedfirmware.org
Cc: nd nd@arm.com
Subject: Re: [TF-M] Combine secure and non-secure image
Message-ID:
VI1PR08MB42069F5DD7AED23892CA5F08E2E60@VI1PR08MB4206.eurprd08.prod.outlook.com
Content-Type: text/plain; charset="utf-8"
Hi Antonio,
Required steps on Musca-A (only single image boot is supported by MCUboot due to RAM_LOAD upgrade mode limitation):
- Concatenate zephyr.bin + tfm_s.bin.
[ 93%] Generating tfm_s_ns.bin
cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/assemble.py --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -s /home/tamban01/repo/tf-m/build/bin/tfm_s.bin -n /home/tamban01/repo/tf-m/build/bin/tfm_ns.bin -o tfm_s_ns.bin
* Signing the concatenated binary:
[ 94%] Generating tfm_s_ns_signed.bin
cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/wrapper/wrapper.py -v 1.1.0 --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -k /home/tamban01/repo/tf-m/bl2/ext/mcuboot/root-RSA-3072.pem --public-key-format full --align 1 --pad --pad-header -H 0x400 -s auto -d "(0, 0.0.0+0)" -d "(1, 0.0.0+0)" tfm_s_ns.bin /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/tfm_s_ns_signed.bin
* Combine bl2.bin and tfm_s_ns.bin:
srec_cat build/bin/bl2.bin -Binary -offset 0x200000 build/bin/tfm_s_ns_signed.bin -Binary -offset 0x220000 -o tfm.hex -Intel
Tamas
From: Kevin Townsend kevin.townsend@linaro.org Date: Friday, 13 November 2020 at 16:32 To: Antonio Ken IANNILLO antonioken.iannillo@uni.lu Cc: "tf-m@lists.trustedfirmware.org" tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Combine secure and non-secure image
Hi Antonio,
I'm not sure if this helps, but here is an example of how we sign the binaries for the MPS2 AN521, for example, after building the TF-M and Zephyr NS images, plus MCUBoot:
https://github.com/zephyrproject-rtos/zephyr/blob/966015f503d1438c25d5979376...
Best regards,
Kevin
On Fri, 13 Nov 2020 at 16:19, Antonio Ken IANNILLO via TF-M tf-m@lists.trustedfirmware.org wrote:
Hi all,
I abandoned the idea to build at once tf-m and zephyr and switched to separated compilations.
Now, I have both secure and non-secure binaries but I’m not sure how to concatenate and sign them.
I found the assemble.py script but I don’t know whether it is the correct one or where to find the signing_layout.
To be more specific, for my current target musca-a (going to switch to musca-s as soon as it arrives): I built TF-M I imported and included in my zephyr application both libpsa_api_ns.a and libtfm_s_veneers.a I build my zephyr application Now (I suppose) I have to
· merge zephyr.bin with tfm_s.bin
· sign the merged binary
· concatenate with bl2
I could not find any reference how to correctly do these last steps.
Best,