Thanks all.
I succeeded to merge and sign with Tamas’ commands.
I also succeeded to make it run on the board, but it stops after initializing the secure world.
Even if I just add a simple non secure application (hello world), I got these messages and only these:
[Sec Thread] Secure image initializing!
Booting TFM v1.1
[Crypto] MBEDTLS_TEST_NULL_ENTROPY is not suitable for production!
That I suppose they are the correct output from the secure world. I was expecting, after this, the output from the non secure world.
Am I missing something?
I tried also to use the sample application hello world but the result is the same.
Best,
Antonio
----
Date: Fri, 13 Nov 2020 15:35:30 +0000
From: Tamas Ban <Tamas.Ban@arm.com>
To: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
Cc: nd <nd@arm.com>
Subject: Re: [TF-M] Combine secure and non-secure image
Message-ID:
<VI1PR08MB42069F5DD7AED23892CA5F08E2E60@VI1PR08MB4206.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Hi Antonio,
Required steps on Musca-A (only single image boot is supported by MCUboot due to RAM_LOAD upgrade mode limitation):
- Concatenate zephyr.bin + tfm_s.bin.
[ 93%] Generating tfm_s_ns.bin
cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/assemble.py --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -s /home/tamban01/repo/tf-m/build/bin/tfm_s.bin -n /home/tamban01/repo/tf-m/build/bin/tfm_ns.bin -o tfm_s_ns.bin
* Signing the concatenated binary:
[ 94%] Generating tfm_s_ns_signed.bin
cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/wrapper/wrapper.py -v 1.1.0 --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -k /home/tamban01/repo/tf-m/bl2/ext/mcuboot/root-RSA-3072.pem --public-key-format full --align 1 --pad --pad-header -H 0x400 -s auto -d "(0, 0.0.0+0)" -d "(1, 0.0.0+0)" tfm_s_ns.bin /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/tfm_s_ns_signed.bin
* Combine bl2.bin and tfm_s_ns.bin:
srec_cat build/bin/bl2.bin -Binary -offset 0x200000 build/bin/tfm_s_ns_signed.bin -Binary -offset 0x220000 -o tfm.hex -Intel
Tamas
From: Kevin Townsend <kevin.townsend@linaro.org>
Date: Friday, 13 November 2020 at 16:32
To: Antonio Ken IANNILLO <antonioken.iannillo@uni.lu>
Cc: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
Subject: Re: [TF-M] Combine secure and non-secure image
Hi Antonio,
I'm not sure if this helps, but here is an example of how we sign the binaries for the MPS2 AN521, for example, after building the TF-M and Zephyr NS images, plus MCUBoot:
https://github.com/zephyrproject-rtos/zephyr/blob/966015f503d1438c25d59793762495452be5ebbc/boards/arm/mps2_an521/CMakeLists.txt
Best regards,
Kevin
On Fri, 13 Nov 2020 at 16:19, Antonio Ken IANNILLO via TF-M <tf-m@lists.trustedfirmware.org> wrote:
Hi all,
I abandoned the idea to build at once tf-m and zephyr and switched to separated compilations.
Now, I have both secure and non-secure binaries but I’m not sure how to concatenate and sign them.
I found the assemble.py script but I don’t know whether it is the correct one or where to find the signing_layout.
To be more specific, for my current target musca-a (going to switch to musca-s as soon as it arrives):
- I built TF-M
- I imported and included in my zephyr application both libpsa_api_ns.a and libtfm_s_veneers.a
- I build my zephyr application
Now (I suppose) I have to
· merge zephyr.bin with tfm_s.bin
· sign the merged binary
· concatenate with bl2
I could not find any reference how to correctly do these last steps.
Best,
--
--
TF-M mailing list
TF-M@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m