Hi Antonio,

 

This might be helpful in addition to Tamas's reply:

https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-docs-nightly/lastStableBuild/artifact/trusted-firmware-m/build/install/doc/user_guide/html/docs/getting_started/tfm_user_guide.html#execute-tf-m-example-and-regression-tests-on-musca-test-chip-boards

 

The best,

Anton

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M
Sent: 13 November 2020 15:36
To: tf-m@lists.trustedfirmware.org
Cc: nd <nd@arm.com>
Subject: Re: [TF-M] Combine secure and non-secure image

 

Hi Antonio,

 

Required steps on Musca-A (only single image boot is supported by MCUboot due to RAM_LOAD upgrade mode limitation):


- Concatenate zephyr.bin + tfm_s.bin.

 

[ 93%] Generating tfm_s_ns.bin

cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/assemble.py --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -s /home/tamban01/repo/tf-m/build/bin/tfm_s.bin -n /home/tamban01/repo/tf-m/build/bin/tfm_ns.bin -o tfm_s_ns.bin

 

 

[ 94%] Generating tfm_s_ns_signed.bin

cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/wrapper/wrapper.py -v 1.1.0 --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -k /home/tamban01/repo/tf-m/bl2/ext/mcuboot/root-RSA-3072.pem --public-key-format full --align 1 --pad --pad-header -H 0x400 -s auto -d "(0, 0.0.0+0)" -d "(1, 0.0.0+0)"   tfm_s_ns.bin /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/tfm_s_ns_signed.bin

 

 

srec_cat build/bin/bl2.bin -Binary -offset 0x200000 build/bin/tfm_s_ns_signed.bin -Binary -offset 0x220000 -o tfm.hex -Intel

 

Tamas
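
An added sanity check for the steps above (not code from this thread or from the TF-M project): before the final srec_cat merge, it confirms that bl2.bin fits below 0x220000 and that tfm_s_ns_signed.bin starts with an MCUboot header matching the -H 0x400 and -v 1.1.0 options used when signing. The header layout and magic value are assumed to be those of upstream MCUboot, and the sample image is constructed.

```python
import struct

# Offsets, header size and version come from the commands quoted in the thread.
BL2_OFFSET, IMAGE_OFFSET = 0x200000, 0x220000   # srec_cat -offset values
HEADER_SIZE, VERSION = 0x400, "1.1.0"           # wrapper.py -H and -v
# Assumption: upstream MCUboot 32-byte little-endian image_header layout.
IMAGE_MAGIC = 0x96F3B83D
HDR_FMT = "<IIHHIIBBHII"

def parse_header(image: bytes) -> dict:
    """Decode the MCUboot header at the start of a signed image."""
    if len(image) < struct.calcsize(HDR_FMT):
        raise ValueError("image is shorter than an MCUboot header")
    (magic, load_addr, hdr_size, prot_tlv, img_size, flags,
     major, minor, rev, build, _pad) = struct.unpack_from(HDR_FMT, image)
    if magic != IMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a wrapped image")
    return {"load_addr": load_addr, "hdr_size": hdr_size, "prot_tlv": prot_tlv,
            "img_size": img_size, "version": f"{major}.{minor}.{rev}"}

def check_before_merge(bl2: bytes, signed: bytes) -> list:
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    if len(bl2) > IMAGE_OFFSET - BL2_OFFSET:
        problems.append("bl2.bin overlaps the image slot at 0x220000")
    try:
        hdr = parse_header(signed)
    except ValueError as err:
        return problems + [str(err)]
    if hdr["hdr_size"] != HEADER_SIZE:
        problems.append(f"header size 0x{hdr['hdr_size']:x}, expected 0x400")
    if hdr["version"] != VERSION:
        problems.append(f"version {hdr['version']}, expected {VERSION}")
    if hdr["hdr_size"] + hdr["img_size"] + hdr["prot_tlv"] > len(signed):
        problems.append("file is shorter than header + payload + protected TLVs")
    return problems

def make_sample(hdr_size=HEADER_SIZE, version=(1, 1, 0), img_size=64) -> bytes:
    """Constructed stand-in for tfm_s_ns_signed.bin (no real signature TLVs)."""
    hdr = struct.pack(HDR_FMT, IMAGE_MAGIC, 0, hdr_size, 0, img_size, 0,
                      *version, 0, 0)
    return hdr.ljust(hdr_size, b"\x00") + b"\xAA" * img_size

if __name__ == "__main__":
    print(check_before_merge(b"\x00" * 0x1000, make_sample()))
```

This only checks layout and header fields; signature verification is still done by MCUboot at boot.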

 

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Kevin Townsend via TF-M
Sent: Friday, 13 November 2020 16:33
To: Antonio Ken IANNILLO <antonioken.iannillo@uni.lu>
Cc: tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] Combine secure and non-secure image

 

Hi Antonio,

 

I'm not sure if this helps, but here is an example of how we sign the binaries for the MPS2 AN521, for example, after building the TF-M and Zephyr NS images, plus MCUBoot:

https://github.com/zephyrproject-rtos/zephyr/blob/966015f503d1438c25d59793762495452be5ebbc/boards/arm/mps2_an521/CMakeLists.txt

Best regards,

Kevin

 

On Fri, 13 Nov 2020 at 16:19, Antonio Ken IANNILLO via TF-M <tf-m@lists.trustedfirmware.org> wrote:

Hi all,

I abandoned the idea of building TF-M and Zephyr at once and switched to separate compilations.

Now, I have both secure and non-secure binaries but I’m not sure how to concatenate and sign them.

I found the assemble.py script but I don’t know whether it is the correct one or where to find the signing_layout.

 

To be more specific, for my current target musca-a (going to switch to musca-s as soon as it arrives):

  • I built TF-M
  • I imported and included in my Zephyr application both libpsa_api_ns.a and libtfm_s_veneers.a
  • I built my Zephyr application

Now (I suppose) I have to

  • merge zephyr.bin with tfm_s.bin
  • sign the merged binary
  • concatenate with bl2

I could not find any reference on how to correctly do these last steps.

 

Best,

-- 

Antonio Ken Iannillo

Research Scientist – SEDAN group

SnT – Interdisciplinary Centre for Security, Reliability and Trust

UNIVERSITÉ DU LUXEMBOURG

 

CAMPUS KIRCHBERG
29, avenue John F. Kennedy 
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660

 


www.uni.lu/snt
