From 97c7e9f08e6643884cf078a60cf54a8243fbe5cf Mon Sep 17 00:00:00 2001
From: Peter Hoyes <Peter.Hoyes@arm.com>
Date: Mon, 3 Oct 2022 12:29:58 +0100
Subject: [PATCH] arm/classes: Migrate TF-M image signing to bbclass

Introduce a new recipe for the TF-M signing scripts.

To make the functionality easier to reuse, move the logic that is
currently in trusted-firmware-m-sign-host-images.inc to
tfm_sign_image.bbclass. This bbclass DEPENDS on
trusted-firmware-m-scrpits-native.

tfm_sign_image.bbclass can be inherited in image recipes to sign
artifacts.

Issue-Id: SCM-4964
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Change-Id: I74aaab5db1a43fedf13ea2564c2f31af207ae924
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 .../trusted-firmware-m-sign-host-images.inc   | 50 ------------
 meta-arm/classes/tfm_sign_image.bbclass       | 79 +++++++++++++++++++
 ...trusted-firmware-m-scripts-native_1.6.0.bb | 24 ++++++
 3 files changed, 103 insertions(+), 50 deletions(-)
 delete mode 100644 meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
 create mode 100644 meta-arm/classes/tfm_sign_image.bbclass
 create mode 100644 meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb

diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
deleted file mode 100644
index 49af3568..00000000
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
+++ /dev/null
@@ -1,50 +0,0 @@
-# Signing host images using TF-M tools
-
-DEPENDS += "python3-imgtool-native fiptool-native"
-
-#
-# sign_host_image
-#
-# Description:
-#
-# A generic function that signs a host image
-# using MCUBOOT format
-#
-# Arguments:
-#
-# $1 ... host binary to sign
-# $2 ... host binary path
-# $3 ... load address of the given binary
-# $4 ... signed binary size
-#
-# Note: The signed binary is copied to ${D}/firmware
-#
-sign_host_image() {
-
-    host_binary_filename="`basename -s .bin ${1}`"
-    host_binary_layout="${host_binary_filename}_ns"
-
-    cat << EOF > ${B}/${host_binary_layout}
-enum image_attributes {
-    RE_IMAGE_LOAD_ADDRESS = ${3},
-    RE_SIGN_BIN_SIZE = ${4},
-};
-EOF
-
-    host_binary="${2}/`basename ${1}`"
-    host_binary_signed="${D}/firmware/signed_`basename ${1}`"
-
-    ${PYTHON} ${S}/bl2/ext/mcuboot/scripts/wrapper/wrapper.py \
-            -v ${RE_LAYOUT_WRAPPER_VERSION} \
-            --layout ${B}/${host_binary_layout} \
-            -k  ${TFM_SIGN_PRIVATE_KEY} \
-            --public-key-format full \
-            --align 1 \
-            --pad \
-            --pad-header \
-            -H ${RE_IMAGE_OFFSET} \
-            -s auto \
-            ${host_binary} \
-            ${host_binary_signed}
-
-}
diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
new file mode 100644
index 00000000..542b708b
--- /dev/null
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -0,0 +1,79 @@
+# Functionality to sign binary images using the wrapper script bundled with
+# TF-M. Signed images are written to the deploy directory by default.
+# To use:
+#  * Inherit this class
+#  * Override the do_sign_images task
+#  * Write the signing logic, which may call the function sign_host_image,
+#    described below
+
+inherit python3native deploy
+
+# The output and working directory
+TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
+
+tfm_sign_image_do_sign_images() {
+    :
+}
+addtask sign_images after do_configure before do_compile
+do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DIR}"
+
+tfm_sign_image_do_deploy() {
+    :
+}
+addtask deploy after do_sign_images
+
+deploy_signed_images() {
+    cp ${TFM_IMAGE_SIGN_DIR}/signed_* ${DEPLOYDIR}/
+}
+do_deploy[postfuncs] += "deploy_signed_images"
+
+EXPORT_FUNCTIONS do_sign_images do_deploy
+
+DEPENDS += "trusted-firmware-m-scripts-native"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+#
+# sign_host_image
+#
+# Description:
+#
+# A generic function that signs a host image
+# using MCUBOOT format
+#
+# Arguments:
+#
+# $1 ... path of binary to sign
+# $2 ... load address of the given binary
+# $3 ... signed binary size
+#
+# Note: The signed binary is copied to ${TFM_IMAGE_SIGN_DIR}
+#
+sign_host_image() {
+    host_binary_filename="$(basename -s .bin "${1}")"
+    host_binary_layout="${host_binary_filename}_ns"
+
+    cat << EOF > ${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}
+enum image_attributes {
+    RE_IMAGE_LOAD_ADDRESS = ${2},
+    RE_SIGN_BIN_SIZE = ${3},
+};
+EOF
+
+    host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"
+
+    ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
+            -v ${RE_LAYOUT_WRAPPER_VERSION} \
+            --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
+            -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
+            --public-key-format full \
+            --align 1 \
+            --pad \
+            --pad-header \
+            -H ${RE_IMAGE_OFFSET} \
+            -s auto \
+            "${1}" \
+            "${host_binary_signed}"
+}
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
new file mode 100644
index 00000000..453d456a
--- /dev/null
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
@@ -0,0 +1,24 @@
+
+SRC_URI = "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https;branch=${SRCBRANCH}"
+# Use the wrapper script from TF-Mv1.6.0
+SRCBRANCH ?= "release/1.6.x"
+SRCREV = "7387d88158701a3c51ad51c90a05326ee12847a8"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"
+
+S = "${WORKDIR}/git"
+
+inherit native
+
+RDEPENDS:${PN} = "python3-imgtool-native python3-click-native"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+    install -d ${D}/${libdir}
+    cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts
+    cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts
+}
+FILES:${PN} = "${libdir}/tfm-scripts"