diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc index 5d22b464..d0265364 100644 --- a/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -18,7 +18,7 @@ TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000" TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000" TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000" RE_LAYOUT_WRAPPER_VERSION = "0.0.7" -TFM_SIGN_PRIVATE_KEY = "${S}/bl2/ext/mcuboot/root-RSA-3072_1.pem" +TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem" RE_IMAGE_OFFSET = "0x1000" # u-boot diff --git a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb index ad5ec958..76a7126b 100644 --- a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb +++ b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb @@ -6,8 +6,27 @@ LICENSE = "MIT" COMPATIBLE_MACHINE = "corstone1000" inherit image -inherit wic_nopt +inherit wic_nopt tfm_sign_image PACKAGE_INSTALL = "" IMAGE_FSTYPES += "wic wic.nopt" + +do_sign_images() { + # Sign TF-A BL2 + sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \ + ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE} + + # Update BL2 in the FIP image + cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} . + fiptool update --tb-fw ${TFM_IMAGE_SIGN_DIR}/signed_${TFA_BL2_BINARY} \ + ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} + + # Sign the FIP image + sign_host_image ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} \ + ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE} +} +do_sign_images[depends] = "\ + trusted-firmware-a:do_populate_sysroot \ + fiptool-native:do_populate_sysroot \ + " diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index 341c8a27..3034680d 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc @@ -37,6 +37,3 @@ EXTRA_OEMAKE:append = " \ BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \ LOG_LEVEL=50 \ " - -# trigger TF-M build so TF-A binaries get signed -do_deploy[depends]+= "virtual/trusted-firmware-m:do_prepare_recipe_sysroot" diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc index eb400e52..95c49d06 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc @@ -25,25 +25,8 @@ SRC_URI += "git://github.com/OpenAMP/open-amp.git;protocol=https;branch=main;nam SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d" EXTRA_OECMAKE += "-DLIBOPENAMP_SRC_PATH=${WORKDIR}/git/openamp -DLIBOPENAMP_BIN_PATH=${B}/libopenamp-build" -DEPENDS += "trusted-firmware-a" - -# adding host images signing support -require trusted-firmware-m-sign-host-images.inc - do_install() { install -D -p -m 0644 ${B}/install/outputs/tfm_s_signed.bin ${D}/firmware/tfm_s_signed.bin install -D -p -m 0644 ${B}/install/outputs/bl2_signed.bin ${D}/firmware/bl2_signed.bin install -D -p -m 0644 ${B}/install/outputs/bl1.bin ${D}/firmware/bl1.bin - - # - # Signing TF-A BL2 and the FIP image - # - - sign_host_image ${TFA_BL2_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE} - - fiptool update \ - --tb-fw ${D}/firmware/signed_${TFA_BL2_BINARY} \ - ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} - - sign_host_image ${TFA_FIP_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE} }