modules: tfm: fix TFM_MCUBOOT_IMAGE_NUMBER == 1

Fix builds with `CONFIG_TFM_MCUBOOT_IMAGE_NUMBER=1`. The merged binary should be signed with the same argumements as a secure build, not a non-secure build, except with a different layout file generated by the TF-M build system. Fixes #68345. Signed-off-by: Jordan Yates <jordan@embeint.com>
2024-06-16 20:21:00 +10:00 · 2024-06-16 20:21:00 +10:00 · 1bbfbef88d
commit 1bbfbef88d
parent 0155c6f87f
2 changed files with 14 additions and 4 deletions
--- a/modules/trusted-firmware-m/CMakeLists.txt
+++ b/modules/trusted-firmware-m/CMakeLists.txt
@ -393,6 +393,7 @@ if (CONFIG_BUILD_WITH_TFM)

  if (CONFIG_TFM_BL2)
    set(PREPROCESSED_FILE_S "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
+    set(PREPROCESSED_FILE_S_NS "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o")
    set(PREPROCESSED_FILE_NS "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
    set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot")
  endif()
@ -415,13 +416,19 @@ if (CONFIG_BUILD_WITH_TFM)
    if(PAD)
      set(pad_args --pad --pad-header)
    endif()
+    # Secure + Non-secure images are signed the same way as a secure only
+    # build, but with a different layout file.
+    set(layout_file ${PREPROCESSED_FILE_${SUFFIX}})
+    if(SUFFIX STREQUAL "S_NS")
+      set(SUFFIX "S")
+    endif()
    set (${OUT_ARG}
      # Add the MCUBoot script to the path so that if there is a version of imgtool in there then
      # it gets used over the system imgtool. Used so that imgtool from upstream
      # mcuboot is preferred over system imgtool
      ${CMAKE_COMMAND} -E env PYTHONPATH=${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts
      ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-      --layout ${PREPROCESSED_FILE_${SUFFIX}}
+      --layout ${layout_file}
      -k ${CONFIG_TFM_KEY_FILE_${SUFFIX}}
      --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
      --align 1
@ -465,7 +472,7 @@ if (CONFIG_BUILD_WITH_TFM)
    )

  elseif(CONFIG_TFM_MCUBOOT_IMAGE_NUMBER STREQUAL "1")
-    tfm_sign(sign_cmd NS TRUE ${S_NS_FILE} ${S_NS_SIGNED_FILE})
+    tfm_sign(sign_cmd S_NS TRUE ${S_NS_FILE} ${S_NS_SIGNED_FILE})

    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
      COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
--- a/modules/trusted-firmware-m/Kconfig.tfm
+++ b/modules/trusted-firmware-m/Kconfig.tfm
@ -192,7 +192,9 @@ config TFM_IMAGE_VERSION_S
 	help
 	  MCUBoot may be configured to prevent rollback prevention based on image
 	  versions of both the secure firmware and non-secure firmware. This sets
-	  the secure firmware's version for rollback prevention.
+	  the secure firmware's version for rollback prevention. This version is
+	  also used for merged secure + non-secure builds
+	  (TFM_MCUBOOT_IMAGE_NUMBER == 1).

 config TFM_IMAGE_VERSION_NS
 	string "Version of the Non-Secure Image"
@ -250,7 +252,8 @@ config TFM_KEY_FILE_S
 	help
 	  The path and filename for the .pem file containing the private key
 	  that should be used by the BL2 bootloader when signing secure
-	  firmware images.
+	  firmware images. This key file is also used for merged secure +
+	  non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).

 config TFM_KEY_FILE_NS
 	string "Path to private key used to sign non-secure firmware images."