This applies only to `ARM_MUSCA_B1` target
When MCUBOOT repo: UPSTREAM was set as default as part of TF-M 1.1
release, few things were changed:
MCUBOOT_IMAGE_NUMBER: '2'
MCUBOOT_UPGRADE_STRATEGY: 'OVERWRITE_ONLY'
MCUBOOT_HW_KEY: 'On'(default)
Therefore the signing strategy for Non-secure image (Mbed OS)
needs to be done with its own private key, which is validated during
boot.
Signed-off-by: Vikas Katariya <vikas.katariya@arm.com>
Add TF-M to Mbed OS, replacing the previous PSA implementation for
TF-M-capable targets. This commit adds files imported from TF-M, without
modification. The version of TF-M imported can be found in
`features/FEATURE_PSA/TARGET_TFM/VERSION.txt`.
These changes switch to TF-M as the sole PSA implementation for v8-M and
dual core targets, with TF-M running on the secure side and Mbed OS
running on the non-secure side. Single core v7-M targets will continue
to have PSA implemented via PSA emulation, implemented by Mbed OS.
Move or remove many PSA-implementing files, as PSA will be provided by
TF-M on non-single-v7-M targets. Delete any files that are not relevant
for PSA emulation mode.
- Remove imported TF-M SPM
- Remove Mbed SPM and tests
- Remove Mbed-implemented PSA services and tests
- Remove PSA_SRV_IMPL, PSA_SRV_IPC, PSA_SRV_EMUL and NSPE.
- Replace PSA_SRV_EMUL and PSA_SRV_IMPL with MBED_PSA_SRV
- Remove any files autogenerated by
"tools/psa/generate_partition_code.py", which no longer exists.
Add new feature `PSA` to support PSA in Mbed OS.
Move the Mbed OS implementation of PSA services for v7-M targets (which
employ PSA emulation, and don't yet use TF-M) to
features/FEATURE_PSA/TARGET_MBED_PSA_SRV. Update the `requires`
attribute in TESTS/configs/baremetal.json to avoid breaking baremetal
testing builds.
Update .astyleignore to match new directory structure
Update Mbed TLS importer to place files into FEATURE_PSA
Create the following generic PSA targets:
* `PSA_Target` (Root level PSA generic target)
* `PSA_V7_M` (Single v7-M PSA generic target)
* `PSA_DUAL_CORE` (Dual-core PSA generic target)
* `PSA_V8_M` (v8-M PSA generic target)
Flatten MUSCA_NS and private MUSCA targets into public MUSCA targets.
Move mcuboot.bin to flat location (removing prebuilt folder)
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Currently, the final binary (TF-M + Mbed OS) is signed after
concatenating TF-M and Mbed OS binaries. But TF-M signs the images
separately and then concatenates them. Update the Musca B1 signing
strategy to match TF-M.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Make the MUSCA_B1 target TF-M compatible by doing the following:
- Add flash, region definitions, and preprocessed image macros from
TF-M (at version 6e7be077eabe "Core: Add lifecycle API")
- Update the MUSCA_B1 linker script to create a flash image
compatible with TF-M.
- Update the tfm/bin_utils/assemble.py signing script to work with
preprocessed image macros rather than flat C pre-processor defines
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Remove PSA v8-M S target binaries will be built outside of Mbed OS and
added in as binaries which NS targets consume. Mbed OS no longer
implements PSA for v8-M targets, so there is no reason for it to build
PSA S targets.
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Musca-B1 is a Cortex-M33 based target with security extension enabled.
- ARM_MUSCA_B1 is the non-secure target running mbed-os.
- ARM_MUSCA_B1_S is the secure target running TF-M.
- TF-M sources were imported and patched in previous commits.
- TF-M secure bootloader (McuBoot) for MUSCA_B1 is submitted by a
pre-built binary.
- A post-build hook concatenates The secure and non-secure binaries,
signs it and then concatenates the bootloader with the signed binary.
Change-Id: I4b36290941b5f0bb7aa7c12dda2f38b5c1e39ae2
Signed-off-by: Tamas Kaman <tamas.kaman@arm.com>
Signed-off-by: Gabor Abonyi <gabor.abonyi@arm.com>
Vikas Katariya
Devaraj Ranganna
Jaeden Amero
Tamas Kaman