mbed-os/targets/TARGET_Cypress/TARGET_PSOC6/sb-tools/README.md

#### Version of Python required is 3.7+

This directory contains scripts for adding signatures .
These files are relevant to CY8CPROTO_064_SB target.

**_NOTE_:**  Before starting work with Cypress Secure Boot enabled target please read User Guide https://www.cypress.com/secureboot-sdk-user-guide

## UPGRADE IMAGES

Secure Boot enabled targets support image upgrades, if specified by policy. There are two types of upgrade images supported:
- signed, non encrypted
- signed, encrypted

The upgrade images types are determined by the following policy setting (firmware sections):

- **_"smif_id":_** should be set to 1 for CY8CPROTO_064_SB onboard SMIF, default is 0 - SMIF disabled
- **_"upgrade":_** true/false, - should be set to *true* if UPGRADE supported, *false* - if disabled
- **_"encrypt":_** true/false, - should be set to *true* if encrypted UPGRADE supported, *false* - if disabled
- **_"encrypt_key_id":_** 1, - should remain unchanged, means that Device Key will be used in ECDH/HKDF protocol

Requirements:
- Policy with **_smif.json** from policy/ folder should be used.
For encrypted image:
- aes.key generated, as described in user guide
- dev_pub_key.pem must be placed in keys/ folder (this key is generated in provisioning procedure)
- secure_image_parameters.json file in the target directory must contain valid keys' paths

Non encrypted UPGRADE image 
**_Example policy for CY8CPROTO_064_SB:_**
        
        "smif_id": 1,
        "upgrade": true,
        "encrypt": false,
        "encrypt_key_id": 1,

Encrypted UPGRADE image:

**_Example policy for CY8CPROTO_064_SB:_**
        
        "smif_id": 1,
        "upgrade": true,
        "encrypt": true,
        "encrypt_key_id": 1,

Modified policy file should be used for provisioning the device, as described in User Guide.

Now mbed-os application or test can be built as described in section **TESTS**. Images for UPGRADE are generated at build time, according to policy.

- Non enrypted UPGRADE image file name ends with **_upgrade.hex_**
- Enrypted UPGRADE image file name ends with **_enc_upgrade.hex_**

Upgrade image can be programmed to target board using Daplink. Upgrade procedure is performed after first reset.

**_Encrypt generic image:_**
The generic HEX file (for example one that is produced by mbed-os build system) can be converted into encrypted image by using encrypted_image_runner.py script located in sb-tools. Usage example:

        python encrypted_image_runner.py --sdk-path . --hex-file someApplication.hex --key-priv keys/MCUBOOT_CM0P_KEY_PRIV.pem --key-pub keys/dev_pub_key.pem --key-aes keys/aes.key --ver 0.1 --img-id 3 --rlb-count 0 --slot-size 0x50000 --pad 1 --img-offset 402653184
    
- **_--sdk-path_** - Path to Secure Boot tools folder
- **_--key-priv_** - ECC Private key used for image signing and for generating shared secret as per ECDH/HKDF.
- **_--key-pub_** - ECC Public key used for image signing and for generating shared secret as per ECDH/HKDF. Only device Key can be used in current implementation. It is generated by provisioning procedure.
- **_--key-aes_** - AES128 key and IV file raw image will be encrypted with.
- **_--img-id_** - Image ID of encrypted image. Must match one mentioned in policy for UPGRADE image.
- **_--slot-size_** - Slot_1 (UPGRADE) size. Must match one mentioned in policy for UPGRADE image.
- **_--ver_** - Version of image. Make sure it matches one defined in secure_image_parameters.json for a given HEX.
- **_--rlb-count_** - Rollback counter. Make sure it matches one defined in secure_image_parameters.json for a given HEX.
- **_--img-offset_** - Starting address offset for UPGRADE image - passed as integer, as represented in policy

# TESTS
        
1.  Build and run tests for CY8CPROTO_064_SB target with command:

        Run commands:
        mbed test --compile -m CY8CPROTO_064_SB -t GCC_ARM -n tests-mbed* -v