27f9cf85de
|
||
|---|---|---|
| .. | ||
| imgtool | ||
| policy | ||
| .gitignore | ||
| README.md | ||
| encrypted_image_runner.py | ||
README.md
Version of Python required is 3.7+
This directory contains scripts for adding signatures . These files are relevant to CY8CPROTO_064_SB target.
NOTE: Before starting work with Cypress Secure Boot enabled target please read User Guide https://www.cypress.com/secureboot-sdk-user-guide
UPGRADE IMAGES
Secure Boot enabled targets support image upgrades, if specified by policy. There are two types of upgrade images supported:
- signed, non encrypted
- signed, encrypted
The upgrade images types are determined by the following policy setting (firmware sections):
- "smif_id": should be set to 1 for CY8CPROTO_064_SB onboard SMIF, default is 0 - SMIF disabled
- "upgrade": true/false, - should be set to true if UPGRADE supported, false - if disabled
- "encrypt": true/false, - should be set to true if encrypted UPGRADE supported, false - if disabled
- "encrypt_key_id": 1, - should remain unchanged, means that Device Key will be used in ECDH/HKDF protocol
Requirements:
- Policy with _smif.json from policy/ folder should be used. For encrypted image:
- aes.key generated, as described in user guide
- dev_pub_key.pem must be placed in keys/ folder (this key is generated in provisioning procedure)
- secure_image_parameters.json file in the target directory must contain valid keys' paths
Non encrypted UPGRADE image Example policy for CY8CPROTO_064_SB:
"smif_id": 1,
"upgrade": true,
"encrypt": false,
"encrypt_key_id": 1,
Encrypted UPGRADE image:
Example policy for CY8CPROTO_064_SB:
"smif_id": 1,
"upgrade": true,
"encrypt": true,
"encrypt_key_id": 1,
Modified policy file should be used for provisioning the device, as described in User Guide.
Now mbed-os application or test can be built as described in section TESTS. Images for UPGRADE are generated at build time, according to policy.
- Non enrypted UPGRADE image file name ends with upgrade.hex
- Enrypted UPGRADE image file name ends with enc_upgrade.hex
Upgrade image can be programmed to target board using Daplink. Upgrade procedure is performed after first reset.
Encrypt generic image: The generic HEX file (for example one that is produced by mbed-os build system) can be converted into encrypted image by using encrypted_image_runner.py script located in sb-tools. Usage example:
python encrypted_image_runner.py --sdk-path . --hex-file someApplication.hex --key-priv keys/MCUBOOT_CM0P_KEY_PRIV.pem --key-pub keys/dev_pub_key.pem --key-aes keys/aes.key --ver 0.1 --img-id 3 --rlb-count 0 --slot-size 0x50000 --pad 1 --img-offset 402653184
- --sdk-path - Path to Secure Boot tools folder
- --key-priv - ECC Private key used for image signing and for generating shared secret as per ECDH/HKDF.
- --key-pub - ECC Public key used for image signing and for generating shared secret as per ECDH/HKDF. Only device Key can be used in current implementation. It is generated by provisioning procedure.
- --key-aes - AES128 key and IV file raw image will be encrypted with.
- --img-id - Image ID of encrypted image. Must match one mentioned in policy for UPGRADE image.
- --slot-size - Slot_1 (UPGRADE) size. Must match one mentioned in policy for UPGRADE image.
- --ver - Version of image. Make sure it matches one defined in secure_image_parameters.json for a given HEX.
- --rlb-count - Rollback counter. Make sure it matches one defined in secure_image_parameters.json for a given HEX.
- --img-offset - Starting address offset for UPGRADE image - passed as integer, as represented in policy
TESTS
-
Build and run tests for CY8CPROTO_064_SB target with command:
Run commands: mbed test --compile -m CY8CPROTO_064_SB -t GCC_ARM -n tests-mbed* -v