Update Mbed CMakeLists.txt for Mbed CE

Signed-off-by: Jamie Smith <[email protected]>

Author: multiplemonomials

boot/mbed/CMakeLists.txt

@@ -1,10 +1,11 @@
 # Copyright (c) 2021 ARM Limited. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# Mbed-MCUboot Port
+# Pull in functions for working with imgtool
+include(mcuboot_imgtool.cmake)
 
+# Mbed-MCUboot Port
 cmake_minimum_required(VERSION 3.19.0 FATAL_ERROR)
-
 get_filename_component(BOOT_UTIL_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../bootutil REALPATH)
 
 set(LIB_TARGET mbed-mcuboot)
@@ -13,49 +14,46 @@ set(LIB_BOOTUTIL bootutil)
 add_library(${LIB_TARGET} STATIC)
 
 target_include_directories(${LIB_TARGET}
-    PUBLIC
-        include
-        ${BOOT_UTIL_DIR}/include
-        ${BOOT_UTIL_DIR}/src
+  PUBLIC
+    include
+    ${BOOT_UTIL_DIR}/src
 )
 
 target_sources(${LIB_TARGET}
-    PRIVATE
-        mcuboot_main.cpp
-        app_enc_keys.c
-        src/flash_map_backend.cpp
-        src/secondary_bd.cpp
+  PRIVATE
+    mcuboot_main.cpp
+    app_enc_keys.c
+    src/flash_map_backend.cpp
+    src/secondary_bd.cpp
 )
 
 target_link_libraries(${LIB_TARGET}
-    PUBLIC
-        bootutil  # Cross-dependency
-        mbed-mbedtls
-        mbed-storage-flashiap
-        mbed-storage-blockdevice
+  PUBLIC
+    bootutil  # Cross-dependency
+    mbed-mbedtls
+    mbed-storage-flashiap
+    mbed-storage-blockdevice
+    mbed-core-flags
 )
 
-if("_RTE_" IN_LIST MBED_CONFIG_DEFINITIONS)
-    target_link_libraries(${LIB_TARGET}
-    PUBLIC
-        mbed-os
-    )
-else()
-    target_link_libraries(${LIB_TARGET}
-    PUBLIC
-        mbed-baremetal
-    )
+# Add signing key generated source file
+mcuboot_generate_signing_keys_file(${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c)
+target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c)
+
+if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
+  mcuboot_generate_encryption_key_file(${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c)
+  target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c)
 endif()
 
 # The cross-dependency requires that bootutil have access to the mbed port's
 # include directory and is linked with the appropriate mbed-specific libraries.
 target_include_directories(${LIB_BOOTUTIL}
-    PUBLIC
-        include
+  PUBLIC
+    include
 )
 
 target_link_libraries(${LIB_BOOTUTIL}
-    PUBLIC
-        mbed-mcuboot
-        mbed-mbedtls
+  PUBLIC
+    mbed-mcuboot
+    mbed-mbedtls
 )

boot/mbed/include/flash_map_backend/flash_map_backend.h

@@ -152,6 +152,11 @@ uint8_t flash_area_erased_val(const struct flash_area * fap);
 
 /*
  * Given flash area ID, return info about sectors within the area.
+ *
+ * Note: the sectors array has size MCUBOOT_MAX_IMG_SECTORS, and only that many elements should
+ * be stored into it.  However, if the flash area has more than MCUBOOT_MAX_IMG_SECTORS sectors,
+ * the count variable should be set to indicate the real sector count.  This will trigger the appropriate
+ * warning to be printed.
  */
 int flash_area_get_sectors(int fa_id, uint32_t *count,
   struct flash_sector *sectors);

boot/mbed/include/mcuboot_config/mcuboot_logging.h

@@ -36,6 +36,8 @@
 #define MCUBOOT_LOG_LEVEL MCUBOOT_LOG_LEVEL_OFF
 #endif
 
+// Set Mbed log level appropriately if not already set
+#ifndef MBED_TRACE_MAX_LEVEL
 #if MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_ERROR
 #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_ERROR
 #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_WARNING
@@ -45,6 +47,7 @@
 #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_DEBUG
 #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_DEBUG
 #endif
+#endif
 
 #define TRACE_GROUP "MCUb"
 #include "mbed-trace/mbed_trace.h"

boot/mbed/mbed_lib.json

@@ -88,7 +88,7 @@
             "value": true
         },
         "max-img-sectors": {
-            "help": "Maximum number of flash sectors per image slot. Target-dependent, please set on a per-target basis.",
+            "help": "Maximum number of flash sectors per image slot. This should be set to account for the sector sizes of both the main and secondary block devices. Target-dependent, please set on a per-target basis.",
             "macro_name": "MCUBOOT_MAX_IMG_SECTORS",
             "required": true
         },
@@ -119,7 +119,7 @@
             "value": null
         },
         "encrypt-rsa": {
-            "help": "Encrypt images using RSA (NOT TESTED)",
+            "help": "Encrypt update images using RSA",
             "macro_name": "MCUBOOT_ENCRYPT_RSA",
             "accepted_values": [true, null],
             "value": null
@@ -189,6 +189,11 @@
         "xip-secondary-slot-address": {
             "help": "Specify start address for secondary slot address in XIP-accessible memory. This is required if direct-xip is enabled.",
             "value": null
+        },
+        "flash-block-size": {
+            "help": "Size in bytes of a programmable block of the flash memory.",
+            "macro_name": "MCUBOOT_BOOT_MAX_ALIGN",
+            "value": 8
         }
     }
 }

boot/mbed/mcuboot_imgtool.cmake

@@ -0,0 +1,219 @@
+# Copyright (c) 2024 Jamie Smith
+# SPDX-License-Identifier: Apache-2.0
+
+check_python_package(imgtool.main MCUBOOT_IMGTOOL_FOUND)
+
+get_filename_component(IMGTOOL_SCRIPTS_DIR ${CMAKE_CURRENT_LIST_DIR}/../../scripts REALPATH)
+
+# Find or install imgtool
+
+if(NOT MCUBOOT_IMGTOOL_FOUND)
+  # If we are using the Mbed venv, we can install asn1tools automatically
+  if(MBED_CREATE_PYTHON_VENV)
+    message(STATUS "mcuboot: Installing imgtool into Mbed's Python virtualenv")
+    execute_process(
+      COMMAND ${Python3_EXECUTABLE} -m pip install ${IMGTOOL_SCRIPTS_DIR}
+      COMMAND_ERROR_IS_FATAL ANY
+    )
+  else()
+    message(FATAL_ERROR "The mcuboot imgtool python package needs to be installed (from mcuboot/scripts/) into Mbed's python interpreter (${Python3_EXECUTABLE})")
+  endif()
+endif()
+
+# Signing key
+set(MCUBOOT_SIGNING_KEY "" CACHE STRING "Path to key file (.pem) used to sign firmware updates for your device. The public key will be stored in the bootloader. This file must be kept safe!")
+
+# Make sure the signing key path is absolute for EXISTS, relative to the top level build dir
+get_filename_component(MCUBOOT_SIGNING_KEY_ABSPATH "${MCUBOOT_SIGNING_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR})
+set(MCUBOOT_SIGNING_KEY_ABSPATH ${MCUBOOT_SIGNING_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_SIGNING_KEY" FORCE)
+
+if("${MCUBOOT_SIGNING_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_SIGNING_KEY_ABSPATH}")
+  message(FATAL_ERROR "Must specify path to valid image signing key via MCUBOOT_SIGNING_KEY CMake option in order to build this project.")
+endif()
+
+# Encryption key
+if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
+  set(MCUBOOT_ENCRYPTION_KEY "" CACHE STRING "Path to key file (.pem) used to encrypt firmware updates for your device. The private key will be stored in the bootloader. This file must be kept safe!")
+
+  # Make sure the signing key path is absolute for EXISTS, relative to the top level build dir
+  get_filename_component(MCUBOOT_ENCRYPTION_KEY_ABSPATH "${MCUBOOT_ENCRYPTION_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR})
+  set(MCUBOOT_ENCRYPTION_KEY_ABSPATH ${MCUBOOT_ENCRYPTION_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_ENCRYPTION_KEY" FORCE)
+
+  if("${MCUBOOT_ENCRYPTION_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_ENCRYPTION_KEY_ABSPATH}")
+    message(FATAL_ERROR "Since mcuboot.encrypt-rsa is enabled, you must specify the path to a valid image encryption key via the MCUBOOT_ENCRYPTION_KEY CMake option in order to build this project.")
+  endif()
+endif()
+
+# Imgtool usage functions
+
+#
+# Generate a signed image hex file for the given executable target.
+#
+function(_mcuboot_generate_image TARGET IMAGE_TYPE IMAGE_BASE_PATH)
+  if("${MBED_OUTPUT_EXT}" STREQUAL "bin")
+    message(FATAL_ERROR "Hex file output must be enabled to use mcuboot.  Set MBED_OUTPUT_EXT to empty string after including app.cmake in your top level CMakeLists.txt!")
+  endif()
+
+  if("${PROJECT_VERSION}" STREQUAL "")
+    message(FATAL_ERROR "You must set the project version to sign images by passing a version number into your app's project() command!")
+  endif()
+
+  # mbed_generate_bin_hex() puts the hex file at the following path
+  set(TARGET_HEX_FILE ${CMAKE_CURRENT_BINARY_DIR}/$<TARGET_FILE_BASE_NAME:${TARGET}>.hex)
+
+  # Grab header size
+  if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)")
+    message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!")
+  endif()
+  set(HEADER_SIZE_HEX ${CMAKE_MATCH_1})
+
+  # Grab slot size
+  if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_SLOT_SIZE=(0x[0-9A-Fa-f]+)")
+    message(FATAL_ERROR "Couldn't find MCUBOOT_SLOT_SIZE in Mbed configuration!")
+  endif()
+  set(SLOT_SIZE_HEX ${CMAKE_MATCH_1})
+
+  get_property(objcopy GLOBAL PROPERTY ELF2BIN)
+
+  if(${IMAGE_TYPE} STREQUAL "update" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
+    set(IMGTOOL_EXTRA_ARGS --encrypt ${MCUBOOT_ENCRYPTION_KEY_ABSPATH})
+  elseif(${IMAGE_TYPE} STREQUAL "initial" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
+    # If encryption is enabled, generate unencrypted initial image which supports encryption.
+    # See https://github.com/mbed-ce/mbed-os/issues/401#issuecomment-2567099213
+    set(IMGTOOL_EXTRA_ARGS --clear)
+  else()
+    set(IMGTOOL_EXTRA_ARGS "")
+  endif()
+
+  add_custom_command(
+    TARGET ${TARGET}
+    POST_BUILD
+    DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH}
+    COMMAND
+      ${Python3_EXECUTABLE} -m imgtool.main
+      sign
+      --key ${MCUBOOT_SIGNING_KEY_ABSPATH} # this specifies the file containing the keys used to sign/verify the application
+      --align 4 # this lets mcuboot know the intrinsic alignment of the flash (32-bits = 4 byte alignment)
+      --version ${PROJECT_VERSION} # this sets the version number of the application
+      --header-size ${HEADER_SIZE_HEX} # this must be the same as the value specified in mcuboot.header-size configuration
+      --pad-header # this tells imgtool to insert the entire header, including any necessary padding bytes.
+      --slot-size ${SLOT_SIZE_HEX} # this specifies the maximum size of the application ("slot size"). It must be the same as the configured mcuboot.slot-size!
+      ${IMGTOOL_EXTRA_ARGS}
+      ${TARGET_HEX_FILE} ${IMAGE_BASE_PATH}.hex
+
+    COMMAND
+      ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.hex"
+
+    # Also generate bin file
+    COMMAND
+      ${objcopy} -I ihex -O binary ${IMAGE_BASE_PATH}.hex ${IMAGE_BASE_PATH}.bin
+
+    COMMAND
+      ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.bin"
+
+    COMMENT "Generating mcuboot ${IMAGE_TYPE} image for ${TARGET}..."
+    WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+    VERBATIM
+  )
+endfunction(_mcuboot_generate_image)
+
+#
+# Generate an initial image hex file for the given executable target.
+# This initial image is what should be flashed to a blank device (along with the bootloader).
+# A flash target (ninja flash-${TARGET}-initial-image) will also be created.
+#
+# NOTE: This function must be called *after* mbed_set_post_build() for the target!
+#
+# If you wish to specify the base name of the initial image, pass that as the second argument to
+# this function.  Otherwise, it will default to $<target name>-initial-image
+#
+function(mcuboot_generate_initial_image TARGET) # optional 2nd arg: initial image base filename
+  # Figure out file path
+  if("${ARGN}" STREQUAL "")
+    set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$<TARGET_FILE_BASE_NAME:${TARGET}>-initial-image)
+  else()
+    set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/${ARGN})
+  endif()
+
+  _mcuboot_generate_image(${TARGET} initial ${INITIAL_IMAGE_BASE_PATH})
+
+  # Create a flash target.
+  # We need to be slightly creative here -- Mbed thinks that the application start address
+  # is <primary slot address> + <header size>, but we actually want to upload to <primary slot address>.
+  # So we need to temporarily override MBED_UPLOAD_BASE_ADDR with an offset value
+  if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)")
+    message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!")
+  endif()
+  set(HEADER_SIZE_HEX ${CMAKE_MATCH_1})
+  math(EXPR MBED_UPLOAD_BASE_ADDR "${MBED_UPLOAD_BASE_ADDR} - ${HEADER_SIZE_HEX}" OUTPUT_FORMAT HEXADECIMAL)
+
+  gen_upload_target(${TARGET}-initial-image ${INITIAL_IMAGE_BASE_PATH}.bin)
+  if(TARGET flash-${TARGET}-initial-image)
+    add_dependencies(flash-${TARGET}-initial-image ${TARGET})
+  endif()
+endfunction(mcuboot_generate_initial_image)
+
+#
+# Generate an update image hex file for the given executable target.
+# This image is what should be flashed to the secondary block device and passed to
+# mcuboot as an update file.
+#
+# NOTE: This function must be called *after* mbed_set_post_build() for the target!
+#
+# NOTE 2: The hex file produced by this function will still "declare" its address as the primary slot
+# address. This can cause issues if you pass it to a tool that uses this offset to decide where to load it.
+# If this is a problem, we recommend the "arm-none-eabi-objcopy --change-addresses" command to change this address.
+#
+# If you wish to specify the base name of the update image, pass that as the second argument to
+# this function.  Otherwise, it will default to $<target name>-update-image
+#
+function(mcuboot_generate_update_image TARGET) # optional 2nd arg: update image base filename
+  # Figure out file path
+  if("${ARGN}" STREQUAL "")
+    set(UPDATE_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$<TARGET_FILE_BASE_NAME:${TARGET}>-update-image)
+  else()
+    set(UPDATE_IMAGE_BASE_PATH${CMAKE_CURRENT_BINARY_DIR}/${ARGN})
+  endif()
+
+  _mcuboot_generate_image(${TARGET} update ${UPDATE_IMAGE_BASE_PATH})
+endfunction(mcuboot_generate_update_image)
+
+#
+# Generate a C source file with signing keys in it at the given location.
+# The file should be added as a source file to a library built in the same directory.
+#
+function(mcuboot_generate_signing_keys_file SIGNING_KEYS_C_PATH)
+  add_custom_command(
+    OUTPUT ${SIGNING_KEYS_C_PATH}
+    COMMAND
+      ${Python3_EXECUTABLE} -m imgtool.main
+      getpub
+      --key ${MCUBOOT_SIGNING_KEY_ABSPATH}
+      --output ${SIGNING_KEYS_C_PATH}
+
+    DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH}
+    COMMENT "Converting signing key to C source..."
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    VERBATIM
+  )
+endfunction(mcuboot_generate_signing_keys_file)
+
+#
+# Generate a C source file with the encryption private key in it at the given location.
+# The file should be added as a source file to a library built in the same directory.
+#
+function(mcuboot_generate_encryption_key_file ENC_KEY_C_PATH)
+  add_custom_command(
+    OUTPUT ${ENC_KEY_C_PATH}
+    COMMAND
+      ${Python3_EXECUTABLE} -m imgtool.main
+      getpriv
+      --key ${MCUBOOT_SIGNING_KEY_ABSPATH}
+      > ${ENC_KEY_C_PATH}
+
+    DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH}
+    COMMENT "Converting encryption key to C source..."
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    VERBATIM
+  )
+endfunction(mcuboot_generate_encryption_key_file)

boot/mbed/mcuboot_main.cpp

@@ -19,6 +19,7 @@
 #if MCUBOOT_BOOTLOADER_BUILD
 
 #include <stdlib.h>
+#include <cinttypes>
 #include "bootutil/bootutil.h"
 #include "bootutil/image.h"
 #include "hal/serial_api.h"
@@ -83,7 +84,7 @@ int main()
     // Workaround: The extra \n ensures the last trace gets flushed
     // before mbed_start_application() destroys the stack and jumps
     // to the application
-    tr_info("Booting firmware image at 0x%x\n", address);
+    tr_info("Booting firmware image at 0x%" PRIx32 "\n", address);
 
     // Run the application in the primary slot
     // Add header size offset to calculate the actual start address of application