155 lines
5.7 KiB
CMake
155 lines
5.7 KiB
CMake
# Copyright (c) 2020 Nordic Semiconductor ASA
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# This file includes extra build system logic that is enabled when
|
|
# CONFIG_BOOTLOADER_MCUBOOT=y.
|
|
#
|
|
# It builds signed binaries using imgtool as a post-processing step
|
|
# after zephyr/zephyr.elf is created in the build directory.
|
|
#
|
|
# Since this file is brought in via include(), we do the work in a
|
|
# function to avoid polluting the top-level scope.
|
|
|
|
function(zephyr_runner_file type path)
|
|
# Property magic which makes west flash choose the signed build
|
|
# output of a given type.
|
|
set_target_properties(runners_yaml_props_target PROPERTIES "${type}_file" "${path}")
|
|
endfunction()
|
|
|
|
function(zephyr_mcuboot_tasks)
|
|
set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
|
|
set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
|
|
|
|
# Check for misconfiguration.
|
|
if("${keyfile}" STREQUAL "")
|
|
# No signature key file, no signed binaries. No error, though:
|
|
# this is the documented behavior.
|
|
return()
|
|
endif()
|
|
|
|
if(NOT WEST)
|
|
# This feature requires west.
|
|
message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.")
|
|
endif()
|
|
|
|
foreach(file keyfile keyfile_enc)
|
|
if(NOT "${${file}}" STREQUAL "")
|
|
if(NOT IS_ABSOLUTE "${${file}}")
|
|
# Relative paths are relative to 'west topdir'.
|
|
set(${file} "${WEST_TOPDIR}/${${file}}")
|
|
endif()
|
|
|
|
if(NOT EXISTS "${${file}}")
|
|
message(FATAL_ERROR "west sign can't find file ${${file}} (Note: Relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\")")
|
|
elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
|
|
message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
|
|
endif()
|
|
endif()
|
|
endforeach()
|
|
|
|
# Find imgtool. Even though west is installed, imgtool might not be.
|
|
# The user may also have a custom manifest which doesn't include
|
|
# MCUboot.
|
|
#
|
|
# Therefore, go with an explicitly installed imgtool first, falling
|
|
# back on mcuboot/scripts/imgtool.py.
|
|
if(IMGTOOL)
|
|
set(imgtool_path "${IMGTOOL}")
|
|
elseif(DEFINED ZEPHYR_MCUBOOT_MODULE_DIR)
|
|
set(IMGTOOL_PY "${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts/imgtool.py")
|
|
if(EXISTS "${IMGTOOL_PY}")
|
|
set(imgtool_path "${IMGTOOL_PY}")
|
|
endif()
|
|
endif()
|
|
|
|
# No imgtool, no signed binaries.
|
|
if(NOT DEFINED imgtool_path)
|
|
message(FATAL_ERROR "Can't sign images for MCUboot: can't find imgtool. To fix, install imgtool with pip3, or add the mcuboot repository to the west manifest and ensure it has a scripts/imgtool.py file.")
|
|
return()
|
|
endif()
|
|
|
|
# Basic 'west sign' command and output format independent arguments.
|
|
set(west_sign ${WEST} sign --quiet --tool imgtool
|
|
--tool-path "${imgtool_path}"
|
|
--build-dir "${APPLICATION_BINARY_DIR}")
|
|
|
|
# Arguments to imgtool.
|
|
if(NOT CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "")
|
|
# Separate extra arguments into the proper format for adding to
|
|
# extra_post_build_commands.
|
|
#
|
|
# Use UNIX_COMMAND syntax for uniform results across host
|
|
# platforms.
|
|
separate_arguments(imgtool_extra UNIX_COMMAND ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS})
|
|
else()
|
|
set(imgtool_extra)
|
|
endif()
|
|
set(imgtool_args -- --key "${keyfile}" ${imgtool_extra})
|
|
|
|
# Extensionless prefix of any output file.
|
|
set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
|
|
|
|
# List of additional build byproducts.
|
|
set(byproducts)
|
|
|
|
# 'west sign' arguments for confirmed, unconfirmed and encrypted images.
|
|
set(unconfirmed_args)
|
|
set(confirmed_args)
|
|
set(encrypted_args)
|
|
|
|
# Set up .bin outputs.
|
|
if(CONFIG_BUILD_OUTPUT_BIN)
|
|
list(APPEND unconfirmed_args --bin --sbin ${output}.signed.bin)
|
|
list(APPEND byproducts ${output}.signed.bin)
|
|
zephyr_runner_file(bin ${output}.signed.bin)
|
|
|
|
if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
|
|
list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin)
|
|
list(APPEND byproducts ${output}.signed.confirmed.bin)
|
|
endif()
|
|
|
|
if(NOT "${keyfile_enc}" STREQUAL "")
|
|
list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin)
|
|
list(APPEND byproducts ${output}.signed.encrypted.bin)
|
|
endif()
|
|
endif()
|
|
|
|
# Set up .hex outputs.
|
|
if(CONFIG_BUILD_OUTPUT_HEX)
|
|
list(APPEND unconfirmed_args --hex --shex ${output}.signed.hex)
|
|
list(APPEND byproducts ${output}.signed.hex)
|
|
zephyr_runner_file(hex ${output}.signed.hex)
|
|
|
|
if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE)
|
|
list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex)
|
|
list(APPEND byproducts ${output}.signed.confirmed.hex)
|
|
endif()
|
|
|
|
if(NOT "${keyfile_enc}" STREQUAL "")
|
|
list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex)
|
|
list(APPEND byproducts ${output}.signed.encrypted.hex)
|
|
endif()
|
|
endif()
|
|
|
|
# Add the west sign calls and their byproducts to the post-processing
|
|
# steps for zephyr.elf.
|
|
#
|
|
# CMake guarantees that multiple COMMANDs given to
|
|
# add_custom_command() are run in order, so adding the 'west sign'
|
|
# calls to the "extra_post_build_commands" property ensures they run
|
|
# after the commands which generate the unsigned versions.
|
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
|
|
${west_sign} ${unconfirmed_args} ${imgtool_args})
|
|
if(confirmed_args)
|
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
|
|
${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm)
|
|
endif()
|
|
if(encrypted_args)
|
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
|
|
${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}")
|
|
endif()
|
|
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})
|
|
endfunction()
|
|
|
|
zephyr_mcuboot_tasks()
|