diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake index 6dd0717f515782..25fa1827f33f7e 100644 --- a/cmake/mcuboot.cmake +++ b/cmake/mcuboot.cmake @@ -73,12 +73,30 @@ function(zephyr_mcuboot_tasks) return() endif() - # Basic 'west sign' command and output format independent arguments. - separate_arguments(west_sign_extra UNIX_COMMAND ${CONFIG_MCUBOOT_CMAKE_WEST_SIGN_PARAMS}) - set(west_sign ${WEST} sign ${west_sign_extra} - --tool imgtool - --tool-path "${imgtool_path}" - --build-dir "${APPLICATION_BINARY_DIR}") + # Fetch devicetree details for flash and slot information + dt_chosen(flash_node PROPERTY "zephyr,flash") + dt_nodelabel(slot0_flash NODELABEL "slot0_partition" REQUIRED) + dt_prop(slot_size PATH "${slot0_flash}" PROPERTY "reg" INDEX 1 REQUIRED) + dt_prop(write_block_size PATH "${flash_node}" PROPERTY "write-block-size") + + if(NOT write_block_size) + set(write_block_size 4) + message(WARNING "slot0_partition write block size devicetree parameter is missing, assuming write block size is 4") + endif() + + # If single slot mode, or if in firmware updater mode and this is the firmware updater image, + # use slot 0 information + if(NOT CONFIG_MCUBOOT_BOOTLOADER_MODE_SINGLE_APP AND (NOT CONFIG_MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER OR CONFIG_MCUBOOT_APPLICATION_FIRMWARE_UPDATER)) + # Slot 1 size is used instead of slot 0 size + set(slot_size) + dt_nodelabel(slot1_flash NODELABEL "slot1_partition" REQUIRED) + dt_prop(slot_size PATH "${slot1_flash}" PROPERTY "reg" INDEX 1 REQUIRED) + endif() + + # Basic 'imgtool sign' command with known image information. + set(imgtool_sign ${PYTHON_EXECUTABLE} ${imgtool_path} sign + --version ${CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION} --header-size ${CONFIG_ROM_START_OFFSET} + --slot-size ${slot_size}) # Arguments to imgtool. if(NOT CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "") @@ -87,102 +105,90 @@ function(zephyr_mcuboot_tasks) # # Use UNIX_COMMAND syntax for uniform results across host # platforms. - separate_arguments(imgtool_extra UNIX_COMMAND ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}) + separate_arguments(imgtool_args UNIX_COMMAND ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}) else() - set(imgtool_extra) + set(imgtool_args) endif() if(NOT "${keyfile}" STREQUAL "") - set(imgtool_extra --key "${keyfile}" ${imgtool_extra}) + set(imgtool_args --key "${keyfile}" ${imgtool_args}) endif() # Use overwrite-only instead of swap upgrades. if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY) - set(imgtool_extra --overwrite-only --align 1 ${imgtool_extra}) + set(imgtool_args --overwrite-only --align 1 ${imgtool_args}) + else() + set(imgtool_args --align ${write_block_size} ${imgtool_args}) endif() - set(imgtool_args -- ${imgtool_extra}) - # Extensionless prefix of any output file. set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}) # List of additional build byproducts. set(byproducts) - # 'west sign' arguments for confirmed, unconfirmed and encrypted images. - set(unconfirmed_args) - set(confirmed_args) - set(encrypted_args) - # Set up .bin outputs. if(CONFIG_BUILD_OUTPUT_BIN) - list(APPEND unconfirmed_args --bin --sbin ${output}.signed.bin) list(APPEND byproducts ${output}.signed.bin) zephyr_runner_file(bin ${output}.signed.bin) set(BYPRODUCT_KERNEL_SIGNED_BIN_NAME "${output}.signed.bin" CACHE FILEPATH "Signed kernel bin file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} ${output}.bin ${output}.signed.bin) if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) - list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin) list(APPEND byproducts ${output}.signed.confirmed.bin) set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_BIN_NAME "${output}.signed.confirmed.bin" CACHE FILEPATH "Signed and confirmed kernel bin file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} --pad --confirm ${output}.bin + ${output}.signed.confirmed.bin) endif() if(NOT "${keyfile_enc}" STREQUAL "") - list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin) list(APPEND byproducts ${output}.signed.encrypted.bin) set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_BIN_NAME "${output}.signed.encrypted.bin" CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" ${output}.bin + ${output}.signed.encrypted.bin) endif() endif() # Set up .hex outputs. if(CONFIG_BUILD_OUTPUT_HEX) - list(APPEND unconfirmed_args --hex --shex ${output}.signed.hex) list(APPEND byproducts ${output}.signed.hex) zephyr_runner_file(hex ${output}.signed.hex) set(BYPRODUCT_KERNEL_SIGNED_HEX_NAME "${output}.signed.hex" CACHE FILEPATH "Signed kernel hex file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} ${output}.hex ${output}.signed.hex) if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE) - list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex) list(APPEND byproducts ${output}.signed.confirmed.hex) set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME "${output}.signed.confirmed.hex" CACHE FILEPATH "Signed and confirmed kernel hex file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} --pad --confirm ${output}.hex + ${output}.signed.confirmed.hex) endif() if(NOT "${keyfile_enc}" STREQUAL "") - list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex) list(APPEND byproducts ${output}.signed.encrypted.hex) set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_HEX_NAME "${output}.signed.encrypted.hex" CACHE FILEPATH "Signed and encrypted kernel hex file" FORCE ) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" ${output}.hex + ${output}.signed.encrypted.hex) endif() endif() - # Add the west sign calls and their byproducts to the post-processing - # steps for zephyr.elf. - # - # CMake guarantees that multiple COMMANDs given to - # add_custom_command() are run in order, so adding the 'west sign' - # calls to the "extra_post_build_commands" property ensures they run - # after the commands which generate the unsigned versions. - set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND - ${west_sign} ${unconfirmed_args} ${imgtool_args}) - if(confirmed_args) - set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND - ${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm) - endif() - if(encrypted_args) - set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND - ${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}") - endif() set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts}) endfunction() diff --git a/doc/build/index.rst b/doc/build/index.rst index 91bf4c6018c1f4..63e3bcc6dce023 100644 --- a/doc/build/index.rst +++ b/doc/build/index.rst @@ -16,3 +16,4 @@ Build and Configuration Systems sysbuild/index.rst version/index.rst flashing/index.rst + signing/index.rst diff --git a/doc/build/signing/index.rst b/doc/build/signing/index.rst new file mode 100644 index 00000000000000..03cd5fedc679e1 --- /dev/null +++ b/doc/build/signing/index.rst @@ -0,0 +1,108 @@ +.. _build-signing: + +Signing Binaries +################ + +Binaries can be optionally signed as part of a build automatically using CMake code, there is +also the ability to use ``west sign`` to sign binaries too, this page describes the former, the +latter is documented on :ref:`west-sign`. + +MCUboot / imgtool +***************** + +The Zephyr build system has special support for signing binaries for use with the `MCUboot`_ +bootloader using the `imgtool`_ program provided by its developers. You can both build and sign +this type of application binary in one step by setting some Kconfig options. If you do, +``west flash`` will use the signed binaries. + +Here is an example workflow, which builds and flashes MCUboot, as well as the +:zephyr:code-sample:`hello_world` application for chain-loading by MCUboot. Run these commands +from the :file:`zephyrproject` workspace you created in the :ref:`getting_started`. + +.. code-block:: console + + west build -b YOUR_BOARD zephyr/samples/hello_world --sysbuild -d build-hello-signed -- \ + -DSB_CONFIG_BOOTLOADER_MCUBOOT=y + + west flash -d build-hello-signed + +Notes on the above commands: + +- ``YOUR_BOARD`` should be changed to match your board +- The singing key value is the insecure default provided and used by MCUboot for development + and testing +- You can change the ``hello_world`` application directory to any other application that can be + loaded by MCUboot, such as the :zephyr:code-sample:`smp-svr` sample. + +For more information on these and other related configuration options, see: + +- ``SB_CONFIG_BOOTLOADER_MCUBOOT``: build the application for loading by MCUboot +- ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE``: the key file to use when singing images. If you have + your own key, change this appropriately +- :kconfig:option:`CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS`: optional additional command line arguments + for ``imgtool`` +- :kconfig:option:`CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE`: also generate a confirmed image, + which may be more useful for flashing in production environments than the OTA-able default image +- On Windows, if you get "Access denied" issues, the recommended fix is to run + ``pip3 install imgtool``, then retry with a pristine build directory. + +If your ``west flash`` :ref:`runner ` uses an image format supported by imgtool, you +should see something like this on your device's serial console when you run +``west flash -d build-hello-signed``: + +.. code-block:: none + + *** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** + [00:00:00.004,669] mcuboot: Starting bootloader + [00:00:00.011,169] mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3 + [00:00:00.021,636] mcuboot: Boot source: none + [00:00:00.027,374] mcuboot: Swap type: none + [00:00:00.115,142] mcuboot: Bootloader chainload address offset: 0xc000 + [00:00:00.123,168] mcuboot: Jumping to the first image slot + *** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** + Hello World! nrf52840dk_nrf52840 + +Whether ``west flash`` supports this feature depends on your runner. The ``nrfjprog`` and +``pyocd`` runners work with the above flow. If your runner does not support this flow and you +would like it to, please send a patch or file an issue for adding support. + +.. _west-extending-signing: + +Extending signing externally +**************************** + +The signing script used when running ``west flash`` can be extended or replaced to change features +or introduce different signing mechanisms. By default with MCUboot enabled, signing is setup by +the :file:`cmake/mcuboot.cmake` file in Zephyr which adds extra post build commands for generating +the signed images. The file used for signing can be replaced from a sysbuild scope (if being used) +or from a zephyr/zephyr module scope, the priority of which is: + +* Sysbuild +* Zephyr property +* Default MCUboot script (if enabled) + +From sysbuild, ``-D_SIGNING_SCRIPT`` can be used to set a signing script for a specific +image or ``-DSIGNING_SCRIPT`` can be used to set a signing script for all images, for example: + +.. code-block:: console + + west build -b -DSIGNING_SCRIPT= + +The zephyr property method is achieved by adjusting the ``SIGNING_SCRIPT`` property on the +``zephyr_property_target``, ideally from by a module by using: + +.. code-block:: cmake + + if(CONFIG_BOOTLOADER_MCUBOOT) + set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/custom_signing.cmake) + endif() + +This will include the custom signing CMake file instead of the default Zephyr one when projects +are built with MCUboot signing support enabled. The base Zephyr MCUboot signing file can be +used as a reference for creating a new signing system or extending the default behaviour. + +.. _MCUboot: + https://mcuboot.com/ + +.. _imgtool: + https://pypi.org/project/imgtool/ diff --git a/doc/develop/west/sign.rst b/doc/develop/west/sign.rst index 7de7bf7de1dd7d..9b17bf025bb10a 100644 --- a/doc/develop/west/sign.rst +++ b/doc/develop/west/sign.rst @@ -9,133 +9,6 @@ external tool. In some configurations, ``west sign`` is also used to invoke an external, post-processing tool that "stitches" the final components of the image together. Run ``west sign -h`` for command line help. -MCUboot / imgtool -***************** - -The Zephyr build system has special support for signing binaries for use with -the `MCUboot`_ bootloader using the `imgtool`_ program provided by its -developers. You can both build and sign this type of application binary in one -step by setting some Kconfig options. If you do, ``west flash`` will use the -signed binaries. - -If you use this feature, you don't need to run ``west sign`` yourself; the -build system will do it for you. - -Here is an example workflow, which builds and flashes MCUboot, as well as the -:zephyr:code-sample:`hello_world` application for chain-loading by MCUboot. Run these commands -from the :file:`zephyrproject` workspace you created in the -:ref:`getting_started`. - -.. code-block:: console - - west build -b YOUR_BOARD bootloader/mcuboot/boot/zephyr -d build-mcuboot - west build -b YOUR_BOARD zephyr/samples/hello_world -d build-hello-signed -- \ - -DCONFIG_BOOTLOADER_MCUBOOT=y \ - -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\" - - west flash -d build-mcuboot - west flash -d build-hello-signed - -Notes on the above commands: - -- ``YOUR_BOARD`` should be changed to match your board -- The ``CONFIG_MCUBOOT_SIGNATURE_KEY_FILE`` value is the insecure default - provided and used by MCUboot for development and testing -- You can change the ``hello_world`` application directory to any other - application that can be loaded by MCUboot, such as the :zephyr:code-sample:`smp-svr` sample. - -For more information on these and other related configuration options, see: - -- :kconfig:option:`CONFIG_BOOTLOADER_MCUBOOT`: build the application for loading by - MCUboot -- :kconfig:option:`CONFIG_MCUBOOT_SIGNATURE_KEY_FILE`: the key file to use with ``west - sign``. If you have your own key, change this appropriately -- :kconfig:option:`CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS`: optional additional command line - arguments for ``imgtool`` -- :kconfig:option:`CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE`: also generate a confirmed - image, which may be more useful for flashing in production environments than - the OTA-able default image -- On Windows, if you get "Access denied" issues, the recommended fix is - to run ``pip3 install imgtool``, then retry with a pristine build directory. - -If your ``west flash`` :ref:`runner ` uses an image format -supported by imgtool, you should see something like this on your device's -serial console when you run ``west flash -d build-mcuboot``: - -.. code-block:: none - - *** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** - [00:00:00.004,669] mcuboot: Starting bootloader - [00:00:00.011,169] mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3 - [00:00:00.021,636] mcuboot: Boot source: none - [00:00:00.027,313] mcuboot: Failed reading image headers; Image=0 - [00:00:00.035,064] mcuboot: Unable to find bootable image - -Then, you should see something like this when you run ``west flash -d -build-hello-signed``: - -.. code-block:: none - - *** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** - [00:00:00.004,669] mcuboot: Starting bootloader - [00:00:00.011,169] mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3 - [00:00:00.021,636] mcuboot: Boot source: none - [00:00:00.027,374] mcuboot: Swap type: none - [00:00:00.115,142] mcuboot: Bootloader chainload address offset: 0xc000 - [00:00:00.123,168] mcuboot: Jumping to the first image slot - *** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** - Hello World! nrf52840dk_nrf52840 - -Whether ``west flash`` supports this feature depends on your runner. The -``nrfjprog`` and ``pyocd`` runners work with the above flow. If your runner -does not support this flow and you would like it to, please send a patch or -file an issue for adding support. - -.. _west-extending-signing: - -Extending signing externally -**************************** - -The signing script used when running ``west flash`` can be extended or replaced -to change features or introduce different signing mechanisms. By default with -MCUboot enabled, signing is setup by the :file:`cmake/mcuboot.cmake` file in -Zephyr which adds extra post build commands for generating the signed images. -The file used for signing can be replaced from a sysbuild scope (if being used) -or from a zephyr/zephyr module scope, the priority of which is: - -* Sysbuild -* Zephyr property -* Default MCUboot script (if enabled) - -From sysbuild, ``-D_SIGNING_SCRIPT`` can be used to set a signing script -for a specific image or ``-DSIGNING_SCRIPT`` can be used to set a signing script -for all images, for example: - -.. code-block:: console - - west build -b -DSIGNING_SCRIPT= - -The zephyr property method is achieved by adjusting the ``SIGNING_SCRIPT`` property -on the ``zephyr_property_target``, ideally from by a module by using: - -.. code-block:: cmake - - if(CONFIG_BOOTLOADER_MCUBOOT) - set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/custom_signing.cmake) - endif() - -This will include the custom signing CMake file instead of the default Zephyr -one when projects are built with MCUboot signing support enabled. The base -Zephyr MCUboot signing file can be used as a reference for creating a new -signing system or extending the default behaviour. - -.. _MCUboot: - https://mcuboot.com/ - -.. _imgtool: - https://pypi.org/project/imgtool/ - - rimage ****** diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst index 7044aac712a58c..5905952ebae947 100644 --- a/doc/releases/migration-guide-4.0.rst +++ b/doc/releases/migration-guide-4.0.rst @@ -18,6 +18,12 @@ the :ref:`release notes`. Build System ************ +* Removed the ``CONFIG_MCUBOOT_CMAKE_WEST_SIGN_PARAMS`` Kconfig option as ``west sign`` is no + longer called by the build system when signing images for MCUboot. + +* The imgtool part of ``west sign`` has been deprecated, options to be supplied to imgtool when + signing should be set in :kconfig:option:`CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS` instead. + Kernel ****** diff --git a/doc/releases/release-notes-3.4.rst b/doc/releases/release-notes-3.4.rst index 3b96c3e8bb8c08..a8c3b6608e97ad 100644 --- a/doc/releases/release-notes-3.4.rst +++ b/doc/releases/release-notes-3.4.rst @@ -253,7 +253,7 @@ Deprecated in this release Stable API changes in this release ================================== -* Removed `bt_set_oob_data_flag` and replaced it with two new API calls: +* Removed ``bt_set_oob_data_flag`` and replaced it with two new API calls: * :c:func:`bt_le_oob_set_sc_flag` for setting/clearing OOB flag in SC pairing * :c:func:`bt_le_oob_set_legacy_flag` for setting/clearing OOB flag in legacy paring @@ -723,7 +723,7 @@ Build system and infrastructure * Babblesim is now included in the west manifest. Users can fetch it by enabling the ``babblesim`` group with west config. -* `west sign` now uses DT labels, of "fixed-partition" compatible nodes, to identify +* ``west sign`` now uses DT labels, of "fixed-partition" compatible nodes, to identify application image slots, instead of previously used DT node label properties. If you have been using custom partition layout for MCUboot, you will have to label your MCUboot slot partitions with proper DT node labels; for example partition @@ -1406,7 +1406,7 @@ MCUboot interactive Kconfig interfaces, the MCUboot options will now be located under ``Modules`` instead of under ``Boot Options``. -* Added :kconfig:option:`CONFIG_MCUBOOT_CMAKE_WEST_SIGN_PARAMS` that allows to pass arguments to +* Added ``CONFIG_MCUBOOT_CMAKE_WEST_SIGN_PARAMS`` that allows to pass arguments to west sign when invoked from cmake. Storage diff --git a/doc/releases/release-notes-4.0.rst b/doc/releases/release-notes-4.0.rst index b5bcacdb9e5c17..6abb872de24a58 100644 --- a/doc/releases/release-notes-4.0.rst +++ b/doc/releases/release-notes-4.0.rst @@ -144,6 +144,9 @@ Build system and Infrastructure * ``--vendor-prefixes`` * ``--edtlib-Werror`` +* Switched to using imgtool directly from the build system when signing images instead of calling + ``west sign``. + Documentation ************* diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot index b46c709d8ef446..a914ff1d5a84ba 100644 --- a/modules/Kconfig.mcuboot +++ b/modules/Kconfig.mcuboot @@ -35,18 +35,6 @@ config BOOTLOADER_MCUBOOT if BOOTLOADER_MCUBOOT -config MCUBOOT_CMAKE_WEST_SIGN_PARAMS - string "Extra parameters to west sign" - default "--quiet" - help - Parameters that are passed by cmake to west sign, just after - the command, before all other parameters needed for image - signing. - By default this is set to "--quiet" to prevent extra, non-error, - diagnostic messages from west sign. This does not affect signing - tool for which extra parameters are passed with - MCUBOOT_EXTRA_IMGTOOL_ARGS. - config MCUBOOT_SIGNATURE_KEY_FILE string "Path to the mcuboot signing key file" default "" @@ -256,6 +244,16 @@ config MCUBOOT_BOOTLOADER_NO_DOWNGRADE MCUBOOT_DOWNGRADE_PREVENTION option enabled. endif +config MCUBOOT_APPLICATION_FIRMWARE_UPDATER + bool "Application is firmware updater image" + depends on MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER + help + Select this if the current image is the firmware updater image. This will use slot 1 + information when signing the image. + + Note that the zephyr chosen node ``zephyr,code-partition`` should be set to + ``slot1_partition`` for this image. + endmenu # On board MCUboot operation mode endif # BOOTLOADER_MCUBOOT diff --git a/scripts/west_commands/sign.py b/scripts/west_commands/sign.py index 54fbe75d8fde70..5efbfa5e731390 100644 --- a/scripts/west_commands/sign.py +++ b/scripts/west_commands/sign.py @@ -129,7 +129,7 @@ def do_add_parser(self, parser_adder): group = parser.add_argument_group('tool control options') group.add_argument('-t', '--tool', choices=['imgtool', 'rimage'], help='''image signing tool name; imgtool and rimage - are currently supported''') + are currently supported (imgtool is deprecated)''') group.add_argument('-p', '--tool-path', default=None, help='''path to the tool itself, if needed''') group.add_argument('-D', '--tool-data', default=None, @@ -246,6 +246,8 @@ def sign(self, command, build_dir, build_conf, formats): args = command.args b = pathlib.Path(build_dir) + log.wrn("west sign using imgtool is deprecated and will be removed in a future release") + imgtool = self.find_imgtool(command, args) # The vector table offset and application version are set in Kconfig: appver = self.get_cfg(command, build_conf, 'CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION')