-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmake: mcuboot: Use imgtool instead of west for signing #78983
Open
nordicjm
wants to merge
8
commits into
zephyrproject-rtos:main
Choose a base branch
from
nordicjm:mcubootsingingimgtool
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
170b458
modules: mcuboot: Add Kconfig for firmware updater image
nordicjm aa86bc3
cmake: mcuboot: Use imgtool instead of west for signing
nordicjm 7574167
doc: release: 3.4: Remove Kconfig option usage for removed Kconfig
nordicjm 15572de
doc: release: 3.4: Use double backticks
nordicjm dd9e5d8
scripts: west_commands: sign: Deprecate imgtool signing
nordicjm 8da4318
doc: release: 4.0: Add note on imgtool west sign change
nordicjm f54d3f3
doc: migration: 4.0: Add notes on deprecation of imgtool west sign
nordicjm 6e43321
doc: build: Add signing page
nordicjm File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,3 +16,4 @@ Build and Configuration Systems | |
sysbuild/index.rst | ||
version/index.rst | ||
flashing/index.rst | ||
signing/index.rst |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
.. _build-signing: | ||
|
||
Signing Binaries | ||
################ | ||
|
||
Binaries can be optionally signed as part of a build automatically using CMake code, there is | ||
also the ability to use ``west sign`` to sign binaries too, this page describes the former, the | ||
latter is documented on :ref:`west-sign`. | ||
|
||
MCUboot / imgtool | ||
***************** | ||
|
||
The Zephyr build system has special support for signing binaries for use with the `MCUboot`_ | ||
bootloader using the `imgtool`_ program provided by its developers. You can both build and sign | ||
this type of application binary in one step by setting some Kconfig options. If you do, | ||
``west flash`` will use the signed binaries. | ||
|
||
Here is an example workflow, which builds and flashes MCUboot, as well as the | ||
:zephyr:code-sample:`hello_world` application for chain-loading by MCUboot. Run these commands | ||
from the :file:`zephyrproject` workspace you created in the :ref:`getting_started`. | ||
|
||
.. code-block:: console | ||
|
||
west build -b YOUR_BOARD zephyr/samples/hello_world --sysbuild -d build-hello-signed -- \ | ||
-DSB_CONFIG_BOOTLOADER_MCUBOOT=y | ||
|
||
west flash -d build-hello-signed | ||
|
||
Notes on the above commands: | ||
|
||
- ``YOUR_BOARD`` should be changed to match your board | ||
- The singing key value is the insecure default provided and used by MCUboot for development | ||
and testing | ||
- You can change the ``hello_world`` application directory to any other application that can be | ||
loaded by MCUboot, such as the :zephyr:code-sample:`smp-svr` sample. | ||
|
||
For more information on these and other related configuration options, see: | ||
|
||
- ``SB_CONFIG_BOOTLOADER_MCUBOOT``: build the application for loading by MCUboot | ||
- ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE``: the key file to use when singing images. If you have | ||
your own key, change this appropriately | ||
- :kconfig:option:`CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS`: optional additional command line arguments | ||
for ``imgtool`` | ||
- :kconfig:option:`CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE`: also generate a confirmed image, | ||
which may be more useful for flashing in production environments than the OTA-able default image | ||
- On Windows, if you get "Access denied" issues, the recommended fix is to run | ||
``pip3 install imgtool``, then retry with a pristine build directory. | ||
|
||
If your ``west flash`` :ref:`runner <west-runner>` uses an image format supported by imgtool, you | ||
should see something like this on your device's serial console when you run | ||
``west flash -d build-hello-signed``: | ||
|
||
.. code-block:: none | ||
|
||
*** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** | ||
[00:00:00.004,669] <inf> mcuboot: Starting bootloader | ||
[00:00:00.011,169] <inf> mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3 | ||
[00:00:00.021,636] <inf> mcuboot: Boot source: none | ||
[00:00:00.027,374] <inf> mcuboot: Swap type: none | ||
[00:00:00.115,142] <inf> mcuboot: Bootloader chainload address offset: 0xc000 | ||
[00:00:00.123,168] <inf> mcuboot: Jumping to the first image slot | ||
*** Booting Zephyr OS build zephyr-v2.3.0-2310-gcebac69c8ae1 *** | ||
Hello World! nrf52840dk_nrf52840 | ||
|
||
Whether ``west flash`` supports this feature depends on your runner. The ``nrfjprog`` and | ||
``pyocd`` runners work with the above flow. If your runner does not support this flow and you | ||
would like it to, please send a patch or file an issue for adding support. | ||
|
||
.. _west-extending-signing: | ||
|
||
Extending signing externally | ||
**************************** | ||
|
||
The signing script used when running ``west flash`` can be extended or replaced to change features | ||
or introduce different signing mechanisms. By default with MCUboot enabled, signing is setup by | ||
the :file:`cmake/mcuboot.cmake` file in Zephyr which adds extra post build commands for generating | ||
the signed images. The file used for signing can be replaced from a sysbuild scope (if being used) | ||
or from a zephyr/zephyr module scope, the priority of which is: | ||
|
||
* Sysbuild | ||
* Zephyr property | ||
* Default MCUboot script (if enabled) | ||
|
||
From sysbuild, ``-D<target>_SIGNING_SCRIPT`` can be used to set a signing script for a specific | ||
image or ``-DSIGNING_SCRIPT`` can be used to set a signing script for all images, for example: | ||
|
||
.. code-block:: console | ||
|
||
west build -b <board> <application> -DSIGNING_SCRIPT=<file> | ||
|
||
The zephyr property method is achieved by adjusting the ``SIGNING_SCRIPT`` property on the | ||
``zephyr_property_target``, ideally from by a module by using: | ||
|
||
.. code-block:: cmake | ||
|
||
if(CONFIG_BOOTLOADER_MCUBOOT) | ||
set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/custom_signing.cmake) | ||
endif() | ||
|
||
This will include the custom signing CMake file instead of the default Zephyr one when projects | ||
are built with MCUboot signing support enabled. The base Zephyr MCUboot signing file can be | ||
used as a reference for creating a new signing system or extending the default behaviour. | ||
|
||
.. _MCUboot: | ||
https://mcuboot.com/ | ||
|
||
.. _imgtool: | ||
https://pypi.org/project/imgtool/ |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor nit, quite a long line.