Scripts: Security enablement during west build

Added changes to automate the signing of zephyr security
using customtool during the west build process.

Signed-off-by: Aasim Shaik <[email protected]>

Author: Aasimshaik11

CMakeLists.txt

@@ -8,9 +8,6 @@
 #
 # To see a list of typical targets execute "make usage"
 # More info can be located in ./README.rst
-# Comments in this file are targeted only to the developer, do not
-# expect to learn how to build the kernel reading this file.
-
 if(NOT DEFINED ZEPHYR_BINARY_DIR)
   message(FATAL_ERROR "A user error has occurred.
 cmake was invoked with '${CMAKE_CURRENT_LIST_DIR}' specified as the source directory,
@@ -2303,3 +2300,92 @@ build_info(zephyr version VALUE ${PROJECT_VERSION_STR})
 build_info(zephyr zephyr-base VALUE ${ZEPHYR_BASE})
 
 yaml_save(NAME build_info)
+# Locate the .west/config file (assuming it's in the workspace root, i.e., $PWD)
+set(WEST_CONFIG_FILE "$ENV{PWD}/.west/config")
+
+# Read the config file content and extract signing parameters
+if(EXISTS ${WEST_CONFIG_FILE})
+    file(READ ${WEST_CONFIG_FILE} WEST_CONFIG_CONTENT)
+    # Extract sign_firmware value from [sign] section
+    string(REGEX MATCH "sign_firmware = ([0-1])" SIGN_FIRMWARE_MATCH "${WEST_CONFIG_CONTENT}")
+    if(CMAKE_MATCH_1)
+        set(SIGN_FIRMWARE ${CMAKE_MATCH_1})
+    else()
+        set(SIGN_FIRMWARE 0)  # Default to 0 if not found
+    endif()
+
+    # Extract tool path from [sign.customtool] section, ensure absolute path
+    string(REGEX MATCH "tool-path = ([^\n]+)" TOOL_PATH_MATCH "${WEST_CONFIG_CONTENT}")
+    if(CMAKE_MATCH_1)
+        set(CUSTOM_SIGN_TOOL_PATH "${CMAKE_MATCH_1}")
+    else()
+        # Use absolute path based on $ENV{PWD}
+        set(CUSTOM_SIGN_TOOL_PATH "$ENV{PWD}/zephyr/scripts/west_commands/sign_rps.py")
+    endif()
+
+    # Extract m4_ota_key from [sign.customtool] section
+    string(REGEX MATCH "m4-ota-key = ([^\n]+)" M4_OTA_KEY_MATCH "${WEST_CONFIG_CONTENT}")
+    set(M4_OTA_KEY "${CMAKE_MATCH_1}")
+
+    # Extract m4_private_key from [sign.customtool] section
+    string(REGEX MATCH "m4-private-key = ([^\n]+)" M4_PRIVATE_KEY_MATCH "${WEST_CONFIG_CONTENT}")
+    set(M4_PRIVATE_KEY "${CMAKE_MATCH_1}")
+else()
+    message(WARNING "West config file not found at ${WEST_CONFIG_FILE}. Using default signing settings.")
+    set(SIGN_FIRMWARE 0)  # Default to 0 if config file is missing
+endif()
+
+# Ensure CUSTOM_SIGN_TOOL_PATH is absolute
+if(NOT IS_ABSOLUTE "${CUSTOM_SIGN_TOOL_PATH}")
+    set(CUSTOM_SIGN_TOOL_PATH "$ENV{PWD}/zephyr/scripts/west_commands/sign_rps.py")
+endif()
+
+message(STATUS "SIGN_FIRMWARE = ${SIGN_FIRMWARE}")
+message(STATUS "CUSTOM_SIGN_TOOL_PATH = ${CUSTOM_SIGN_TOOL_PATH}")
+message(STATUS "M4_OTA_KEY = ${M4_OTA_KEY}")
+message(STATUS "M4_PRIVATE_KEY = ${M4_PRIVATE_KEY}")
+
+# Define paths for input, intermediate, and output files
+set(ZEPHYR_BIN "${CMAKE_BINARY_DIR}/zephyr/zephyr.bin.rps")  # Input file
+set(ZEPHYR_SIGNED_RPS "${CMAKE_BINARY_DIR}/zephyr/zephyr.signed.rps")  # Blank signed file
+set(ZEPHYR_BIN_RPS "${CMAKE_BINARY_DIR}/zephyr/zephyr.bin.rps")  # Final output file
+
+# Conditionally define the custom signing command
+if(SIGN_FIRMWARE EQUAL 1)
+    # Define the custom signing command with conditions
+    add_custom_command(
+        OUTPUT ${ZEPHYR_BIN_RPS} ${ZEPHYR_SIGNED_RPS}
+        COMMAND ${CMAKE_COMMAND} -E echo "Checking custom signing conditions after build..."
+        COMMAND sh -c "if [ -f '${ZEPHYR_BIN}' ] && [ ! -f '${ZEPHYR_SIGNED_RPS}' ]; then \
+            echo 'Conditions met: sign_firmware=1, zephyr.bin exists, zephyr.signed.bin does not exist'; \
+            touch '${ZEPHYR_SIGNED_RPS}' && \
+            ${PYTHON_EXECUTABLE} '${CUSTOM_SIGN_TOOL_PATH}' \
+                --input '${ZEPHYR_BIN}' \
+                --output '${ZEPHYR_BIN_RPS}' \
+                --m4_ota_key '${M4_OTA_KEY}' \
+                --m4_private_key '${M4_PRIVATE_KEY}'; \
+            else \
+                echo 'Skipping signing: conditions not met'; \
+                echo 'zephyr.bin exists? ' && ls -l '${ZEPHYR_BIN}' || echo 'No'; \
+                echo 'zephyr.signed.bin exists? ' && ls -l '${ZEPHYR_SIGNED_RPS}' || echo 'No'; \
+            fi"
+        WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+        DEPENDS ${logical_target_for_zephyr_elf}  # Ensure this runs after the final ELF is built
+        COMMENT "Custom signing of ${ZEPHYR_BIN} to ${ZEPHYR_BIN_RPS}, creating blank ${ZEPHYR_SIGNED_RPS}"
+        VERBATIM
+    )
+
+    # Add a custom target to trigger the signing
+    add_custom_target(custom_signing
+        DEPENDS ${ZEPHYR_BIN_RPS} ${ZEPHYR_SIGNED_RPS}
+    )
+
+    # Ensure signing runs post-build by adding it to the final target dependencies
+    add_custom_target(final_custom_signing ALL
+        DEPENDS ${logical_target_for_zephyr_elf} custom_signing
+        COMMENT "Ensuring custom signing runs post-build"
+    )
+else()
+    message(STATUS "Custom firmware signing skipped (sign_firmware = 0)")
+endif()
+

scripts/west_commands/sign.py

@@ -13,7 +13,8 @@
 import sys
 
 from elftools.elf.elffile import ELFFile
-
+# custom tool signer
+from west.configuration import config
 from west import manifest
 from west.commands import Verbosity
 from west.util import quote_sh_list
@@ -112,10 +113,10 @@ def do_add_parser(self, parser_adder):
 
         # general options
         group = parser.add_argument_group('tool control options')
-        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage'],
+        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage', 'customtool'],
                            help='''image signing tool name; imgtool and rimage
                            are currently supported (imgtool is deprecated)''')
-        group.add_argument('-p', '--tool-path', default=None,
+        group.add_argument('-p', '--tool-path', default='/zephyr/scripts/west_commands/sign_rps.py',
                            help='''path to the tool itself, if needed''')
         group.add_argument('-D', '--tool-data', default=None,
                            help='''path to a tool-specific data/configuration directory, if needed''')
@@ -195,6 +196,8 @@ def do_run(self, args, ignored):
             signer = ImgtoolSigner()
         elif args.tool == 'rimage':
             signer = RimageSigner()
+        elif args.tool == 'customtool':
+            signer = CustomToolSigner()
         # (Add support for other signers here in elif blocks)
         else:
             if args.tool is None:
@@ -633,3 +636,48 @@ def sign(self, command, build_dir, build_conf, formats):
 
         os.remove(out_bin)
         os.rename(out_tmp, out_bin)
+class CustomToolSigner(Signer):
+    def sign(self, command, build_dir, build_conf, formats):
+        if not formats:
+            return
+        args = command.args
+        b = pathlib.Path(build_dir)
+        kernel_name = 'zephyr'  # Default if build_conf is None
+        if build_conf:
+            kernel_name = build_conf.get('CONFIG_KERNEL_BIN_NAME', 'zephyr')
+        in_bin = b / 'zephyr' / f'{kernel_name}.bin.rps'
+        out_bin = args.sbin or str(b / 'zephyr' / 'zephyr.bin.rps')
+        if not in_bin.is_file():
+            command.die(f"no unsigned .bin found at {in_bin}")
+        # Retrieve values from .west/config [sign.customtool]
+        m4_ota_key = config.get('sign.customtool', 'm4-ota-key', fallback=None)
+        m4_private_key = config.get('sign.customtool', 'm4-private-key', fallback=None)
+        tool_path_rel = config.get('sign.customtool', 'tool-path', fallback=None)
+        # Validate required values
+        if not m4_ota_key:
+            command.die("Missing 'm4-ota-key' in .west/config [sign.customtool] section")
+        if not m4_private_key:
+            command.die("Missing 'm4-private-key' in .west/config [sign.customtool] section")
+        if not tool_path_rel:
+            command.die("Missing 'tool-path' in .west/config [sign.customtool] section")
+        # Resolve tool-path relative to workspace root (directory containing .west/)
+        tool_path = os.path.abspath(os.path.join(os.environ['PWD'], tool_path_rel))
+        # Debug output to verify path
+        if not args.quiet:
+            command.inf(f"Resolved tool_path: {tool_path}")
+        # Ensure tool_path is executable
+        if not os.path.isfile(tool_path) or not os.access(tool_path, os.X_OK):
+            command.die(f"Tool path {tool_path} is not a valid executable file")
+        load_rps_command = [
+            sys.executable, tool_path,
+            '--input', str(in_bin),
+            '--output', out_bin,
+            '--m4_ota_key', m4_ota_key,
+            '--m4_private_key', m4_private_key,
+        ] + args.tool_args
+        if not args.quiet:
+            command.inf(f"Running signing command: {' '.join(load_rps_command)}")
+        try:
+            subprocess.check_call(load_rps_command, stdout=subprocess.PIPE if args.quiet else None)
+        except subprocess.CalledProcessError as e:
+            command.die(f"Signing failed with exit code {e.returncode}")

scripts/west_commands/sign_rps.py

@@ -0,0 +1,39 @@
+#SPDX - License - Identifier : Apache - 2.0#!/ usr / bin / env python3
+#Copyright(c) 2018 Foundries.io
+#
+import argparse
+import os
+import subprocess
+from west.configuration import config
+parser = argparse.ArgumentParser(description = "Sign a Zephyr binary using SimplicityCommander")
+parser.add_argument('--m4_ota_key', help = "M4 OTA Key (hex string)")
+parser.add_argument('--m4_private_key', help = "M4 Private Key (file path)")
+parser.add_argument('--input', required = True, help = "Input file path")
+parser.add_argument('--output', required = True, help = "Output file path")
+args = parser.parse_args()
+#Get the workspace root by navigating up from $PWD to the 'workspace' directory
+workspace_root = os.path.abspath(os.path.join(os.environ['PWD'], '..')) #Go up one level from 'build' to 'workspace'
+SL_COMMANDER_PATH = os.path.join(workspace_root, 'SimplicityCommander-Linux/commander/commander')
+#Check if SimplicityCommander exists and is executable
+if not os.path.isfile(SL_COMMANDER_PATH) or not os.access(SL_COMMANDER_PATH, os.X_OK) :
+	raise FileNotFoundError(f "SimplicityCommander not found or not executable at '{SL_COMMANDER_PATH}'. "
+"Please ensure it exists and is executable at '<workspace_root>/SimplicityCommander-Linux/commander/commander'.")
+#Keep m4_ota_key and m4_private_key configurable via.west / config as in original code
+m4_ota_key = args.m4_ota_key or config.get('sign.customtool', 'm4-ota-key', fallback = None)
+m4_private_key = args.m4_private_key or config.get('sign.customtool', 'm4-private-key', fallback = None)
+if not m4_ota_key or not m4_private_key:
+	raise ValueError("Missing required values: m4-ota-key or m4-private-key must be provided via args or .west/config [sign.customtool]")
+if not os.path.isabs(m4_private_key) :
+	m4_private_key = os.path.abspath(os.path.join(workspace_root, 'zephyr', m4_private_key))
+def commander_function(command_list) :
+	print(f"Running commander command: {' '.join(command_list)}")
+	process = subprocess.run(command_list, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
+	stdout = process.stdout.decode('utf-8')
+	stderr = process.stderr.decode('utf-8')
+	print(f"STDOUT: {stdout}")
+	print(f"STDERR: {stderr}")
+	process.check_returncode() #Raises CalledProcessError if non - zero exit
+SECURE_M4_RPS = 1
+if SECURE_M4_RPS:create_m4_secure_rps =[SL_COMMANDER_PATH, 'rps', 'convert', args.output, '--app', args.input, '--mic', m4_ota_key, '--encrypt', m4_ota_key, '--sign', m4_private_key]
+if SECURE_M4_RPS:commander_function(create_m4_secure_rps)
+print(f"Signed {args.input} -> {args.output}")