Scripts: Security enablement during west build

Added changes to automate the signing of zephyr security
using customtool during the west build process.

Signed-off-by: Aasim Shaik <[email protected]>

Author: Aasimshaik11

samples/basic/button/prj.conf

@@ -1 +1,6 @@
 CONFIG_GPIO=y
+# Enable Silicon Labs Commander signing
+CONFIG_SIWX91X_COMMANDER_SIGN=y
+CONFIG_M4_OTA_KEY="c2c538dad5d1992a49e427f743527382eb0225d6a6912f6292f240f62793b42b"
+CONFIG_M4_PRIVATE_KEY="/home/shaik-aasim/zephyrproject/zephyr/workspace/m4_private_key.pem"
+CONFIG_COMMANDER_PATH="commander"  # Relies on PATH

scripts/west_commands/sign.py

@@ -13,7 +13,6 @@
 import sys
 
 from elftools.elf.elffile import ELFFile
-
 from west import manifest
 from west.commands import Verbosity
 from west.util import quote_sh_list
@@ -79,6 +78,20 @@
 [rimage] sections in your west config file(s); this is especially useful
 when invoking west sign _indirectly_ through CMake/ninja. See how at
 https://docs.zephyrproject.org/latest/develop/west/sign.html
+
+silabs_commander
+-----
+
+To create a signed binary with the silabs_commander tool, run this from your build directory:
+
+   west sign -t silabs_commander -- --mic YOUR_OTA_KEY --encrypt YOUR_OTA_KEY --sign YOUR_PRIVATE_KEY.pem
+
+For this to work, either silabs_commander commander must be installed in your PATH.
+
+The input binary (zephyr.bin.rps) is signed using the specified OTA key and private key,
+producing zephyr.bin.rps by default. If CONFIG_M4_OTA_KEY and CONFIG_M4_PRIVATE_KEY are set
+in your build configuration, they will be used unless overridden by command-line arguments.
+Additional arguments after '--' are passed to silabs_commander directly.
 '''
 
 class ToggleAction(argparse.Action):
@@ -112,7 +125,7 @@ def do_add_parser(self, parser_adder):
 
         # general options
         group = parser.add_argument_group('tool control options')
-        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage'],
+        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage', 'silabs_commander'],
                            help='''image signing tool name; imgtool and rimage
                            are currently supported (imgtool is deprecated)''')
         group.add_argument('-p', '--tool-path', default=None,
@@ -195,6 +208,8 @@ def do_run(self, args, ignored):
             signer = ImgtoolSigner()
         elif args.tool == 'rimage':
             signer = RimageSigner()
+        elif args.tool == 'silabs_commander':
+            signer = SilabsRPSSigner()
         # (Add support for other signers here in elif blocks)
         else:
             if args.tool is None:
@@ -633,3 +648,111 @@ def sign(self, command, build_dir, build_conf, formats):
 
         os.remove(out_bin)
         os.rename(out_tmp, out_bin)
+
+class SilabsRPSSigner(Signer):
+    # Signer class for Silicon Labs Commander tool via west sign -t silabs_commander.
+    def get_security_configs(self, build_conf, args, command):
+        # Retrieve configurations, prioritizing command-line args, then build_conf
+        m4_ota_key = getattr(args, 'm4-ota-key', build_conf.get('CONFIG_M4_OTA_KEY'))
+        m4_private_key = getattr(args, 'm4-private-key', build_conf.get('CONFIG_M4_PRIVATE_KEY'))
+        # Fallback to directly read prj.conf if build_conf values are missing
+        if not m4_ota_key or not m4_private_key:
+            prj_conf_path = pathlib.Path(build_conf.build_dir) / 'prj.conf'
+            if prj_conf_path.exists():
+                with open(prj_conf_path, 'r') as f:
+                    for line in f:
+                        if line.strip().startswith('CONFIG_M4_OTA_KEY='):
+                            m4_ota_key = line.split('=')[1].strip().strip('"')
+                        elif line.strip().startswith('CONFIG_M4_PRIVATE_KEY='):
+                            m4_private_key = line.split('=')[1].strip().strip('"')
+        # Automatically detect Commander path, mimicking west flash
+        commander_path = getattr(args, 'commander-path', None)
+        if not commander_path:
+            # Try system PATH first, as west flash likely does
+            commander_path = shutil.which('commander')
+            if not commander_path:
+                # Fallback to common Silicon Labs default paths (adjust if known)
+                default_paths = [
+                    '/usr/bin/commander',
+                    '/usr/local/bin/commander',
+                    '/opt/SiliconLabs/Commander/commander'
+                ]
+                for path in default_paths:
+                    if os.path.isfile(path):
+                        commander_path = path
+                        break
+        # Validate required settings with fallback to prj.conf
+        if not m4_ota_key:
+            command.die("M4_OTA_KEY not provided via --m4-ota-key or set in prj.conf. Please specify --m4-ota-key=your_key or add CONFIG_M4_OTA_KEY in prj.conf.")
+        if not m4_private_key:
+            command.die("M4_PRIVATE_KEY not provided via --m4-private-key or set in prj.conf. Please specify --m4-private-key=/path/to/key or add CONFIG_M4_PRIVATE_KEY in prj.conf.")
+        if not commander_path:
+            command.die("Commander not found automatically. Please provide --commander-path=/path/to/commander or install it in your PATH.")
+        
+        return m4_ota_key, m4_private_key, commander_path
+
+    def sign(self, command, build_dir, build_conf, formats):
+        # Sign the Zephyr binary using Silicon Labs Commander.
+
+        self.command = command
+        args = command.args
+        b = pathlib.Path(build_dir)  # BUILD_DIR from -d option
+
+        # Check if signing is needed
+        if not formats:
+            if not args.quiet:
+                command.inf("No output formats specified, skipping signing.")
+            return
+
+        # Use ZEPHYR_BASE as the workspace base, provided by Zephyr's build system
+        zephyr_base = os.environ.get('ZEPHYR_BASE')
+        if not zephyr_base:
+            command.die("ZEPHYR_BASE environment variable not set. Ensure you are running within a Zephyr build environment.")
+        workspace_base = pathlib.Path(zephyr_base)
+        if not workspace_base.is_dir():
+            command.die(f"Invalid ZEPHYR_BASE directory: {workspace_base}. Please check your Zephyr setup.")
+
+        # Get kernel binary name (default to 'zephyr')
+        kernel_name = build_conf.get('CONFIG_KERNEL_BIN_NAME', 'zephyr')
+
+        # Input and output files (using BUILD_DIR)
+        in_bin = b / 'zephyr' / f"{kernel_name}.bin.rps"  # Raw binary input
+        out_rps = args.sbin or (b / 'zephyr' / f"{kernel_name}.bin.rps")  # Signed output
+
+        # Check if input binary exists
+        if not in_bin.is_file():
+            command.die(f"No unsigned .bin found at {in_bin}")
+
+        # Load configuration
+        m4_ota_key, m4_private_key, commander_path = self.get_security_configs(build_conf, args, command)
+
+        # Resolve paths
+        tool_path = pathlib.Path(commander_path)
+        if not tool_path.is_file():
+            command.die(f"Commander not found at {tool_path}. Please ensure it is installed or provide --commander-path.")
+
+        private_key_path = pathlib.Path(m4_private_key)
+        if not private_key_path.is_file():
+            command.die(f"Private key not found at {private_key_path}. Please ensure the path is correct.")
+
+        # Build the commander signing command
+        sign_base = [
+            str(tool_path),
+            "rps",
+            "convert",
+            str(out_rps),
+            "--app", str(in_bin),
+            "--mic", m4_ota_key,
+            "--encrypt", m4_ota_key,
+            "--sign", str(private_key_path)
+        ]
+
+        sign_base.extend(args.tool_args)
+
+        try:
+            subprocess.check_call(sign_base, stdout=subprocess.PIPE if args.quiet else None, stderr=subprocess.PIPE if args.quiet else None)
+        except subprocess.CalledProcessError as e:
+            command.die(f"Commander signing failed with exit code {e.returncode}")
+
+        if not args.quiet:
+            command.inf(f"Successfully generated signed file: {out_rps}")

soc/silabs/silabs_siwx91x/CMakeLists.txt

@@ -1,7 +1,12 @@
 # Copyright (c) 2024 Silicon Laboratories Inc.
 # SPDX-License-Identifier: Apache-2.0
 
+include(west)  # Add this at the top or before using ${WEST}
+
 add_subdirectory(siwg917)
+zephyr_include_directories(.)
+zephyr_sources_ifdef(CONFIG_SOC_SERIES_SIWG917 soc.c)
+zephyr_sources_ifdef(CONFIG_WISECONNECT_NETWORK_STACK nwp_init.c)
 
 # Necessary to not overwrite NWP Firmware
 math(EXPR FLASH_LOAD_ADDRESS "(${CONFIG_FLASH_BASE_ADDRESS}) + (${CONFIG_FLASH_LOAD_OFFSET})")
@@ -12,3 +17,36 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
     ${KERNEL_BIN_NAME}
     ${KERNEL_BIN_NAME}.rps
 )
+
+# Custom signing with Silicon Labs Commander
+if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN)
+    # Define input and output files
+    set(SIGNED_RPS ${PROJECT_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}.bin.rps)
+
+    # Define the west sign command with explicit working directory and environment
+    set(WEST_SIGN_CMD
+        ${CMAKE_COMMAND} -E env "PATH=$ENV{PATH}:$ENV{WEST_ROOT}/bin" "ZEPHYR_WORKSPACE_ROOT=${CMAKE_CURRENT_SOURCE_DIR}"
+        ${WEST} sign
+        -t silabs_commander
+        -d ${CMAKE_BINARY_DIR}
+        --sbin ${SIGNED_RPS}
+    )
+
+    # Add custom command to invoke west sign during build
+    add_custom_command(
+        OUTPUT ${SIGNED_RPS}
+        COMMAND ${CMAKE_COMMAND} -E echo "Forcing execution in ${PROJECT_BINARY_DIR}"
+        COMMAND ${WEST_SIGN_CMD}
+        DEPENDS zephyr_final
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}  # Ensure working directory is set
+        COMMENT "Signing binary with 'west sign -t silabs_commander' to generate ${KERNEL_BIN_NAME}.bin.rps"
+        VERBATIM
+    )
+
+    # Add custom target to ensure signing is part of the build
+    add_custom_target(silabs_commander_sign
+        ALL
+        DEPENDS ${SIGNED_RPS}
+        COMMENT "Ensuring signing with Silicon Labs Commander is complete"
+    )
+endif()

soc/silabs/silabs_siwx91x/Kconfig

@@ -14,3 +14,19 @@ config SOC_SILABS_SLEEPTIMER
 	bool
 	help
 	  The Sleeptimer HAL module is used for SIWX91X.
+
+config SIWX91X_SILABS_COMMANDER_SIGN
+	bool "Enable signing of Zephyr binary with Silicon Labs Commander"
+	depends on BUILD_OUTPUT_BIN
+	help
+		Activates the signing process for the Zephyr binary using Silicon Labs Commander during the build process.
+
+config M4_OTA_KEY
+	string "OTA Key for Commander (sourced from prj.conf)"
+	help
+		Specifies the OTA key (in hex format) for signing and encryption with Silicon Labs Commander, retrieved from prj.conf.
+
+config M4_PRIVATE_KEY
+	string "Private Key Path for Commander (sourced from prj.conf)"
+	help
+		Defines the path to the private key file for signing with Silicon Labs Commander, obtained from prj.conf, relative to the board directory.