Scripts: Security enablement during west build #87669
Conversation
|
Hello @Aasimshaik11, and thank you very much for your first pull request to the Zephyr project! |
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
7541fb9 to
7052317
Compare
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
7052317 to
da52b68
Compare
boards/silabs/radio_boards/siwx917_rb4338a/Kconfig.siwx917_rb4338a
Outdated
Show resolved
Hide resolved
boards/silabs/radio_boards/siwx917_rb4338a/Kconfig.siwx917_rb4338a
Outdated
Show resolved
Hide resolved
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
4 times, most recently
from
726af6b to
b9ddd52
Compare
github-actions
bot
requested review from
carlescufi,
jhedberg,
Martinhoff-maker,
pdgendt and
swinslow
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
6015f25 to
d329322
Compare
|
Please, do not resolve comments as per the contribution guidelines. |
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
82ac254 to
2a2c05b
Compare
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
5 times, most recently
from
3672549 to
8dc4f06
Compare
| if SILABS_COMMANDER_SIGN | ||
| config M4_OTA_KEY | ||
| string "M4 OTA Key for Commander" | ||
| default "Full_OTA_KEY_in_HEX" | ||
| help | ||
| The OTA key (hex string) used for signing and encryption with Silicon Labs Commander. | ||
|
|
||
| config M4_PRIVATE_KEY | ||
| string "M4 Private Key Path for Commander" | ||
| default "Full_path_to_m4_private_key.pem" | ||
| help | ||
| Path to the private key file used for signing with Silicon Labs Commander, relative to the board directory. | ||
|
|
||
| config COMMANDER_PATH | ||
| string "Path to Silicon Labs Commander executable" | ||
| default "Full_path_to_SimplicityCommander-Linux/commander/commander" | ||
| help | ||
| Path to the Silicon Labs Commander executable, used for signing the firmware binary. | ||
| endif |
There was a problem hiding this comment.
These defaults do not make much sense IMO, if they are required, leave them as blank and throw an error during the build process.
Also help text needs to be indented with an additional 2 spaces after the tab.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
5 times, most recently
from
46bdfdf to
c6cbbf6
Compare
| ) | ||
|
|
||
| # Add custom target to ensure signing is part of the build | ||
| add_custom_target(silabs_rps_sign_target |
There was a problem hiding this comment.
This is the user facing name. Don't we have a better name? signed-rps?
There was a problem hiding this comment.
BTW, what is the purpose of this target? The user can already run west sign. Why do we provide west build -t silabs_rps_sign_target?
It would be more useful if the signing process was included in the default build.
There was a problem hiding this comment.
Please, let the reviewer resolve the comments.
It would be more useful if the signing process was included in the default build.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
c6cbbf6 to
f9c082c
Compare
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
3 times, most recently
from
2ac309f to
009ada8
Compare
scripts/west_commands/sign.py
Outdated
| west sign -t silabs_commander -- --mic YOUR_OTA_KEY --encrypt YOUR_OTA_KEY --sign YOUR_PRIVATE_KEY.pem | ||
| or west sign -t silabs_commander | ||
|
|
||
| For this to work, SILABS Commander tool must be installed in your PATH. |
There was a problem hiding this comment.
Silicon Labs (or possibly Silabs)
scripts/west_commands/sign.py
Outdated
| if line.strip().startswith('CONFIG_M4_OTA_KEY='): | ||
| m4_ota_key = line.split('=')[1].strip().strip('"') | ||
| elif line.strip().startswith('CONFIG_M4_PRIVATE_KEY='): | ||
| m4_private_key = line.split('=')[1].strip().strip('"') |
There was a problem hiding this comment.
Do you need this at all? Can't you use:
build_conf.get('CONFIG_M4_OTA_KEY')
build_conf.get('CONFIG_M4_PRIVATE_KEY')
There was a problem hiding this comment.
No need , I added the fallback initially to cover potential retrieval issues. Now using .get() will resolve them.
scripts/west_commands/sign.py
Outdated
| for path in default_paths: | ||
| if os.path.isfile(path): | ||
| commander_path = path | ||
| break |
There was a problem hiding this comment.
KISS.
The system already manage that for you. (/usr/bin and /usr/bin/local are already part of the default PATH. If they are not, it is not your job to fix it).
scripts/west_commands/sign.py
Outdated
| if not m4_private_key: | ||
| command.die("M4_PRIVATE_KEY not provided via --m4-private-key or set in prj.conf. Please specify --m4-private-key=/path/to/key or add CONFIG_M4_PRIVATE_KEY in prj.conf.") | ||
| if not commander_path: | ||
| command.die("Commander not found automatically. Please provide --commander-path=/path/to/commander or install it in your PATH.") |
There was a problem hiding this comment.
west sign already has the --tool-path option. Please use it:
def find_commandertool(cmd, args):
if args.tool_path:
commandertool = args.tool_path
if not os.path.isfile(commandertool):
cmd.die(f'--tool-path {commandertool}: no such file')
else:
commandertool = shutil.which('commander')
if not commandertool:
cmd.die('commander not found')
return commandertool
There was a problem hiding this comment.
I am not able to find find_commandertool in sign.py.
There was a problem hiding this comment.
I meant, you can write a such function.
scripts/west_commands/sign.py
Outdated
| command.die("ZEPHYR_BASE environment variable not set. Ensure you are running within a Zephyr build environment.") | ||
| workspace_base = pathlib.Path(zephyr_base) | ||
| if not workspace_base.is_dir(): | ||
| command.die(f"Invalid ZEPHYR_BASE directory: {workspace_base}. Please check your Zephyr setup.") |
There was a problem hiding this comment.
I am not a specialist of the west commands, but I believe you should use zephyr_ext_common to retrieve ZEPHYR_BASE.
scripts/west_commands/sign.py
Outdated
| kernel_name = build_conf.get('CONFIG_KERNEL_BIN_NAME', 'zephyr') | ||
|
|
||
| # Input and output files (using BUILD_DIR) | ||
| in_bin = b / 'zephyr' / f"{kernel_name}.bin.rps" # Raw binary input |
There was a problem hiding this comment.
The name in_bin, the comment Raw binary input and the error messages No unsigned .bin found are confusing.
In fact, the input is not a binary file. It is a .rps file.
| add_subdirectory(siwg917) | ||
| zephyr_include_directories(.) | ||
| zephyr_sources_ifdef(CONFIG_SOC_SERIES_SIWG917 soc.c) | ||
| zephyr_sources_ifdef(CONFIG_WISECONNECT_NETWORK_STACK nwp_init.c) |
There was a problem hiding this comment.
Redundant with soc/silabs/silabs_siwx91x/siwg917/CMakeLists.txt. BTW, nwp_init.c has been replaced by nwp.c a few weeks ago.
|
|
||
| # Custom signing with Silicon Labs Commander | ||
| if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN) | ||
| # Define input and output files |
There was a problem hiding this comment.
Which input files? Outdated comments are worse than no comments.
| # Custom signing with Silicon Labs Commander | ||
| if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN) | ||
| # Define input and output files | ||
| set(SIGNED_RPS ${PROJECT_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}.bin.rps) |
There was a problem hiding this comment.
Do you need absolute path? I believe you need it only because you change WORKING_DIRECTORY below. You can probably remove remove all this complexity.
| ) | ||
|
|
||
| # Add custom target to ensure signing is part of the build | ||
| add_custom_target(silabs_rps_sign_target |
There was a problem hiding this comment.
Please, let the reviewer resolve the comments.
It would be more useful if the signing process was included in the default build.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
7123a51 to
964683e
Compare
Added changes to automate the signing of zephyr security using customtool during the west build process. Signed-off-by: Aasim Shaik <[email protected]>
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
964683e to
82595cd
Compare
Added changes to automate the signing of zephyr security using customtool during the west build process.