Scripts: Security enablement during west build #87669
Conversation
|
Hello @Aasimshaik11, and thank you very much for your first pull request to the Zephyr project! |
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
7541fb9 to
7052317
Compare
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
7052317 to
da52b68
Compare
CMakeLists.txt
Outdated
There was a problem hiding this comment.
Please revert these unrelated changes.
| @@ -3,3 +3,25 @@ | |||
|
|
|||
| config BOARD_SIWX917_RB4338A | |||
| select SOC_PART_NUMBER_SIWG917M111MGTBA | |||
|
|
|||
| # Kconfig.board for SiWx917 RB4338A | |||
There was a problem hiding this comment.
Unnecessary comment, please remove.
|
|
||
| # Kconfig.board for SiWx917 RB4338A | ||
|
|
||
| config SIGNING_ENABLED |
There was a problem hiding this comment.
Signing support should be a property of the SiWx91x SoC, not of the board. All of this must move to soc/silabs/silabs_siwx91x/, and the Kconfig options must be renamed to show that they apply to 91x only.
| @@ -11,3 +11,71 @@ include(${ZEPHYR_BASE}/boards/common/silabs_commander.board.cmake) | |||
| # Once started, it should be possible to reset the device with "monitor reset" | |||
| board_runner_args(jlink "--device=Si917" "--speed=10000") | |||
| include(${ZEPHYR_BASE}/boards/common/jlink.board.cmake) | |||
|
|
|||
| # Custom signing with Silicon Labs Commander | |||
|
|
||
| # Define paths and keys from Kconfig | ||
| set(WORKSPACE_ROOT $ENV{PWD}) | ||
| set(SL_COMMANDER_PATH $ENV{PWD}/SimplicityCommander-Linux/commander/commander) |
There was a problem hiding this comment.
You can't hardcode the path to Commander. You must assume that it exists on PATH.
scripts/west_commands/sign.py
Outdated
| @@ -79,6 +80,21 @@ | |||
| [rimage] sections in your west config file(s); this is especially useful | |||
| when invoking west sign _indirectly_ through CMake/ninja. See how at | |||
| https://docs.zephyrproject.org/latest/develop/west/sign.html | |||
|
|
|||
| sirps | |||
There was a problem hiding this comment.
This should be silabs_rps or silabs_commander_rps for consistency with the silabs_commander runner.
scripts/west_commands/sign.py
Outdated
|
|
||
| # Primary source: Board Kconfig defaults | ||
| board_dir = cache.get('BOARD_DIR') # Fallback to PWD if BOARD_DIR missing | ||
| board_kconfig = pathlib.Path(board_dir) / 'Kconfig.siwx917_r4338a' |
There was a problem hiding this comment.
You can't hard-code the board Kconfig path, this must generically work for all SiWx91x based boards.
| message(STATUS "Private key found at '${M4_PRIVATE_KEY}'") | ||
| endif() | ||
|
|
||
| # Define the commander signing command |
There was a problem hiding this comment.
Why is this calling Commander directly, and not invoking west sign?
There was a problem hiding this comment.
The direct call to Silicon Labs Commander in board.cmake is intentional to integrate signing into the west build process, ensuring that zephyr.bin.rps is generated automatically as part of the build output for SiWx917-based boards. This approach is used to meet hardware requirements where a signed binary is mandatory for flashing or execution. Invoking west sign would require a separate post-build step, which we avoid here to streamline the workflow and guarantee that the signed artifact is available immediately after west build, consistent with the board’s firmware deployment needs.
There was a problem hiding this comment.
Why would a post-build step need to be separately invoked just because it's calling west instead of Commander? There is no difference if west sign or commander is called as a custom command.
There was a problem hiding this comment.
Yeah, that's right. We can do that too, But there will be extra call of west sign that's it.
If west sign used:
Cmakefile -> west sign -> sign.py -> commander for signing
If not west sign:
Cmake -> Commander
There was a problem hiding this comment.
IMO it would be better to call west sign, in order to avoid duplicating the implementation. The overhead of an extra call is well worth avoiding two implementations of the same logic.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
4 times, most recently
from
726af6b to
b9ddd52
Compare
github-actions
bot
requested review from
carlescufi,
jhedberg,
Martinhoff-maker,
pdgendt and
swinslow
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
6015f25 to
d329322
Compare
|
Please, do not resolve comments as per the contribution guidelines. |
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
2 times, most recently
from
82ac254 to
2a2c05b
Compare
| default "Give_full_path_to_SimplicityCommander-Linux/commander/commander" | ||
| depends on SILABS_COMMANDER_SIGN | ||
| help | ||
| Path to the Silicon Labs Commander executable, relative to the current working directory (e.g., $ENV{PWD}), used for signing the firmware binary. |
There was a problem hiding this comment.
Kconfig files are indented with one tab. The help message is indented with one tab + 2 spaces.
The help text word-warped at 80 columns.
scripts/west_commands/sign.py
Outdated
| @@ -633,3 +648,144 @@ def sign(self, command, build_dir, build_conf, formats): | |||
|
|
|||
| os.remove(out_bin) | |||
| os.rename(out_tmp, out_bin) | |||
|
|
|||
| class Silabs_rpsSigner(Signer): | |||
There was a problem hiding this comment.
SilabsRPSSigner is this fine?
scripts/west_commands/sign.py
Outdated
| elif current_config == 'M4_PRIVATE_KEY': | ||
| m4_private_key = value | ||
| elif current_config == 'COMMANDER_PATH': | ||
| commander_path = value |
There was a problem hiding this comment.
6 level of indentation is a lot, especially in a function of 125 lines. Probably you could introduce a subfunction.
scripts/west_commands/sign.py
Outdated
| workspace_base = pathlib.Path(os.getcwd()) | ||
| if not args.quiet: | ||
| command.inf(f"ZEPHYR_WORKSPACE_ROOT not set, using current directory: {workspace_base}") | ||
| soc_dir = 'GIVE PATH FOR KCONFIG.SOC AFTER WORKSPACE' # Same relative path |
There was a problem hiding this comment.
Is it temporary code?
| if(CONFIG_SILABS_COMMANDER_SIGN) | ||
|
|
||
| # Define input and output files | ||
| set(ZEPHYR_BINARY ${CMAKE_BINARY_DIR}/zephyr/zephyr.bin) |
There was a problem hiding this comment.
WHat is the difference with ${KERNEL_BIN_NAME}?
There was a problem hiding this comment.
It takes the Kernel name which is already defined.
There was a problem hiding this comment.
Please, let the reviewer resolve the comments. I think this is a valid point, instead of hard-coding the path, use the existing CMake variable.
| COMMENT "Ensuring signing with Silicon Labs Commander is complete" | ||
| ) | ||
| else() | ||
| message(STATUS "CONFIG_SIGNING_ENABLED is not enabled") |
There was a problem hiding this comment.
I believe we have to manage the non-signed binaries.
There was a problem hiding this comment.
If signed_binary is needed for the user it do's that by checking the variable CONFIG_SIGNING_ENABLED.
If not it goes through with the default one.
| set(SIGNED_RPS ${CMAKE_BINARY_DIR}/zephyr/zephyr.bin.rps) | ||
|
|
||
| # Use $ENV{PWD} as working directory | ||
| set(WORKSPACE_ROOT ${CMAKE_CURRENT_SOURCE_DIR}) |
There was a problem hiding this comment.
What is the purpose of creating a variable with the exact same value of an existing variable?
| set(WORKSPACE_ROOT ${CMAKE_CURRENT_SOURCE_DIR}) | ||
|
|
||
| # Define the west sign command with explicit working directory and environment | ||
| set(west_sign_cmd |
There was a problem hiding this comment.
All the variables are uppercase in CMakeLists.txt
|
|
||
| # Define input and output files | ||
| set(ZEPHYR_BINARY ${CMAKE_BINARY_DIR}/zephyr/zephyr.bin) | ||
| set(SIGNED_RPS ${CMAKE_BINARY_DIR}/zephyr/zephyr.bin.rps) |
There was a problem hiding this comment.
Be consistent in the variable names.
| ${WEST} sign | ||
| -t silabs_rps | ||
| -d ${CMAKE_BINARY_DIR} | ||
| --sbin ${SIGNED_RPS} |
There was a problem hiding this comment.
You have to handle `CONFIG_FLASH_LOAD_OFFSET``
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
3 times, most recently
from
46bdfdf to
c6cbbf6
Compare
scripts/west_commands/sign.py
Outdated
| @@ -112,7 +125,7 @@ def do_add_parser(self, parser_adder): | |||
|
|
|||
| # general options | |||
| group = parser.add_argument_group('tool control options') | |||
| group.add_argument('-t', '--tool', choices=['imgtool', 'rimage'], | |||
| group.add_argument('-t', '--tool', choices=['imgtool', 'rimage', 'silabs_rps'], | |||
There was a problem hiding this comment.
The name of the binary the user install is commander. This tool is referenced with silabs_commander in Zephyr. I suggest to not introduce a new naming scheme.
scripts/west_commands/sign.py
Outdated
| @@ -633,3 +648,147 @@ def sign(self, command, build_dir, build_conf, formats): | |||
|
|
|||
| os.remove(out_bin) | |||
| os.rename(out_tmp, out_bin) | |||
|
|
|||
| class SilabsRPSSigner(Signer): | |||
| """Signer class for Silicon Labs Commander tool via west sign -t silabs_rps.""" | |||
There was a problem hiding this comment.
This file tends to use usual comments (starting with #) rather than docstring. Let's be consistent.
scripts/west_commands/sign.py
Outdated
| commander_path = value | ||
| else: | ||
| if not args.quiet: | ||
| command.inf(f"No Kconfig.defconfig found at {soc_kconfig}. Using default values.") |
There was a problem hiding this comment.
Why don't you retrieve the values from build_conf?
scripts/west_commands/sign.py
Outdated
| if not m4_private_key: | ||
| command.die("M4_PRIVATE_KEY not set in Kconfig.defconfig and no --m4-private-key provided.") | ||
| if not commander_path: | ||
| command.die("COMMANDER_PATH not set in Kconfig.defconfig and no --commander-path provided.") |
There was a problem hiding this comment.
get_security_config() never return unset values. So, can any of these condition happen?
scripts/west_commands/sign.py
Outdated
| if not m4_private_key: | ||
| command.die("M4_PRIVATE_KEY not set in Kconfig.defconfig and no --m4-private-key provided.") | ||
| if not commander_path: | ||
| command.die("COMMANDER_PATH not set in Kconfig.defconfig and no --commander-path provided.") |
There was a problem hiding this comment.
BTW, why do you enforce the user to provide the name of the commander command. It is very likely commander.
| default "Full_path_to_m4_private_key.pem" | ||
|
|
||
| config COMMANDER_PATH | ||
| default "Full_path_to_SimplicityCommander-Linux/commander/commander" |
There was a problem hiding this comment.
Nope, the usual user will have commander in hs PATH.
| default "Full_OTA_KEY_in_HEX" | ||
|
|
||
| config M4_PRIVATE_KEY | ||
| default "Full_path_to_m4_private_key.pem" |
There was a problem hiding this comment.
Why do you provide default values if they are not correct?
| @@ -13,6 +13,21 @@ configdefault SYS_CLOCK_TICKS_PER_SEC | |||
| default 128 if !TICKLESS_KERNEL && SILABS_SLEEPTIMER_TIMER | |||
| default 1024 if SILABS_SLEEPTIMER_TIMER | |||
|
|
|||
| config SILABS_COMMANDER_SIGN | |||
| default n | |||
There was a problem hiding this comment.
n is already the default.
scripts/west_commands/sign.py
Outdated
| parser = subparsers.add_parser('silabs_rps', help='Sign with Silicon Labs Commander') | ||
| parser.add_argument('--m4-ota-key', help='OTA key for signing (overrides Kconfig.defconfig default)') | ||
| parser.add_argument('--m4-private-key', help='Absolute path to private key file (overrides Kconfig.defconfig default)') | ||
| parser.add_argument('--commander-path', help='Absolute path to Commander executable (overrides Kconfig.defconfig default)') |
There was a problem hiding this comment.
These option should override CONFIG_M4_OTA_KEY, CONFIG_M4_PRIVATE_KEY and CONFIG_COMMANDER_PATH.
| ) | ||
|
|
||
| # Add custom target to ensure signing is part of the build | ||
| add_custom_target(silabs_rps_sign_target |
There was a problem hiding this comment.
This is the user facing name. Don't we have a better name? signed-rps?
There was a problem hiding this comment.
BTW, what is the purpose of this target? The user can already run west sign. Why do we provide west build -t silabs_rps_sign_target?
It would be more useful if the signing process was included in the default build.
There was a problem hiding this comment.
Please, let the reviewer resolve the comments.
It would be more useful if the signing process was included in the default build.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
c6cbbf6 to
f9c082c
Compare
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
3 times, most recently
from
2ac309f to
009ada8
Compare
scripts/west_commands/sign.py
Outdated
| west sign -t silabs_commander -- --mic YOUR_OTA_KEY --encrypt YOUR_OTA_KEY --sign YOUR_PRIVATE_KEY.pem | ||
| or west sign -t silabs_commander | ||
|
|
||
| For this to work, SILABS Commander tool must be installed in your PATH. |
There was a problem hiding this comment.
Silicon Labs (or possibly Silabs)
scripts/west_commands/sign.py
Outdated
| if line.strip().startswith('CONFIG_M4_OTA_KEY='): | ||
| m4_ota_key = line.split('=')[1].strip().strip('"') | ||
| elif line.strip().startswith('CONFIG_M4_PRIVATE_KEY='): | ||
| m4_private_key = line.split('=')[1].strip().strip('"') |
There was a problem hiding this comment.
Do you need this at all? Can't you use:
build_conf.get('CONFIG_M4_OTA_KEY')
build_conf.get('CONFIG_M4_PRIVATE_KEY')
There was a problem hiding this comment.
No need , I added the fallback initially to cover potential retrieval issues. Now using .get() will resolve them.
scripts/west_commands/sign.py
Outdated
| for path in default_paths: | ||
| if os.path.isfile(path): | ||
| commander_path = path | ||
| break |
There was a problem hiding this comment.
KISS.
The system already manage that for you. (/usr/bin and /usr/bin/local are already part of the default PATH. If they are not, it is not your job to fix it).
scripts/west_commands/sign.py
Outdated
| if not m4_private_key: | ||
| command.die("M4_PRIVATE_KEY not provided via --m4-private-key or set in prj.conf. Please specify --m4-private-key=/path/to/key or add CONFIG_M4_PRIVATE_KEY in prj.conf.") | ||
| if not commander_path: | ||
| command.die("Commander not found automatically. Please provide --commander-path=/path/to/commander or install it in your PATH.") |
There was a problem hiding this comment.
west sign already has the --tool-path option. Please use it:
def find_commandertool(cmd, args):
if args.tool_path:
commandertool = args.tool_path
if not os.path.isfile(commandertool):
cmd.die(f'--tool-path {commandertool}: no such file')
else:
commandertool = shutil.which('commander')
if not commandertool:
cmd.die('commander not found')
return commandertool
There was a problem hiding this comment.
I am not able to find find_commandertool in sign.py.
There was a problem hiding this comment.
I meant, you can write a such function.
scripts/west_commands/sign.py
Outdated
| command.die("ZEPHYR_BASE environment variable not set. Ensure you are running within a Zephyr build environment.") | ||
| workspace_base = pathlib.Path(zephyr_base) | ||
| if not workspace_base.is_dir(): | ||
| command.die(f"Invalid ZEPHYR_BASE directory: {workspace_base}. Please check your Zephyr setup.") |
There was a problem hiding this comment.
I am not a specialist of the west commands, but I believe you should use zephyr_ext_common to retrieve ZEPHYR_BASE.
scripts/west_commands/sign.py
Outdated
| kernel_name = build_conf.get('CONFIG_KERNEL_BIN_NAME', 'zephyr') | ||
|
|
||
| # Input and output files (using BUILD_DIR) | ||
| in_bin = b / 'zephyr' / f"{kernel_name}.bin.rps" # Raw binary input |
There was a problem hiding this comment.
The name in_bin, the comment Raw binary input and the error messages No unsigned .bin found are confusing.
In fact, the input is not a binary file. It is a .rps file.
| add_subdirectory(siwg917) | ||
| zephyr_include_directories(.) | ||
| zephyr_sources_ifdef(CONFIG_SOC_SERIES_SIWG917 soc.c) | ||
| zephyr_sources_ifdef(CONFIG_WISECONNECT_NETWORK_STACK nwp_init.c) |
There was a problem hiding this comment.
Redundant with soc/silabs/silabs_siwx91x/siwg917/CMakeLists.txt. BTW, nwp_init.c has been replaced by nwp.c a few weeks ago.
|
|
||
| # Custom signing with Silicon Labs Commander | ||
| if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN) | ||
| # Define input and output files |
There was a problem hiding this comment.
Which input files? Outdated comments are worse than no comments.
| # Custom signing with Silicon Labs Commander | ||
| if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN) | ||
| # Define input and output files | ||
| set(SIGNED_RPS ${PROJECT_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}.bin.rps) |
There was a problem hiding this comment.
Do you need absolute path? I believe you need it only because you change WORKING_DIRECTORY below. You can probably remove remove all this complexity.
| ) | ||
|
|
||
| # Add custom target to ensure signing is part of the build | ||
| add_custom_target(silabs_rps_sign_target |
There was a problem hiding this comment.
Please, let the reviewer resolve the comments.
It would be more useful if the signing process was included in the default build.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
3 times, most recently
from
964683e to
82595cd
Compare
scripts/west_commands/sign.py
Outdated
| @@ -23,6 +22,7 @@ | |||
| from runners.core import BuildConfiguration | |||
| from zcmake import CMakeCache | |||
| from zephyr_ext_common import Forceable, ZEPHYR_SCRIPTS | |||
| from zephyr_ext_common import ZEPHYR_BASE | |||
There was a problem hiding this comment.
This import can be added to the above line instead of adding a new one.
soc/silabs/silabs_siwx91x/Kconfig
Outdated
| help | ||
| Activates the signing process for the Zephyr binary using Silicon Labs Commander during the build process. | ||
|
|
||
| config M4_OTA_KEY |
There was a problem hiding this comment.
These options should be SIWX91X_OTA_KEY and SIWX91X_PRIVATE_KEY in my opinion, in order to be properly namespaced.
scripts/west_commands/sign.py
Outdated
|
|
||
| # Resolve paths | ||
| tool_path = pathlib.Path(commander_path) | ||
| if not tool_path.is_file(): |
There was a problem hiding this comment.
This check seems to duplicate what's already been done in find_commandertool, so it should never happen. Consider making use of this detailed error message in the earlier check and removing it from here.
| add_subdirectory(siwg917) | ||
| zephyr_include_directories(.) |
There was a problem hiding this comment.
What is the purpose of changing the include path of the CMake build? This seems unrelated to signing support.
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
82595cd to
7107751
Compare
There was a problem hiding this comment.
I have resolved all the comments from @asmellby , @jerome-pouiller , @jhedberg , and @pdgendt . Could you mark these comments as resolved and provide any further suggestions or approval for my PR?
Added changes to automate the signing of zephyr security using customtool during the west build process. Signed-off-by: Aasim Shaik <[email protected]>
Aasimshaik11
force-pushed
the
zephyr-boot-security
branch
from
7107751 to
69b832a
Compare
|
Re-assigned to Silabs maintainers. |
| @@ -12,3 +14,31 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands | |||
| ${KERNEL_BIN_NAME} | |||
| ${KERNEL_BIN_NAME}.rps | |||
| ) | |||
|
|
|||
| # Custom signing with Silicon Labs Commander | |||
| if(CONFIG_SiWX91X_SILABS_COMMANDER_SIGN) | |||
There was a problem hiding this comment.
typo: SiWX91X -> SIWX91X (lowercase i)
|
|
||
| # Set the flash file based on signing is enabled or not. | ||
| set(FLASH_FILE ${PROJECT_BINARY_DIR}/zephyr_signed.bin.rps) | ||
| if(NOT EXISTS ${FLASH_FILE}) |
There was a problem hiding this comment.
Don't you think we should rather test CONFIG_SIWX91X_SILABS_COMMANDER_SIGN ?
| # Set the flash file based on signing is enabled or not. | ||
| set(FLASH_FILE ${PROJECT_BINARY_DIR}/zephyr_signed.bin.rps) | ||
| if(NOT EXISTS ${FLASH_FILE}) | ||
| set(FLASH_FILE ${PROJECT_BINARY_DIR}/zephyr.bin.rps) |
There was a problem hiding this comment.
Later in the script we refer to ${KERNEL_BIN_NAME}.rps or to ${CONFIG_KERNEL_BIN_NAME}_signed.bin.rps
|
|
||
| To create a signed binary with the silabs_commander tool, run this from your build directory: | ||
|
|
||
| west sign -t silabs_commander -- --mic YOUR_OTA_KEY --encrypt YOUR_OTA_KEY --sign YOUR_PRIVATE_KEY.pem |
There was a problem hiding this comment.
I believe this does not match with get_security_configs().
| "--app", str(input_rps), | ||
| "--mic", siwx91x_ota_key, | ||
| "--encrypt", siwx91x_private_key, | ||
| "--sign", str(private_key_path) |
There was a problem hiding this comment.
Can you explain the difference between siwx91x_private_key and str(private_key_path)?
|
|
||
| private_key_path = pathlib.Path(siwx91x_private_key) | ||
| if not private_key_path.is_file(): | ||
| command.die(f"Private key not found at {private_key_path}. Please ensure the path is correct.") |
There was a problem hiding this comment.
I suggest to group this check with the other related ones in get_security_configs().
| # Define the west sign command with explicit working directory and environment | ||
| set(WEST_SIGN_CMD | ||
| ${CMAKE_COMMAND} -E chdir ${CMAKE_BINARY_DIR} # Explicitly set working directory | ||
| ${CMAKE_COMMAND} -E env "PATH=$ENV{PATH}:$ENV{WEST_ROOT}/bin" "ZEPHYR_WORKSPACE_ROOT=${CMAKE_CURRENT_SOURCE_DIR}" |
There was a problem hiding this comment.
I believe my previous comment is still relevant.
| ALL | ||
| DEPENDS ${KERNEL_BIN_NAME}.rps | ||
| COMMENT "Ensuring signing with Silicon Labs Commander is complete" | ||
| ) |
There was a problem hiding this comment.
I believe this target is useless (the user can run west sign). However, you can add some entries to extra_post_build_commands to launch the signature automatically with west build.
| # Add custom command to invoke west sign during build | ||
| add_custom_command( | ||
| OUTPUT ${KERNEL_BIN_NAME}.rps | ||
| COMMAND ${CMAKE_COMMAND} -E echo "Forcing execution in ${PROJECT_BINARY_DIR}" |
There was a problem hiding this comment.
Is this trace relevant? I believe it bring any useful information to the user.
| config SIWX91X_PRIVATE_KEY | ||
| string "Private Key Path for Signing (sourced from prj.conf)" | ||
| help | ||
| Path to private key file for signing with Silicon Labs Commander, from prj.conf, relative to board directory. |
There was a problem hiding this comment.
These options should not be displayed to the user if SOC_FAMILY_SILABS_SIWX91X is not selected. You need to if SOC_FAMILY_SILABS_SIWX91X.
Added changes to automate the signing of zephyr security using customtool during the west build process.