BL2: Add Key ID to image for the built in keys

maulik-arm · adeaarm · commit d1afad03f3b5 · 2025-06-19T12:09:53.000Z
When MCUBOOT_BUILTIN_KEY is enabled, add the key id to the image
so that it can be parsed by mcuboot to identify the key used to
sign the image.

Signed-off-by: Maulik Patel &lt;maulik.patel@arm.com&gt;
Change-Id: I6872b8a88e0292f7964a57a0219e913d599f9f95
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
@@ -194,30 +194,39 @@ if (PLATFORM_DEFAULT_IMAGE_SIGNING)
     add_custom_target(tfm_s_signed_bin
         SOURCES tfm_s_signed.bin
     )
+
+    set(wrapper_args
+        -v ${MCUBOOT_IMAGE_VERSION_S}
+        --layout $<TARGET_OBJECTS:signing_layout_s>
+        -k ${MCUBOOT_KEY_S}
+        --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
+        --align ${MCUBOOT_ALIGN_VAL}
+        --pad
+        --pad-header
+        -H ${BL2_HEADER_SIZE}
+        -s ${MCUBOOT_SECURITY_COUNTER_S}
+        -L ${MCUBOOT_ENC_KEY_LEN}
+        -d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
+        $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
+        $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
+        $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
+        $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
+        $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
+        ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
+    )
+
+    if(MCUBOOT_BUILTIN_KEY)
+        set(TFM_S_KEY_ID 0)
+        set(wrapper_args ${wrapper_args} --psa-key-ids ${TFM_S_KEY_ID})
+    endif()
+
     add_custom_command(OUTPUT tfm_s_signed.bin
         DEPENDS tfm_s_bin signing_layout_s
         DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
         WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
 
         #Sign secure binary image with provided secret key
-        COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py
-            -v ${MCUBOOT_IMAGE_VERSION_S}
-            --layout $<TARGET_OBJECTS:signing_layout_s>
-            -k ${MCUBOOT_KEY_S}
-            --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
-            --align ${MCUBOOT_ALIGN_VAL}
-            --pad
-            --pad-header
-            -H ${BL2_HEADER_SIZE}
-            -s ${MCUBOOT_SECURITY_COUNTER_S}
-            -L ${MCUBOOT_ENC_KEY_LEN}
-            -d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
-            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
-            $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
-            $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
-            $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
-            $<TARGET_FILE_DIR:tfm_s>/tfm_s.bin
-            ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin
+        COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/wrapper/wrapper.py ${wrapper_args}
         COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/tfm_s_signed.bin $<TARGET_FILE_DIR:bl2>
     )
 
diff --git a/bl2/ext/mcuboot/scripts/wrapper/wrapper.py b/bl2/ext/mcuboot/scripts/wrapper/wrapper.py
@@ -1,11 +1,11 @@
 #! /usr/bin/env python3
 #
-# -----------------------------------------------------------------------------
-# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+#-------------------------------------------------------------------------------
+# SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
-# -----------------------------------------------------------------------------
+#-------------------------------------------------------------------------------
 
 import re
 import os
@@ -86,14 +86,16 @@
 @click.option('--public-key-format', type=click.Choice(['hash', 'full']),
               default='hash', help='In what format to add the public key to '
               'the image manifest: full key or hash of the key.')
+@click.option('--psa-key-ids', multiple=True, type=int, required=False,
+              help='List of integer key IDs for each signature.')
 @click.option('-k', '--key', metavar='filename')
 @click.command(help='''Create a signed or unsigned image\n
                INFILE and OUTFILE are parsed as Intel HEX if the params have
                .hex extension, otherwise binary format is used''')
 def wrap(key, align, version, header_size, pad_header, layout, pad, confirm,
          max_sectors, overwrite_only, endian, encrypt, infile, outfile,
          dependencies, hex_addr, erased_val, save_enctlv, public_key_format,
-         security_counter, encrypt_keylen, measured_boot_record):
+         security_counter, encrypt_keylen, measured_boot_record, psa_key_ids):
 
     slot_size = macro_parser.evaluate_macro(layout, sign_bin_size_re, 0, 1)
     load_addr = macro_parser.evaluate_macro(layout, load_addr_re, 0, 1)
@@ -128,6 +130,7 @@ def wrap(key, align, version, header_size, pad_header, layout, pad, confirm,
                               max_align=max_align)
 
     img.load(infile)
+    img.set_key_ids(psa_key_ids)
     key = imgtool.main.load_key(key) if key else None
     enckey = imgtool.main.load_key(encrypt) if encrypt else None
     if enckey and key:
diff --git a/cmake/spe-CMakeLists.cmake b/cmake/spe-CMakeLists.cmake
@@ -163,6 +163,31 @@ if(BL2 AND PLATFORM_DEFAULT_IMAGE_SIGNING)
 
     if (MCUBOOT_IMAGE_NUMBER GREATER 1)
 
+        set(wrapper_args
+            --version ${MCUBOOT_IMAGE_VERSION_NS}
+            --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_ns.o
+            --key ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_ns_signing_private_key.pem
+            --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
+            --align ${MCUBOOT_ALIGN_VAL}
+            --pad
+            --pad-header
+            -H ${BL2_HEADER_SIZE}
+            -s ${MCUBOOT_SECURITY_COUNTER_NS}
+            -L ${MCUBOOT_ENC_KEY_LEN}
+            -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
+            $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
+            $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
+            $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_enc_key.pem>
+            $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
+            $<TARGET_FILE_DIR:${NS_TARGET_NAME}>/${NS_TARGET_NAME}.bin
+            ${CMAKE_BINARY_DIR}/bin/${NS_TARGET_NAME}_signed.bin
+        )
+
+        if(MCUBOOT_BUILTIN_KEY)
+            set(TFM_NS_KEY_ID 1)
+            set(wrapper_args ${wrapper_args} --psa-key-ids ${TFM_NS_KEY_ID})
+        endif()
+
         add_custom_target(${NS_TARGET_NAME}_signed_bin
             SOURCES ${CMAKE_BINARY_DIR}/bin/${NS_TARGET_NAME}_signed.bin
         )
@@ -172,24 +197,7 @@ if(BL2 AND PLATFORM_DEFAULT_IMAGE_SIGNING)
             WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts
 
             #Sign non-secure binary image with provided secret key
-            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/wrapper/wrapper.py
-                --version ${MCUBOOT_IMAGE_VERSION_NS}
-                --layout ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/layout_files/signing_layout_ns.o
-                --key ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_ns_signing_private_key.pem
-                --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash>
-                --align ${MCUBOOT_ALIGN_VAL}
-                --pad
-                --pad-header
-                -H ${BL2_HEADER_SIZE}
-                -s ${MCUBOOT_SECURITY_COUNTER_NS}
-                -L ${MCUBOOT_ENC_KEY_LEN}
-                -d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
-                $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
-                $<$<BOOL:${MCUBOOT_CONFIRM_IMAGE}>:--confirm>
-                $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${CMAKE_CURRENT_SOURCE_DIR}/image_signing/keys/image_enc_key.pem>
-                $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record>
-                $<TARGET_FILE_DIR:${NS_TARGET_NAME}>/${NS_TARGET_NAME}.bin
-                ${CMAKE_BINARY_DIR}/bin/${NS_TARGET_NAME}_signed.bin
+            COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/image_signing/scripts/wrapper/wrapper.py ${wrapper_args}
         )
 
         # Create concatenated binary image from the two independently signed
