soc: cyw20829: add support of Secure LCS

sreeramIfx · kartben · commit 968704e6b773 · 2025-05-24T06:00:57.000+02:00
Enable support of SECURE LCS stage. In this stage, the protection
state is set to “secure”. A secured device will boot only when the
authentication of its flash boot and application code succeeds

Signed-off-by: Sreeram Tatapudi &lt;sreeram.praveen@infineon.com&gt;
diff --git a/soc/infineon/cat1b/cyw20829/CMakeLists.txt b/soc/infineon/cat1b/cyw20829/CMakeLists.txt
@@ -16,20 +16,89 @@ zephyr_compile_definitions(COMPONENT_CM33)
 zephyr_compile_definitions(FLASH_BOOT)
 zephyr_compile_definitions(CY_PDL_FLASH_BOOT)
 
-# Use custome linker script
+# Use custom linker script
 set(SOC_LINKER_SCRIPT ${ZEPHYR_BASE}/soc/infineon/cat1b/cyw20829/linker.ld CACHE INTERNAL "")
 
 # Get sram_bootstrap address and size
 dt_nodelabel(sram_bootstrap NODELABEL "sram_bootstrap")
 dt_reg_addr(bootstrap_dst_addr PATH ${sram_bootstrap})
 dt_reg_size(bootstrap_size PATH ${sram_bootstrap})
 
+set(gen_app_header_args)
+set(app_signed_enc_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
+
+if(CONFIG_INFINEON_SECURE_LCS OR (DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE))
+  # Check cysecuretools
+  find_program(CYSECURETOOLS cysecuretools REQUIRED)
+  message("-- Found cysecuretools: ${CYSECURETOOLS}")
+
+  # Locate CySecureTools policy file
+  if(IS_ABSOLUTE "${CONFIG_INFINEON_SECURE_POLICY}")
+    cmake_path(SET cysecuretools_policy "${CONFIG_INFINEON_SECURE_POLICY}")
+  else()
+    find_file(
+      cysecuretools_policy
+      NAMES
+        "${CONFIG_INFINEON_SECURE_POLICY}"
+      PATHS
+        "${APPLICATION_SOURCE_DIR}"
+        "${WEST_TOPDIR}"
+        "${SOC_FULL_DIR}/cyw20829"
+      NO_DEFAULT_PATH
+      )
+  endif()
+
+  if(NOT IS_ABSOLUTE "${cysecuretools_policy}" OR NOT EXISTS "${cysecuretools_policy}")
+    message(FATAL_ERROR "Can't find policy file \"${CONFIG_INFINEON_SECURE_POLICY}\" "
+                        "(Note: Relative paths are searched through "
+                        "APPLICATION_SOURCE_DIR=\"${APPLICATION_SOURCE_DIR}\" "
+                        "and WEST_TOPDIR=\"${WEST_TOPDIR}\")")
+  endif()
+
+  message("-- Using cysecuretools policy: ${cysecuretools_policy}")
+  set(CYSECURETOOLS_POLICY ${cysecuretools_policy} CACHE PATH "cysecuretools policy")
+endif()
+
+if(CONFIG_INFINEON_SECURE_LCS)
+  #
+  # Additional postbuild action for SECURE LCS
+  #
+  set(gen_app_header_args ${gen_app_header_args} --secure_lcs True)
+  set(app_signed_path ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.signed)
+  set(app_signed_enc_path "${app_signed_path}")
+
+  if(CONFIG_INFINEON_SMIF_ENCRYPTION)
+    set(gen_app_header_args ${gen_app_header_args} --smif-config ${ZEPHYR_BINARY_DIR}/nonce-output.bin)
+    set(enc_option --encrypt --nonce-output nonce-output.bin)
+    # The encrypted image file path generated by cysecuretools
+    set(app_signed_enc_path "${app_signed_path}_encrypted")
+  endif()
+
+  set(bin2hex_option bin2hex --image ${app_signed_enc_path}.bin --output ${app_signed_enc_path}.hex --offset 0x60000030)
+
+  # Sign Zephyr L1 app in SECURE LCS
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+    COMMAND ${CYSECURETOOLS} -q -t cyw20829
+      -p ${cysecuretools_policy} sign-image --image-format bootrom_next_app
+      -i ${ZEPHYR_BINARY_DIR}/${KERNEL_BIN_NAME} -k 0 -o ${app_signed_path}.bin
+      --slot-size ${CONFIG_FLASH_LOAD_SIZE} --app-addr 0x08000030
+      ${enc_option} ${bin2hex_option}
+    )
+endif()
+
+# By default the MCUboot header size if set to 0x400 by the cysecuretools
+# https://github.com/Infineon/edgeprotecttools/blob/master/docs/README_GENERAL.md#sign-image
+set(mcuboot_header_offset 0)
+if((DEFINED CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE) OR (DEFINED CONFIG_MCUBOOT_SIGNATURE_KEY_FILE))
+set(mcuboot_header_offset 0x400)
+endif()
+
 # Calculate the place in flash
 math(EXPR flash_addr_offset
-  "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET} + ${CONFIG_ROM_START_OFFSET}"
+  "${CONFIG_CYW20829_FLASH_SAHB_ADDR} + ${CONFIG_FLASH_LOAD_OFFSET} + ${mcuboot_header_offset}"
   OUTPUT_FORMAT HEXADECIMAL
 )
-set(gen_app_header_args --flash_addr_offset ${flash_addr_offset})
+set(gen_app_header_args ${gen_app_header_args} --flash_addr_offset ${flash_addr_offset} )
 
 # Generate platform specific header (TOC2, l1_desc, etc)
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
@@ -45,7 +114,13 @@ set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_merged.hex  CACHE PATH "merged
 set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
   COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
     -o ${MERGED_FILE}
-    ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
+    ${app_signed_enc_path}.hex ${ZEPHYR_BINARY_DIR}/app_header.hex
   )
 
 set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${MERGED_FILE})
+
+# Use custom mcuboot cmake for sign/encrypt by using cysecuretools
+if(CONFIG_BOOTLOADER_MCUBOOT)
+  set_target_properties(zephyr_property_target PROPERTIES SIGNING_SCRIPT
+    ${CMAKE_CURRENT_LIST_DIR}/mcuboot.cmake)
+endif()
diff --git a/soc/infineon/cat1b/cyw20829/Kconfig b/soc/infineon/cat1b/cyw20829/Kconfig
@@ -17,6 +17,27 @@ config SOC_SERIES_CYW20829
 	select BUILD_OUTPUT_BIN
 	select SOC_EARLY_INIT_HOOK
 
+config INFINEON_SECURE_LCS
+	bool "Secure LCS stage support"
+	help
+	  Enable support of SECURE LCS stage. In this stage, the protection
+	  state is set to “secure”. A secured device will boot only when the
+	  authentication of its flash boot and application code succeeds.
+
+config INFINEON_SECURE_POLICY
+	string "Path to policy JSON file"
+	default "default_policy.json"
+	help
+	  Policy is a text file in JSON format that contains a set of properties
+	  for the device configuration (e.g., enabling/disabling debug access ports,
+	  SMIF configuration, keys information, etc).
+
+config INFINEON_SMIF_ENCRYPTION
+	bool "SMIF encryption support"
+	depends on INFINEON_SECURE_LCS
+	help
+	  Enables SMIF encryption.
+
 config CYW20829_FLASH_SAHB_ADDR
 	hex
 	default $(dt_nodelabel_reg_addr_hex,flash_sahb)
diff --git a/tests/application_development/vector_table_relocation/src/main.c b/tests/application_development/vector_table_relocation/src/main.c
@@ -27,7 +27,7 @@
 
 #if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU))
 #include <cmsis_core.h>
-void disable_mpu_rasr_xn(void)
+static void disable_mpu_rasr_xn(void)
 {
 	uint32_t index;
 	/* Kept the max index as 8(irrespective of soc) because the sram

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@`
`27`	`27`
`28`	`28`	`#if (defined(CONFIG_ARM_MPU) && !defined(CONFIG_CPU_HAS_NXP_SYSMPU))`
`29`	`29`	`#include <cmsis_core.h>`
`30`		`-void disable_mpu_rasr_xn(void)`
	`30`	`+static void disable_mpu_rasr_xn(void)`
`31`	`31`	`{`
`32`	`32`	`uint32_t index;`
`33`	`33`	`/* Kept the max index as 8(irrespective of soc) because the sram`