meta-arm.lists.yoctoproject.org archive mirror
From: Peter Hoyes <peter.hoyes@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: Peter Hoyes <Peter.Hoyes@arm.com>
Subject: [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release
Date: Wed, 22 Feb 2023 12:04:36 +0000
Message-ID: <20230222120441.2684534-1-peter.hoyes@arm.com>

From: Peter Hoyes <Peter.Hoyes@arm.com>

Update the TF-M image signing scripts to use the TF-M 1.7.0 sources, so
it is in sync with the TF-M recipe itself.

Synchronize the trusted-firmware-m and -scripts Python dependencies
with the in-repo requirements.txt files. This requires a recipe to be
carried for pyhsslms.

1.7.0 introduces the --measured-boot-record argument to the image
signing script, which is required to maintain existing behavior. Add it
to the arguments in the tfm_sign_image bbclass.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 meta-arm/classes/tfm_sign_image.bbclass            |  1 +
 .../trusted-firmware-m/trusted-firmware-m_1.7.0.bb | 14 ++++++++++----
 .../python/python3-pyhsslms_1.1.1.bb               | 10 ++++++++++
 ... => trusted-firmware-m-scripts-native_1.7.0.bb} | 14 +++++++++++---
 4 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
 rename meta-arm/recipes-devtools/trusted-firmware-m-scripts/{trusted-firmware-m-scripts-native_1.6.0.bb => trusted-firmware-m-scripts-native_1.7.0.bb} (64%)

diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index 542b708b..a5c41ae3 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -72,6 +72,7 @@ EOF
             --align 1 \
             --pad \
             --pad-header \
+            --measured-boot-record \
             -H ${RE_IMAGE_OFFSET} \
             -s auto \
             "${1}" \
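Review bot: `--measured-boot-record` is passed unconditionally in this invocation, so the class now only works with signing scripts that accept the option, which the commit message says first appears in 1.7.0. Nothing at the call site records why the flag is there; a short comment above the command stating that it preserves the pre-1.7.0 output would help, and any recipe that inherits this class while still pinning the 1.6.0 scripts needs to be checked, since it would now fail on an unknown option.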
diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
index f4219be6..8df21339 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
@@ -59,15 +59,21 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
+# See tools/requirements.txt for Python dependencies
 DEPENDS += "cmake-native \
             ninja-native \
             gcc-arm-none-eabi-native \
-            python3-intelhex-native \
-            python3-jinja2-native \
-            python3-pyyaml-native \
+            python3-cbor2-native \
             python3-click-native \
             python3-cryptography-native \
-            python3-cbor2-native"
+            python3-pyasn1-native \
+            python3-imgtool-native \
+            python3-jinja2-native \
+            python3-pyyaml-native \
+            python3-pyhsslms-native \
+            python3-ecdsa-native \
+            python3-kconfiglib-native \
+"
 
 S = "${WORKDIR}/git/tfm"
 B = "${WORKDIR}/build"
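Review bot: python3-intelhex-native is dropped from DEPENDS in the same hunk that reorders the list and adds five new entries, so the removal is easy to miss and the commit message does not mention it. Please confirm that nothing in the 1.7.0 build still imports intelhex and say so in the message. Of the new entries only pyhsslms gets a recipe in this patch; it would be worth stating which layer is expected to provide python3-pyasn1-native, python3-ecdsa-native and python3-kconfiglib-native so that a missing layer dependency shows up in review rather than at parse time.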
diff --git a/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
new file mode 100644
index 00000000..6012ab2d
--- /dev/null
+++ b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
@@ -0,0 +1,10 @@
+SUMMARY = "Pure-Python implementation of HSS/LMS Digital Signatures (RFC 8554)"
+HOMEPAGE ="https://pypi.org/project/pyhsslms"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=58f6f7065b99f9d01d56e759256a6f1b"
+
+inherit pypi python_setuptools_build_meta
+PYPI_PACKAGE = "pyhsslms"
+SRC_URI[sha256sum] = "58bf03e34c6f9d5a3cfd77875d0a1356d4f23d7ad6ffd129b1e60de1208db753"
+
+BBCLASSEXTEND = "native nativesdk"
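Review bot: `HOMEPAGE ="https://pypi.org/project/pyhsslms"` is missing the space after `=`, unlike every other assignment in this new file. The recipe also gives no indication of why it is carried in meta-arm; since the commit message says it exists only to satisfy the TF-M requirements.txt files, a one-line comment to that effect would make it clear when the recipe can be dropped. Pinning the tarball with `SRC_URI[sha256sum]` is the right thing for a package that ends up in the image-signing toolchain.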
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
similarity index 64%
rename from meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
rename to meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
index db35ecf7..f30c3b52 100644
--- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
@@ -1,9 +1,9 @@
 
 SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
 SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH}"
-# Use the wrapper script from TF-Mv1.6.0
+# Use the wrapper script from TF-Mv1.7.0
 SRCBRANCH ?= "master"
-SRCREV = "7387d88158701a3c51ad51c90a05326ee12847a8"
+SRCREV = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e"
 
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"
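Review bot: the new SRCREV is a bare hash on `SRCBRANCH ?= "master"`, and the only thing tying it to the 1.7.0 release is the `# Use the wrapper script from TF-Mv1.7.0` comment two lines above. Because this recipe supplies the script that signs the firmware image, it would be good to state in the comment that the hash is the TF-Mv1.7.0 tag commit, and to confirm it is the same revision used by trusted-firmware-m_1.7.0.bb, which is not visible in this patch. LIC_FILES_CHKSUM for license.rst is unchanged across the bump, which is consistent with the license text not having changed.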
@@ -12,7 +12,15 @@ S = "${WORKDIR}/git"
 
 inherit native
 
-RDEPENDS:${PN} = "python3-imgtool-native python3-click-native"
+# See bl2/ext/mcuboot/scripts/requirements.txt
+RDEPENDS:${PN} = "\
+    python3-cryptography-native \
+    python3-pyasn1-native \
+    python3-pyyaml-native \
+    python3-cbor2-native \
+    python3-imgtool-native \
+    python3-click-native \
+"
 
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
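Review bot: the RDEPENDS list here does not include python3-pyhsslms-native or python3-ecdsa-native, although both are added to DEPENDS in trusted-firmware-m_1.7.0.bb by this same patch and the commit message says the pyhsslms recipe is needed to sync the -scripts dependencies as well. If bl2/ext/mcuboot/scripts/requirements.txt really does not list them, that is fine, but please confirm the signing wrapper does not import either module at run time, otherwise image signing will fail only when the script is executed.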
-- 
2.34.1



Thread overview: 7+ messages
2023-02-22 12:04 Peter Hoyes [this message]
2023-02-22 12:04 ` [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign Peter Hoyes
2023-02-22 12:04 ` [PATCH 3/6] arm/trusted-firmware-m: Create common inc file for src definitions Peter Hoyes
2023-02-22 12:04 ` [PATCH 4/6] arm/trusted-firmware-m: Create inc file for common config Peter Hoyes
2023-02-22 12:04 ` [PATCH 5/6] arm/trusted-firmware-m-scripts: " Peter Hoyes
2023-02-22 12:04 ` [PATCH 6/6] arm/classes: Add sstate support to tfm_sign_images Peter Hoyes
2023-02-22 16:37 ` [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Jon Mason
