meta-arm.lists.yoctoproject.org archive mirror
* [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release
@ 2023-02-22 12:04 Peter Hoyes
  2023-02-22 12:04 ` [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign Peter Hoyes
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

Update the TF-M image signing scripts to use the TF-M 1.7.0 sources, so
it is in sync with the TF-M recipe itself.

Synchronize the trusted-firmware-m and -scripts Python dependencies
with the in-repo requirements.txt files. This requires a recipe to be
carried for pyhsslms.

1.7.0 introduces the --measured-boot-record argument to the image
signing script, which is required to maintain existing behavior. Add it
to the arguments in the tfm_sign_image bbclass.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 meta-arm/classes/tfm_sign_image.bbclass            |  1 +
 .../trusted-firmware-m/trusted-firmware-m_1.7.0.bb | 14 ++++++++++----
 .../python/python3-pyhsslms_1.1.1.bb               | 10 ++++++++++
 ... => trusted-firmware-m-scripts-native_1.7.0.bb} | 14 +++++++++++---
 4 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
 rename meta-arm/recipes-devtools/trusted-firmware-m-scripts/{trusted-firmware-m-scripts-native_1.6.0.bb => trusted-firmware-m-scripts-native_1.7.0.bb} (64%)

diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index 542b708b..a5c41ae3 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -72,6 +72,7 @@ EOF
             --align 1 \
             --pad \
             --pad-header \
+            --measured-boot-record \
             -H ${RE_IMAGE_OFFSET} \
             -s auto \
             "${1}" \
diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
index f4219be6..8df21339 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
@@ -59,15 +59,21 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
+# See tools/requirements.txt for Python dependencies
 DEPENDS += "cmake-native \
             ninja-native \
             gcc-arm-none-eabi-native \
-            python3-intelhex-native \
-            python3-jinja2-native \
-            python3-pyyaml-native \
+            python3-cbor2-native \
             python3-click-native \
             python3-cryptography-native \
-            python3-cbor2-native"
+            python3-pyasn1-native \
+            python3-imgtool-native \
+            python3-jinja2-native \
+            python3-pyyaml-native \
+            python3-pyhsslms-native \
+            python3-ecdsa-native \
+            python3-kconfiglib-native \
+"
 
 S = "${WORKDIR}/git/tfm"
 B = "${WORKDIR}/build"
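
Review bot: python3-intelhex-native is removed from DEPENDS in this hunk, but the commit message only speaks of synchronizing with requirements.txt and does not mention the removal. Please confirm that no build step of the supported platforms still imports intelhex under 1.7.0. The list is also reordered in the same change, which hides the real delta (pyasn1, imgtool, pyhsslms, ecdsa and kconfiglib added; intelhex removed). Doing the reorder separately would make this easier to review. The new comment points at tools/requirements.txt, so a word on whether the layer's recipe versions satisfy the constraints in that file would be useful.
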
diff --git a/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
new file mode 100644
index 00000000..6012ab2d
--- /dev/null
+++ b/meta-arm/recipes-devtools/python/python3-pyhsslms_1.1.1.bb
@@ -0,0 +1,10 @@
+SUMMARY = "Pure-Python implementation of HSS/LMS Digital Signatures (RFC 8554)"
+HOMEPAGE ="https://pypi.org/project/pyhsslms"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=58f6f7065b99f9d01d56e759256a6f1b"
+
+inherit pypi python_setuptools_build_meta
+PYPI_PACKAGE = "pyhsslms"
+SRC_URI[sha256sum] = "58bf03e34c6f9d5a3cfd77875d0a1356d4f23d7ad6ffd129b1e60de1208db753"
+
+BBCLASSEXTEND = "native nativesdk"
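
Review bot: the HOMEPAGE line in this new recipe is written as HOMEPAGE ="https://pypi.org/project/pyhsslms" with no space after the equals sign, unlike every other assignment in the file; please make it consistent. BBCLASSEXTEND also enables nativesdk although this series only consumes python3-pyhsslms-native, so either drop it or say in the commit message why it is wanted. Since the package ends up in the dependency set of the firmware build, a line in the commit message on why the recipe is carried in meta-arm would help future maintainers decide when it can be removed.
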
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
similarity index 64%
rename from meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
rename to meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
index db35ecf7..f30c3b52 100644
--- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
@@ -1,9 +1,9 @@
 
 SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
 SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH}"
-# Use the wrapper script from TF-Mv1.6.0
+# Use the wrapper script from TF-Mv1.7.0
 SRCBRANCH ?= "master"
-SRCREV = "7387d88158701a3c51ad51c90a05326ee12847a8"
+SRCREV = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e"
 
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"
@@ -12,7 +12,15 @@ S = "${WORKDIR}/git"
 
 inherit native
 
-RDEPENDS:${PN} = "python3-imgtool-native python3-click-native"
+# See bl2/ext/mcuboot/scripts/requirements.txt
+RDEPENDS:${PN} = "\
+    python3-cryptography-native \
+    python3-pyasn1-native \
+    python3-pyyaml-native \
+    python3-cbor2-native \
+    python3-imgtool-native \
+    python3-click-native \
+"
 
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
-- 
2.34.1




* [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
@ 2023-02-22 12:04 ` Peter Hoyes
  2023-02-22 12:04 ` [PATCH 3/6] arm/trusted-firmware-m: Create common inc file for src definitions Peter Hoyes
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

Factor out the image signing arguments in tfm_image_sign.bbclass into
its own variable, TFM_IMAGE_SIGN_ARGS, so that it can be customized on a
per-machine basis if necessary.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 meta-arm/classes/tfm_sign_image.bbclass | 26 +++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index a5c41ae3..5ba57dc8 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -35,6 +35,21 @@ DEPENDS += "trusted-firmware-m-scripts-native"
 # right path until this is relocated automatically.
 export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
 
+# The arguments passed to the TF-M image signing script. Override this variable
+# in an image recipe to customize the arguments.
+TFM_IMAGE_SIGN_ARGS ?= "\
+    -v ${RE_LAYOUT_WRAPPER_VERSION} \
+    --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
+    -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
+    --public-key-format full \
+    --align 1 \
+    --pad \
+    --pad-header \
+    --measured-boot-record \
+    -H ${RE_IMAGE_OFFSET} \
+    -s auto \
+"
+
 #
 # sign_host_image
 #
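
Review bot: ${host_binary_layout} in the --layout line is not defined as a BitBake variable anywhere in this series, and the lines removed in the next hunk used it inside the sign_host_image shell function, so it appears to be a shell variable of that function. The default therefore only works because BitBake leaves the unknown reference unexpanded and the shell resolves it when the function runs. Please state that in the comment above TFM_IMAGE_SIGN_ARGS, so that an override does not replace it with something evaluated at parse time. Because the variable is replaced as a whole, an override will also silently miss arguments added to the default later, as --measured-boot-record was in 1/6; keeping the required arguments in the class and exposing a separate variable for additions would avoid that. Finally, the comment says to override in an image recipe while the commit message says per-machine; pick one.
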
@@ -65,16 +80,7 @@ EOF
     host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"
 
     ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
-            -v ${RE_LAYOUT_WRAPPER_VERSION} \
-            --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
-            -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
-            --public-key-format full \
-            --align 1 \
-            --pad \
-            --pad-header \
-            --measured-boot-record \
-            -H ${RE_IMAGE_OFFSET} \
-            -s auto \
+            ${TFM_IMAGE_SIGN_ARGS} \
             "${1}" \
             "${host_binary_signed}"
 }
-- 
2.34.1




* [PATCH 3/6] arm/trusted-firmware-m: Create common inc file for src definitions
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
  2023-02-22 12:04 ` [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign Peter Hoyes
@ 2023-02-22 12:04 ` Peter Hoyes
  2023-02-22 12:04 ` [PATCH 4/6] arm/trusted-firmware-m: Create inc file for common config Peter Hoyes
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

To try and prevent trusted-firmware-m and trusted-firmware-m-scripts
from becoming out of sync in the future, create a common
trusted-firmware-m-1.7.0-src.inc which defines all the repositories and
their SHAs for both. Include this file in both recipes.

Add a SUMMARY and DESCRIPTION to trusted-firmware-m-scripts.

Update mbedtls to 3.2.1 (the recommended version for TF-M 1.7.0)

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 .../trusted-firmware-m-1.7.0-src.inc          | 41 +++++++++++++++++++
 .../trusted-firmware-m_1.7.0.bb               | 40 ++----------------
 ...trusted-firmware-m-scripts-native_1.7.0.bb | 14 ++-----
 3 files changed, 48 insertions(+), 47 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc

diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
new file mode 100644
index 00000000..7d5b4b53
--- /dev/null
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
@@ -0,0 +1,41 @@
+# Common src definitions for trusted-firmware-m and trusted-firmware-m-scripts
+
+LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0"
+
+LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \
+                    file://../tf-m-tests/license.rst;md5=02d06ffb8d9f099ff4961c0cb0183a18 \
+                    file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+                    file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8"
+
+SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M_TESTS ?= "git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "git://github.com/ARMmbed/mbedtls.git;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https"
+SRC_URI  = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \
+            ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \
+            ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \
+            ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \
+            ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \
+            "
+
+# The required dependencies are documented in tf-m/config/config_default.cmake
+# TF-Mv1.7.0
+SRCBRANCH_tfm ?= "master"
+SRCREV_tfm = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e"
+# TF-Mv1.7.0
+SRCBRANCH_tfm-tests ?= "master"
+SRCREV_tfm-tests = "4c4b58041c6c01670266690538a780b4a23d08b8"
+# mbedtls-3.2.1
+SRCBRANCH_mbedtls ?= "master"
+SRCREV_mbedtls = "869298bffeea13b205343361b7a7daf2b210e33d"
+# v1.9.0
+SRCBRANCH_mcuboot ?= "main"
+SRCREV_mcuboot = "c657cbea75f2bb1faf1fceacf972a0537a8d26dd"
+# qcbor
+SRCBRANCH_qcbor ?= "master"
+SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff"
+
+SRCREV_FORMAT = "tfm"
+
+S = "${WORKDIR}/git/tfm"
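
Review bot: the comment above SRCREV_mbedtls now reads mbedtls-3.2.1, but the hash is the same 869298bffeea13b205343361b7a7daf2b210e33d that the lines removed from trusted-firmware-m_1.7.0.bb below labelled mbedtls-3.2.0, so the "Update mbedtls to 3.2.1" in the commit message changes only a comment. Either the old comment was wrong, in which case the commit message should say so, or SRCREV_mbedtls still needs to be bumped. Separately, requiring this file from trusted-firmware-m-scripts-native makes that recipe fetch tf-m-tests, mbedtls, mcuboot and qcbor, adds their entries to its LIC_FILES_CHKSUM and widens its LICENSE from BSD-3-Clause to the combined string, although it previously needed only the TF-M repository. Please state in the commit message that this is intended.
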
diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
index 8df21339..799c5d56 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
@@ -8,42 +8,9 @@ DESCRIPTION = "Trusted Firmware-M"
 HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
 PROVIDES = "virtual/trusted-firmware-m"
 
-LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0"
-
-LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \
-                    file://../tf-m-tests/license.rst;md5=02d06ffb8d9f099ff4961c0cb0183a18 \
-                    file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \
-                    file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8"
-
-SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
-SRC_URI_TRUSTED_FIRMWARE_M_TESTS ?= "git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https"
-SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "git://github.com/ARMmbed/mbedtls.git;protocol=https"
-SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https"
-SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https"
-SRC_URI  = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \
-            ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \
-            ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \
-            ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \
-            ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \
-            file://rwx.patch \
-            "
-
-# The required dependencies are documented in tf-m/config/config_default.cmake
-# TF-Mv1.7.0
-SRCBRANCH_tfm ?= "master"
-SRCREV_tfm = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e"
-# mbedtls-3.2.0
-SRCBRANCH_mbedtls ?= "master"
-SRCREV_mbedtls = "869298bffeea13b205343361b7a7daf2b210e33d"
-# TF-Mv1.7.0
-SRCBRANCH_tfm-tests ?= "master"
-SRCREV_tfm-tests = "4c4b58041c6c01670266690538a780b4a23d08b8"
-# v1.9.0
-SRCBRANCH_mcuboot ?= "main"
-SRCREV_mcuboot = "c657cbea75f2bb1faf1fceacf972a0537a8d26dd"
-# qcbor
-SRCBRANCH_qcbor ?= "master"
-SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff"
+require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
+
+SRC_URI += "file://rwx.patch"
 
 UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P<pver>\d+(\.\d+)+)$"
 
@@ -75,7 +42,6 @@ DEPENDS += "cmake-native \
             python3-kconfiglib-native \
 "
 
-S = "${WORKDIR}/git/tfm"
 B = "${WORKDIR}/build"
 
 # Build for debug (set TFM_DEBUG to 1 to activate)
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
index f30c3b52..cd273593 100644
--- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
@@ -1,14 +1,8 @@
+SUMMARY = "Trusted Firmware image signing scripts"
+DESCRIPTION = "Trusted Firmware-M image signing scripts"
+HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
 
-SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
-SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH}"
-# Use the wrapper script from TF-Mv1.7.0
-SRCBRANCH ?= "master"
-SRCREV = "b725a1346cdb9ec75b1adcdc4c84705881e8fd4e"
-
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"
-
-S = "${WORKDIR}/git"
+require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
 
 inherit native
 
-- 
2.34.1




* [PATCH 4/6] arm/trusted-firmware-m: Create inc file for common config
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
  2023-02-22 12:04 ` [PATCH 2/6] arm/classes: Factor out image signing arguments in tfm_image_sign Peter Hoyes
  2023-02-22 12:04 ` [PATCH 3/6] arm/trusted-firmware-m: Create common inc file for src definitions Peter Hoyes
@ 2023-02-22 12:04 ` Peter Hoyes
  2023-02-22 12:04 ` [PATCH 5/6] arm/trusted-firmware-m-scripts: " Peter Hoyes
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

To simplify adding support for new versions of TF-M in the future,
create a common .inc file with the non-version-specific configuration.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 .../trusted-firmware-m/trusted-firmware-m.inc | 118 +++++++++++++++++
 .../trusted-firmware-m_1.7.0.bb               | 120 +-----------------
 2 files changed, 119 insertions(+), 119 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc

diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
new file mode 100644
index 00000000..9062df8c
--- /dev/null
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
@@ -0,0 +1,118 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright (c) 2020 Arm Limited
+#
+
+SUMMARY = "Trusted Firmware for Cortex-M"
+DESCRIPTION = "Trusted Firmware-M"
+HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
+PROVIDES = "virtual/trusted-firmware-m"
+
+SRC_URI += "file://rwx.patch"
+
+UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P<pver>\d+(\.\d+)+)$"
+
+# Note to future readers of this recipe: until the CMakeLists don't abuse
+# installation (see do_install) there is no point in trying to inherit
+# cmake here. You can easily short-circuit the toolchain but the install
+# is so convoluted there's no gain.
+
+inherit python3native deploy
+
+# Baremetal and we bring a compiler below
+INHIBIT_DEFAULT_DEPS = "1"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# See tools/requirements.txt for Python dependencies
+DEPENDS += "cmake-native \
+            ninja-native \
+            gcc-arm-none-eabi-native \
+            python3-cbor2-native \
+            python3-click-native \
+            python3-cryptography-native \
+            python3-pyasn1-native \
+            python3-imgtool-native \
+            python3-jinja2-native \
+            python3-pyyaml-native \
+            python3-pyhsslms-native \
+            python3-ecdsa-native \
+            python3-kconfiglib-native \
+"
+
+B = "${WORKDIR}/build"
+
+# Build for debug (set TFM_DEBUG to 1 to activate)
+TFM_DEBUG ?= "0"
+
+# Platform must be set, ideally in the machine configuration.
+TFM_PLATFORM ?= ""
+python() {
+    if not d.getVar("TFM_PLATFORM"):
+        raise bb.parse.SkipRecipe("TFM_PLATFORM needs to be set")
+}
+
+PACKAGECONFIG ??= ""
+# Whether to integrate the test suite
+PACKAGECONFIG[test-secure] = "-DTEST_S=ON,-DTEST_S=OFF"
+PACKAGECONFIG[test-nonsecure] = "-DTEST_NS=ON,-DTEST_NS=OFF"
+
+# Currently we only support using the Arm binary GCC
+EXTRA_OECMAKE += "-DTFM_TOOLCHAIN_FILE=${S}/toolchain_GNUARM.cmake"
+
+# Don't let FetchContent download more sources during do_configure
+EXTRA_OECMAKE += "-DFETCHCONTENT_FULLY_DISCONNECTED=ON"
+
+# Add platform parameters
+EXTRA_OECMAKE += "-DTFM_PLATFORM=${TFM_PLATFORM}"
+
+# Handle TFM_DEBUG parameter
+EXTRA_OECMAKE += "${@bb.utils.contains('TFM_DEBUG', '1', '-DCMAKE_BUILD_TYPE=Debug', '-DCMAKE_BUILD_TYPE=Release', d)}"
+
+# Verbose builds
+EXTRA_OECMAKE += "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON"
+
+EXTRA_OECMAKE += "-DMBEDCRYPTO_PATH=${S}/../mbedtls -DTFM_TEST_REPO_PATH=${S}/../tf-m-tests -DMCUBOOT_PATH=${S}/../mcuboot -DQCBOR_PATH=${S}/../qcbor"
+
+export CMAKE_BUILD_PARALLEL_LEVEL = "${@oe.utils.parallel_make(d, False)}"
+
+# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+do_configure[cleandirs] = "${B}"
+do_configure() {
+    cmake -GNinja -S ${S} -B ${B} ${EXTRA_OECMAKE} ${PACKAGECONFIG_CONFARGS}
+}
+
+# Invoke install here as there's no point in splitting compile from install: the
+# first thing the build does is 'install' inside the build tree thus causing a
+# rebuild. It also overrides the install prefix to be in the build tree, so you
+# can't use the usual install prefix variables.
+do_compile() {
+    cmake --build ${B} -- install
+}
+do_compile[progress] = "outof:^\[(\d+)/(\d+)\]\s+"
+
+do_install() {
+    # TODO install headers and static libraries when we know how they're used
+    install -d -m 755 ${D}/firmware
+    install -m 0644 ${B}/bin/* ${D}/firmware/
+}
+
+FILES:${PN} = "/firmware"
+SYSROOT_DIRS += "/firmware"
+
+addtask deploy after do_install
+do_deploy() {
+    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
+}
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
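
Review bot: SRC_URI += "file://rwx.patch" near the top of this file puts a source patch into what the commit message describes as the non-version-specific configuration, but a patch applies to a particular source revision. Keeping that line in trusted-firmware-m_1.7.0.bb or in the 1.7.0 -src.inc would stop a future version recipe from inheriting a patch that may no longer apply. The rest of the file is a straight move of the recipe body, which is fine.
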
diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
index 799c5d56..32e6ed34 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb
@@ -1,120 +1,2 @@
-# SPDX-License-Identifier: MIT
-#
-# Copyright (c) 2020 Arm Limited
-#
-
-SUMMARY = "Trusted Firmware for Cortex-M"
-DESCRIPTION = "Trusted Firmware-M"
-HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
-PROVIDES = "virtual/trusted-firmware-m"
-
 require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
-
-SRC_URI += "file://rwx.patch"
-
-UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P<pver>\d+(\.\d+)+)$"
-
-# Note to future readers of this recipe: until the CMakeLists don't abuse
-# installation (see do_install) there is no point in trying to inherit
-# cmake here. You can easily short-circuit the toolchain but the install
-# is so convoluted there's no gain.
-
-inherit python3native deploy
-
-# Baremetal and we bring a compiler below
-INHIBIT_DEFAULT_DEPS = "1"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-# See tools/requirements.txt for Python dependencies
-DEPENDS += "cmake-native \
-            ninja-native \
-            gcc-arm-none-eabi-native \
-            python3-cbor2-native \
-            python3-click-native \
-            python3-cryptography-native \
-            python3-pyasn1-native \
-            python3-imgtool-native \
-            python3-jinja2-native \
-            python3-pyyaml-native \
-            python3-pyhsslms-native \
-            python3-ecdsa-native \
-            python3-kconfiglib-native \
-"
-
-B = "${WORKDIR}/build"
-
-# Build for debug (set TFM_DEBUG to 1 to activate)
-TFM_DEBUG ?= "0"
-
-# Platform must be set, ideally in the machine configuration.
-TFM_PLATFORM ?= ""
-python() {
-    if not d.getVar("TFM_PLATFORM"):
-        raise bb.parse.SkipRecipe("TFM_PLATFORM needs to be set")
-}
-
-PACKAGECONFIG ??= ""
-# Whether to integrate the test suite
-PACKAGECONFIG[test-secure] = "-DTEST_S=ON,-DTEST_S=OFF"
-PACKAGECONFIG[test-nonsecure] = "-DTEST_NS=ON,-DTEST_NS=OFF"
-
-# Currently we only support using the Arm binary GCC
-EXTRA_OECMAKE += "-DTFM_TOOLCHAIN_FILE=${S}/toolchain_GNUARM.cmake"
-
-# Don't let FetchContent download more sources during do_configure
-EXTRA_OECMAKE += "-DFETCHCONTENT_FULLY_DISCONNECTED=ON"
-
-# Add platform parameters
-EXTRA_OECMAKE += "-DTFM_PLATFORM=${TFM_PLATFORM}"
-
-# Handle TFM_DEBUG parameter
-EXTRA_OECMAKE += "${@bb.utils.contains('TFM_DEBUG', '1', '-DCMAKE_BUILD_TYPE=Debug', '-DCMAKE_BUILD_TYPE=Release', d)}"
-
-# Verbose builds
-EXTRA_OECMAKE += "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON"
-
-EXTRA_OECMAKE += "-DMBEDCRYPTO_PATH=${S}/../mbedtls -DTFM_TEST_REPO_PATH=${S}/../tf-m-tests -DMCUBOOT_PATH=${S}/../mcuboot -DQCBOR_PATH=${S}/../qcbor"
-
-export CMAKE_BUILD_PARALLEL_LEVEL = "${@oe.utils.parallel_make(d, False)}"
-
-# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
-CFLAGS[unexport] = "1"
-LDFLAGS[unexport] = "1"
-AS[unexport] = "1"
-LD[unexport] = "1"
-
-# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
-# right path until this is relocated automatically.
-export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
-
-do_configure[cleandirs] = "${B}"
-do_configure() {
-    cmake -GNinja -S ${S} -B ${B} ${EXTRA_OECMAKE} ${PACKAGECONFIG_CONFARGS}
-}
-
-# Invoke install here as there's no point in splitting compile from install: the
-# first thing the build does is 'install' inside the build tree thus causing a
-# rebuild. It also overrides the install prefix to be in the build tree, so you
-# can't use the usual install prefix variables.
-do_compile() {
-    cmake --build ${B} -- install
-}
-do_compile[progress] = "outof:^\[(\d+)/(\d+)\]\s+"
-
-do_install() {
-    # TODO install headers and static libraries when we know how they're used
-    install -d -m 755 ${D}/firmware
-    install -m 0644 ${B}/bin/* ${D}/firmware/
-}
-
-FILES:${PN} = "/firmware"
-SYSROOT_DIRS += "/firmware"
-
-addtask deploy after do_install
-do_deploy() {
-    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
-}
-
-# Build paths are currently embedded
-INSANE_SKIP:${PN} += "buildpaths"
+require recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
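
Review bot: the order of the two require lines left in this recipe now matters, because trusted-firmware-m-1.7.0-src.inc assigns SRC_URI with = and trusted-firmware-m.inc appends rwx.patch with +=, so swapping them would drop the patch without any error. A one-line comment in the recipe would make that explicit. The SPDX and copyright header also moves to the .inc, leaving this file with no license header; consider keeping one here as well.
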
-- 
2.34.1




* [PATCH 5/6] arm/trusted-firmware-m-scripts: Create inc file for common config
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
                   ` (2 preceding siblings ...)
  2023-02-22 12:04 ` [PATCH 4/6] arm/trusted-firmware-m: Create inc file for common config Peter Hoyes
@ 2023-02-22 12:04 ` Peter Hoyes
  2023-02-22 12:04 ` [PATCH 6/6] arm/classes: Add sstate support to tfm_sign_images Peter Hoyes
  2023-02-22 16:37 ` [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Jon Mason
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

To simplify adding support for new versions of TF-M scripts in the
future, create a common .inc file with the non-version-specific
configuration.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 .../trusted-firmware-m-scripts-native.inc     | 25 +++++++++++++++++
 ...trusted-firmware-m-scripts-native_1.7.0.bb | 27 +------------------
 2 files changed, 26 insertions(+), 26 deletions(-)
 create mode 100644 meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc

diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc
new file mode 100644
index 00000000..afe655f8
--- /dev/null
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc
@@ -0,0 +1,25 @@
+SUMMARY = "Trusted Firmware image signing scripts"
+DESCRIPTION = "Trusted Firmware-M image signing scripts"
+HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
+
+inherit native
+
+# See bl2/ext/mcuboot/scripts/requirements.txt
+RDEPENDS:${PN} = "\
+    python3-cryptography-native \
+    python3-pyasn1-native \
+    python3-pyyaml-native \
+    python3-cbor2-native \
+    python3-imgtool-native \
+    python3-click-native \
+"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+    install -d ${D}/${libdir}
+    cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts
+    cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts
+}
+FILES:${PN} = "${libdir}/tfm-scripts"
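
Review bot: the second cp in do_install stages every *.pem from bl2/ext/mcuboot into the native sysroot, and tfm_sign_image.bbclass signs with -k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}". These key files come from the public upstream repository named in SRC_URI, so a signature made with them proves nothing about who built the image. As this file becomes the shared definition for future versions, please add a comment that the staged keys are for development only and that production builds must supply their own signing key. The new file also lacks the SPDX header that trusted-firmware-m.inc carries.
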
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
index cd273593..2e9e5249 100644
--- a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.7.0.bb
@@ -1,27 +1,2 @@
-SUMMARY = "Trusted Firmware image signing scripts"
-DESCRIPTION = "Trusted Firmware-M image signing scripts"
-HOMEPAGE = "https://git.trustedfirmware.org/trusted-firmware-m.git"
-
 require recipes-bsp/trusted-firmware-m/trusted-firmware-m-1.7.0-src.inc
-
-inherit native
-
-# See bl2/ext/mcuboot/scripts/requirements.txt
-RDEPENDS:${PN} = "\
-    python3-cryptography-native \
-    python3-pyasn1-native \
-    python3-pyyaml-native \
-    python3-cbor2-native \
-    python3-imgtool-native \
-    python3-click-native \
-"
-
-do_configure[noexec] = "1"
-do_compile[noexec] = "1"
-
-do_install() {
-    install -d ${D}/${libdir}
-    cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts
-    cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts
-}
-FILES:${PN} = "${libdir}/tfm-scripts"
+require recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native.inc
-- 
2.34.1




* [PATCH 6/6] arm/classes: Add sstate support to tfm_sign_images
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
                   ` (3 preceding siblings ...)
  2023-02-22 12:04 ` [PATCH 5/6] arm/trusted-firmware-m-scripts: " Peter Hoyes
@ 2023-02-22 12:04 ` Peter Hoyes
  2023-02-22 16:37 ` [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Jon Mason
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Hoyes @ 2023-02-22 12:04 UTC (permalink / raw)
  To: meta-arm; +Cc: Peter Hoyes

From: Peter Hoyes <Peter.Hoyes@arm.com>

Defining a task called do_deploy in an image recipe causes the
license_image bbclass in OE-core to think the recipe is not an image
recipe, which causes errors with license information collection if you
have an image recipe which depends on an image recipe using this
bbclass.

To fix this, and to add support for caching the signed binaries, use a
single task, do_sign_images (and its setscene task). The implementation
is based on deploy.bbclass, so the sstate is responsible for installing
the signed binaries in ${DEPLOY_DIR_IMAGE}, but using a different name
so that license information collection still works as expected.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
---
 .../recipes-bsp/images/corstone1000-image.bb  |  3 +-
 meta-arm/classes/tfm_sign_image.bbclass       | 28 +++++++++----------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
index 932b1619..3a1639ea 100644
--- a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
+++ b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
@@ -24,7 +24,8 @@ do_sign_images() {
 
     # Update BL2 in the FIP image
     cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .
-    fiptool update --tb-fw ${TFM_IMAGE_SIGN_DIR}/signed_${TFA_BL2_BINARY} \
+    fiptool update --tb-fw \
+        ${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_${TFA_BL2_BINARY} \
         ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}
 
     # Sign the FIP image
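Review bot: The `cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .` context line above the changed fiptool call still copies into the current directory, while fiptool then updates `${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}`. The two only refer to the same file because the bbclass lists TFM_IMAGE_SIGN_DIR last in do_sign_images[dirs], and BitBake uses the last entry as the task's working directory. Consider copying to `${TFM_IMAGE_SIGN_DIR}/` explicitly, so that a later reordering of [dirs] cannot leave fiptool operating on a missing or stale FIP before it is signed.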
diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index 5ba57dc8..24df7682 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -6,28 +6,28 @@
 #  * Write the signing logic, which may call the function sign_host_image,
 #    described below
 
-inherit python3native deploy
+inherit python3native
 
 # The output and working directory
 TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
+TFM_IMAGE_SIGN_DEPLOY_DIR = "${WORKDIR}/deploy-tfm-signed-images"
 
+SSTATETASKS += "do_sign_images"
+do_sign_images[sstate-inputdirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR}"
+do_sign_images[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
+do_sign_images[cleandirs] = "${TFM_IMAGE_SIGN_DEPLOY_DIR} ${TFM_IMAGE_SIGN_DIR}"
+do_sign_images[stamp-extra-info] = "${MACHINE_ARCH}"
 tfm_sign_image_do_sign_images() {
     :
 }
-addtask sign_images after do_configure before do_compile
-do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DIR}"
+addtask sign_images after do_prepare_recipe_sysroot before do_image
+EXPORT_FUNCTIONS do_sign_images
 
-tfm_sign_image_do_deploy() {
-    :
-}
-addtask deploy after do_sign_images
-
-deploy_signed_images() {
-    cp ${TFM_IMAGE_SIGN_DIR}/signed_* ${DEPLOYDIR}/
+python do_sign_images_setscene () {
+    sstate_setscene(d)
 }
-do_deploy[postfuncs] += "deploy_signed_images"
-
-EXPORT_FUNCTIONS do_sign_images do_deploy
+addtask do_sign_images_setscene
 
 DEPENDS += "trusted-firmware-m-scripts-native"
 
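Review bot: The comment `# The output and working directory` above TFM_IMAGE_SIGN_DIR is no longer accurate once TFM_IMAGE_SIGN_DEPLOY_DIR is added beneath it. With the sstate-inputdirs/sstate-outputdirs pair, only files written to TFM_IMAGE_SIGN_DEPLOY_DIR reach ${DEPLOY_DIR_IMAGE}, and the removed deploy_signed_images copy of `${TFM_IMAGE_SIGN_DIR}/signed_*` has no replacement. Please document the two variables separately (scratch directory versus deployed output), so that recipes overriding do_sign_images know where to place the artefacts they expect to be deployed.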
@@ -77,7 +77,7 @@ enum image_attributes {
 };
 EOF
 
-    host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"
+    host_binary_signed="${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_$(basename "${1}")"
 
     ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
             ${TFM_IMAGE_SIGN_ARGS} \
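Review bot: Changing host_binary_signed to `${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_...` moves the signed output for every caller, and no copy is left in TFM_IMAGE_SIGN_DIR. corstone1000-image.bb is adjusted in this patch, but any other recipe that reads `${TFM_IMAGE_SIGN_DIR}/signed_*` after signing will no longer find the file. It is worth checking the remaining users of this class and mentioning the path change in the commit message.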
-- 
2.34.1




* Re: [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release
  2023-02-22 12:04 [PATCH 1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release Peter Hoyes
                   ` (4 preceding siblings ...)
  2023-02-22 12:04 ` [PATCH 6/6] arm/classes: Add sstate support to tfm_sign_images Peter Hoyes
@ 2023-02-22 16:37 ` Jon Mason
  5 siblings, 0 replies; 7+ messages in thread
From: Jon Mason @ 2023-02-22 16:37 UTC (permalink / raw)
  To: meta-arm, Peter Hoyes; +Cc: Peter Hoyes

On Wed, 22 Feb 2023 12:04:36 +0000, Peter Hoyes wrote:
> Update the TF-M image signing scripts to use the TF-M 1.7.0 sources, so
> it is in sync with the TF-M recipe itself.
> 
> Synchronize the trusted-firmware-m and -scripts Python dependencies
> with the in-repo requirements.txt files. This requires a recipe to be
> carried for pyhsslms.
> 
> [...]

Applied, thanks!

[1/6] arm/trusted-firmware-m: Synchronize with 1.7.0 release
      commit: 1f6d2b269298e6174179b0a55be9d82d5cf65c1f
[2/6] arm/classes: Factor out image signing arguments in tfm_image_sign
      commit: 81aaae5754da4f904335f60cf8d14efb42de3668
[3/6] arm/trusted-firmware-m: Create common inc file for src definitions
      commit: de82f2269b7cb57105930dc05a4b711c8b4943d2
[4/6] arm/trusted-firmware-m: Create inc file for common config
      commit: 064a97e74598b5a7d7109cedec1aa8cdc8989869
[5/6] arm/trusted-firmware-m-scripts: Create inc file for common config
      commit: f474a0fee9cfca3207796e132afe5bf7e6d4390f
[6/6] arm/classes: Add sstate support to tfm_sign_images
      commit: 19767152e3bfb427a135f5366fc5b496341f121d

Best regards,
-- 
Jon Mason <jon.mason@arm.com>

