boards: arm: mps2_an521: Add TFM support

This commit adds support for TF-M to the MPS2 AN521.

When the CONFIG_BUILD_WITH_TFM flag is set, a secure and
non-secure processing environment image pair will be
generated, with the Zephyr application image running on
the non-secure side.

The secure and non-secure binary images will be signed
for use with the BL2 secure bootloader.

An additional .hex file is also generated to enable
running QEMU with the AN521 binaries, `tfm_qemu.hex`,
which can be executed with the `-t run` option with
west,  or `run` with ninja or make.

When configured for use with TF-M, the
`mps2_an521_nonsecure` board definition should be used.

Signed-off-by: Karl Zhang <karl.zhang@linaro.org>

boards/arm/mps2_an521/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019 Linaro Limited
+# Copyright (c) 2019,2020 Linaro Limited
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -7,3 +7,82 @@
 zephyr_library()
 zephyr_library_sources(pinmux.c)
 zephyr_library_include_directories(${ZEPHYR_BASE}/drivers)
+
+if (CONFIG_BUILD_WITH_TFM)
+	# Set default image versions if not defined elsewhere
+	if (NOT DEFINED TFM_IMAGE_VERSION_S)
+		set(TFM_IMAGE_VERSION_S 0.0.0+0)
+	endif()
+
+	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
+		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
+	endif()
+
+	set(PREPROCESSED_FILE "${CMAKE_BINARY_DIR}/tfm/image_macros_preprocessed")
+	set(TFM_MCUBOOT_DIR "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot")
+
+	# Configure which format (full or hash) to include the public key in
+	# the image manifest
+	set(TFM_PUBLIC_KEY_FORMAT "full")
+
+	# Set srec_cat binary name
+	find_program(SREC_CAT srec_cat)
+	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
+	    message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
+	endif()
+
+	#Create and sign for concatenated binary image, should align with the TF-M BL2
+	set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+
+		#Sign secure binary image with public key
+		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/imgtool.py
+		ARGS sign
+			 --layout ${PREPROCESSED_FILE}_s.c
+			 -k ${CONFIG_TFM_KEY_FILE_S}
+			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+			 --align 1
+			 -v ${TFM_IMAGE_VERSION_S}
+			 ${ADD_NS_IMAGE_MIN_VER}
+			 ${ADD_SECURITY_COUNTER_S}
+			 -H 0x400
+			 ${CMAKE_BINARY_DIR}/tfm/install/outputs/AN521/tfm_s.bin
+			 ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+
+		#Sign non-secure binary image with public key
+		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/imgtool.py
+		ARGS sign
+			 --layout ${PREPROCESSED_FILE}_ns.c
+			 -k ${CONFIG_TFM_KEY_FILE_NS}
+			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+			 --align 1
+			 -v ${TFM_IMAGE_VERSION_NS}
+			 ${ADD_S_IMAGE_MIN_VER}
+			 ${ADD_SECURITY_COUNTER_NS}
+			 -H 0x400
+			 ${CMAKE_BINARY_DIR}/zephyr/zephyr.bin
+			 ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+
+		#Create concatenated binary image from the two independently signed binary file
+		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
+		ARGS --layout ${PREPROCESSED_FILE}_s.c
+			 -s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+			 -n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+			 -o ${CMAKE_BINARY_DIR}/tfm_sign.bin
+
+		#Copy mcuboot.bin
+		COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/mcuboot.bin ${CMAKE_BINARY_DIR}
+
+		#Merge mcuboot.bin and tfm_sign.bin for QEMU
+		COMMAND ${SREC_CAT}
+		ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
+			${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
+			-offset 0x80000
+			-o ${CMAKE_BINARY_DIR}/tfm_qemu.bin -Binary
+
+		#Convert tfm_qemu.bin to .hex with an appropriate offset
+		COMMAND ${SREC_CAT}
+		ARGS ${CMAKE_BINARY_DIR}/tfm_qemu.bin -binary
+			-offset 0x10000000
+			-o ${CMAKE_BINARY_DIR}/tfm_qemu.hex -intel --line-length=44
+	)
+endif()

boards/arm/mps2_an521/board.cmake

@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 set(EMU_PLATFORM qemu)
+set(TFM_TARGET_PLATFORM "AN521")
 
 set(QEMU_CPU_TYPE_${ARCH} cortex-m33)
 set(QEMU_FLAGS_${ARCH}

boards/arm/mps2_an521/doc/index.rst

@@ -30,7 +30,7 @@ More information about the board can be found at the `MPS2 FPGA Website`_.
    This board configuration makes no claims about its suitability for use
    with actual MPS2 hardware systems using AN521, or any other hardware
    system. It has been tested on actual hardware, but its primary purpose is
-   for use with QEMU and unit tests.
+   for use with QEMU and unit tests for the ARM Cortex-M33.
 
 Hardware
 ********
@@ -380,9 +380,10 @@ The process requires five steps:
 4. Merge the two binaries together and sign them.
 5. Concatenate the bootloader with the signed image blob.
 
-To build tfm as secure image, refer to `Trusted Firmware M Guide`_.
-Follow the build steps for AN521 target while replacing the platform with
-``-DTARGET_PLATFORM=AN521`` and compiler (if required) with ``-DCOMPILER=GNUARM``
+To build tfm, refer to `Trusted Firmware M Guide`_. Follow the build steps
+for the AN521 target while replacing the platform with
+``-DTARGET_PLATFORM=AN521`` and the compiler (if required) with
+``-DCOMPILER=GNUARM``.
 
 Copy over tfm as a library to the Zephyr project source and create a shortcut
 for the secure veneers and necessary header files. All files are in the install
@@ -391,15 +392,15 @@ folder after TF-M has been built.
 Uploading an application to MPS2+ AN521
 ---------------------------------------
 
-Applications can be elf, hex or bin format. The binaries were flashed while
-the board boot up, all files were stored in the on-board Micro SD card in
-advance. The Motherboard Configuration Controller (MCC) will responsible for
-loading the FPGA image and binaries.
+Applications can be in elf, hex or bin format. The binaries are flashed when
+the board boots up, using files stored on the on-board Micro SD card. The
+Motherboard Configuration Controller (MCC) is responsible for loading the FPGA
+image and binaries.
 
 Connect the MPS2+ to your host computer using the USB port. You should see a
 USB connection exposing a Mass Storage (``V2M_MPS2`` by default).
 
-The update needs 3 steps:
+The update requires 3 steps:
 
 1. Copy application files to ``<MPS2 device name>/SOFTWARE/``.
 2. Open ``<MPS2 device name>/MB/HBI0263C/AN521/images.txt``.