1###########
2Secure boot
3###########
4
5.. toctree::
6    :maxdepth: 1
7
8    BL1 Immutable bootloader <bl1.rst>
9    Rollback Protection      <secure_boot_rollback_protection.rst>
10    HW Key integration       <secure_boot_hw_key_integration.rst>
11
12For secure devices it is security critical to enforce firmware authenticity to
13protect against execution of malicious software. This is implemented by building
14a trust chain where each step in the execution chain authenticates the next
15step before execution. The chain of trust is based on a "Root of Trust" which
16is implemented using asymmetric cryptography. The Root of Trust is a combination
17of an immutable bootloader and a public key (ROTPK).
18
19.. Warning::
20    In order to implement a proper chain of trust functionality, it is
21    mandatory that the first stage bootloader and ROTPK is stored in an
22    **immutable** way. To achieve this the bootloader code must be stored and
23    executed from ROM or such part of flash memory which supports write
24    protection. ROTPK can be stored in a one-time-programmable (OTP) memory. If
25    the SoC has a built-in BL1 (immutable) bootloader and the immutability of
26    TF-M secure boot code is not guaranteed then TF-M secure boot code must be
27    authenticated by BL1 bootloader before execution. If immutability of root
28    of trust (first stage bootloader + ROTPK) is not ensured then there is a
29    risk that the secure boot process could be bypassed, which could lead to
30    arbitrary code execution on the device. Current TF-M secure boot code is
31    intended to be a second stage bootloader, therefore it requires
32    authentication before execution. If TF-M secure boot code is used as a first
33    stage bootloader then it must be stored according to the above requirements.
34
35*******************************
36Second stage bootloader in TF-M
37*******************************
38By default, the MCUboot project from
39`GitHub <https://github.com/mcu-tools/mcuboot>`__ is used as the secure
40bootloader in TF-M. The repository is going to be automatically downloaded by
41CMake. The version downloaded can be controlled by the ``MCUBOOT_VERSION``
42CMake variable. If you wish to use a locally downloaded copy, the CMake variable
43``MCUBOOT_PATH`` can be set to its location. This document contains information
44about how MCUboot has been integrated to TF-M. For further information about
45MCUboot design please refer to the `MCUBoot homepage <https://www.trustedfirmware.org/projects/mcuboot/index.html>`__.
46
47Bootloader is started when CPU is released from reset. It runs in secure mode.
48It authenticates the firmware image by hash (SHA-256) and digital signature
49(RSA-3072) validation. Public key, that the checks happens against, can be built
50into the bootloader image or can be provisioned to the SoC during manufacturing.
51Metadata of the image is delivered together with the image itself in a header
52and trailer section. In case of successful authentication, bootloader passes
53execution to the secure image. Execution never returns to bootloader until
54next reset.
55
56A default RSA key pair is stored in the repository, public key is in ``keys.c``
57and private key is in ``root-RSA-3072.pem``.
58
59.. Danger::
60    DO NOT use the default keys in a production code, they are exclusively
61    for testing!
62
63The private key must be stored in a safe place outside of the repository.
64``imgtool.py`` (found in the ``scripts`` directory in the MCUBoot repository,
65or installed through the pip package manager) can be used to generate new key
66pairs.
67
68The bootloader can handle the secure and non-secure images independently
69(multiple image boot) or together (single image boot). In case of multiple image
70boot they are signed independently with different keys and they can be updated
71separately. In case of single image boot the secure and non-secure image is
72handled as a single blob, therefore they must be contiguous in the device
73memory. In this case they are signed together and also they can be updated only
74together. In order to have the same artefacts at the end of the build regardless
75of how the images are handled (independently or together) the images are always
76concatenated. In case of single image boot they are concatenated first and then
77signed. In case of multiple image boot they are separately signed first and then
78concatenated. Preparation of payload is done by Python scripts:
79``bl2/ext/mcuboot/scripts/``. At the end of a successful build the signed TF-M
80payload can be found in: ``<build_dir>/bin/tfm_s_ns_signed.bin``
81
82*********************
83Integration with TF-M
84*********************
85MCUBoot assumes a predefined memory layout which is described below (applicable
86for AN521). It is mandatory to define the primary slot and the secondary slot
87partitions, but their size and location can be changed::
88
89    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
90    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Single binary blob:
91                                    Secure + Non-Secure image;
92                                    Primary memory partition
93      - 0x0008_0000 - 0x0008_03FF:  Common image header
94      - 0x0008_0400 - 0x0008_xxxx:  Secure image
95      - 0x0008_xxxx - 0x0010_03FF:  Padding (with 0xFF)
96      - 0x0010_0400 - 0x0010_xxxx:  Non-secure image
97      - 0x0010_xxxx - 0x0010_xxxx:  Hash value(SHA256), RSA signature and other
98                                    metadata of combined image
99
100    - 0x0018_0000 - 0x0027_FFFF:    Secondary slot : Secure + Non-Secure image;
101                                    Secondary memory partition, structured
102                                    identically to the primary slot
103    - 0x0028_0000 - 0x0037_FFFF:    Scratch area, only used during image
104                                    swapping
105
106Multiple image boot requires a slightly different layout::
107
108    - 0x0000_0000 - 0x0007_FFFF:    BL2 bootloader - MCUBoot
109    - 0x0008_0000 - 0x000F_FFFF:    Primary slot : Secure image
110      - 0x0008_0000 - 0x0008_03FF:  Secure image header
111      - 0x0008_0400 - 0x000x_xxxx:  Secure image
112      - 0x000x_xxxx - 0x000x_xxxx:  Hash value(SHA256), RSA signature and other
113                                    metadata of secure image
114
115    - 0x0010_0000 - 0x0017_FFFF:    Primary slot : Non-secure image
116      - 0x0010_0000 - 0x0010_03FF:  Non-secure image header
117      - 0x0010_0400 - 0x001x_xxxx:  Non-secure image
118      - 0x001x_xxxx - 0x001x_xxxx:  Hash value(SHA256), RSA signature and other
119                                    metadata of non-secure image
120
121    - 0x0018_0000 - 0x001F_FFFF:    Secondary slot : Secure image
122    - 0x0020_0000 - 0x0027_FFFF:    Secondary slot : Non-secure image
123
124    - 0x0028_0000 - 0x002F_FFFF:    Scratch area, only used during image
125                                    swapping, used for secure and non-secure
126                                    image as well
127
128**************************
129Firmware upgrade operation
130**************************
131MCUBoot handles only the firmware authenticity check after start-up and the
132firmware switch part of the firmware update process. Downloading the new version
133of the firmware is out-of-scope for MCUBoot. MCUBoot supports three different
134ways to switch to the new firmware and it is assumed that firmware images are
135executed-in-place (XIP). The default behaviour is the overwrite-based image
136upgrade. In this case the active firmware is always executed from the primary
137slot and the secondary slot is a staging area for new images. Before executing
138the new firmware image, the content of the primary slot must be overwritten with
139the content of the secondary slot (the new firmware image). The second option is
140the image swapping strategy when the content of the two memory slots must be
141physically swapped. This needs the scratch area to be defined in the memory
142layout. The third option is the direct execute-in-place version, which
143eliminates the complexity of image swapping and its administration. Active image
144can be executed from either memory slot, but new firmware must be linked to the
145address space of the proper (currently inactive) memory slot.
146
147Overwrite operation
148===================
149Active image is stored in the primary slot, and this image is started always by
150the bootloader. Therefore images must be linked to the primary slot. If the
151bootloader finds a valid image in the secondary slot, which is marked for
152upgrade, then the content of the primary slot will be simply overwritten with
153the content of the secondary slot, before starting the new image from the
154primary slot. After the content of the primary slot has been successfully
155overwritten, the header and trailer of the new image in the secondary slot is
156erased to prevent the triggering of another unnecessary image upgrade after a
157restart. The overwrite operation is fail-safe and resistant to power-cut
158failures. For more details please refer to the MCUBoot
159`documentation <https://docs.mcuboot.com/>`__.
160
161Swapping operation
162==================
163This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
164switch (see `Build time configuration`_). With swapping image upgrade strategy
165the active image is also stored in the primary slot and it will always be
166started by the bootloader. If the bootloader finds a valid image in the
167secondary slot, which is marked for upgrade, then contents of the primary slot
168and the secondary slot will be swapped, before starting the new image from the
169primary slot. Scratch area is used as a temporary storage place during image
170swapping. Update mark from the secondary slot is removed when the swapping is
171successful. The boot loader can revert the swapping as a fall-back mechanism to
172recover the previous working firmware version after a faulty update. The swap
173operation is fail-safe and resistant to power-cut failures. For more details
174please refer to the MCUBoot
175`documentation <https://docs.mcuboot.com/>`__.
176
177.. Note::
178
179    After a successful image upgrade, user can mark the image as "OK"
180    at runtime by explicitly calling ``psa_fwu_accept``. When this happens,
181    the swap is made "permanent" and MCUBoot will then still choose to run it
182    during the next boot.
183
184    TF-M does not set the image_ok flag, because it is user's duty to determine
185    whether the image is acceptable. Therefore the bootloader will always
186    perform a "revert" (swap the images back) during the next boot.
187
188Direct execute-in-place operation
189=================================
190This operation can be set with the ``MCUBOOT_UPGRADE_STRATEGY`` compile time
191switch (see `Build time configuration`_). When enabling direct-xip operation
192then the active image flag is moved between slots during firmware upgrade. If
193firmware is executed-in-place (XIP), then two firmware images must be generated.
194One of them is linked to be executed from the primary slot memory region and the
195other from the secondary slot. The firmware upgrade client, which downloads the
196new image, must be aware, which slot hosts the active firmware and which acts as
197a staging area and it is responsible for downloading the proper firmware image.
198At boot time MCUBoot inspects the version number in the image header and passes
199execution to the newer firmware version. New image must be marked for upgrade
200which is automatically done by Python scripts at compile time. Image
201verification is done the same way in all operational modes. If new image fails
202during authentication then MCUBoot erases the memory slot and starts the other
203image, after successful authentication.
204
205To select which slot the image is to be executed from, set
206``MCUBOOT_EXECUTION_SLOT`` to the desired index. It is suggested that you create
207two build directories when building images using this mode, as intermediate
208dependencies cannot be reused due to changes in the flash layout.
209
210.. Note::
211
212    Only single image boot is supported with direct-xip upgrade mode.
213
214RAM Loading firmware upgrade
215============================
216Musca-S supports an image upgrade mode that is separate to the other (overwrite,
217swapping and dirext-xip) modes. This is the ``RAM load`` mode (please refer
218to the table below). Like the direct-xip mode, this selects the newest image
219by reading the image version numbers in the image headers, but instead of
220executing it in place, the newest image is copied to RAM for execution. The load
221address, the location in RAM where the image is copied to, is stored in the
222image header.
223
224Summary of different modes for image upgrade
225============================================
226Different implementations of the image upgrade operation (whether through
227overwriting, swapping, direct-xip or loading into RAM and executing from
228there) are supported by the platforms. The table below shows which of these
229modes are supported by which platforms:
230
231+---------------------+-----------------+----------------------------------------------------------+
232|                     | Without BL2 [1]_| With BL2 [2]_                                            |
233+=====================+=================+===============+==========+================+==============+
234|                     | XIP             | XIP           | XIP      | XIP            | Not XIP      |
235+---------------------+-----------------+---------------+----------+----------------+--------------+
236|                     |                 | Overwrite [3]_| Swap [4]_| direct-xip [5]_| RAM load [6]_|
237+---------------------+-----------------+---------------+----------+----------------+--------------+
238| AN521               | Yes             | Yes           | Yes      | Yes            | No           |
239+---------------------+-----------------+---------------+----------+----------------+--------------+
240| AN519               | Yes             | Yes           | Yes      | Yes            | No           |
241+---------------------+-----------------+---------------+----------+----------------+--------------+
242| FVP_SSE300_MPS3     | No              | Yes           | Yes      | Yes            | No           |
243+---------------------+-----------------+---------------+----------+----------------+--------------+
244| Corstone-310 FVP    | Yes             | Yes           | Yes      | Yes            | No           |
245+---------------------+-----------------+---------------+----------+----------------+--------------+
246| LPC55S69            | Yes             | Yes           | No       | Yes            | No           |
247+---------------------+-----------------+---------------+----------+----------------+--------------+
248| Musca-B1            | Yes             | Yes           | Yes      | Yes            | No           |
249+---------------------+-----------------+---------------+----------+----------------+--------------+
250| AN524               | Yes             | No            | No       | Yes            | No           |
251+---------------------+-----------------+---------------+----------+----------------+--------------+
252| AN547               | No              | Yes           | Yes      | Yes            | No           |
253+---------------------+-----------------+---------------+----------+----------------+--------------+
254| AN552               | No              | Yes           | Yes      | Yes            | No           |
255+---------------------+-----------------+---------------+----------+----------------+--------------+
256| PSoC64              | Yes             | No            | No       | No             | No           |
257+---------------------+-----------------+---------------+----------+----------------+--------------+
258| STM_DISCO_L562QE    | No              | Yes           | No       | No             | No           |
259+---------------------+-----------------+---------------+----------+----------------+--------------+
260| STM_NUCLEO_L552ZE_Q | No              | Yes           | No       | No             | No           |
261+---------------------+-----------------+---------------+----------+----------------+--------------+
262| nRF9160 DK          | Yes             | Yes           | No       | No             | No           |
263+---------------------+-----------------+---------------+----------+----------------+--------------+
264| nRF5340 DK          | Yes             | Yes           | No       | No             | No           |
265+---------------------+-----------------+---------------+----------+----------------+--------------+
266| RSE                 | No              | No            | No       | No             | Yes          |
267+---------------------+-----------------+---------------+----------+----------------+--------------+
268
269.. [1] To disable BL2, please set the ``BL2`` cmake option to ``OFF``
270
271.. [2] BL2 is enabled by default
272
273.. [3] The image executes in-place (XIP) and is in Overwrite mode for image
274    update by default
275
276.. [4] To enable XIP Swap mode, assign the "SWAP_USING_SCRATCH" or
277    "SWAP_USING_MOVE" string to the ``MCUBOOT_UPGRADE_STRATEGY``
278    configuration variable in the build configuration file, or include this
279    macro definition in the command line
280
281.. [5] To enable direct-xip, assign the "DIRECT_XIP" string to the
282    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
283    configuration file, or include this macro definition in the command line
284
285.. [6] To enable RAM load, assign the "RAM_LOAD" string to the
286    ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the build
287    configuration file, or include this macro definition in the command line
288
289*******************
290Multiple image boot
291*******************
292It is possible to update the firmware images independently to support the
293scenario when secure and non-secure images are provided by different vendors.
294Multiple image boot is supported only together with the overwrite and swap
295firmware upgrade modes.
296
297It is possible to describe the dependencies of the images on each other in
298order to avoid a faulty upgrade when incompatible versions would be installed.
299These dependencies are part of the image manifest area.
300The dependencies are composed from two parts:
301
302 - **Image identifier:** The number of the image which the current image (whose
303   manifest area contains the dependency entry) depends on. The image identifier
304   starts from 0.
305
306 - **Minimum version:** The minimum version of other image must be present on
307   the device by the end of the upgrade (both images might be updated at the
308   same time).
309
310Dependencies can be added to the images at compile time with the following
311compile time switches:
312
313 - ``MCUBOOT_S_IMAGE_MIN_VER`` It is added to the non-secure image and specifies the
314   minimum required version of the secure image.
315 - ``MCUBOOT_NS_IMAGE_MIN_VER`` It is added to the secure image and specifies the
316   minimum required version of the non-secure image.
317
318Example of how to provide the secure image minimum version::
319
320    cmake -DTFM_PLATFORM=arm/musca_b1 -DMCUBOOT_S_IMAGE_MIN_VER=1.2.3+4 ..
321
322********************
323Signature algorithms
324********************
325MbedTLS library is used to sign the images. The list of supported signing
326algorithms:
327
328  - `RSA-2048`
329  - `RSA-3072`: default
330
331Example keys stored in:
332
333 - ``root-RSA-2048.pem``   : Used to sign single image (S+NS) or secure image
334   in case of multiple image boot
335 - ``root-RSA-2048_1.pem`` : Used to sign non-secure image in case of multiple
336   image boot
337 - ``root-RSA-3072.pem``   : Used to sign single image (S+NS) or secure image
338   in case of multiple image boot
339 - ``root-RSA-3072_1.pem`` : Used to sign non-secure image in case of multiple
340   image boot
341
342************************
343Build time configuration
344************************
345MCUBoot related compile time switches can be set by cmake variables.
346
347- BL2 (default: True):
348    - **True:** TF-M built together with bootloader. MCUBoot is executed after
349      reset and it authenticates TF-M and starts secure code.
350    - **False:** TF-M built without bootloader. Secure image linked to the
351      beginning of the device memory and executed after reset. If it is false
352      then using any of the further compile time switches is invalid.
353- MCUBOOT_UPGRADE_STRATEGY (default: "OVERWRITE_ONLY"):
354    - **"OVERWRITE_ONLY":** Default firmware upgrade operation with overwrite.
355    - **"SWAP_USING_SCRATCH":** Activate swapping firmware upgrade operation
356      with a scratch area in flash
357    - **"SWAP_USING_MOVE":** Activate swapping firmware upgrade operation
358      without a scratch area in flash
359    - **"DIRECT_XIP":** Activate direct execute-in-place firmware upgrade
360      operation.
361    - **"RAM_LOAD":** Activate RAM loading firmware upgrade operation, where
362      the latest image is copied to RAM and runs from there instead of being
363      executed in-place.
364- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
365    - **RSA-2048:** Image is signed with RSA algorithm and signed with 2048 bit key.
366    - **RSA-3072:** Image is signed with RSA algorithm and signed with 3072 bit key.
367    - **EC-P256:** Image is signed with ECDSA P-256 algorithm.
368    - **EC-P384:** Image is signed with ECDSA P-384 algorithm.
369- MCUBOOT_IMAGE_NUMBER (default: 2):
370    - **1:** Single image boot, secure and non-secure images are signed and
371      updated together.
372    - **2:** Multiple image boot, secure and non-secure images are signed and
373      updatable independently.
374- MCUBOOT_HW_KEY (default: True):
375    - **True:** The hash of public key is provisioned to the SoC and the image
376      manifest contains the whole public key (imgtool uses
377      ``--public_key_format=full``). MCUBoot validates the key before using it
378      for firmware authentication, it calculates the hash of public key from the
379      manifest and compare against the retrieved key-hash from the hardware.
380      This way MCUBoot is independent from the public key(s).  Key(s) can be
381      provisioned any time and by different parties.
382    - **False:** The whole public key is embedded to the bootloader code and the
383      image manifest contains only the hash of the public key (imgtool uses
384      ``--public_key_format=hash``). MCUBoot validates the key before using it
385      for firmware authentication, it calculates the hash of built-in public key
386      and compare against the retrieved key-hash from the image manifest. After
387      this the bootloader can verify that the image was signed with a private
388      key that corresponds to the retrieved key-hash (it can have more public
389      keys embedded in and it may have to look for the matching one). All the
390      public key(s) must be known at MCUBoot build time.
391- MCUBOOT_BUILTIN_KEY (default: False):
392    - **True:** When enabled, the entire public key used for signature
393      verification must be provisioned to the target device. In this case,
394      neither the code nor the image metadata needs to contain any public
395      key data. During image validation only a key ID is passed to the verifier
396      function for the required key to be selected. The key handling is entirely
397      the responsibility of the underlying crypto library and the details of the
398      key handling mechanism are abstracted away from the boot code.
399- TFM_BL2_LOG_LEVEL:
400    Can be used to configure the level of logging in BL2/MCUBoot. The possible
401    values are the following:
402
403    - **LOG_LEVEL_NONE**
404    - **LOG_LEVEL_ERROR**
405    - **LOG_LEVEL_WARNING**
406    - **LOG_LEVEL_INFO**
407    - **LOG_LEVEL_VERBOSE**
408
409    The logging in MCUBoot can be disabled and thus the code size can be reduced
410    by setting it to ``LOG_LEVEL_NONE``. Its value depends on the build type. If the build
411    type is ``Debug`` then default value is ``LOG_LEVEL_INFO``. In case of different kinds
412    of ``Release`` builds the default value is ``LOG_LEVEL_NONE``. The default value can
413    be overridden through the command line or in the CMake GUI regardless of the
414    build type.
415- MCUBOOT_ENC_IMAGES (default: False):
416    - **True:** Adds encrypted image support in the source and encrypts the
417      resulting image using the ``enc-rsa2048-pub.pem`` key found in the MCUBoot
418      repository.
419    - **False:** Doesn't add encrypted image support and doesn't encrypt the
420      image.
421
422    .. Note::
423        The decryption takes place during the upgrade process, when the images
424        are being moved between the slots. This means that boards that don't
425        already have an image on them with MCUBoot that has been compiled with
426        ``MCUBOOT_ENCRYPT_RSA`` enabled need special treatment. In order to load
427        an encrypted image to such boards, an upgrade needs to be executed. This
428        can be done by using MCUBoot, putting an image in the secondary image
429        area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``. When using the
430        ``OVERWRITE_ONLY`` upgrade strategy, this is enough. When using
431        ``SWAP_USING_SCRATCH`` or ``SWAP_USING_MOVE``, an image is needed in
432        the primary image area as well, to trigger the update.
433
434    .. Danger::
435        DO NOT use the ``enc-rsa2048-pub.pem`` key in production code, it is
436        exclusively for testing!
437
438Image versioning
439================
440An image version number is written to its header by one of the Python scripts,
441and this number is used by the bootloader when the direct execute-in-place or
442the RAM loading mode is enabled. It is also used in case of multiple image boot
443when the bootloader checks the image dependencies if any have been added to the
444images.
445
446The version number of the image (single image boot) can manually be passed in
447through the command line in the cmake configuration step::
448
449    cmake -DTFM_PLATFORM=arm/musca_b1 -DIMAGE_VERSION_S=1.2.3+4 ..
450
451Alternatively, the version number can be less specific (e.g 1, 1.2, or 1.2.3),
452where the missing numbers are automatically set to zero. The image version
453number argument is optional, and if it is left out, then the version numbers of
454the image(s) being built in the same directory will automatically change. In
455this case, the last component (the build number) automatically increments from
456the previous one: 0.0.0+1 -> 0.0.0+2, for as many times as the build is re-ran,
457**until a number is explicitly provided**. If automatic versioning is in place
458and then an image version number is provided for the first time, the new number
459will take precedence and be used instead. All subsequent image versions are
460then set to the last number that has been specified, and the build number would
461stop incrementing. Any new version numbers that are provided will overwrite
462the previous one: 0.0.0+1 -> 0.0.0+2. Note: To re-apply automatic image
463versioning, please start a clean build without specifying the image version
464number at all. In case of multiple image boot there are separate compile time
465switches for both images to provide their version: ``IMAGE_VERSION_S`` and
466``IMAGE_VERSION_NS``. These must be used instead of ``IMAGE_VERSION_S``.
467
468Security counter
469================
470Each signed image contains a security counter in its manifest. It is used by the
471bootloader and its aim is to have an independent (from the image version)
472counter to ensure rollback protection by comparing the new image's security
473counter against the original (currently active) image's security counter during
474the image upgrade process. It is added to the manifest (to the TLV area that is
475appended to the end of the image) by one of the Python scripts when signing the
476image. The value of the security counter is security critical data and it is in
477the integrity protected part of the image. The last valid security counter
478should always be stored in a non-volatile and trusted component of the device
479and its value should always be increased if a security flaw was fixed in the
480current image version. The value of the security counter (single image boot) can
481be specified at build time in the cmake configuration step::
482
483    cmake -DTFM_PLATFORM=arm/musca_b1 -DSECURITY_COUNTER_S=42 ../
484
485The security counter can be independent from the image version, but not
486necessarily. Alternatively, if it is not specified at build time with the
487``SECURITY_COUNTER`` option the Python script will automatically generate it
488from the image version number (not including the build number) and this value
489will be added to the signed image. In case of multiple image boot there are
490separate compile time switches for both images to provide their security counter
491value: ``SECURITY_COUNTER_S`` and ``SECURITY_COUNTER_NS``. These must be used
492instead of ``SECURITY_COUNTER_S``. If these are not defined then the security
493counter values will be derived from the corresponding image version similar to
494the single image boot.
495
496***************************
497Signing the images manually
498***************************
499Normally the build system handles the signing (computing hash over the image
500and security critical manifest data and then signing the hash) of the firmware
501images. However, the images also can be signed manually by using the ``imgtool``
502Python program which is located in the MCUboot repository  in the ``scripts``
503folder or can be installed with the pip package manager.
504Issue the ``python3 imgtool.py sign --help`` command in the directory for more
505information about the mandatory and optional arguments. The tool takes an image
506in binary or Intel Hex format and adds a header and trailer that MCUBoot is
507expecting. In case of single image boot after a successful build the
508``tfm_s_ns.bin`` build artifact (contains the concatenated secure and non-secure
509images) must be passed to the script and in case of multiple image boot the
510``tfm_s.bin`` and ``tfm_ns.bin`` binaries can be passed to prepare the signed
511images.
512
513Signing the secure image manually in case of multiple image boot
514================================================================
515
516::
517
518    python3 bl2/ext/mcuboot/scripts/imgtool.py sign \
519        --layout <build_dir>/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.c.obj \
520        -k <tfm_dir>/bl2/ext/mcuboot/root-RSA-3072.pem \
521        --public-key-format full \
522        --align 1 \
523        -v 1.2.3+4 \
524        -d "(1,1.2.3+0)" \
525        -s 42 \
526        -H 0x400 \
527        <build_dir>/bin/tfm_s.bin \
528        <build_dir>/bin/tfm_s_signed.bin
529
530************************
531Testing firmware upgrade
532************************
533As downloading the new firmware image is out of scope for MCUBoot, the update
534process is started from a state where the original and the new image are already
535programmed to the appropriate memory slots. To generate the original and a new
536firmware package, TF-M is built twice with different build configurations.
537
538Overwriting firmware upgrade
539============================
540Run TF-M build twice with ``MCUBOOT_IMAGE_NUMBER`` set to "1" in both cases
541(single image boot), but with two different build configurations: default and
542regression. Save the artifacts between builds, because second run can overwrite
543original binaries. Download default build to the primary slot and regression
544build to the secondary slot.
545
546Executing firmware upgrade on FVP_MPS2_AEMv8M
547---------------------------------------------
548.. code-block:: bash
549
550    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
551    --parameter fvp_mps2.platform_type=2 \
552    --parameter cpu0.baseline=0 \
553    --parameter cpu0.INITVTOR_S=0x10000000 \
554    --parameter cpu0.semihosting-enable=0 \
555    --parameter fvp_mps2.DISABLE_GATING=0 \
556    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
557    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
558    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
559    --parameter fvp_mps2.telnetterminal0.quiet=0 \
560    --parameter fvp_mps2.telnetterminal1.quiet=1 \
561    --parameter fvp_mps2.telnetterminal2.quiet=1 \
562    --application cpu0=<build_dir>/bin/bl2.axf \
563    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
564    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
565
566Executing firmware upgrade on SSE 200 FPGA on MPS2 board
567--------------------------------------------------------
568
569::
570
571    TITLE: Versatile Express Images Configuration File
572    [IMAGES]
573    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
574    IMAGE0ADDRESS: 0x00000000
575    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
576    IMAGE1ADDRESS: 0x10080000
577    IMAGE1FILE: \Software\tfm_sig1.bin ; TF-M default test binary blob
578    IMAGE2ADDRESS: 0x10180000
579    IMAGE2FILE: \Software\tfm_sig2.bin ; TF-M regression test binary blob
580
581The following message will be shown in case of successful firmware upgrade:
582
583::
584
585    [INF] Starting bootloader
586    [INF] Swap type: test
587    [INF] Image upgrade secondary slot -> primary slot
588    [INF] Erasing the primary slot
589    [INF] Copying the secondary slot to the primary slot: 0x100000 bytes
590    [INF] Bootloader chainload address offset: 0x80000
591    [INF] Jumping to the first image slot
592    [Sec Thread] Secure image initializing!
593
594    #### Execute test suites for the Secure area ####
595    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
596    ...
597
598To update the secure and non-secure images separately (multiple image boot),
599set the ``MCUBOOT_IMAGE_NUMBER`` switch to "2" (this is the default
600configuration value) and follow the same instructions as in case of single image
601boot.
602
603Executing multiple firmware upgrades on SSE 200 FPGA on MPS2 board
604------------------------------------------------------------------
605
606::
607
608    TITLE: Versatile Express Images Configuration File
609    [IMAGES]
610    TOTALIMAGES: 4                     ;Number of Images (Max: 32)
611    IMAGE0ADDRESS: 0x00000000
612    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
613    IMAGE1ADDRESS: 0x10080000
614    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
615    IMAGE2ADDRESS: 0x10180000
616    IMAGE2FILE: \Software\tfm_ss1.bin  ; TF-M regression test secure (signed) image
617    IMAGE3ADDRESS: 0x10200000
618    IMAGE3FILE: \Software\tfm_nss1.bin ; TF-M regression test non-secure (signed) image
619
620Note that both the concatenated binary blob (the images are signed separately
621and then concatenated) and the separate signed images can be downloaded to the
622device because on this platform (AN521) both the primary slots and the secondary
623slots are contiguous areas in the Flash (see `Integration with TF-M`_). The
624following message will be shown in case of successful firmware upgrades:
625
626::
627
628    [INF] Starting bootloader
629    [INF] Swap type: test
630    [INF] Swap type: test
631    [INF] Image upgrade secondary slot -> primary slot
632    [INF] Erasing the primary slot
633    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
634    [INF] Image upgrade secondary slot -> primary slot
635    [INF] Erasing the primary slot
636    [INF] Copying the secondary slot to the primary slot: 0x80000 bytes
637    [INF] Bootloader chainload address offset: 0x80000
638    [INF] Jumping to the first image slot
639    [Sec Thread] Secure image initializing!
640    TFM level is: 1
641    [Sec Thread] Jumping to non-secure code...
642
643    #### Execute test suites for the Secure area ####
644    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
645    ...
646
647Swapping firmware upgrade
648=============================
649Follow the same instructions and platform related configurations as in case of
650overwriting build including these changes:
651
652- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "SWAP"
653  before build.
654- Set the ``MCUBOOT_IMAGE_NUMBER`` compile time switch to "1" (single image
655  boot) or "2" (multiple image boot) before build.
656
657During single image boot the following message will be shown in case of
658successful firmware upgrade, ``Swap type: test`` indicates that images were
659swapped:
660
661::
662
663    [INF] Starting bootloader
664    [INF] Image 0: magic= good, copy_done=0x3, image_ok=0x3
665    [INF] Scratch: magic=  bad, copy_done=0x0, image_ok=0x2
666    [INF] Boot source: primary slot
667    [INF] Swap type: test
668    [INF] Bootloader chainload address offset: 0x80000
669    [INF] Jumping to the first image slot
670    [Sec Thread] Secure image initializing!
671
672    #### Execute test suites for the Secure area ####
673    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
674    ...
675
676Direct execute-in-place firmware upgrade
677========================================
678Follow the same instructions and platform related configurations as in case of
679overwriting build including these changes:
680
681- Set the ``MCUBOOT_UPGRADE_STRATEGY`` compile time switch to "DIRECT_XIP"
682  before build.
683- set ``MCUBOOT_EXECUTION_SLOT`` to ``1`` in the regression build dir.
684- Make sure the image version number was increased between the two build runs
685  either by specifying it manually or by checking in the build log that it was
686  incremented automatically.
687
688Executing firmware upgrade on FVP_MPS2_AEMv8M
689---------------------------------------------
690
691.. code-block:: bash
692
693    <ARM_DS_PATH>/sw/models/bin/FVP_MPS2_AEMv8M  \
694    --parameter fvp_mps2.platform_type=2 \
695    --parameter cpu0.baseline=0 \
696    --parameter cpu0.INITVTOR_S=0x10000000 \
697    --parameter cpu0.semihosting-enable=0 \
698    --parameter fvp_mps2.DISABLE_GATING=0 \
699    --parameter fvp_mps2.telnetterminal0.start_telnet=1 \
700    --parameter fvp_mps2.telnetterminal1.start_telnet=0 \
701    --parameter fvp_mps2.telnetterminal2.start_telnet=0 \
702    --parameter fvp_mps2.telnetterminal0.quiet=0 \
703    --parameter fvp_mps2.telnetterminal1.quiet=1 \
704    --parameter fvp_mps2.telnetterminal2.quiet=1 \
705    --application cpu0=<build_dir>/bin/bl2.axf \
706    --data cpu0=<default_build_dir>/bin/tfm_s_ns_signed.bin@0x10080000 \
707    --data cpu0=<regresssion_build_dir>/bin/tfm_s_ns_signed.bin@0x10180000
708
709Executing firmware upgrade on SSE 200 FPGA on MPS2 board
710--------------------------------------------------------
711
712::
713
714    TITLE: Versatile Express Images Configuration File
715    [IMAGES]
716    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
717    IMAGE0ADDRESS: 0x00000000
718    IMAGE0FILE: \Software\bl2.axf      ; BL2 bootloader
719    IMAGE1ADDRESS: 0x10080000
720    IMAGE1FILE: \Software\tfm_sign.bin ; TF-M default test binary blob
721    IMAGE2ADDRESS: 0x10180000
722    IMAGE2FILE: \Software\tfm_sig1.bin ; TF-M regression test binary blob
723
724Executing firmware upgrade on Musca-B1 boards
725---------------------------------------------
726After the two images have been built, they can be concatenated to create the
727combined image using ``srec_cat``:
728
729- Linux::
730
731    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
732
733- Windows::
734
735    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign.bin -Binary -offset 0xA020000 tfm_sign_1.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
736
737The following message will be shown in case of successful firmware upgrade,
738notice that image with higher version number (``version=1.2.3.5``) is executed:
739
740::
741
742    [INF] Starting bootloader
743    [INF] Image 0: version=1.2.3.4, magic= good, image_ok=0x3
744    [INF] Image 1: version=1.2.3.5, magic= good, image_ok=0x3
745    [INF] Booting image from the secondary slot
746    [INF] Bootloader chainload address offset: 0xa0000
747    [INF] Jumping to the first image slot
748    [Sec Thread] Secure image initializing!
749
750    #### Execute test suites for the Secure area ####
751    Running Test Suite PSA protected storage S interface tests (TFM_PS_TEST_2XXX)...
752    ...
753
754Executing firmware upgrade on CoreLink SSE-200 Subsystem for MPS3 (AN524)
755-------------------------------------------------------------------------
756
757::
758
759    TITLE: Arm MPS3 FPGA prototyping board Images Configuration File
760
761    [IMAGES]
762    TOTALIMAGES: 3                     ;Number of Images (Max: 32)
763
764    IMAGE0UPDATE: AUTO                 ;Image Update:NONE/AUTO/FORCE
765    IMAGE0ADDRESS: 0x00000000
766    IMAGE0FILE: \SOFTWARE\bl2.bin      ;BL2 bootloader
767    IMAGE1UPDATE: AUTO
768    IMAGE1ADDRESS: 0x00040000
769    IMAGE1FILE: \SOFTWARE\tfm_sig0.bin ;TF-M example application binary blob
770    IMAGE2UPDATE: AUTO
771    IMAGE2ADDRESS: 0x000C0000
772    IMAGE2FILE: \SOFTWARE\tfm_sig1.bin ;TF-M regression test binary blob
773
774RAM loading firmware upgrade
775============================
776To enable RAM loading, please set ``MCUBOOT_UPGRADE_STRATEGY`` to "RAM_LOAD"
777(either in the configuration file or through the command line), and then specify
778a destination load address in RAM where the image can be copied to and executed
779from. The ``S_IMAGE_LOAD_ADDRESS`` macro must be specified in the target
780dependent files, and if multiple image boot is enabled then
781``NS_IMAGE_LOAD_ADDRESS`` must also be defined. For example with Musca-S, its
782``flash_layout.h`` file in the ``platform`` folder should include ``#define
783S_IMAGE_LOAD_ADDRESS #0xA0020000``
784
785Executing firmware upgrade on Musca-S board
786--------------------------------------------
787After two images have been built, they can be concatenated to create the
788combined image using ``srec_cat``:
789
790- Linux::
791
792    srec_cat bin/bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
793
794- Windows::
795
796    srec_cat.exe bin\bl2.bin -Binary -offset 0xA000000 tfm_sign_old.bin -Binary -offset 0xA020000 tfm_sign_new.bin -Binary -offset 0xA100000 -o tfm.hex -Intel
797
798The following message will be shown in case of successful firmware upgrade when,
799RAM loading is enabled, notice that image with higher version number
800(``version=0.0.0.2``) is executed:
801
802::
803
804    [INF] Starting bootloader
805    [INF] Image 0: version=0.0.0.1, magic= good, image_ok=0x3
806    [INF] Image 1: version=0.0.0.2, magic= good, image_ok=0x3
807    [INF] Image has been copied from the secondary slot in flash to SRAM address 0xA0020000
808    [INF] Booting image from SRAM at address 0xA0020000
809    [INF] Bootloader chainload address offset: 0x20000
810    [INF] Jumping to the first image slot
811    [Sec Thread] Secure image initializing!
812
813--------------
814
815****************************************
816Integration with Firmware Update service
817****************************************
818The shim layer of the Firmware Update partition calls the APIs in
819bootutil_misc.c to control the image status.
820
821- Call ``boot_set_pending_multi()`` to make the image as a candidate image for
822  booting.
823- Call ``boot_set_confirmed_multi()`` to make the image as a permanent image.
824
825.. Note::
826    Currently, in direct-xip mode and ram-load mode, TF-M cannot get the
827    information of which slot contains the running image from the bootloader.
828    So the Firmware Update partition cannot decide where to write the new
829    image. As a result, the firmware update service is not supported in
830    direct-xip mode and ram-load mode.
831
832*SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors*
833
834*SPDX-License-Identifier: BSD-3-Clause*
835