CMakeLists.txt: Provide common routine for post-build commands

[anangl]

... so that those commands are not duplicated in particular boards that
support building with TF-M.

Signed-off-by: Andrzej Głąbek andrzej.glabek@nordicsemi.no

[ioannisg]

@erwango @oyvindronningstad FYI.

This is the tf-m module counterpart patch of #28806. It only groups together the post-build actions when we build a "non-secure" platform with tfm support.

Tested on mps2 and stm32 platforms.

[microbuilder]

@agansari Do you mind having a look at this for the LPC while I'm out? Thanks!

[agansari]

@agansari Do you mind having a look at this for the LPC while I'm out? Thanks!

Tested on LPC, works OK.

[galak]

This feels a little backwards to me, while I get the benefit of having this in common, is it possible that common cmake code can live in Zephyr?

[galak]

@tejlmand any thoughts on how this might live purely in the zephyr tree in a common place? Would it make sense to have modules/tfm.cmake and place this in there?

[tejlmand]

Those two variables may not be set, that depends on current variables in the scope of the caller, and may lead to unexpected behavior depending on the location from where this function is called.

Probably this should be arguments to the function.

[anangl]

This was copied from the mps2_an521 board's CMakeLists.txt. Looking at it now, I don't know how it was supposed to work. Perhaps I should add here:

 if (TFM_NS_IMAGE_MIN_VER) set(ADD_NS_IMAGE_MIN_VER "-d \"(1,${TFM_NS_IMAGE_MIN_VER})\"") else() set(ADD_NS_IMAGE_MIN_VER "") endif() if (TFM_SECURITY_COUNTER_S) set(ADD_SECURITY_COUNTER_S "-s ${TFM_SECURITY_COUNTER_S}") else() set(ADD_SECURITY_COUNTER_S "") endif() 

basing on what is done in MCUBoot.cmake:

trusted-firmware-m/trusted-firmware-m/bl2/ext/mcuboot/MCUBoot.cmake

Lines 127 to 131 in 143df67

	if (NS_IMAGE_MIN_VER)
	set(ADD_NS_IMAGE_MIN_VER "-d \"(1,${NS_IMAGE_MIN_VER})\"")
	else()
	set(ADD_NS_IMAGE_MIN_VER "")
	endif()

trusted-firmware-m/trusted-firmware-m/bl2/ext/mcuboot/MCUBoot.cmake

Lines 92 to 96 in 143df67

	if (SECURITY_COUNTER_S)
	set(ADD_SECURITY_COUNTER_S "-s ${SECURITY_COUNTER_S}")
	else()
	set(ADD_SECURITY_COUNTER_S "")
	endif()

[tejlmand]

@microbuilder you took over from @karl-zh, do you have any comments on this ?

[tejlmand]

For reference: https://github.com/zephyrproject-rtos/zephyr/blame/12e1fd653deab52cef5b1679ba631c35b2a55286/boards/arm/mps2_an521/CMakeLists.txt#L45-L46

[tejlmand]

The TFM_TARGET_PLATFORM variable may not be set, that depends on current scope of the caller.
This may lead to unexpected behavior depending on the location from where this function is called.
Same comment applies to L133.

Probably this should be an argument to the function.

[anangl]

This variable is supposed to be set in the respective board definition, for example in mps2_an521/board.cmake:

set(TFM_TARGET_PLATFORM "AN521") 

How about adding here a check like:

 if(NOT DEFINED TFM_TARGET_PLATFORM) message(FATAL_ERROR "TFM_TARGET_PLATFORM is not set") endif() 

[tejlmand]

We are having CMake cached variables and CONFIG_<name> Kconfig variables available as globals.
If we start having other variables semi globally available throughout modules, then things becomes much harder to keep track of.

So unless this is Kconfig setting, I would like it to be passed by the caller.

[tejlmand]

Not sure exactly where / which target will call this function, but I think it would be better to have this as a macro which actually adds this as a real post build step, like:

macro(sign_trusted_firmware target <other args>) if(NOT CONFIG_TFM_BL2_FALSE) <existing code> add_custom_command(TARGET ${target} POST_BUILD COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/imgtool.py sign <existing additional args> ) <and so on> endif() endmacro() 

Then users won't need to handle a out_commands variable and decide what to do with it.

The reason to suggest a macro here, instead of a function, has to do with the add_custom_commnad(... POST_BUILD ..) must be called in same CMakeLists directory as the target.

Also, feel free to find a better name.
Not sure if: sign_trusted_firmware is the best name.

If this is purely a Zephyr macro, then maybe it should be called zephyr_<something>.

[tejlmand]

Not sure exactly where / which target will call this function, but I think it would be better to have this as a macro which actually adds this as a real post build step, like:

I should of course look here:
https://github.com/zephyrproject-rtos/zephyr/pull/28806/files

and that actually means this will be hard to change, due to the nature of:
extra_post_build_commands

If changing that, then we are looking into a completely different task.

[tejlmand]

This feels a little backwards to me, while I get the benefit of having this in common, is it possible that common cmake code can live in Zephyr?

This code only makes sense together with TFM.
So I think this is at the right place.

Of course, one could consider to have a <tfm_module>/cmake/extensions.cmake for module functions, but then that should be a general principle for all modules.
But I would do such cleanups if we move Zephyr module code into Zephyr, as discussed here:
zephyrproject-rtos/zephyr#27185

[tejlmand]

I discovered the tfm_sign.bin is used here:

trusted-firmware-m/CMakeLists.txt

Line 156 in 7316751

-o ${CMAKE_BINARY_DIR}/tfm_sign.bin

we should not have such a hard coded dependency between module code and CMake code in Zephyr, as that will break if out files are renamed in one place, but not the other.

Instead tfm_sign.bin should be returned as an out value (or provided as argument).
Note: I have not checked if there are more such names.

[galak]

This code only makes sense together with TFM.
So I think this is at the right place.

Of course, one could consider to have a <tfm_module>/cmake/extensions.cmake for module functions, but then that should be a general principle for all modules.
But I would do such cleanups if we move Zephyr module code into Zephyr, as discussed here:
zephyrproject-rtos/zephyr#27185

There was a general feeling in the process group about trying to have glue code, etc for modules live in the zephyr code base instead of with the module. I get that the cmake integration isn't exactly glue code, and I've got no issue with it being in the module repo. But wanted to ask the question.

[tejlmand]

There was a general feeling in the process group about trying to have glue code, etc for modules live in the zephyr code base instead of with the module. I get that the cmake integration isn't exactly glue code, and I've got no issue with it being in the module repo. But wanted to ask the question.

I know, just think that cleanup is outside the scope of this PR, and we should take a look at the exact structure we want in Zephyr for such code.
Some modules could end up with a lot a CMake code in Zephyr, if the end goal is to have modules with no to minimal Zephyr specific code in the module repo.

[ioannisg]

@tejlmand @anangl @oyvindronningstad @galak is this old PR still applicable ?

[anangl]

@tejlmand @anangl @oyvindronningstad @galak is this old PR still applicable ?

No. At least the PR here does not make much sense, as the modified code has been moved to the main Zephyr repository.

[ioannisg]

@tejlmand @anangl @oyvindronningstad @galak is this old PR still applicable ?

No. At least the PR here does not make much sense, as the modified code has been moved to the main Zephyr repository.

But how about doing this work in the main repository? Is this applicable?

[oyvindronningstad]

@tejlmand @anangl @oyvindronningstad @galak is this old PR still applicable ?

No. At least the PR here does not make much sense, as the modified code has been moved to the main Zephyr repository.

But how about doing this work in the main repository? Is this applicable?

It's done already