M2354: Fix compile error with TF-M integration (mbed-ce#325)

* M2354: Fix compile error with TF-M In CMake, mbed-psa moves out of mbed-core, its library type changing to STATIC from INTERFACE. Following this modification, the platform TF-M code relying on mbed-psa needs to explicitly specify the dependency through target_link_libraries(). * M2354: Enable OUTPUT_EXT set to either bin or hex Update post-build script to enable OUTPUT_EXT can be set to "bin" or "hex" in targets.json5. * NUVOTON: Locate correct python3 command path across platforms shutil.which("python3") can locate incorrect path when there are multiple python3 installations. Instead, follow the link below, use sys.executable. https://docs.python.org/3/library/sys.html#sys.executable

Author: ccli8

targets/TARGET_NUVOTON/TARGET_M2354/TARGET_TFM/CMakeLists.txt

@@ -18,3 +18,8 @@ target_sources(mbed-m2354-tfm
  platform_extra_secure_compat.c
  tfm_ns_interface.c
 )
+
+target_link_libraries(mbed-m2354-tfm
+ INTERFACE
+ mbed-psa
+)

targets/TARGET_NUVOTON/scripts/NUVOTON.py

@@ -24,20 +24,21 @@
 import argparse
 from intelhex import IntelHex
 from datetime import datetime
+import sys
 
 SCRIPT_DIR = dirname(abspath(__file__))
 MBED_OS_ROOT = abspath(path_join(SCRIPT_DIR, os.pardir, os.pardir, os.pardir))
 
-def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_bin):
+def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_binhex):
  SECURE_ROOT = abspath(tfm_import_path)
 
  secure_bin = path_join(SECURE_ROOT, 'tfm_s.bin') 
  assert os.path.isfile(secure_bin)
 
- non_secure_bin = abspath(non_secure_bin)
- assert os.path.isfile(non_secure_bin)
+ non_secure_binhex = abspath(non_secure_binhex)
+ assert os.path.isfile(non_secure_binhex)
 
- build_dir = dirname(non_secure_bin)
+ build_dir = dirname(non_secure_binhex)
  tempdir = path_join(build_dir, 'temp')
  if not isdir(tempdir):
  os.makedirs(tempdir)
@@ -46,13 +47,20 @@ def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_bin):
 
  bl2_bin = path_join(SECURE_ROOT, 'bl2.bin')
  s_bin_basename = splitext(basename(secure_bin))[0]
- ns_bin_basename = splitext(basename(non_secure_bin))[0]
+ ns_bin_basename = splitext(basename(non_secure_binhex))[0]
 
  signing_key = path_join(SECURE_ROOT, 'signing_key', signing_key)
  assert os.path.isfile(signing_key)
 
+ # Create non_secure_bin for signing if non_secure_binhex is hex
+ non_secure_bin = splitext(non_secure_binhex)[0] + ".bin"
+ if os.path.splitext(non_secure_binhex)[1].lower() == ".hex":
+ non_secure_ih = IntelHex()
+ non_secure_ih.loadhex(non_secure_binhex)
+ non_secure_ih.tobinfile(non_secure_bin)
+
  # Find Python 3 command name across platforms
- python3_cmd = "python3" if shutil.which("python3") is not None else "python"
+ python3_cmd = sys.executable
 
  # Specify image version
  #
@@ -162,7 +170,7 @@ def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_bin):
  signed_concat_bin = abspath(path_join(tempdir, 'tfm_s_signed_' + ns_bin_basename + '_signed_concat' + '.bin'))
  s_update_bin = abspath(path_join(build_dir, s_bin_basename + '_update' + '.bin'))
  ns_update_bin = abspath(path_join(build_dir, ns_bin_basename + '_update' + '.bin'))
- 
+
  #1. Run wrapper to sign the secure TF-M binary
  cmd_wrapper[pos_wrapper_signing_key] = signing_key
  cmd_wrapper[pos_wrapper_layout] = image_macros_s
@@ -206,8 +214,8 @@ def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_bin):
  out_ih = IntelHex()
  out_ih.loadbin(bl2_bin)
  out_ih.loadbin(signed_concat_bin, flash_area_0_offset)
- out_ih.tofile(splitext(non_secure_bin)[0] + ".hex", 'hex')
- out_ih.tobinfile(non_secure_bin)
+ out_ih.tofile(splitext(non_secure_binhex)[0] + ".bin", 'bin')
+ out_ih.tofile(splitext(non_secure_binhex)[0] + ".hex", 'hex')
 
  # Generate firmware update file for PSA Firmware Update
  shutil.copy(s_signed_bin, s_update_bin)
@@ -250,8 +258,8 @@ def tfm_sign_image(tfm_import_path, signing_key, signing_key_1, non_secure_bin):
  out_ih = IntelHex()
  out_ih.loadbin(bl2_bin)
  out_ih.loadbin(concat_signed_bin, flash_area_0_offset)
- out_ih.tofile(splitext(non_secure_bin)[0] + ".hex", 'hex')
- out_ih.tobinfile(non_secure_bin)
+ out_ih.tofile(splitext(non_secure_binhex)[0] + ".bin", 'bin')
+ out_ih.tofile(splitext(non_secure_binhex)[0] + ".hex", 'hex')
 
  # Generate firmware update file for PSA Firmware Update
  shutil.copy(concat_signed_bin, update_bin)
@@ -357,7 +365,7 @@ def parse_args():
  )
 
  parser_tfm_sign_image.add_argument(
- "--non-secure-bin",
+ "--non-secure-binhex",
  help="Path to the non-secure binary",
  required=True
  )
@@ -368,4 +376,4 @@ def parse_args():
 
 if __name__ == "__main__":
  args = parse_args()
- args.func(args.tfm_import_path, args.signing_key, args.signing_key_1, args.non_secure_bin)
+ args.func(args.tfm_import_path, args.signing_key, args.signing_key_1, args.non_secure_binhex)

targets/TARGET_NUVOTON/scripts/mbed_set_post_build_nuvoton.cmake

@@ -30,7 +30,7 @@ macro(mbed_post_build_nuvoton_tfm_sign_image
  --tfm-import-path ${tfm_import_path}
  --signing_key ${signing_key}
  --signing_key_1 ${signing_key_1}
- --non-secure-bin $<TARGET_FILE_DIR:${target}>/$<TARGET_FILE_BASE_NAME:${target}>.bin
+ --non-secure-binhex $<TARGET_FILE_DIR:${target}>/$<TARGET_FILE_BASE_NAME:${target}>.${MBED_OUTPUT_EXT}
  )
  else()
  add_custom_command(
@@ -43,7 +43,7 @@ macro(mbed_post_build_nuvoton_tfm_sign_image
  tfm_sign_image
  --tfm-import-path ${tfm_import_path}
  --signing_key ${signing_key}
- --non-secure-bin $<TARGET_FILE_DIR:${target}>/$<TARGET_FILE_BASE_NAME:${target}>.bin
+ --non-secure-binhex $<TARGET_FILE_DIR:${target}>/$<TARGET_FILE_BASE_NAME:${target}>.${MBED_OUTPUT_EXT}
  )
  endif()
  endfunction()