TF-M, how to sign an image.bin in a multi-image configuration?


I'm trying to manually sign my code to run alongside TF-M, but with no success so far. I always get the following MCUboot error at boot time:

[INF] Starting bootloader
[INF] Swap type: none
[INF] Swap type: none
[ERR] Image in the primary slot is not valid!
[ERR] Unable to find bootable image

Before go any further with my code, I tried to sign the bin generated from compile the TF-M. I pick up the tm_s.bin and sign and flash it (tm_s_signed.bin) to the board. Again without success, I had the same error.

I am using the default keys (root-RSA-3072.pem to sign tm_s.bin) with the imgtool with the following command:

python sign -k .\trusted-firmware-m\bl2\ext\mcuboot\root-RSA-3072.pem --public-key-format full --align 8 -v 1.3.0 -H 0x400 --pad-header -S 0x2D000 --pad .\trusted-firmware-m\cmake_build_gcc_fix\bin\tfm_s.bin .\trusted-firmware-m\cmake_build_gcc_fix\bin\tfm_s_signed.bin

I think the problem might be a mismatch in the keys I used to sign the binary and those that MCUboot is using to validate the binary. The weird thing for me is that I'm using the same keys that come by default with MCUboot, so they supposedly must be equal. (I am using the {CMAKE_SOURCE_DIR} /bl2/ext/mcuboot/root-RSA-3072.pem key to sign tm_s.bin).

Can anyone help me out with this? What am I doing wrong? How can I sign a binary properly?

Thanks in advance!

Extra information:

  • Imgtool version 1.7.2, TF-M version 1.3.0
  • Board: STM32L552ZE-Q
  • TF-M configs: multi-image configuration, HW_key (entire public key embed in the image metadata)
More questions in this forum
There are no posts to show. This could be because there are no posts in this forum or due to a filter.