
TF-M, how to sign an image.bin in a multi-image configuration?


I'm trying to manually sign my code to run alongside TF-M, but with no success so far. I always get the following MCUboot error at boot time:

[INF] Starting bootloader
[INF] Swap type: none
[INF] Swap type: none
[ERR] Image in the primary slot is not valid!
[ERR] Unable to find bootable image

Before going any further with my code, I tried to sign the bin generated from compiling TF-M. I picked up tfm_s.bin, signed it and flashed it (tfm_s_signed.bin) to the board. Again without success; I had the same error.

I am using the default keys (root-RSA-3072.pem to sign tfm_s.bin) with imgtool with the following command:

python sign -k .\trusted-firmware-m\bl2\ext\mcuboot\root-RSA-3072.pem --public-key-format full --align 8 -v 1.3.0 -H 0x400 --pad-header -S 0x2D000 --pad .\trusted-firmware-m\cmake_build_gcc_fix\bin\tfm_s.bin .\trusted-firmware-m\cmake_build_gcc_fix\bin\tfm_s_signed.bin

I think the problem might be a mismatch between the keys I used to sign the binary and those that MCUboot is using to validate the binary. The weird thing for me is that I'm using the same keys that come by default with MCUboot, so they supposedly must be equal. (I am using the {CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-RSA-3072.pem key to sign tfm_s.bin).

Can anyone help me out with this? What am I doing wrong? How can I sign a binary properly?

Thanks in advance!

Extra information:

  • Imgtool version 1.7.2, TF-M version 1.3.0
  • Board: STM32L552ZE-Q
  • TF-M configs: multi-image configuration, HW_key (entire public key embedded in the image metadata)

I managed to find the problem after a lot of reading of the MCUboot documentation. The problem is that, by default, TF-M has the flag MCUBOOT_MEASURED_BOOT active and this requires an extra flag in the imgtool command.

The option --boot-record needs to be added.
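A way to catch this before flashing, as an added example that is not part of the original thread or of imgtool: list the TLVs in the signed file and check that the ones this TF-M configuration relies on are present. The header layout and TLV type numbers are assumptions taken from MCUboot's image format, and `list_tlvs`, `check_for_tfm` and `make_sample` are hypothetical names.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D                      # MCUboot image header magic
TLV_PROT_MAGIC, TLV_MAGIC = 0x6908, 0x6907    # protected / unprotected TLV area
TLV_NAMES = {0x01: "KEYHASH", 0x02: "PUBKEY", 0x10: "SHA256",
             0x23: "RSA3072_PSS", 0x50: "SEC_CNT", 0x60: "BOOT_RECORD"}

def list_tlvs(image: bytes):
    """Return [(area, tlv_name, length)] for the TLVs that follow the payload."""
    magic, _load, hdr_size, _prot, img_size = struct.unpack_from("<IIHHI", image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("bad header magic: not an MCUboot image")
    off, found = hdr_size + img_size, []
    while off + 4 <= len(image):
        area_magic, total = struct.unpack_from("<HH", image, off)
        if area_magic not in (TLV_PROT_MAGIC, TLV_MAGIC) or total < 4:
            break                             # padding or trailer reached
        area = "protected" if area_magic == TLV_PROT_MAGIC else "unprotected"
        pos, end = off + 4, off + total
        if end > len(image):
            raise ValueError("TLV area runs past end of file")
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", image, pos)
            if pos + 4 + length > end:
                raise ValueError("TLV entry overruns its area")
            found.append((area, TLV_NAMES.get(tlv_type, hex(tlv_type)), length))
            pos += 4 + length
        off = end
        if area == "unprotected":
            break                             # unprotected area is the last one
    return found

def check_for_tfm(image: bytes, measured_boot=True, hw_key=True):
    """Return the list of signing options this image appears to be missing."""
    tlvs, problems = {(a, n) for a, n, _ in list_tlvs(image)}, []
    if measured_boot and ("protected", "BOOT_RECORD") not in tlvs:
        problems.append("no BOOT_RECORD TLV: sign with --boot-record")
    if hw_key and ("unprotected", "PUBKEY") not in tlvs:
        problems.append("no PUBKEY TLV: sign with --public-key-format full")
    return problems

def make_sample(with_boot_record: bool) -> bytes:  # constructed test image
    tlv = lambda t, n: struct.pack("<HH", t, n) + bytes(n)   # zero-filled value
    prot = tlv(0x50, 4) + (tlv(0x60, 8) if with_boot_record else b"")
    unprot = tlv(0x10, 32) + tlv(0x02, 4) + tlv(0x23, 4)
    hdr = struct.pack("<IIHHI", IMAGE_MAGIC, 0, 0x400, len(prot) + 4, 16)
    return (hdr.ljust(0x400, b"\0") + b"\xAA" * 16
            + struct.pack("<HH", TLV_PROT_MAGIC, len(prot) + 4) + prot
            + struct.pack("<HH", TLV_MAGIC, len(unprot) + 4) + unprot + b"\xff" * 32)
```

To use it on a real file, pass the bytes of the signed binary (for example tfm_s_signed.bin) to `check_for_tfm`; an empty list means both TLVs were found.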