arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-08-01 19:38:33 +00:00
Code Issues Releases Wiki Activity
fbee0ffb3e
trezor-firmware/nordic/trezor/scripts/build_sign_flash.sh
tychovrahe 19752f781a feat(nordic): implement multisig fw signatures 
[no changelog]
2025-07-22 14:04:28 +02:00

126 lines
4.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Script builds, signs, and/or flashes Nordic board with optional debug or production overlays
# Run this in `nordic/trezor` to sign and mergehex final image with mcuboot
# This charade serves to differentiate commands run under poetry shell and ncs shell since their pythons are not compatible
# Update the OPTSTRING to include 'a:'
OPTSTRING=":b:a:pdsfc"
APP_DIR="trezor-ble"
BOARD=
SIGN=0
FLASH=0
PRISTINE=
DEBUG=
PRODUCTION=
fatal() {
echo "$@"
exit 1
}
run_under_ncs_subshell() {
# In the subshell, toolchain environment is sourced then the command is run
(source <(nrfutil toolchain-manager env | perl -pe 's/^(\w+)\s*:\s*(.*)/export \1=\2/'); bash -x -c "$@") \
|| fatal "Error in subshell"
}
usage() {
echo "$0 [-b board_name] [-a app_dir] [-p] [-d] [-r] [-s] [-f]"
cat <<END
Parameters:
-b board_name: build with board name as param
-a app_dir: specify application directory (default: trezor-ble)
-p: production build
-d: use debug overlay when building
-c: clean build (pristine)
-s: sign result
-f: flash board
Each of build/sign/flash can be done in one run or separately, but the sequence must follow to make sense.
END
}
while getopts ${OPTSTRING} opt; do
case ${opt} in
b)
BOARD="$OPTARG"
;;
a)
APP_DIR="$OPTARG"
;;
c)
PRISTINE="--pristine"
;;
d)
DEBUG="-- -DOVERLAY_CONFIG=debug.conf -Dmcuboot_EXTRA_CONF_FILE=\"$PWD/$APP_DIR/sysbuild/mcuboot.conf;$PWD/$APP_DIR/sysbuild/mcuboot_debug.conf\""
;;
p)
PRODUCTION="-- -DOVERLAY_CONFIG=prod.conf -Dmcuboot_EXTRA_CONF_FILE=\"$PWD/$APP_DIR/sysbuild/mcuboot.conf;$PWD/$APP_DIR/sysbuild/mcuboot_prod.conf\""
;;
s)
SIGN=1
;;
f)
FLASH=1
;;
?)
usage
exit 2
;;
esac
done
if [ -n "$BOARD" ]; then
run_under_ncs_subshell \
"west build ./$APP_DIR -b $BOARD --sysbuild $PRISTINE $DEBUG $PRODUCTION"
fi
get_version_from_file() {
local version_file="$APP_DIR/VERSION"
if [ ! -f "$version_file" ]; then
echo "Error: VERSION file not found at $version_file" >&2
exit 1
fi
# Read version components
local major=$(grep "VERSION_MAJOR" "$version_file" | cut -d'=' -f2 | tr -d ' ')
local minor=$(grep "VERSION_MINOR" "$version_file" | cut -d'=' -f2 | tr -d ' ')
local patch=$(grep "PATCHLEVEL" "$version_file" | cut -d'=' -f2 | tr -d ' ')
local tweak=$(grep "VERSION_TWEAK" "$version_file" | cut -d'=' -f2 | tr -d ' ')
# Format version string as major.minor.patch+tweak
local version="$major.$minor.$patch+$tweak"
echo "$version"
}
VERSION=$(get_version_from_file)
# Update paths in signing and flashing commands
if [ "$SIGN" -eq 1 ]; then
run_under_ncs_subshell \
"imgtool sign --version $VERSION --align 4 --header-size 0x200 -S 0x6c000 --pad-header build/$APP_DIR/zephyr/zephyr.bin build/$APP_DIR/zephyr/zephyr.prep.bin --custom-tlv 0x00A2 0x03 && \
imgtool sign --version $VERSION --align 4 --header-size 0x200 -S 0x6c000 --pad-header build/$APP_DIR/zephyr/zephyr.hex build/$APP_DIR/zephyr/zephyr.prep.hex --custom-tlv 0x00A2 0x03 && \
../bootloader/mcuboot/scripts/imgtool.py dumpinfo ./build/$APP_DIR/zephyr/zephyr.prep.bin > ./build/$APP_DIR/zephyr/dump.txt"
HASH=$(python ./scripts/extract_hash.py ./build/$APP_DIR/zephyr/dump.txt)
SIGNATURE0=$(hash_signer -d "$HASH" -s0)
SIGNATURE1=$(hash_signer -d "$HASH" -s1)
echo "Signed hash $HASH, signature0 $SIGNATURE0, signature1 $SIGNATURE1"
run_under_ncs_subshell \
"python ./scripts/insert_signatures.py ./build/$APP_DIR/zephyr/zephyr.prep.hex $SIGNATURE0 $SIGNATURE1 -o ./build/$APP_DIR/zephyr/zephyr.signed_trz.hex && \
python ./scripts/insert_signatures.py ./build/$APP_DIR/zephyr/zephyr.prep.bin $SIGNATURE0 $SIGNATURE1 -o ./build/$APP_DIR/zephyr/zephyr.signed_trz.bin && \
python ../zephyr/scripts/build/mergehex.py build/mcuboot/zephyr/zephyr.hex build/$APP_DIR/zephyr/zephyr.signed_trz.hex -o build/zephyr.merged.signed_trz.hex"
fi
if [ "$FLASH" -eq 1 ]; then
run_under_ncs_subshell \
'west flash --hex-file ./build/zephyr.merged.signed_trz.hex'
fi
Reference in New Issue View Git Blame Copy Permalink