Scripts: Security enablement during west build

Added changes to automate the signing of zephyr security
using customtool during the west build process.

Signed-off-by: Aasim Shaik <[email protected]>

Author: Aasimshaik11

boards/silabs/radio_boards/siwx917_rb4338a/board.cmake

@@ -1,8 +1,14 @@
 # Copyright (c) 2024 Silicon Laboratories Inc.
 # SPDX-License-Identifier: Apache-2.0
+# Set the flash file based on signing is enabled or not.
 
+if(CONFIG_SIWX91X_SILABS_COMMANDER_SIGN)
+    set(FLASH_FILE ${PROJECT_BINARY_DIR}/${KERNEL_NAME}_signed.bin.rps)
+else()
+    set(FLASH_FILE ${PROJECT_BINARY_DIR}/${KERNEL_BIN_NAME}.rps)
+endif()
 board_runner_args(silabs_commander "--device=SiWG917M111GTBA" "--file-type=bin"
-    "--file=${PROJECT_BINARY_DIR}/${KERNEL_BIN_NAME}.rps")
+    "--file=${FLASH_FILE}")
 include(${ZEPHYR_BASE}/boards/common/silabs_commander.board.cmake)
 
 # It is not possible to load/flash a firmware using JLink, but it is possible to

scripts/west_commands/sign.py

@@ -13,7 +13,6 @@
 import sys
 
 from elftools.elf.elffile import ELFFile
-
 from west import manifest
 from west.commands import Verbosity
 from west.util import quote_sh_list
@@ -79,6 +78,20 @@
 [rimage] sections in your west config file(s); this is especially useful
 when invoking west sign _indirectly_ through CMake/ninja. See how at
 https://docs.zephyrproject.org/latest/develop/west/sign.html
+
+silabs_commander
+-----
+
+To create a signed binary with the silabs_commander tool, run this from your build directory:
+
+   west sign -t silabs_commander
+
+For this to work, Silabs Commander tool must be installed in your PATH.
+
+The input binary (zephyr.bin.rps) is signed using the specified OTA key and private key,
+producing zephyr_signed.bin.rps by default. If CONFIG_SIWX91X_OTA_KEY and CONFIG_SIWX91X_PRIVATE_KEY are set
+in your build configuration, they will be used unless overridden by command-line arguments.
+Additional arguments after '--' are passed to silabs_commander directly.
 '''
 
 class ToggleAction(argparse.Action):
@@ -112,8 +125,8 @@ def do_add_parser(self, parser_adder):
 
         # general options
         group = parser.add_argument_group('tool control options')
-        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage'],
-                           help='''image signing tool name; imgtool and rimage
+        group.add_argument('-t', '--tool', choices=['imgtool', 'rimage', 'silabs_commander'],
+                           help='''image signing tool name; imgtool , rimage and silabs_commander
                            are currently supported (imgtool is deprecated)''')
         group.add_argument('-p', '--tool-path', default=None,
                            help='''path to the tool itself, if needed''')
@@ -195,6 +208,8 @@ def do_run(self, args, ignored):
             signer = ImgtoolSigner()
         elif args.tool == 'rimage':
             signer = RimageSigner()
+        elif args.tool == 'silabs_commander':
+            signer = SilabsRPSSigner()
         # (Add support for other signers here in elif blocks)
         else:
             if args.tool is None:
@@ -633,3 +648,74 @@ def sign(self, command, build_dir, build_conf, formats):
 
         os.remove(out_bin)
         os.rename(out_tmp, out_bin)
+
+class SilabsRPSSigner(Signer):
+    # Signer class for Silicon Labs Commander tool via west sign -t silabs_commander.
+    def find_commandertool(self, cmd, args):
+        if args.tool_path:
+            commandertool = args.tool_path
+            if not os.path.isfile(commandertool):
+                cmd.die(f'--tool-path {commandertool}: no such file')
+        else:
+            commandertool = shutil.which('commander')
+            if not commandertool:
+                cmd.die(f'SILABS "commander" not found in PATH, try "--tool-path"? Cannot sign {args}')
+        return commandertool
+
+    def get_security_configs(self, build_conf, args, command):
+        # Retrieve configurations, prioritizing command-line args, then build_conf
+        siwx91x_ota_key = getattr(args, 'siwx91x-ota-key', build_conf.get('CONFIG_SIWX91X_OTA_KEY'))
+        siwx91x_private_key = getattr(args, 'siwx91x-private-key', build_conf.get('CONFIG_SIWX91X_PRIVATE_KEY'))
+
+        # Refer find_commandertool() function to identify the Commander tool.
+        commander_path = self.find_commandertool(command, args)
+        # Validate required settings
+        if not siwx91x_ota_key:
+            command.die("SIWX91X_OTA_KEY not provided. Use --siwx91x-ota-key=your_key or add CONFIG_SIWX91X_OTA_KEY in prj.conf.")
+        if not siwx91x_private_key:
+            command.die("SIWX91X_PRIVATE_KEY not provided. Use --siwx91x-private-key=/path/to/key or add CONFIG_SIWX91X_PRIVATE_KEY in prj.conf.")
+
+        # Validate private key path
+        if not os.path.isfile(siwx91x_private_key):
+            command.die(f"Private key not found at {siwx91x_private_key}. Please ensure the path is correct.")
+
+        return siwx91x_ota_key, commander_path, siwx91x_private_key
+
+    def sign(self, command, build_dir, build_conf, formats):
+        """Sign the Zephyr binary using Silicon Labs Commander.
+
+        :param command: The Sign instance (provides args and utility methods)
+        :param build_dir: The build directory path
+        :param build_conf: BuildConfiguration object for the build directory
+        :param formats: List of formats to generate (e.g., ['bin', 'rps'])
+        """
+        self.command = command
+        args = command.args
+        b = pathlib.Path(build_dir)
+        kernel_name = build_conf.get('CONFIG_KERNEL_BIN_NAME')
+        # Setting the input and output paths
+        input_rps = b / 'zephyr' / f'{kernel_name}.bin.rps'
+        output_rps = args.sbin or (b / 'zephyr' / f'{kernel_name}_signed.bin.rps')
+
+        # Check if input binary exists
+        if not input_rps.is_file():
+            command.die(f"No .rps found at {input_rps}. Ensure the build generated kernel_name.bin.rps in {b / 'zephyr'}")
+
+        # Load configuration
+        siwx91x_ota_key, commander_path, siwx91x_private_key = self.get_security_configs(build_conf, args, command)
+
+        # Build the Silicon Labs Commander signing command
+        sign_base = [
+            commander_path,
+            "rps",
+            "convert",
+            str(output_rps),
+            "--app", str(input_rps),
+            "--mic", siwx91x_ota_key,
+            "--encrypt", siwx91x_ota_key,
+            "--sign", siwx91x_private_key,
+            *args.tool_args
+        ]
+
+        command.inf("Running command:", ' '.join(sign_base))
+        subprocess.run(sign_base, check=True)

soc/silabs/silabs_siwx91x/CMakeLists.txt

@@ -1,6 +1,8 @@
 # Copyright (c) 2024 Silicon Laboratories Inc.
 # SPDX-License-Identifier: Apache-2.0
 
+include(west)  # Add this at the top or before using ${WEST}
+
 add_subdirectory(siwg917)
 
 # Necessary to not overwrite NWP Firmware
@@ -12,3 +14,12 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
     ${KERNEL_BIN_NAME}
     ${KERNEL_BIN_NAME}.rps
 )
+
+# Custom signing with Silicon Labs Commander
+if(CONFIG_SIWX91X_SILABS_COMMANDER_SIGN)
+    # Necessary to invoke west sign after build
+    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+        COMMAND ${WEST} sign -t silabs_commander --build-dir ${CMAKE_BINARY_DIR} --sbin ${PROJECT_BINARY_DIR}/${KERNEL_NAME}_signed.bin.rps
+        DEPENDS zephyr_final
+    )
+endif()

soc/silabs/silabs_siwx91x/Kconfig

@@ -28,3 +28,23 @@ config SIWX91X_NWP_INIT_PRIORITY
 	  Wi-Fi and crypto.
 
 endif # SOC_FAMILY_SILABS_SIWX91X
+
+if SOC_FAMILY_SILABS_SIWX91X
+config SIWX91X_SILABS_COMMANDER_SIGN
+	bool "Silicon Labs Commander Signing Support"
+	depends on BUILD_OUTPUT_BIN
+	help
+	  Activates signing of Zephyr binary with Silicon Labs Commander during build process.
+	  For more information refer this
+	  "https://www.silabs.com/documents/public/user-guides/ug574-siwx917-soc-manufacturing-utility-user-guide.pdf"
+
+config SIWX91X_OTA_KEY
+	string "OTA Key for Encryption."
+	help
+	  Specifies Over the Air key (hex) for encryption with Silicon Labs Commander.
+
+config SIWX91X_PRIVATE_KEY
+	string "Private Key Path for Signing."
+	help
+	  Path to private key file for signing with Silicon Labs Commander.
+endif