Cypress: Add target CY8CKIT_064B0S2_4343W, update psoc6pdl, psoc6cm0p

[romanjoe]

Summary of changes

This is final PR to add Cypress new secure boot target CY8CKIT_064B0S2_4343W to mbed-os.

This PR also includes update of psoc6pdl and psoc6cm0p libraries for Cypress targets.

Impact of changes

• Target CY8CKIT_064B0S2_4343W BSP code will be added
• psoc6pdl will be updated - impacts all Cypress targets
• CY8CKIT_064S2_4343W, CY8CPROTO_064_SB, CYESKIT_064B0S2_4343W will be removed as obsolete due to production release of PSOC64 chips and thus new Secure Boot flow, represented in this PR
• Secure Boot post build scripts will be substituted to new implementation for this and all following Secure Boot targets
• psoc6cm0p will be updated - impacts all Cypress targets

All existing Cypress targets BSP will switched to new versions assets in next PRs.

Migration actions required

Configuration of mbed-os CI need to be updated per new post build hooks.

• CY8CKIT_064S2_4343W, CY8CPROTO_064_SB, CYESKIT_064B0S2_4343W will be removed as obsolete due to production release of PSOC64 chips and thus new Secure Boot flow, represented in this PR.

New release of mbed-os 6.0 will no longer support targets above, updated PSOC64 targets instead will be added to support new tools.

Documentation

---

Pull request type

[X] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

---

Test results

[] No Tests required for this change (E.g docs only update)
[X] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Logs attached.
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-ARM-TEST_RESULTS.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-IAR_COMPILATION_LOG.txt.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-IAR_TEST_RESULTS.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-gcc.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETSOCKET_DNS.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETSOCKET_L3IP.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETSOCKET_TCP.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETSOCKET_TLS.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETSOCKET_UDP.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-NETWORK_INTERFACE.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-WIFI_TEST_RESULTS.txt
ww25.4-mbed-os-6.0-b0s2-pdl4266-cm0237-ARM-COMPILATION_LOG.txt.txt

---

Reviewers

---

[ciarmcom]

@romanjoe, thank you for your changes.
@maclobdell @ARMmbed/mbed-os-test @ARMmbed/mbed-os-maintainers @ARMmbed/mbed-os-tools @ARMmbed/mbed-os-hal please review.

[mergify]

This PR cannot be merged due to conflicts. Please rebase to resolve them.

[maclobdell]

@romanjoe @sreeharshaangara - Can you provide information on how to build? Do you need to add your own policy file in a specific location now?

I get the following error related to missing policy file.

Post-Build: mbed-os
M0 core image file found: .\targets\TARGET_Cypress\TARGET_PSOC6\TARGET_CY8CKIT_064B0S2_4343W\device\COMPONENT_CM4\hex\psoc6_02_cm0p_secure.hex.
Policy file C:\Users\maclob01\Documents\mbed-os\policy_single_CM0_CM4.json not found. Aborting.
[ERROR] Required policy file not found.
[mbed] WARNING: Python 3 is not yet fully supported: Python errors may occur when compiling, testing and exporting
---
[mbed] ERROR: "c:\users\maclob01\appdata\local\programs\python\python37\python.exe" returned error.
       Code: 1
       Path: "C:\Users\maclob01\Documents\mbed-os"
       Command: "c:\users\maclob01\appdata\local\programs\python\python37\python.exe -u C:\Users\maclob01\Documents\mbed-os\tools\make.py -t ARM -m CY8CKIT_064B0S2_4343W --source . --build .\BUILD\CY8CKIT_064B0S2_4343W\ARM"
       Tip: You could retry the last command with "-v" flag for verbose output
---
[mbed] Working path "C:\Users\maclob01\Documents\mbed-os" (program)

[romanjoe]

@romanjoe @sreeharshaangara - Can you provide information on how to build? Do you need to add your own policy file in a specific location now?

I get the following error related to missing policy file.

Post-Build: mbed-os
M0 core image file found: .\targets\TARGET_Cypress\TARGET_PSOC6\TARGET_CY8CKIT_064B0S2_4343W\device\COMPONENT_CM4\hex\psoc6_02_cm0p_secure.hex.
Policy file C:\Users\maclob01\Documents\mbed-os\policy_single_CM0_CM4.json not found. Aborting.
[ERROR] Required policy file not found.
[mbed] WARNING: Python 3 is not yet fully supported: Python errors may occur when compiling, testing and exporting
---
[mbed] ERROR: "c:\users\maclob01\appdata\local\programs\python\python37\python.exe" returned error.
       Code: 1
       Path: "C:\Users\maclob01\Documents\mbed-os"
       Command: "c:\users\maclob01\appdata\local\programs\python\python37\python.exe -u C:\Users\maclob01\Documents\mbed-os\tools\make.py -t ARM -m CY8CKIT_064B0S2_4343W --source . --build .\BUILD\CY8CKIT_064B0S2_4343W\ARM"
       Tip: You could retry the last command with "-v" flag for verbose output
---
[mbed] Working path "C:\Users\maclob01\Documents\mbed-os" (program)

Hi Mac,

Yes you need to have our updated security tools package - cysecuretools. I will try to provide it to you ASAP, as it is not released on PIP yet (will be in couple days).

[maclobdell]

For what it is worth, I approve this PR, as we would like to get this target into Mbed OS 6.1. We will perform Mbed Enabled validation after that.

[0xc0170]

@romanjoe Can you resolve conflicts please?

If this is targeting the next release, we shall have it all ready by end of today. I'll review now

[0xc0170]

Target BSP code will be added, psoc6pdl, psoc6cm0p will be updated via separate PRs, all Cypress targets will switch to new versions of that assets.

This is what I was going to ask, I haven't noticed these in separate PRs. It should be simplify the review in this one.

Pull request has been modified.

[0xc0170]

@romanjoe There are still conflicts

[romanjoe]

@sreeharshaangara @jamesbeyond yes, i see this exactly like that. Only need to provide ARM with latest cysecuretools, as soon as i know we have a plan to push it to PIP next week. But i believe we can provide internal version for now if it makes sense.

[sreeharshaangara]

@jamesbeyond let us know which option you prefer. We can send an early drop of tooling(before it is officially available on pypi next week).

The other option is that we can just send you a folder structure with dummy keys you can place; although this maybe painful in the longer run as we update tools/policies etc.

[0xc0170]

@romanjoe Can you email us the internal version that we could add to CI and test it on this PR? This PR should be green in asap

[0xc0170]

CI restarted

[mbed-ci]

Test run: FAILED

Summary: 2 of 3 test jobs failed
Build number : 2
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_build-ARM
• jenkins-ci/mbed-os-ci_build-GCC_ARM

[0xc0170]

If you can run two pre-build commands; the "cysecuretools -t 'Kit Name' init" command and the "cysecuretools -p ./policy/policy_single_cm0_cm4 create-keys" that should automatically populate the required PEM/JSON keys.

The latest failures: Policy file /builds/ws/mbed-os-ci_build-ARM@10/mbed-os/policy_single_CM0_CM4.json not found. We need this cysecuretools to produce new policy

[jamesbeyond]

Hi @romanjoe @sreeharshaangara,
I think we are going to need your new tool. other wise we can't make our CI pass.

I am not sure, are we able to wait this PR until next week? @0xc0170 ?
If not, an internal drop of new tool could be the only solution

[saheerb]

Hi @romanjoe @sreeharshaangara,

In CI, for building CYESKIT_064B0S2_4343W, we are doing the following:

• We have a pre-created pem file stored in a secure db. I don't exactly how was this created.
• We copy pre-created pem file from secure db to targets/TARGET_Cypress/TARGET_PSOC6/sb-tools/keys/USERAPP_CM4_KEY_PRIV.pem
• There is also a json file copied to: targets/TARGET_Cypress/TARGET_PSOC6/sb-tools/keys/USERAPP_CM4_KEY.json

We were wondering if we could use same approach for CY8CKIT_064B0S2_4343W such that there is minimal change needed for CI.

-Saheer

[saheerb]

@sreeharshaangara @romanjoe

I tried the cysecure tools drop sent to @jamesbeyond and it works in my dev enviornment for CY8CKIT_064B0S2_4343W target.

The current mbed-os CI is basically very close to the second approach you mentioned (copy static files needed at the time of build). The difference is, all the files except “sensitive/pem files” are already present in the mbed-os repository: https://github.com/ARMmbed/mbed-os/tree/master/targets/TARGET_Cypress/TARGET_PSOC6/sb-tools

Only “pem” files are copied to targets/TARGET_Cypress/TARGET_PSOC6/sb-tools/keys/USERAPP_CM4_KEY_PRIV.pem at the time of build.

I was wondering if (most of ) the files in secure_assets.zip can be directly committed to the repository under https://github.com/ARMmbed/mbed-os/tree/master/targets/TARGET_Cypress/TARGET_PSOC6/sb-tools as today?

The advantage with this approach is, if you have any new files or change in file format needed to build, you can update the source repo and hence avoiding mbed-os CI environmental updates.

[romanjoe]

Hi @saheerb @jamesbeyond

Let me explain a bit about our new tooling and how i see your CI support with it.

Cysecuretools rely on secure policy files as a main source of configuration of secure boot target. Policy files are supplies as defaults for psoc64 families. So by default after installation all files are located in installation folder of cysecuretools. For example /usr/local/lib/python3.7/site-packages/cysecuretools/targets/cyb06xxa/policy for 2M family which CY8CKIT_064B0S2_4343W belongs to.

Policy files (policy_single_CM0_CM4.json for example) contain paths to keys as relatives to policy files locations.

Considering all these the best approach for CI is:

1. cd to targets/TARGET_Cypress/TARGET_PSOC6/TARGET_CY8CKIT_064B0S2_4343W
2. Invoke cysecuretools -t cyb06xxa init - this command will copy policies, keys and other security related files to this folder. Policy file contains path to keys relative to targets/TARGET_Cypress/TARGET_PSOC6/TARGET_CY8CKIT_064B0S2_4343W from now, default is "key": "../keys/USERAPP_CM4_KEY.json"
3. Copy *.pem files from secure db to targets/TARGET_Cypress/TARGET_PSOC6/TARGET_CY8CKIT_064B0S2_4343W/keys
4. You are ready to go from now

sb-tools folder is deleted in this PR as deprecated tooling. Only cysecuretools will be supported from now and all Secure Boot targets will rely on it. We will update cysecuretools in future, add new features, etc. So it is best to have it integrated in CI right now to simplify following secure boot targets support in mbed-os.

Have secure boot related files committed to repo is not preferable, because default policies may be updated in future, certificates may change, etc.

[saheerb]

@romanjoe thanks

Will need to check this. Couple of questions, if we are going with this approach:

Where would you specify the dependency on cysecuretools? In requirements.txt? which is not commonplace for all the boards.

When is the new cysecuretools for these changes getting released in pypi?

[romanjoe]

@saheerb Release of cysecuretools is dependent from PyOCD update. Our other team works on this.

Regarding where to place requirement on cysecuretools - i need to sync with our application engineers with plans on this. @sreeharshaangara @ifyall - maybe you can comment here.

[0xc0170]

@romanjoe how can we get this in CI and green today? This is the last PR for 6.1 release.

[0xc0170]

Have secure boot related files committed to repo is not preferable, because default policies may be updated in future, certificates may change, etc.

We agreed to unblock this PR, let's drop in the files required for CI in targets folder as mentioned previously.
To have the CI tooling requires further discussion that should happen post 6.1. We shall schedule a call the next week to discuss this.

Please add required files in this PR and we will start CI asap.

[romanjoe]

@0xc0170 okay - i can upload security related files to target folder (policies, keys) to enable successful CI run, but CI PC still need to have cysecuretools package installed to enable signing - @sreeharshaangara sent it to you as zip archive. Is it possible for now?

Then i will need to delete all that security related files, as they should not go public in mbed-os, and rely on proper CI update.

[0xc0170]

wait a minute, I'll send you an email, to clarify few things

[mbed-ci]

Test run: FAILED

Summary: 2 of 3 test jobs failed
Build number : 3
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_build-ARM
• jenkins-ci/mbed-os-ci_build-GCC_ARM

[mbed-ci]

Test run: FAILED

Summary: 2 of 3 test jobs failed
Build number : 4
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_build-ARM
• jenkins-ci/mbed-os-ci_build-GCC_ARM

[mbed-ci]

Test run: FAILED

Summary: 2 of 3 test jobs failed
Build number : 5
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_build-ARM
• jenkins-ci/mbed-os-ci_build-GCC_ARM

[mbed-ci]

Test run: SUCCESS

Summary: 6 of 6 test jobs passed
Build number : 6
Build artifacts