diff --git a/IDE/AURIX/README.md b/IDE/AURIX/README.md index 0818921df..a767879a7 100644 --- a/IDE/AURIX/README.md +++ b/IDE/AURIX/README.md @@ -20,6 +20,7 @@ This example demonstrates using wolfBoot on the Infineon AURIX TC3xx family of m - [Load and run the wolfBoot demo in TRACE32](#load-and-run-the-wolfboot-demo-in-trace32) - [wolfHSM Compatibility](#wolfhsm-compatibility) - [Building wolfBoot with wolfHSM](#building-wolfboot-with-wolfhsm) + - [Building: Command Sequence](#building-command-sequence) - [Troubleshooting](#troubleshooting) - [WSL "bad interpreter" error](#wsl-bad-interpreter-error) - [Post Quantum: ML-DSA](#post-quantum-ml-dsa) 
@@ -276,6 +277,55 @@ IDE/AURIX/wolfHSM-infineon-tc3xx/ 3. Provide the `--hsm` global option to the `wbaurixtool.sh` script when invoking it, so the wolfHSM projects are used instead of the standard wolfBoot projects 4. If using the default build options in [wolfBoot-tc3xx-wolfHSM](./wolfBoot-tc3xx-wolfHSM/), wolfBoot will expect the public key for image verification to be stored at a specific keyId for the wolfBoot client ID. You can use [whnvmtool](https://github.com/wolfSSL/wolfHSM/tree/main/tools/whnvmtool) to generate a loadable NVM image that contains the required keys automatically via `wbaurixtool.sh` through the `nvm` subcommand. This generates an NVM image containing the generated image signing key based on the [wolfBoot-wolfHSM-keys.nvminit](../../tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit) configuration file, which can then be loaded to the device via a flash programming tool. See the `whnvmtool` documentation and the documentation included in your wolfHSM AURIX release for more details. Note: if you want to use the standard wolfBoot keystore functionality in conjunction with wolfHSM for testing purposes (doesn't require pre-loading keys on the HSM) you can configure wolfBoot to send the keys to the HSM on-the-fly as ephemeral keys. To do this, ensure `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID` is **NOT** defined, and add the `--localkeys` argument to then `./wbaurixtool.sh keygen` command, which invokes the `keygen` tool without the default `--nolocalkeys` option. +## Building: Command Sequence + +The following pseudo command sequence shows a brief overview of the commands needed to build wolfBoot on AURIX (optionally with wolfHSM). The signature and hashing algorithms used in the example are ECC 256 and SHA 256 and specified explicitly for clarity. Note that these algorithms are the default, so do not need to be explicitly specified. Optional arguments are shown in square brackets (e.g. 
if targeting wolfHSM, the `--hsm` option must be provided as a global option to `wbaurixtool.sh`). + +```sh +# Navigate to wolfBoot directory +WOLFBOOT_DIR=/path/to/wolfBoot +SCRIPTS_DIR=$WOLFBOOT_DIR/tools/scripts/tc3xx +cd $WOLFBOOT_DIR + +# Copy source files to appropriate location as listed in the steps above +# ... + +# Start with a clean build +make clean && make keysclean && cd $WOLFBOOT_DIR/tools/keytools && make clean +cd $SCRIPTS_DIR && ./aurixtool.sh clean +# Delete any build artifacts in wolfBoot-tc3xx (or wolfBoot-tc3xx-wolfHSM) and test-app (or test-app-wolfHSM) AURIX Studio projects +# ... + +# Make keytools (NOTE: THIS OVERRIDES TARGET.H WITH SIM VALUES) +cd $WOLFBOOT_DIR +make keytools + + +# Generate target.h +cd $SCRIPTS_DIR +./aurixtool.sh target + +# Generate keys, as well as configuration macros and linker script based on the selected signature algorithm +./aurixtool.sh [--hsm] keygen --sign-algo ecc256 --hash-algo sha256 macros lcf + +# If using wolfHSM, generate key NVM image +./aurixtool.sh nvm +# Load NVM image hexfile to the device +# ... + +# Build wolfHSM AURIX Studio project +# .... + +# Build test-app AURIX Studio project +# .... + +# Sign test app +./aurixtool.sh [--hsm] sign --sign-algo ecc256 --hash-algo sha256 [--debug] + +# Load wolfBoot + app in Lauterbach using tools/scripts/tc3xx/wolfBoot-loadAll-XXX.cmm +# ... +``` + ## Troubleshooting ### WSL "bad interpreter" error
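Review bot: The script name in the new command block does not match the surrounding text. Every invocation in the block is `./aurixtool.sh` (clean, target, keygen, nvm, sign), while the sentence introducing the block and the `--localkeys` note just above it both name `wbaurixtool.sh`. Use one name in both places so the sequence can be copied as written. Two smaller points in the same block: the `nvm` step is commented "If using wolfHSM" but, unlike `keygen` and `sign`, is shown without `[--hsm]`, so state whether the global option applies there. Also, the clean step names the wolfBoot-tc3xx (or wolfBoot-tc3xx-wolfHSM) project but no later step builds it; if "# Build wolfHSM AURIX Studio project" is meant to be that step, reword it to name the wolfBoot project. Since the sequence begins with `make keysclean` and then regenerates the signing key, a comment at the `nvm` step that the NVM image must be regenerated and reloaded after every `keygen` would help avoid a stale public key on the HSM.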