cmake: Generate confirmed images in Direct XIP

If building with revert functionality, generate the confirmed images so
the application will boot after flashing the default set of artifacts.

Ref: NCSIDB-1208

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

cmake/sysbuild/image_signing.cmake

@@ -93,12 +93,6 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_sign ${PYTHON_EXECUTABLE} ${IMGTOOL} sign --version ${CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION} --align ${write_block_size} --slot-size ${slot_size} --header-size ${CONFIG_ROM_START_OFFSET} ${imgtool_rom_command})
   endif()
 
-  set(imgtool_directxip_hex_command)
-
-  if(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
-    set(imgtool_directxip_hex_command --confirm)
-  endif()
-
   # Arguments to imgtool.
   if(NOT CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "")
     # Separate extra arguments into the proper format for adding to
@@ -208,6 +202,25 @@ function(zephyr_mcuboot_tasks)
         ${imgtool_sign} ${imgtool_args} ${imgtool_bin_extra} ${imgtool_encrypt_extra_args} --encrypt
         "${keyfile_enc}" ${input_arg} ${output}.encrypted.bin)
     endif()
+
+    # Generate and use the confirmed image in Direct XIP with revert, so the
+    # default application will boot after flashing.
+    if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE OR CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
+      list(APPEND byproducts ${output}.confirmed.bin)
+      zephyr_runner_file(bin ${output}.confirmed.bin)
+      set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_BIN_NAME "${output}.confirmed.bin"
+        CACHE FILEPATH "Signed and confirmed kernel bin file" FORCE
+      )
+      if("${keyfile_enc}" STREQUAL "")
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_sign} ${imgtool_args} ${imgtool_bin_extra} --pad --confirm ${input_arg}
+          ${output}.confirmed.bin)
+      else()
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_sign} ${imgtool_args} ${imgtool_bin_extra} ${imgtool_encrypt_extra_args}
+          --encrypt "${keyfile_enc}" --clear --pad --confirm ${input_arg} ${output}.confirmed.bin)
+      endif()
+    endif()
   endif()
 
   # Set up .hex outputs.
@@ -236,12 +249,11 @@ function(zephyr_mcuboot_tasks)
     # after the commands which generate the unsigned versions.
     if("${keyfile_enc}" STREQUAL "")
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
-        ${imgtool_sign} ${imgtool_args} ${imgtool_directxip_hex_command} ${imgtool_hex_extra}
-        ${input_arg} ${output}.hex)
+        ${imgtool_sign} ${imgtool_args} ${imgtool_hex_extra} ${input_arg} ${output}.hex)
     else()
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
-        ${imgtool_sign} ${imgtool_args} ${imgtool_directxip_hex_command} ${imgtool_hex_extra}
-        ${imgtool_encrypt_extra_args} --encrypt "${keyfile_enc}" --clear ${input_arg} ${output}.hex)
+        ${imgtool_sign} ${imgtool_args} ${imgtool_hex_extra} ${imgtool_encrypt_extra_args} --encrypt
+        "${keyfile_enc}" --clear ${input_arg} ${output}.hex)
 
       list(APPEND byproducts ${output}.encrypted.hex)
       set(BYPRODUCT_KERNEL_SIGNED_ENCRYPTED_HEX_NAME "${output}.encrypted.hex"
@@ -252,6 +264,27 @@ function(zephyr_mcuboot_tasks)
         ${imgtool_sign} ${imgtool_args} ${imgtool_hex_extra} ${imgtool_encrypt_extra_args} --encrypt
         "${keyfile_enc}" ${input_arg} ${output}.encrypted.hex)
     endif()
+
+    # Generate and use the confirmed image in Direct XIP with revert, so the
+    # default application will boot after flashing.
+    if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE OR CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
+      list(APPEND byproducts ${output}.confirmed.hex)
+      if((NOT CONFIG_PARTITION_MANAGER_ENABLED) OR CONFIG_NCS_IS_VARIANT_IMAGE)
+        zephyr_runner_file(hex ${output}.confirmed.hex)
+      endif()
+      set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME "${output}.confirmed.hex"
+        CACHE FILEPATH "Signed and confirmed kernel hex file" FORCE
+      )
+      if("${keyfile_enc}" STREQUAL "")
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_sign} ${imgtool_args} ${imgtool_hex_extra} --pad --confirm ${input_arg}
+          ${output}.confirmed.hex)
+      else()
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_sign} ${imgtool_args} ${imgtool_hex_extra} ${imgtool_encrypt_extra_args}
+          --encrypt "${keyfile_enc}" --clear --pad --confirm ${input_arg} ${output}.confirmed.hex)
+      endif()
+    endif()
   endif()
 
   set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})

cmake/sysbuild/image_signing_split.cmake

@@ -245,6 +245,40 @@ function(zephyr_mcuboot_tasks)
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
         ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py -o ${output_merged}.encrypted.hex ${output_internal}.encrypted.hex ${output_external}.encrypted.hex)
     endif()
+
+    if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE OR CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
+      list(APPEND byproducts ${output_merged}.confirmed.hex)
+      if(CONFIG_NCS_IS_VARIANT_IMAGE)
+        zephyr_runner_file(hex ${output_merged}.confirmed.hex)
+      endif()
+      set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME "${output_merged}.confirmed.hex"
+        CACHE FILEPATH "Signed and confirmed kernel hex file" FORCE
+      )
+
+      if("${keyfile_enc}" STREQUAL "")
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_internal_sign} ${imgtool_args} --pad --confirm ${input_internal_arg}.hex
+          ${output_internal}.confirmed.hex)
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_external_sign} ${imgtool_args} --pad --confirm ${output_external}.hex
+          ${output_external}.confirmed.hex)
+        # Combine the signed confirmed hex files into a single output hex file
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py -o ${output_merged}.confirmed.hex ${output_internal}.confirmed.hex ${output_external}.confirmed.hex)
+      else()
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_internal_sign} ${imgtool_args} ${imgtool_encrypt_extra_args} --encrypt
+          "${keyfile_enc}" --clear --pad --confirm ${input_internal_arg}
+          ${output_internal}.confirmed.hex)
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${imgtool_external_sign} ${imgtool_args} ${imgtool_encrypt_extra_args} --encrypt
+          "${keyfile_enc}" --clear --pad --confirm ${input_external_arg}
+          ${output_external}.confirmed.hex)
+        # Combine the signed confirmed hex files into a single output hex file
+        set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+          ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py -o ${output_merged}.confirmed.hex ${output_internal}.confirmed.hex ${output_external}.confirmed.hex)
+      endif()
+    endif()
   endif()
 
   # Set up .bin outputs.
@@ -261,6 +295,19 @@ function(zephyr_mcuboot_tasks)
       CACHE FILEPATH "Signed kernel bin files" FORCE
     )
 
+    if(CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE OR CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
+      set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+        ${CMAKE_OBJCOPY} --input-target=ihex --output-target=binary ${output_internal}.confirmed.hex ${output_internal}.confirmed.bin)
+      set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+        ${CMAKE_OBJCOPY} --input-target=ihex --output-target=binary ${output_external}.confirmed.hex ${output_external}.confirmed.bin)
+
+      list(APPEND byproducts "${output_internal}.confirmed.bin;${output_external}.confirmed.bin")
+
+      set(BYPRODUCT_KERNEL_SIGNED_CONFIRMED_BIN_NAME "${output_internal}.confirmed.bin;${output_external}.confirmed.bin"
+        CACHE FILEPATH "Signed kernel bin files" FORCE
+      )
+    endif()
+
     if(NOT "${keyfile_enc}" STREQUAL "")
       # Instead of re-signing, convert the encrypted hex files to binary using objcopy
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND

cmake/sysbuild/partition_manager.cmake

@@ -256,7 +256,10 @@ function(partition_manager)
       # So for each domain we should just include the generated hex file.
       # Those are available thorugh sysbuild_get, but not locally as there is no parent image.
       list(APPEND explicitly_assigned ${part})
-      sysbuild_get(${part}_PM_HEX_FILE IMAGE ${part} VAR BYPRODUCT_KERNEL_SIGNED_HEX_NAME CACHE)
+      sysbuild_get(${part}_PM_HEX_FILE IMAGE ${part} VAR BYPRODUCT_KERNEL_SIGNED_CONFIRMED_HEX_NAME CACHE)
+      if(NOT ${part}_PM_HEX_FILE)
+        sysbuild_get(${part}_PM_HEX_FILE IMAGE ${part} VAR BYPRODUCT_KERNEL_SIGNED_HEX_NAME CACHE)
+      endif()
       if(NOT ${part}_PM_HEX_FILE)
         sysbuild_get(${part}_PM_HEX_FILE IMAGE ${part} VAR BYPRODUCT_KERNEL_HEX_NAME CACHE)
       endif()