From patchwork Mon Oct  3 11:29:57 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Hoyes <peter.hoyes@arm.com>
X-Patchwork-Id: 13453
Return-Path: <peter.hoyes@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C60B0C43219
	for <webhook@archiver.kernel.org>; Mon,  3 Oct 2022 11:29:29 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.web09.17956.1664796566869701460
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 03 Oct 2022 04:29:27 -0700
Authentication-Results: mx.groups.io;
 dkim=missing;
 spf=pass (domain: arm.com, ip: 217.140.110.172,
 mailfrom: peter.hoyes@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E31D2139F;
	Mon,  3 Oct 2022 04:29:32 -0700 (PDT)
Received: from e125920.arm.com (unknown [10.57.80.219])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 59A4B3F67D;
	Mon,  3 Oct 2022 04:29:25 -0700 (PDT)
From: Peter Hoyes <peter.hoyes@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: diego.sueiro@arm.com,
	Peter Hoyes <Peter.Hoyes@arm.com>
Subject: [PATCH 1/3] arm-bsp/trusted-firmware-m: Make branch names
 configurable
Date: Mon,  3 Oct 2022 12:29:57 +0100
Message-Id: <20221003112959.2123869-1-peter.hoyes@arm.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 03 Oct 2022 11:29:29 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3891

From: Peter Hoyes <Peter.Hoyes@arm.com>

In order to support overriding the branch names in other layers, extract
the branch name for each repository and set using default assignment.

Issue-Id: SCM-4964
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Change-Id: I09d0c1f1d012c1abb84648ad974883bbdaa1db7a
---
 .../trusted-firmware-m/trusted-firmware-m_1.6.0.bb    | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb
index bda27713..c10efd5a 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb
@@ -16,20 +16,23 @@ LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \
                     file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8"
 
 SRC_URI  = "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https;branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \
-            git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https;branch=release/1.6.x;name=tfm-tests;destsuffix=git/tf-m-tests \
-            git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master;name=mbedtls;destsuffix=git/mbedtls \
-            git://github.com/mcu-tools/mcuboot.git;protocol=https;branch=main;name=mcuboot;destsuffix=git/mcuboot \
+            git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https;branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \
+            git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \
+            git://github.com/mcu-tools/mcuboot.git;protocol=https;branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \
             "
 
 # The required dependencies are documented in tf-m/config/config_default.cmake
 # TF-Mv1.6.0
-SRCBRANCH_tfm = "release/1.6.x"
+SRCBRANCH_tfm ?= "release/1.6.x"
 SRCREV_tfm = "7387d88158701a3c51ad51c90a05326ee12847a8"
 # mbedtls-3.1.0
+SRCBRANCH_mbedtls ?= "master"
 SRCREV_mbedtls = "d65aeb37349ad1a50e0f6c9b694d4b5290d60e49"
 # TF-Mv1.6.0
+SRCBRANCH_tfm-tests ?= "release/1.6.x"
 SRCREV_tfm-tests = "723905d46019596f3f2df66d79b5d6bff6f3f213"
 # v1.9.0
+SRCBRANCH_mcuboot ?= "main"
 SRCREV_mcuboot = "c657cbea75f2bb1faf1fceacf972a0537a8d26dd"
 
 UPSTREAM_CHECK_GITTAGREGEX = "^TF-Mv(?P<pver>\d+(\.\d+)+)$"

From patchwork Mon Oct  3 11:29:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Hoyes <peter.hoyes@arm.com>
X-Patchwork-Id: 13454
Return-Path: <peter.hoyes@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C5BD3C433F5
	for <webhook@archiver.kernel.org>; Mon,  3 Oct 2022 11:29:29 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.web09.17957.1664796568854551002
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 03 Oct 2022 04:29:29 -0700
Authentication-Results: mx.groups.io;
 dkim=missing;
 spf=pass (domain: arm.com, ip: 217.140.110.172,
 mailfrom: peter.hoyes@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3B1A6139F;
	Mon,  3 Oct 2022 04:29:35 -0700 (PDT)
Received: from e125920.arm.com (unknown [10.57.80.219])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9EE643F67D;
	Mon,  3 Oct 2022 04:29:27 -0700 (PDT)
From: Peter Hoyes <peter.hoyes@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: diego.sueiro@arm.com,
	Peter Hoyes <Peter.Hoyes@arm.com>
Subject: [PATCH 2/3] arm/classes: Migrate TF-M image signing to bbclass
Date: Mon,  3 Oct 2022 12:29:58 +0100
Message-Id: <20221003112959.2123869-2-peter.hoyes@arm.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221003112959.2123869-1-peter.hoyes@arm.com>
References: <20221003112959.2123869-1-peter.hoyes@arm.com>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 03 Oct 2022 11:29:29 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3892

From: Peter Hoyes <Peter.Hoyes@arm.com>

Introduce a new recipe for the TF-M signing scripts.

To make the functionality easier to reuse, move the logic that is
currently in trusted-firmware-m-sign-host-images.inc to
tfm_sign_image.bbclass. This bbclass DEPENDS on
trusted-firmware-m-scrpits-native.

tfm_sign_image.bbclass can be inherited in image recipes to sign
artifacts.

Issue-Id: SCM-4964
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Change-Id: I74aaab5db1a43fedf13ea2564c2f31af207ae924
---
 .../trusted-firmware-m-sign-host-images.inc   | 50 ------------
 meta-arm/classes/tfm_sign_image.bbclass       | 79 +++++++++++++++++++
 ...trusted-firmware-m-scripts-native_1.6.0.bb | 24 ++++++
 3 files changed, 103 insertions(+), 50 deletions(-)
 delete mode 100644 meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
 create mode 100644 meta-arm/classes/tfm_sign_image.bbclass
 create mode 100644 meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb

diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
deleted file mode 100644
index 49af3568..00000000
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-sign-host-images.inc
+++ /dev/null
@@ -1,50 +0,0 @@
-# Signing host images using TF-M tools
-
-DEPENDS += "python3-imgtool-native fiptool-native"
-
-#
-# sign_host_image
-#
-# Description:
-#
-# A generic function that signs a host image
-# using MCUBOOT format
-#
-# Arguments:
-#
-# $1 ... host binary to sign
-# $2 ... host binary path
-# $3 ... load address of the given binary
-# $4 ... signed binary size
-#
-# Note: The signed binary is copied to ${D}/firmware
-#
-sign_host_image() {
-
-    host_binary_filename="`basename -s .bin ${1}`"
-    host_binary_layout="${host_binary_filename}_ns"
-
-    cat << EOF > ${B}/${host_binary_layout}
-enum image_attributes {
-    RE_IMAGE_LOAD_ADDRESS = ${3},
-    RE_SIGN_BIN_SIZE = ${4},
-};
-EOF
-
-    host_binary="${2}/`basename ${1}`"
-    host_binary_signed="${D}/firmware/signed_`basename ${1}`"
-
-    ${PYTHON} ${S}/bl2/ext/mcuboot/scripts/wrapper/wrapper.py \
-            -v ${RE_LAYOUT_WRAPPER_VERSION} \
-            --layout ${B}/${host_binary_layout} \
-            -k  ${TFM_SIGN_PRIVATE_KEY} \
-            --public-key-format full \
-            --align 1 \
-            --pad \
-            --pad-header \
-            -H ${RE_IMAGE_OFFSET} \
-            -s auto \
-            ${host_binary} \
-            ${host_binary_signed}
-
-}
diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
new file mode 100644
index 00000000..542b708b
--- /dev/null
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -0,0 +1,79 @@
+# Functionality to sign binary images using the wrapper script bundled with
+# TF-M. Signed images are written to the deploy directory by default.
+# To use:
+#  * Inherit this class
+#  * Override the do_sign_images task
+#  * Write the signing logic, which may call the function sign_host_image,
+#    described below
+
+inherit python3native deploy
+
+# The output and working directory
+TFM_IMAGE_SIGN_DIR = "${WORKDIR}/tfm-signed-images"
+
+tfm_sign_image_do_sign_images() {
+    :
+}
+addtask sign_images after do_configure before do_compile
+do_sign_images[dirs] = "${TFM_IMAGE_SIGN_DIR}"
+
+tfm_sign_image_do_deploy() {
+    :
+}
+addtask deploy after do_sign_images
+
+deploy_signed_images() {
+    cp ${TFM_IMAGE_SIGN_DIR}/signed_* ${DEPLOYDIR}/
+}
+do_deploy[postfuncs] += "deploy_signed_images"
+
+EXPORT_FUNCTIONS do_sign_images do_deploy
+
+DEPENDS += "trusted-firmware-m-scripts-native"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+#
+# sign_host_image
+#
+# Description:
+#
+# A generic function that signs a host image
+# using MCUBOOT format
+#
+# Arguments:
+#
+# $1 ... path of binary to sign
+# $2 ... load address of the given binary
+# $3 ... signed binary size
+#
+# Note: The signed binary is copied to ${TFM_IMAGE_SIGN_DIR}
+#
+sign_host_image() {
+    host_binary_filename="$(basename -s .bin "${1}")"
+    host_binary_layout="${host_binary_filename}_ns"
+
+    cat << EOF > ${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}
+enum image_attributes {
+    RE_IMAGE_LOAD_ADDRESS = ${2},
+    RE_SIGN_BIN_SIZE = ${3},
+};
+EOF
+
+    host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"
+
+    ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
+            -v ${RE_LAYOUT_WRAPPER_VERSION} \
+            --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
+            -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
+            --public-key-format full \
+            --align 1 \
+            --pad \
+            --pad-header \
+            -H ${RE_IMAGE_OFFSET} \
+            -s auto \
+            "${1}" \
+            "${host_binary_signed}"
+}
diff --git a/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
new file mode 100644
index 00000000..453d456a
--- /dev/null
+++ b/meta-arm/recipes-devtools/trusted-firmware-m-scripts/trusted-firmware-m-scripts-native_1.6.0.bb
@@ -0,0 +1,24 @@
+
+SRC_URI = "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https;branch=${SRCBRANCH}"
+# Use the wrapper script from TF-Mv1.6.0
+SRCBRANCH ?= "release/1.6.x"
+SRCREV = "7387d88158701a3c51ad51c90a05326ee12847a8"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"
+
+S = "${WORKDIR}/git"
+
+inherit native
+
+RDEPENDS:${PN} = "python3-imgtool-native python3-click-native"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+    install -d ${D}/${libdir}
+    cp -rf ${S}/bl2/ext/mcuboot/scripts/ ${D}/${libdir}/tfm-scripts
+    cp -rf ${S}/bl2/ext/mcuboot/*.pem ${D}/${libdir}/tfm-scripts
+}
+FILES:${PN} = "${libdir}/tfm-scripts"

From patchwork Mon Oct  3 11:29:59 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Hoyes <peter.hoyes@arm.com>
X-Patchwork-Id: 13455
Return-Path: <peter.hoyes@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C497DC433FE
	for <webhook@archiver.kernel.org>; Mon,  3 Oct 2022 11:29:39 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.web09.17958.1664796571708910640
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 03 Oct 2022 04:29:31 -0700
Authentication-Results: mx.groups.io;
 dkim=missing;
 spf=pass (domain: arm.com, ip: 217.140.110.172,
 mailfrom: peter.hoyes@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3EE06139F;
	Mon,  3 Oct 2022 04:29:37 -0700 (PDT)
Received: from e125920.arm.com (unknown [10.57.80.219])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id AA8E33F67D;
	Mon,  3 Oct 2022 04:29:29 -0700 (PDT)
From: Peter Hoyes <peter.hoyes@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: diego.sueiro@arm.com,
	Peter Hoyes <Peter.Hoyes@arm.com>
Subject: [PATCH 3/3] arm-bsp/corstone1000: Refactor image signing to use new
 bbclass
Date: Mon,  3 Oct 2022 12:29:59 +0100
Message-Id: <20221003112959.2123869-3-peter.hoyes@arm.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221003112959.2123869-1-peter.hoyes@arm.com>
References: <20221003112959.2123869-1-peter.hoyes@arm.com>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 03 Oct 2022 11:29:39 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3893

From: Peter Hoyes <Peter.Hoyes@arm.com>

The prevoius commit refactored trusted-firmware-m-sign-host-images.inc
into tfm_sign_image.bbclass.

Move the image signing logic from the TF-M bbappend to
corstone1000-image.bb, using the new bbclass.

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Change-Id: Ib76dce2ba9102e343d0611d929250d1d8aee518b
---
 .../conf/machine/include/corstone1000.inc     |  2 +-
 .../recipes-bsp/images/corstone1000-image.bb  | 21 ++++++++++++++++++-
 .../trusted-firmware-a-corstone1000.inc       |  3 ---
 .../trusted-firmware-m-corstone1000.inc       | 17 ---------------
 4 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc
index 5d22b464..d0265364 100644
--- a/meta-arm-bsp/conf/machine/include/corstone1000.inc
+++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc
@@ -18,7 +18,7 @@ TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
 TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
 TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
 RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
-TFM_SIGN_PRIVATE_KEY = "${S}/bl2/ext/mcuboot/root-RSA-3072_1.pem"
+TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
 RE_IMAGE_OFFSET = "0x1000"
 
 # u-boot
diff --git a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
index ad5ec958..76a7126b 100644
--- a/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
+++ b/meta-arm-bsp/recipes-bsp/images/corstone1000-image.bb
@@ -6,8 +6,27 @@ LICENSE = "MIT"
 COMPATIBLE_MACHINE = "corstone1000"
 
 inherit image
-inherit wic_nopt
+inherit wic_nopt tfm_sign_image
 
 PACKAGE_INSTALL = ""
 
 IMAGE_FSTYPES += "wic wic.nopt"
+
+do_sign_images() {
+    # Sign TF-A BL2
+    sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \
+        ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
+
+    # Update BL2 in the FIP image
+    cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .
+    fiptool update --tb-fw ${TFM_IMAGE_SIGN_DIR}/signed_${TFA_BL2_BINARY} \
+        ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}
+
+    # Sign the FIP image
+    sign_host_image ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} \
+        ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
+}
+do_sign_images[depends] = "\
+    trusted-firmware-a:do_populate_sysroot \
+    fiptool-native:do_populate_sysroot \
+    "
diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
index 341c8a27..3034680d 100644
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
@@ -37,6 +37,3 @@ EXTRA_OEMAKE:append = " \
                         BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \
                         LOG_LEVEL=50 \
                         "
-
-# trigger TF-M build so TF-A binaries get signed
-do_deploy[depends]+= "virtual/trusted-firmware-m:do_prepare_recipe_sysroot"
diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
index eb400e52..95c49d06 100644
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
@@ -25,25 +25,8 @@ SRC_URI += "git://github.com/OpenAMP/open-amp.git;protocol=https;branch=main;nam
 SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d"
 EXTRA_OECMAKE += "-DLIBOPENAMP_SRC_PATH=${WORKDIR}/git/openamp -DLIBOPENAMP_BIN_PATH=${B}/libopenamp-build"
 
-DEPENDS += "trusted-firmware-a"
-
-# adding host images signing support
-require trusted-firmware-m-sign-host-images.inc
-
 do_install() {
   install -D -p -m 0644 ${B}/install/outputs/tfm_s_signed.bin ${D}/firmware/tfm_s_signed.bin
   install -D -p -m 0644 ${B}/install/outputs/bl2_signed.bin ${D}/firmware/bl2_signed.bin
   install -D -p -m 0644 ${B}/install/outputs/bl1.bin ${D}/firmware/bl1.bin
-
-  #
-  # Signing TF-A BL2 and the FIP image
-  #
-
-  sign_host_image ${TFA_BL2_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
-
-  fiptool update \
-      --tb-fw ${D}/firmware/signed_${TFA_BL2_BINARY} \
-      ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY}
-
-  sign_host_image ${TFA_FIP_BINARY} ${RECIPE_SYSROOT}/firmware ${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
 }