[PATCH v2] mx8m: csf.sh: use vars for keys to avoid file edits when signing
Peng Fan
peng.fan at oss.nxp.com
Fri Jun 16 03:18:32 CEST 2023
On 6/15/2023 11:21 PM, Tim Harvey wrote:
> The csf_spl.txt and csf_fit.txt templates contain file paths which must
> be edited for the location of your NXP CST generated key files.
>
> Streamline the process of signing an image by assigning unique var names
> to these which can be expanded from env variables in the csf.sh script.
>
> The following vars are used:
> SRK_TABLE - full path to SRK_1_2_3_4_table.bin
> CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
>
> Additionally provide an example of running the csf.sh script.
>
> Signed-off-by: Tim Harvey <tharvey at gateworks.com>
> Reviewed-by: Fabio Estevam <festevam at denx.de>
> ---
> v2:
> - fix typo: s/SKK_TABLE/SRK_TABLE
> - add Fabio's rb tag
> ---
> doc/imx/habv4/csf_examples/mx8m/csf.sh | 21 +++++++++++++++++++
> doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 12 +++++------
> doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 12 +++++------
> doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 10 +++++++++
> 4 files changed, 43 insertions(+), 12 deletions(-)
>
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> index 7a9a05e63392..c4e610adf1c4 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> @@ -22,6 +22,27 @@
> cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
> cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
>
> +# update File Paths from env vars
> +if ! [ -r $CSF_KEY ]; then
> + echo "Error: \$CSF_KEY not found"
> + exit 1
> +fi
> +if ! [ -r $IMG_KEY ]; then
> + echo "Error: \$IMG_KEY not found"
> + exit 1
> +fi
> +if ! [ -r $SRK_TABLE ]; then
> + echo "Error: \$SRK_TABLE not found"
> + exit 1
> +fi
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
> +
> +# update SPL Blocks
> spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s at .*=@@p" .config) - 0x40)) )
> spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
> sed -i "/Blocks = / s at .*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
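Review bot: The three `[ -r $VAR ]` guards pass when the variable is unset or empty, because the unquoted expansion disappears and `[ -r ]` becomes a one-argument test that is true for the non-empty string `-r`; quote the expansions, e.g. `if ! [ -r "$CSF_KEY" ]; then`, and likewise for `$IMG_KEY` and `$SRK_TABLE`. With an empty value the `sed` lines that follow would write `File = ""` into csf_spl.tmp and csf_fit.tmp, so the mistake presumably only surfaces later, when the signing tool reads the CSF. The paths are also pasted unescaped into the `s:...:...:` replacement, so a path containing `:`, `&` or `\` is altered or makes sed fail; either escape the value or state the restriction in the comment above the checks. The error messages would be better sent to stderr, e.g. `echo "Error: \$CSF_KEY not found" >&2`. The script begins and continues outside this hunk.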
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> index cd1d4070a5e5..dfcfb777c248 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> @@ -7,21 +7,21 @@
> Signature Format = CMS
>
> [Install SRK]
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> + File = "$SRK_TABLE"
> Source index = 0
>
> [Install CSFK]
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> + File = "$CSF_KEY"
>
> [Authenticate CSF]
>
> [Install Key]
> Verification index = 0
> Target Index = 2
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> + File = "$IMG_KEY"
>
> [Authenticate Data]
> Verification index = 2
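Review bot: The new template comments describe `$SRK_TABLE`, `$CSF_KEY` and `$IMG_KEY` as paths but do not say that they are literal placeholders which only csf.sh replaces, so a reader who passes this template straight to the signing tool gets a file literally named `$SRK_TABLE`; the same applies to both csf_spl.txt hunks. A comment such as `# $SRK_TABLE is replaced by csf.sh with the full path to SRK_1_2_3_4_table.bin` would make that clear. It would also help to state that `CSF_KEY` and `IMG_KEY` point to the `*_usr_crt.pem` certificate files, since the names could be read as asking for private-key paths.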
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> index 00e34f6b1b95..88fa420a5fa0 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> @@ -7,13 +7,13 @@
> Signature Format = CMS
>
> [Install SRK]
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> + File = "$SRK_TABLE"
> Source index = 0
>
> [Install CSFK]
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> + File = "$CSF_KEY"
>
> [Authenticate CSF]
>
> @@ -24,8 +24,8 @@
> [Install Key]
> Verification index = 0
> Target Index = 2
> - # FIXME: Adjust path here
> - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> + File = "$IMG_KEY"
>
> [Authenticate Data]
> Verification index = 2
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 3e3d38440f94..e789bae55940 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -251,6 +251,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
> ```
>
> The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> +and can be used as follows to modify flash.bin to be signed
> +(adjust paths as needed):
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +export PATH=$CST_DIR/linux64/bin:$PATH
> +/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
> +```
>
Reviewed-by: Peng Fan <peng.fan at nxp.com>
It would be better to also add the SRK fuse programming step to the guide.
Thanks,
Peng.
> 1.4 Closing the device
> -----------------------
> --
> 2.25.1
>