[PATCH v2] mx8m: csf.sh: use vars for keys to avoid file edits when signing

Peng Fan peng.fan at oss.nxp.com
Fri Jun 16 03:18:32 CEST 2023



On 6/15/2023 11:21 PM, Tim Harvey wrote:
> The csf_spl.txt and csf_fit.txt templates contain file paths which must
> be edited for the location of your NXP CST generated key files.
> 
> Streamline the process of signing an image by assigning unique var names
> to these which can be expanded from env variables in the csf.sh script.
> 
> The following vars are used:
>   SRK_TABLE - full path to SRK_1_2_3_4_table.bin
>   CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
>   IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> 
> Additionally provide an example of running the csf.sh script.
> 
> Signed-off-by: Tim Harvey <tharvey at gateworks.com>
> Reviewed-by: Fabio Estevam <festevam at denx.de>
> ---
> v2:
>   - fix typo: s/SKK_TABLE/SRK_TABLE
>   - add Fabio's rb tag
> ---
>   doc/imx/habv4/csf_examples/mx8m/csf.sh        | 21 +++++++++++++++++++
>   doc/imx/habv4/csf_examples/mx8m/csf_fit.txt   | 12 +++++------
>   doc/imx/habv4/csf_examples/mx8m/csf_spl.txt   | 12 +++++------
>   doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 10 +++++++++
>   4 files changed, 43 insertions(+), 12 deletions(-)
> 
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> index 7a9a05e63392..c4e610adf1c4 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> @@ -22,6 +22,27 @@
>   cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
>   cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
> 
> +# update File Paths from env vars
> +if ! [ -r $CSF_KEY ]; then
> +       echo "Error: \$CSF_KEY not found"
> +       exit 1
> +fi
> +if ! [ -r $IMG_KEY ]; then
> +       echo "Error: \$IMG_KEY not found"
> +       exit 1
> +fi
> +if ! [ -r $SRK_TABLE ]; then
> +       echo "Error: \$SRK_TABLE not found"
> +       exit 1
> +fi
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
> +
> +# update SPL Blocks
>   spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s at .*=@@p" .config) - 0x40)) )
>   spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
>   sed -i "/Blocks = / s at .*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
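Review bot: The three readability checks at the top of the added block do not catch an unset or empty variable: with the expansion unquoted, `[ -r $CSF_KEY ]` collapses to the one-argument test `[ -r ]`, which is true, so the script carries on and sed writes `File = ""` into both CSF templates. Quote the expansion in each check, e.g. `if ! [ -r "$CSF_KEY" ]; then`, and do the same for `$IMG_KEY` and `$SRK_TABLE`; quoting also stops a path with spaces from being split into several test arguments. The sed lines interpolate the path into the replacement with `:` as the delimiter, so a key path containing `:` or `&` would give a broken or wrong substitution; a comment such as `# key paths must not contain ':' or '&'` would document that limit. The error messages would also be better sent to stderr with `>&2`, so a failed signing run is not mistaken for normal output in a build log.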
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> index cd1d4070a5e5..dfcfb777c248 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> @@ -7,21 +7,21 @@
>     Signature Format = CMS
> 
>   [Install SRK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> +  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> +  File = "$SRK_TABLE"
>     Source index = 0
> 
>   [Install CSFK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$CSF_KEY"
> 
>   [Authenticate CSF]
> 
>   [Install Key]
>     Verification index = 0
>     Target Index = 2
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$IMG_KEY"
> 
>   [Authenticate Data]
>     Verification index = 2
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> index 00e34f6b1b95..88fa420a5fa0 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> @@ -7,13 +7,13 @@
>     Signature Format = CMS
> 
>   [Install SRK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> +  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> +  File = "$SRK_TABLE"
>     Source index = 0
> 
>   [Install CSFK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$CSF_KEY"
> 
>   [Authenticate CSF]
> 
> @@ -24,8 +24,8 @@
>   [Install Key]
>     Verification index = 0
>     Target Index = 2
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$IMG_KEY"
> 
>   [Authenticate Data]
>     Verification index = 2
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 3e3d38440f94..e789bae55940 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -251,6 +251,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
>   ```
> 
>   The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> +and can be used as follows to modify flash.bin to be signed
> +(adjust paths as needed):
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +export PATH=$CST_DIR/linux64/bin:$PATH
> +/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
> +```
> 

Reviewed-by: Peng Fan <peng.fan at nxp.com>

It would be better to also add the SRK fuse programming step to the guide.

Thanks,
Peng.

>   1.4 Closing the device
>   -----------------------
> --
> 2.25.1
> 

