[PATCH 2/2] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing

Tim Harvey tharvey at gateworks.com
Fri Apr 26 17:30:23 CEST 2024


On Thu, Apr 25, 2024 at 4:07 PM Marek Vasut <marex at denx.de> wrote:
>
> Update documentation and use nxp_imx8mcst binman etype for signing
> of flash.bin instead of previous horrible shell scripting.

Hi Marek,

To be completely fair we are just replacing a shell script and
template file with a python script
(tools/binman/etype/nxp_imx8mcst.py) which also creates the template
file.

I could care less about shell vs python but do put huge value in the
idea of making signing easier and doing so without modification of
U-Boot code. The current implementation requires a couple of things to
be enabled in defconfig which can be done with a separate
'out-of-tree' defconfig but this new proposed implementation requires
changing a u-boot.dtsi which is a tracked file.

>
> Signed-off-by: Marek Vasut <marex at denx.de>
> ---
> Cc: "NXP i.MX U-Boot Team" <uboot-imx at nxp.com>
> Cc: Adam Ford <aford173 at gmail.com>
> Cc: Alper Nebi Yasak <alpernebiyasak at gmail.com>
> Cc: Andrejs Cainikovs <andrejs.cainikovs at toradex.com>
> Cc: Angus Ainslie <angus at akkea.ca>
> Cc: Emanuele Ghidoli <emanuele.ghidoli at toradex.com>
> Cc: Fabio Estevam <festevam at gmail.com>
> Cc: Francesco Dolcini <francesco.dolcini at toradex.com>
> Cc: Marcel Ziswiler <marcel.ziswiler at toradex.com>
> Cc: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> Cc: Simon Glass <sjg at chromium.org>
> Cc: Stefan Eichenberger <stefan.eichenberger at toradex.com>
> Cc: Stefano Babic <sbabic at denx.de>
> Cc: Tim Harvey <tharvey at gateworks.com>
> Cc: Tom Rini <trini at konsulko.com>
> Cc: kernel at puri.sm
> Cc: u-boot at dh-electronics.com
> Cc: u-boot at lists.denx.de
> ---
>  doc/imx/habv4/csf_examples/mx8m/csf.sh        |  92 ------------
>  doc/imx/habv4/csf_examples/mx8m/csf_fit.txt   |  30 ----
>  doc/imx/habv4/csf_examples/mx8m/csf_spl.txt   |  33 ----
>  doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 141 +++++++-----------
>  4 files changed, 55 insertions(+), 241 deletions(-)
>  delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh
>  delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
>  delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
>
<snip>

> +to authenticate, which keys to install, use and etc. The CSF is generated
> +using the CST Code Signing Tool based on input configuration file. This tool
> +input configuration file is generated using binman, and the tool is invoked
> +from binman as well.
> +
> +The SPL and fitImage sections of the generated image are signed separately.
> +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst
> +etype, by adding the following modification into the binman node:
> +

Can we avoid having to modify code to sign an image? If we add a
Kconfig then you can wrap the following changes with an ifdef.

I've run into a similar issue enabling OPTEE and was able to wrap the
entries with ifdefs with the exception of one that requires a unique
load address which I guess requires another Kconfig to solve [1]

Best Regards,

Tim
[1] https://patchwork.ozlabs.org/project/uboot/patch/20230622173006.3921891-1-tharvey@gateworks.com/

> +"
> +    diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi
> +    index c4c1a177102..ccd44bf9d0b 100644
> +    --- a/arch/arm/dts/imx8mp-u-boot.dtsi
> +    +++ b/arch/arm/dts/imx8mp-u-boot.dtsi
> +    @@ -86,6 +86,12 @@
> +            section {
> +                    pad-byte = <0x00>;
> +
> +    +               nxp-imx8mcst at 0 {
> +    +                       filename = "u-boot-spl-mkimage.signed.bin";
> +    +                       nxp,loader-address = <CONFIG_SPL_TEXT_BASE>;
> +    +                       nxp,unlock;
> +    +                       args;   /* Needed by mkimage etype superclass */
> +    +
> +                    nxp-imx8mimage {
> +                            filename = "u-boot-spl-mkimage.bin";
> +                            nxp,boot-from = "sd";
> +    @@ -129,6 +135,14 @@
> +                            };
> +                    };
> +
> +    +               };
> +    +
> +    +               nxp-imx8mcst at 1 {
> +    +                       filename = "u-boot-fit.signed.bin";
> +    +                       nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>;
> +    +                       offset = <0x58000>;
> +    +                       args;   /* Needed by mkimage etype superclass */
> +    +
> +                    fit {
> +                            description = "Configuration to load ATF before U-Boot";
> +     #ifndef CONFIG_IMX_HAB
> +    @@ -191,5 +205,6 @@
> +                                    };
> +                            };
> +                    };
> +    +               };
> +            };
> +     };
> +"
> +
> +Build of flash.bin target then produces a signed flash.bin automatically.
>
>  1.4 Closing the device
>  -----------------------
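
Review bot: the example dtsi diff sets `nxp,unlock;` only on the first (SPL) `nxp-imx8mcst` node and gives the second (FIT) node a literal `offset = <0x58000>`, yet the visible documentation text explains neither property. Someone adapting this to another board cannot tell whether the unlock is meant for the SPL only, or whether 0x58000 has to match their own image layout. Suggest adding one sentence per property after the example. The example's context also shows that this dtsi already uses `#ifndef CONFIG_IMX_HAB` inside the fit node, so the opening and closing lines of each wrapper node could be guarded by a preprocessor conditional in the tracked file rather than documented as a manual modification. Minor wording: "which keys to install, use and etc." reads better as "which keys to install and use, etc.".
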
> --
> 2.43.0
>
