[PATCH 2/2] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing

Fri Apr 26 19:02:44 CEST 2024

On 4/26/24 6:00 PM, Tom Rini wrote:
> On Fri, Apr 26, 2024 at 08:56:29AM -0700, Tim Harvey wrote:
>> On Fri, Apr 26, 2024 at 8:51 AM Tom Rini <trini at konsulko.com> wrote:
>>>
>>> On Fri, Apr 26, 2024 at 08:30:23AM -0700, Tim Harvey wrote:
>>>> On Thu, Apr 25, 2024 at 4:07 PM Marek Vasut <marex at denx.de> wrote:
>>>>>
>>>>> Update documentation and use nxp_imx8mcst binman etype for signing
>>>>> of flash.bin instead of previous horrible shell scripting.
>>>>
>>>> Hi Marek,
>>>>
>>>> To be completely fair we are just replacing a shell script and
>>>> template file with a python script
>>>> (tools/binman/etype/nxp_imx8mcst.py) which also creates the template
>>>> file.
>>>>
>>>> I could care less about shell vs python but do put huge value in the
>>>> idea of making signing easier and doing so without modification of
>>>> U-Boot code. The current implementation requires a couple of things to
>>>> be enabled in defconfig which can be done with a seperate
>>>> 'out-of-tree' defconfig but this new proposed implementation requires
>>>> changing a u-boot.dtsi which is a tracked file.
>>>
>>> A counter-point is that with using binman for signing we start
>>> eliminating differences between different semiconductors on how to get
>>> something signed.
>>
>> Hi Tom,
>>
>> I agree... I'm a huge fan of binman. I just don't want to replace
>> current constructs that use env and/or config items on a clean code
>> directory with replacements that require code diffs to do the same.
>>
>> I'm simply wanting to wrap binman sections with Kconfig items. Is
>> there a way to use environment variables within binman sections (ie to
>> wrap sections or override filenames)?
> 
> I'm honestly not sure if everyone is happy just yet with how integration
> and support for production use cases of signing features is integrated
> with binman just yet.

I am sort-of on the fence with the Kconfig option, I did consider it 
before sending this patch, because we already have #ifdef ...IMX_HAB in 
that .dtsi file, but we would need new Kconfig option for this and the 
binman node is starting to be cluttered with ifdeffery.

The other option would be to add a wrapper section around both the SPL 
and FIT nodes, and for signing the type= of the section could be 
overridden to nxp_mx8mcst , that would work too, but that impact all the 
non-signing users.

So ... thoughts ?