[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing

Francesco Dolcini francesco at dolcini.it
Mon May 6 13:52:27 CEST 2024


Hello Marek,

On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
> Add new binman etype which allows signing both the SPL and fitImage sections
> of i.MX8M flash.bin using CST. There are multiple DT properties which govern
> the signing process, nxp,loader-address is the only mandatory one which sets
> the SPL signature start address without the imx8mimage header, this should be
> SPL text base. The key material can be configured using optional DT properties
> nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default to the key material
> names generated by CST tool scripts. The nxp,unlock property can be used to
> unlock CAAM access in SPL section.
> 
> Signed-off-by: Marek Vasut <marex at denx.de>

I was not able to test or really look into your series [1], however I can
relate to a comment from Tim Harvey.

I think it is important to keep in mind that signing cannot be done
with key material that is in-tree, because well, that's private, and I
think we should not force people to branch to properly sign the
binaries.

I think that it would be valuable to share how you foresee this being used
in a real environment.

Francesco

[1] so feel free to refer me to any already agreed discussion on the
topic ...



