[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing

Marek Vasut marex at denx.de
Mon May 6 17:21:54 CEST 2024


On 5/6/24 1:52 PM, Francesco Dolcini wrote:
> Hello Marek,
> 
> On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
>> Add new binman etype which allows signing both the SPL and fitImage sections
>> of i.MX8M flash.bin using CST. There are multiple DT properties which govern
>> the signing process, nxp,loader-address is the only mandatory one which sets
>> the SPL signature start address without the imx8mimage header, this should be
>> SPL text base. The key material can be configured using optional DT properties
>> nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default to the key material
>> names generated by CST tool scripts. The nxp,unlock property can be used to
>> unlock CAAM access in SPL section.
>>
>> Signed-off-by: Marek Vasut <marex at denx.de>
> 
> I was not able to test or really look into your series [1], however I can
> relate with a comment from Tim Harvey.
> 
> I think it is important to keep in mind that signing cannot be done
> with key material that is in-tree, because well, that's private, and I
> think we should not force people to branch to properly sign the
> binaries.
> 
> I think that it would be valuable to share how you foresee this being
> used in a real environment.

I am open to discussion, really.

Currently the most basic approach is implemented -- plug in key material 
either by copying it into build directory, or creating a symlink, or 
adjusting the DT to specify full path to key material.

I am sure this can be expanded to cover other use cases?

