[PATCH] imx: hab: add documentation about the required keys/certs
Marek Vasut
marex at denx.de
Tue May 7 15:28:44 CEST 2024
On 5/7/24 3:06 PM, Claudius Heine wrote:
> For CST to find the certificates and keys for signing, some keys and
> certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team", else NXP is not informed. Use
scripts/get_maintainer to get the full list or just reuse the CC list
from patches in this thread.
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index ce1de659d8..42214df21a 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst
> etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
> in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>
> +Per default the HAB keys and certificates need to be located in the build
> +directory, this means copying the following files from the HAB keys directory
> +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build
> +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too?
> +- `crts/SRK_1_2_3_4_table.bin`
> +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem`
> +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem`
> +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem`
> +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem`
> +- `keys/key_pass.txt`
> +
> +The paths to the SRK table and the certificates can be modified via changes to
> +the nxp_imx8mcst device tree node
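
Review bot: The file list in the added paragraph contradicts the instruction above it. The text says to copy the files flat into the build directory, removing the `keys` and `cert` subdirectories, yet every entry is listed with a `crts/` or `keys/` prefix, and the directory is called `cert` in the prose but `crts` in the list. Suggest using `crts` and `keys` consistently and stating that the prefixes are the source locations in the HAB keys directory, while the files themselves end up directly in the build directory. Because the list includes the private keys (`keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem`, `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem`) and `keys/key_pass.txt`, the paragraph should also say that the build directory then holds signing secrets and has to be access-restricted and cleaned up accordingly. Wording: "Per default ... build directory, this means" reads better as "By default ... build directory. This means".
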
"nodes", plural, there are two, one for SPL and one for fitImage.
It would be good to mention the DT properties which govern the crypto
material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere
around this sentence.