[PATCH] imx: hab: add documentation about the required keys/certs
Marek Vasut
marex at denx.de
Mon May 13 05:46:48 CEST 2024
On 5/8/24 9:23 AM, Claudius Heine wrote:
> Hi Marek,
Hi,
> On 2024-05-07 3:28 pm, Marek Vasut wrote:
>> On 5/7/24 3:06 PM, Claudius Heine wrote:
>>> For CST to find the certificates and keys for signing, some keys and
>>> certs need to be copied into the u-boot build directory.
>>
>> Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use
>> scripts/get_maintainer to get the full list or just reuse the CC list
>> from patches in this thread.
>
> I send the patch with `--to-cmd scripts/get_maintainer.pl`, maybe I
> should have used `--cc-cmd`, but that would not change the list of
> recipients.
Should now be fixed in
[PATCH] ARM: imx: Add doc/imx/ to i.MX MAINTAINERS entry
>>> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>>> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>>> index ce1de659d8..42214df21a 100644
>>> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>>> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>>> @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and
>>> fitImage sections into nxp-imx8mcst
>>> etype, which is done automatically in
>>> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
>>> in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>>> +Per default the HAB keys and certificates need to be located in the
>>> build
>>> +directory, this means copying the following files from the HAB keys
>>> directory
>>> +flat (e.g. removing the `keys` and `cert` subdirectory) into the
>>> u-boot build
>>> +directory for the CST Code Signing Tool to locate them:
>>
>> Do symlink(s) work too ?
>
> I have not tested it, but I don't see any reason why it would not. I
> also don't see a reason for mentioning it. I want to keep it simple, if
> the dev whats to do things differently, they are free to do so.
"
Per default the HAB keys and certificates need to be located in the
build directory, this means {+creating a symbolic link or +}copying the
following...
"
Please test it and add it in V2 if it works, I think symlink is better
than bluntly copying files around, esp. for crypto material.
>>> +- `crts/SRK_1_2_3_4_table.bin`
>>> +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem`
>>> +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem`
>>> +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem`
>>> +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem`
>>> +- `keys/key_pass.txt`
>>> +
>>> +The paths to the SRK table and the certificates can be modified via
>>> changes to
>>> +the nxp_imx8mcst device tree node
>>
>> "nodes", plural, there are two, one for SPL and one for fitImage.
>
> Well, I was thinking here more generally about the node type and was
> assuming that the person reading this knows how many they have of that
> type. But I can add a `s` in v2.
Use "node(s)" which covers both options.
>> It would be good to mention the DT properties which govern the crypto
>> material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere
>> around this sentence.
>
> This is something that should be documented with the changes where that
> code was added, IMO. I only documented here what I found out and have
> used myself, I haven't used those.
>
> I would be interested in reading how to best overwrite those paths and
> the image structured from board u-boot.dtsi files myself.
>
> If you want to can pickup my patch and integrate it into your series and
> extend it.
I'll keep it in mind for V3.
More information about the U-Boot
mailing list