[PATCH v2 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing

Tue May 14 22:23:22 CEST 2024

On 5/14/24 8:34 PM, Tim Harvey wrote:

Hi,

>> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> index e16e5410bd9..ce1de659d8c 100644
>> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> @@ -121,6 +121,9 @@ build configuration:
>>   - Defconfig:
>>
>>     CONFIG_IMX_HAB=y
>> +  CONFIG_FSL_CAAM=y
>> +  CONFIG_ARCH_MISC_INIT=y
>> +  CONFIG_SPL_CRYPTO=y
>>
> 
> Hi Marek,
> 
> Thanks for wrapping the dts bits with a config item.
> 
> Is there any other reason to build with CONFIG_IMX_HAB than to use a
> signed image? I see that there are several ARCH_MX6 and ARCH_MX7
> configs that have this enabled (not ARCH_IMX8M so this certainly
> doesn't break anything) and I'm not sure what the value of that is.

I think those few either enabled in preemptively in anticipation of 
possibly using HAB, or are wrong. I suspect it should be disabled for 
those, as it only adds to the board boot time and I am not even sure if 
those machines would boot correctly.

Francesco, maybe you do have MX7 Colibri ?

> I notice that FSL_CAAM is selected when you select IMX_HAB... is there
> any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by
> IMX_HAB as well (future patch perhaps)?

ARCH_MISC_INIT should be selected by SoC Kconfig on MX7 and maybe CAAM 
on MX8M I think . As for SPL_CRYPTO, that should be selected by 
SPL_FSL_CAAM I think.

>>   - Kconfig:
>>
> 
> We definitely need to describe the additional requirements here. Maybe
> something like:
> 
> - Tools:
> cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
> 
> - Files: (created with NXP IMX_CST_TOOL)
> SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table
> CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
> 
> The following works fine for me on v2024.01
> export CST_DIR=/usr/src/nxp/cst-3.3.2/
> export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> export PATH=$CST_DIR/linux64/bin:$PATH
> make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
> 
> But with the above defines and your series this fails:
> ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin
> ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> make
>    BINMAN  .binman_stamp
> Wrote map file './image.map' to show errors
> binman: Error 1 running 'cst -i
> ./nxp.csf-config-txt.section.nxp-imx8mcst at 0 -o
> ./nxp.csf-output-blob.section.nxp-imx8mcst at 0': Error:
> Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem
> 0:error:02001002:system library:fopen:No such file or
> directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key.
> pem','r')
> 0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
> 
> make: *** [Makefile:1126: .binman_stamp] Error 1
> 
> So how is it that the default for nxp,img-crt
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for
> IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files
> vs ln them.
> 
> So what am I missing here?

I think CST is using both the certificate and the key files. Try and run 
strace on the CST to test that:

$ strace cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst at 0 -o 
./nxp.csf-output-blob.section.nxp-imx8mcst at 0