[PATCH] imx: hab: add documentation about the required keys/certs

Claudius Heine ch at denx.de
Thu May 16 10:25:30 CEST 2024


Hi Tim and Marek,

On 2024-05-16 12:46 am, Tim Harvey wrote:
> On Tue, May 14, 2024 at 11:50 AM Tim Harvey <tharvey at gateworks.com> wrote:
>> On Sun, May 12, 2024 at 10:08 PM Marek Vasut <marex at denx.de> wrote:
>>> On 5/8/24 9:23 AM, Claudius Heine wrote:
>>>> On 2024-05-07 3:28 pm, Marek Vasut wrote:
>>>>> It would be good to mention the DT properties which govern the crypto
>>>>> material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere
>>>>> around this sentence.
>>>>
>>>> This is something that should be documented with the changes where that
>>>> code was added, IMO. I only documented here what I found out and have
>>>> used myself, I haven't used those.
>>>>
>>>> I would be interested in reading how to best overwrite those paths and
>>>> the image structured from board u-boot.dtsi files myself.
>>>>
>>>> If you want to, you can pick up my patch and integrate it into your series
>>>> and extend it.
>>>
>>> I'll keep it in mind for V3.
> 
> Hi Marek,
> 
> The documentation patch here by Claudius does resolve my issues
> discussed in the other thread and I can confirm symlinks work fine so
> I think something like the following should be added:
> 
> CST_DIR=/usr/src/cst-3.3.2/
> ln -s $CST_DIR/crts .
> ln -s $CST_DIR/keys .

`keys` and `crts` are very short and generic names, and putting them
into the build directory might cause issues at some point. But I would
not be against putting them into a subdirectory (`imx-hab/{keys,crts}`?).

> 
> then with the following change to nxp_imx8mcst.py you can build a
> signed image without code modification:
> diff --git a/tools/binman/etype/nxp_imx8mcst.py
> b/tools/binman/etype/nxp_imx8mcst.py
> index 132127ad4827..7d8abc78fc89 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>       def ReadNode(self):
>           super().ReadNode()
>           self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
> -        self.srk_table = fdt_util.GetString(self._node,
> 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
> -        self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt',
> 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
> -        self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt',
> 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
> +        self.srk_table = fdt_util.GetString(self._node,
> 'nxp,srk-table', 'crts/SRK_1_2_3_4_table.bin')
> +        self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt',
> 'crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
> +        self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt',
> 'crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
>           self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
>           self.ReadEntries()
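Review bot: the new defaults in `ReadNode()` hardcode a `crts/` prefix that is resolved relative to whatever directory binman runs in, so a tree with the certificates anywhere else still needs the symlink or copy shown above, and nothing in the entry type or its documentation records that expected layout. Suggest stating where `crts/` is looked up (next to the default `SRK_1_2_3_4_table.bin` name in the entry's docstring and in the HAB documentation this series adds), or taking the base directory from an environment variable so no files have to be placed in the build directory. Note also that the mail client has wrapped the long lines of the quoted hunk (the `'nxp,srk-table', 'SRK_1_2_3_4_table.bin')` continuation sits on its own line without a `-`/`+` prefix), so the patch will not apply as posted.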
> 
> If copying or symlinking the keys/certs directory is not desired are
> env vars exposed to binman's python classes? If so you can just
> require CST_DIR to be specified and use that for the paths?

I personally would prefer using (one) environment variable(s) to specify 
the path to all keys, that way whatever `cst` needs, it will find it 
there, and explicit symlinking/copying can be avoided.

I would probably rather call it `HAB_DIR`/`HAB_BASE_DIR` or something, 
because it doesn't need to be pointing to the whole `cst` stuff just a 
directory for the keys and certs for the HAB. `CST_DIR` might leave the 
impression that the `cst` from that directory is used.

And you can still allow environment variables (like `SRK_TABLE`,
`CSF_KEY` and `IMG_KEY`) to overwrite the name of each, relative to
`HAB_DIR/{keys,certs}`, if a `HAB_DIR` is set.

This would be somewhat backwards compatible and allows simpler usage by 
setting just one variable (`HAB_DIR`) and leaving the rest to the dtb.

kind regards,
Claudius

-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de
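The `HAB_DIR` scheme proposed in the message above, written out as a small path resolver. This is an added illustration, not U-Boot or binman code: the variable names `HAB_DIR`, `SRK_TABLE`, `CSF_KEY` and `IMG_KEY` come from the mail, while the `HAB_DIR/{keys,crts}` layout and all function names are assumptions.

```python
import os

# Hypothetical resolver for the HAB crypto material paths, modelled on the
# HAB_DIR proposal in the message above. It is NOT U-Boot/binman code: the
# environment variable names are taken from the mail, the HAB_DIR/{keys,crts}
# layout and the function names are assumed.

# One entry per artefact binman hands to cst: the environment variable that
# overrides it, the DT property that names it, the built-in default file name
# (the ones from nxp_imx8mcst.py) and the HAB_DIR subdirectory (assumed).
HAB_ARTEFACTS = {
    'SRK_TABLE': ('nxp,srk-table', 'SRK_1_2_3_4_table.bin', 'crts'),
    'CSF_KEY': ('nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem', 'crts'),
    'IMG_KEY': ('nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem', 'crts'),
}


def resolve_hab_path(var, dt_props, env):
    """Return the path to use for one artefact.

    Precedence: per-artefact environment variable, then the DT property,
    then the built-in default. A relative result is anchored under
    HAB_DIR/<subdir> when HAB_DIR is set; an absolute override is used
    as-is; without HAB_DIR the relative name is returned unchanged, which
    keeps the current "files in the build directory" behaviour working.
    """
    prop, default, subdir = HAB_ARTEFACTS[var]
    name = env.get(var) or dt_props.get(prop) or default
    if os.path.isabs(name):
        return name
    hab_dir = env.get('HAB_DIR')
    if not hab_dir:
        return name
    return os.path.join(hab_dir, subdir, name)


def resolve_all(dt_props, env):
    """Resolve every artefact; dt_props maps DT property name -> value."""
    return {var: resolve_hab_path(var, dt_props, env) for var in HAB_ARTEFACTS}


def missing_hab_files(paths):
    """Artefacts whose resolved file does not exist, so a signed build can
    fail early with a clear message instead of deep inside cst."""
    return sorted(var for var, path in paths.items() if not os.path.isfile(path))


if __name__ == '__main__':
    # Constructed example environment; no files are created or read here.
    demo_env = {'HAB_DIR': '/srv/hab', 'SRK_TABLE': 'SRK_1_2_3_4_table_v2.bin'}
    for var, path in resolve_all({}, demo_env).items():
        print(f'{var:10s} -> {path}')
```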

