[PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing

Marek Vasut marex at denx.de
Fri May 17 03:25:38 CEST 2024


On 5/16/24 11:40 PM, Tim Harvey wrote:

[...]

>> -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
>> -and can be used as follows to modify flash.bin to be signed
>> -(adjust paths as needed):
>> -```
>> -export CST_DIR=/usr/src/cst-3.3.1/
>> -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
>> -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
>> -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
>> -export PATH=$CST_DIR/linux64/bin:$PATH
> 
> Hi Marek,
> 
> I thought you were going to leave the above env setting examples in
> the documentation.
> 
> I suggest showing how to specify using env (by just leaving the above
> in) as well as by copying them directly to the build directory if
> wanted.. otherwise the documentation is lacking.

If the tool can do env vars now, I would like to avoid copying key 
material around. So what about this:

diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt 
b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index 1eb1fb0aa61..257ffb45656 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and 
fitImage sections into nxp-imx8mcst
  etype, which is done automatically in 
arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
  in case CONFIG_IMX_HAB Kconfig symbol is enabled.

+Build of flash.bin target then produces a signed flash.bin automatically.
+
  The nxp-imx8mcst etype is configurable using either DT properties or 
environment
  variables. The following DT properties and environment variables are 
supported.
  Note that environment variables override DT properties.
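Review bot: The added sentence "Build of flash.bin target then produces a signed flash.bin automatically." now sits above the paragraph and table that explain how the key paths are supplied, so at this position it reads as if enabling CONFIG_IMX_HAB alone is enough to get a signed image. Consider stating the precondition in the sentence itself, for example "With the key material configured as described below, building the flash.bin target produces a signed flash.bin automatically."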
@@ -160,7 +162,15 @@ Note that environment variables override DT properties.
  | nxp,img-crt        | IMG_KEY   | full path to the IMG Key 
IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
 
+--------------------+-----------+------------------------------------------------------------------+

-Build of flash.bin target then produces a signed flash.bin automatically.
+Environment variables can be set as follows to point the build process
+to external key material:
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+make flash.bin
+```

  1.4 Closing the device
  -----------------------
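Review bot: The added example drops the "export PATH=$CST_DIR/linux64/bin:$PATH" line that the removed documentation had, so if the build still locates the cst binary through PATH, "make flash.bin" will fail in a clean shell; either keep that line in the example or state next to it that cst must already be on PATH. CST_DIR is set with a trailing slash, so the expanded paths contain "//crts/"; dropping the trailing slash keeps the printed paths consistent with the "full path" wording in the table.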


