[PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing

Tim Harvey tharvey at gateworks.com
Fri May 17 19:35:55 CEST 2024 

On Thu, May 16, 2024 at 6:31 PM Marek Vasut <marex at denx.de> wrote:
>
> On 5/16/24 11:40 PM, Tim Harvey wrote:
>
> [...]
>
> >> -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> >> -and can be used as follows to modify flash.bin to be signed
> >> -(adjust paths as needed):
> >> -```
> >> -export CST_DIR=/usr/src/cst-3.3.1/
> >> -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> >> -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> >> -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> >> -export PATH=$CST_DIR/linux64/bin:$PATH
> >
> > Hi Marek,
> >
> > I thought you were going to leave the above env setting examples in
> > the documentation.
> >
> > I suggest showing how to specify using env (by just leaving the above
> > in) as well as by copying them directly to the build directory if
> > wanted.. otherwise the documentation is lacking.
>
> If the tool can do env vars now, I would like to avoid copying key
> material around. So what about this:
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1eb1fb0aa61..257ffb45656 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and
> fitImage sections into nxp-imx8mcst
>   etype, which is done automatically in
> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
>   in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>
> +Build of flash.bin target then produces a signed flash.bin automatically.
> +
>   The nxp-imx8mcst etype is configurable using either DT properties or
> environment
>   variables. The following DT properties and environment variables are
> supported.
>   Note that environment variables override DT properties.
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties.
>   | nxp,img-crt        | IMG_KEY   | full path to the IMG Key
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>
> +--------------------+-----------+------------------------------------------------------------------+
>
> -Build of flash.bin target then produces a signed flash.bin automatically.
> +Environment variables can be set as follows to point the build process
> +to external key material:
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +make flash.bin
> +```
>
>   1.4 Closing the device
>   -----------------------
>

Hi Marek,

Yes, with that change you can add for the series:
Reviewed-by: Tim Harvey <tharvey at gateworks.com>

Best Regards,

Tim

More information about the U-Boot mailing list