[PATCH v2 1/2] binman: nxp_imx8mcst: read certificates from input path

Brian Ruley brian.ruley at gehealthcare.com
Thu Oct 10 13:24:49 CEST 2024


Right now, it is unclear where the certificates (and private keys) are
read from if environment variables are unset, and providing complete
paths in the device tree is not ideal. Naturally, it makes sense
to be able to decide where binman should look for the files, regardless
of whether the keys are specified in the device tree or not.

Therefore, expand the etype to look for the necessary files from the
input path. Introduce a new variable to provide users the ability to
specify a custom path.

As a consequence of this change, the environment variables used to
specify the keys, e.g., `IMG_KEY', will be searched *relative* to the
input directories.

Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
---
 tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index a7d8db4eec..8e544807bb 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -70,23 +70,26 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
     def __init__(self, section, etype, node):
         super().__init__(section, etype, node)
         self.required_props = ['nxp,loader-address']
+        self._cst_key_path = os.getenv('CST_KEY_PATH', None)
+        if self._cst_key_path:
+            tools.set_input_dirs([self._cst_key_path] + tools.indir)
 
     def ReadNode(self):
         super().ReadNode()
         self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
-        self.srk_table = os.getenv(
+        self._srk_table = os.getenv(
             'SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table',
                                             'SRK_1_2_3_4_table.bin'))
         self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
         if not self.fast_auth:
-            self.csf_crt = os.getenv(
+            self._csf_crt = os.getenv(
                 'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt',
                                               f'CSF1_1_{KEY_NAME}.pem'))
-            self.img_crt = os.getenv(
+            self._img_crt = os.getenv(
                 'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt',
                                               f'IMG1_1_{KEY_NAME}.pem'))
         else:
-            self.srk_crt = os.getenv(
+            self._srk_crt = os.getenv(
                 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
                                               f'SRK1_{KEY_NAME}.pem'))
 
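Review bot: The `tools.set_input_dirs([self._cst_key_path] + tools.indir)` call in `__init__` changes binman's process-wide input search path, not only the lookups made by this entry. With the key directory first, a file there that shares a name with an ordinary build input would presumably be picked up by other entries as well, and every additional `nxp-imx8mcst` node prepends the same directory again. Resolving the key files against `CST_KEY_PATH` inside this etype would keep the signing material out of the general search path; at minimum guard the call with `if self._cst_key_path not in tools.indir:` and add a comment such as `# NOTE: global side effect, key dir is searched first for every entry`. The renames to `self._srk_table`, `self._csf_crt`, `self._img_crt` and `self._srk_crt` also change attribute names that code outside this hunk may still read.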
@@ -142,15 +145,19 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
         config.optionxform = str
         # Load configuration template and modify keys of interest
         config.read_string(CSF_CONFIG_TEMPLATE)
-        config['Install SRK']['File']  = f'"{self.srk_table}"'
+        srk_table = tools.get_input_filename(self._srk_table)
+        config['Install SRK']['File']  = f'"{srk_table}"'
         if not self.fast_auth:
+            csf_crt = tools.get_input_filename(self._csf_crt)
+            img_crt = tools.get_input_filename(self._img_crt)
             config.remove_section('Install NOCAK')
-            config['Install CSFK']['File'] = f'"{self.csf_crt}"'
-            config['Install Key']['File']  = f'"{self.img_crt}"'
+            config['Install CSFK']['File'] = f'"{csf_crt}"'
+            config['Install Key']['File']  = f'"{img_crt}"'
         else:
+            srk_crt = tools.get_input_filename(self._srk_crt)
             config.remove_section('Install CSFK')
             config.remove_section('Install Key')
-            config['Install NOCAK']['File'] = f'"{self.srk_crt}"'
+            config['Install NOCAK']['File'] = f'"{srk_crt}"'
             config['Authenticate Data']['Verification index'] = '0'
 
         config['Authenticate Data']['Blocks'] = \
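Review bot: Nothing in this hunk records which file each of `srk_table`, `csf_crt`, `img_crt` and `srk_crt` resolved to, and `tools.get_input_filename()` appears to return the first match across all input directories, so a same-named file in an earlier directory would be used for signing without any trace in the build output. Reporting the resolved paths where they are assigned, for example with binman's usual logging helper if the module has it in scope, would make the signing inputs auditable. A failed lookup would also be clearer if it were re-raised through `self.Raise(...)` naming the property or environment variable involved, rather than surfacing as the generic error from the helper. The enclosing method starts and ends outside the hunk, so any existing handling there is not visible.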
-- 
2.39.5


