[PATCH v4 1/2] binman: nxp_imx8mcst: read certificates from input path

Brian Ruley brian.ruley at gehealthcare.com
Wed Oct 30 09:07:51 CET 2024


Right now, it is unclear where the certificates (and private keys) are
read from if environment variables are unset, and providing complete
paths in the device tree is not ideal. Naturally, it makes sense
to be able to decide where binman should look for the files, regardless
of whether the keys are specified in the device tree or not.

Therefore, expand the etype to look for the necessary files from the
input path. Introduce a new variable to provide users the ability to
specify a custom path.

As a consequence of this change, the environment variables used to
specify the keys, e.g., `IMG_KEY', will be searched *relative* to the
input directories.

Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
---
Changes for v2:
- Added missing *.pem files
- Rebased on top of "[PATCH v4 2/2] binman: add fast authentication
  method for i.MX8M signing"
- Included a test for fast authentication
Changes for v3:
- Fixed relative path for SRK table and *.pem files in
  340_nxp_imx8mcst.dts
Changes for v4:
- Rebased on master

 tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index a7d8db4eec..ff84b751b7 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -70,23 +70,26 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
     def __init__(self, section, etype, node):
         super().__init__(section, etype, node)
         self.required_props = ['nxp,loader-address']
+        self._cst_key_path = os.getenv('CST_KEY_PATH', None)
+        if self._cst_key_path:
+            tools.set_input_dirs([self._cst_key_path] + tools.indir)
 
     def ReadNode(self):
         super().ReadNode()
         self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
-        self.srk_table = os.getenv(
+        self._srk_table = os.getenv(
             'SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table',
                                             'SRK_1_2_3_4_table.bin'))
         self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
         if not self.fast_auth:
-            self.csf_crt = os.getenv(
+            self._csf_crt = os.getenv(
                 'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt',
                                               f'CSF1_1_{KEY_NAME}.pem'))
-            self.img_crt = os.getenv(
+            self._img_crt = os.getenv(
                 'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt',
                                               f'IMG1_1_{KEY_NAME}.pem'))
         else:
-            self.srk_crt = os.getenv(
+            self._srk_crt = os.getenv(
                 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
                                               f'SRK1_{KEY_NAME}.pem'))
 
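Review bot: The `tools.set_input_dirs([self._cst_key_path] + tools.indir)` call in `__init__` changes the search path for the whole binman run rather than for this entry only. Assuming `set_input_dirs` replaces the module-level list, every later `tools.get_input_filename()` lookup by any etype searches the signing-key directory first, so a file there can shadow a same-named build input, and each further `nxp_imx8mcst` node prepends the directory again. Keeping `CST_KEY_PATH` local to the entry and checking it in a small lookup helper before falling back to the input directories gives key material the same precedence without affecting other entries; the `tools.get_input_filename(...)` calls in the second hunk would then call the helper. A short comment that `SRK_TABLE`, `CSF_KEY`, `IMG_KEY` and `SRK_KEY` are now resolved relative to these directories would also help the next reader.

```python
        self._cst_key_path = os.getenv('CST_KEY_PATH')

    def _find_key_file(self, fname):
        """Resolve fname in CST_KEY_PATH first, then in the input dirs"""
        if self._cst_key_path:
            pathname = os.path.join(self._cst_key_path, fname)
            if os.path.exists(pathname):
                return pathname
        return tools.get_input_filename(fname)

    # … unchanged: ReadNode() reading the node properties …
```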
@@ -142,15 +145,19 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
         config.optionxform = str
         # Load configuration template and modify keys of interest
         config.read_string(CSF_CONFIG_TEMPLATE)
-        config['Install SRK']['File']  = f'"{self.srk_table}"'
+        srk_table = tools.get_input_filename(self._srk_table)
+        config['Install SRK']['File']  = f'"{srk_table}"'
         if not self.fast_auth:
+            csf_crt = tools.get_input_filename(self._csf_crt)
+            img_crt = tools.get_input_filename(self._img_crt)
             config.remove_section('Install NOCAK')
-            config['Install CSFK']['File'] = f'"{self.csf_crt}"'
-            config['Install Key']['File']  = f'"{self.img_crt}"'
+            config['Install CSFK']['File'] = f'"{csf_crt}"'
+            config['Install Key']['File']  = f'"{img_crt}"'
         else:
+            srk_crt = tools.get_input_filename(self._srk_crt)
             config.remove_section('Install CSFK')
             config.remove_section('Install Key')
-            config['Install NOCAK']['File'] = f'"{self.srk_crt}"'
+            config['Install NOCAK']['File'] = f'"{srk_crt}"'
             config['Authenticate Data']['Verification index'] = '0'
 
         config['Authenticate Data']['Blocks'] = \
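Review bot: The values assigned to the CSF sections are now full paths returned by `tools.get_input_filename()` instead of short file names, and they are still wrapped as `f'"{srk_table}"'` with no check on their content. If `config` is a `configparser.ConfigParser` with default interpolation (it is created above this hunk, so that is not visible here), a `%` in an input directory or in `CST_KEY_PATH` makes the assignment raise `ValueError`, and a `"` in the path would end the quoted value early in the generated CSF. Creating the parser with `interpolation=None` and rejecting paths that contain `"` before the assignment would make the failure explicit and point at the offending path. The enclosing method starts and ends outside the hunk.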
-- 
2.39.5


