[PATCH] binman: add fast authentication method for i.MX8M signing

Simon Glass sjg at chromium.org
Fri Sep 27 18:50:29 CEST 2024


Hi,

On Fri, 27 Sept 2024 at 06:42, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
>
> Using the PKI tree with SRKs as intermediate CA isn't necessary or even
> desirable in some situations (boot time, for example). Add the possibility
> to use the "fast authentication" method where the image and CSF are both
> signed using the SRK [1, p.63].
>
> [1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
>
> Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
> Cc: Marek Vasut <marex at denx.de>
>
>  tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++----
>  1 file changed, 19 insertions(+), 4 deletions(-)
>

Please can you coordinate with Marek as we need to sort out the test
coverage for this etype, before adding more functionality. I did a
starting point, now in -next, which should help.

> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
> index 8221517b0c..d39b6a79de 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -36,6 +36,9 @@ csf_config_template = """
>    File = "SRK_1_2_3_4_table.bin"
>    Source index = 0
>
> +[Install NOCAK]
> +  File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
> +
>  [Install CSFK]
>    File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
>
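Review bot: The certificate name added under `[Install NOCAK]` is `SRK1_sha256_4096_65537_v3_usr_crt.pem`, but the fallback for `nxp,srk-crt` in the ReadNode hunk is `SRK1_sha256_2048_65537_v3_usr_crt.pem`, so the two defaults disagree on key size. The template value is overwritten from `self.srk_crt` in the third hunk, so the 2048-bit name is the one that takes effect when neither `SRK_KEY` nor the property is set, while the CSF and IMG defaults are 4096-bit. If the default SRK table was built from 4096-bit keys (not visible here), the CSF would name a certificate that is not in the table. I would change the ReadNode default to `'SRK1_sha256_4096_65537_v3_usr_crt.pem'` so both places agree.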
> @@ -70,8 +73,13 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>          super().ReadNode()
>          self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
>          self.srk_table = os.getenv('SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin'))
> -        self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
> -        self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'))
> +        self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
> +        if not self.fast_auth:
> +            self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
> +            self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'))
> +        else:
> +            self.srk_crt = os.getenv('SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt', 'SRK1_sha256_2048_65537_v3_usr_crt.pem'))
> +
>          self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
>          self.ReadEntries()
>
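Review bot: `nxp,fast-auth` and `nxp,srk-crt` are introduced in this hunk with no documentation anywhere in the patch, and the mode changes key handling enough to need it. With fast authentication the SRK signs the CSF and image data directly, so the SRK private key must be available to the signing tool on every build, and there is no CSF/IMG key that can be rotated independently of the SRK. I would add both properties to the class docstring with a line such as `nxp,fast-auth: sign CSF and image directly with the SRK (no CSF/IMG keys); the SRK must have been generated as a non-CA certificate`, the last clause to be confirmed against the CST guide. The docstring should also say that `nxp,csf-crt` and `nxp,img-crt` are ignored in this mode, since `self.csf_crt` and `self.img_crt` are then never set. ReadNode starts outside the hunk.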
> @@ -125,8 +133,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>          # Load configuration template and modify keys of interest
>          config.read_string(csf_config_template)
>          config['Install SRK']['File'] = '"' + self.srk_table + '"'
> -        config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> -        config['Install Key']['File'] = '"' + self.img_crt + '"'
> +        if not self.fast_auth:
> +            config.remove_section('Install NOCAK')
> +            config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> +            config['Install Key']['File'] = '"' + self.img_crt + '"'
> +        else:
> +            config.remove_section('Install CSFK')
> +            config.remove_section('Install Key')
> +            config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
> +            config['Authenticate Data']['Verification index'] = '0'
> +
>          config['Authenticate Data']['Blocks'] = hex(signbase) + ' 0 ' + hex(len(data)) + ' "' + str(output_dname) + '"'
>          if not self.unlock:
>              config.remove_section('Unlock')
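Review bot: In the fast-auth branch the `[Install NOCAK]` file comes from `self.srk_crt`, but the `Source index` shown in the template context (presumably in the `[Install SRK]` section) stays at `0`, so only the certificate in the first SRK table slot can be selected consistently. A user who points `SRK_KEY` or `nxp,srk-crt` at another SRK would get a CSF whose certificate and table index disagree, which I would expect to fail at signing time or be rejected at boot. Either document that the certificate must be the table's first entry, or expose the index as a property and set `config['Install SRK']['Source index']` from it next to this assignment. The enclosing function starts and ends outside the hunk.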
> --
> 2.39.2
>

Regards,
Simon

