[PATCH] binman: add CST backend selection for i.MX8M signing

Simon Glass sjg at chromium.org
Fri Feb 13 18:53:23 CET 2026


Hi Marek,

On Thu, 12 Feb 2026 at 17:12, Marek Vasut <marex at nabladev.com> wrote:
>
> Add support for setting the CST backend, both via DT property and
> CST_BACKEND environment variable. The CST currently supports two
> backends, 'ssl' and 'pkcs11', with 'ssl' being the default when
> CST tool is invoked without any -b parameter. Keep 'ssl' backend
> as the default, but explicitly pass it via the '-b' parameter,
> unless the user selects 'pkcs11' via either method.
>
> Signed-off-by: Marek Vasut <marex at nabladev.com>
> ---
> Cc: Alper Nebi Yasak <alpernebiyasak at gmail.com>
> Cc: Simon Glass <sjg at chromium.org>
> Cc: Tom Rini <trini at konsulko.com>
> Cc: u-boot at lists.denx.de
> ---
>  tools/binman/etype/nxp_imx8mcst.py | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
> index dd9f226b751..3a95da6a35d 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -90,6 +90,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>                  'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
>                                                f'SRK1_{KEY_NAME}.pem'))
>
> +        self.backend = os.getenv(
> +            'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend',
> +                                              'ssl'))
> +
>          self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
>          self.ReadEntries()
>
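
Review bot: In the self.backend assignment, a CST_BACKEND that is set but empty is returned by os.getenv() as '' and never falls through to the 'nxp,cst-backend' property, so a node that selects 'pkcs11' would still be signed with the 'ssl' backend once the later if/else runs. Consider `os.getenv('CST_BACKEND') or fdt_util.GetString(self._node, 'nxp,cst-backend', 'ssl')`, and state in the entry docstring that the environment variable takes precedence over the DT property.
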
> @@ -161,8 +165,14 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>          with open(cfg_fname, 'w') as cfgf:
>              config.write(cfgf)
>
> +        # SSL is the default backend, PKCS11 backend is optional
> +        if self.backend == "pkcs11":
> +            cst_backend = "pkcs11"
> +        else:
> +            cst_backend = "ssl"
> +
>          output_fname = tools.get_output_filename(f'nxp.csf-output-blob.{uniq}')
> -        args = ['-i', cfg_fname, '-o', output_fname]
> +        args = ['-i', cfg_fname, '-o', output_fname, '-b', cst_backend]
>          if self.cst.run_cmd(*args) is not None:
>              outdata = tools.read_file(output_fname)
>              # fixme: 0x2000 should be CONFIG_CSF_SIZE
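
Review bot: The if/else that sets cst_backend maps every value other than the exact string "pkcs11" to "ssl", so a misspelt or differently cased value (for example 'PKCS11') in either CST_BACKEND or 'nxp,cst-backend' silently changes which backend signs the image. For a signing step it would be safer to accept only 'ssl' and 'pkcs11' and fail the build on anything else, for example via self.Raise() with the offending value in the message; the requested test can then cover the default, the 'pkcs11' selection and the rejected value.
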
> --
> 2.51.0
>

This should be documented somewhere, likely in the comment for this
entry type, so it ends up visible in the docs.

Also, this code path will need a test, please.

Regards,
Simon

