[PATCH v2] binman: add CST backend selection for i.MX8M signing
Simon Glass
sjg at chromium.org
Fri Feb 13 21:20:06 CET 2026
Hi Marek,
On Fri, 13 Feb 2026 at 12:28, Marek Vasut <marex at nabladev.com> wrote:
>
> Add support for setting the CST backend, both via DT property and
> CST_BACKEND environment variable. The CST currently supports two
> backends, 'ssl' and 'pkcs11', with 'ssl' being the default when
> the CST tool is invoked without any -b parameter. Keep the 'ssl' backend
> as the default, but explicitly pass it via the '-b' parameter,
> unless the user selects 'pkcs11' via either method.
>
> Signed-off-by: Marek Vasut <marex at nabladev.com>
> ---
> Cc: Alper Nebi Yasak <alpernebiyasak at gmail.com>
> Cc: Simon Glass <sjg at chromium.org>
> Cc: Tom Rini <trini at konsulko.com>
> Cc: u-boot at lists.denx.de
> ---
> V2: Fill in documentation for all used DT properties
> ---
> doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 30 ++++++++++++-------
> tools/binman/entries.rst | 7 +++++
> tools/binman/etype/nxp_imx8mcst.py | 12 +++++++-
> 3 files changed, 37 insertions(+), 12 deletions(-)
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1bea091344d..a3ebd397d82 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
> variables. The following DT properties and environment variables are supported.
> Note that environment variables override DT properties.
>
> -+--------------------+-----------+------------------------------------------------------------------+
> -| DT property | Variable | Description |
> -+====================+===========+==================================================================+
> -| nxp,loader-address | | SPL base address |
> -+--------------------+-----------+------------------------------------------------------------------+
> -| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> -+--------------------+-----------+------------------------------------------------------------------+
> -| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> -+--------------------+-----------+------------------------------------------------------------------+
> -| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> -+--------------------+-----------+------------------------------------------------------------------+
> ++--------------------+-------------+------------------------------------------------------------------+
> +| DT property | Variable | Description |
> ++====================+=============+==================================================================+
> +| nxp,loader-address | | SPL base address |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,fast-auth | | enable fast authentication method |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,srk-crt | SRK_KEY | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,unlock | | unlock CAAM in SPL |
> ++--------------------+-------------+------------------------------------------------------------------+
> +| nxp,cst-backend | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11' |
> ++--------------------+-------------+------------------------------------------------------------------+
Perhaps point to an example?
>
> Environment variables can be set as follows to point the build process
> to external key material:
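Review bot: the new nxp,cst-backend row should state that 'ssl' and 'pkcs11' are the only accepted values and what happens for anything else; as the etype hunk further down stands, any other string is treated as 'ssl'. Because environment variables override DT properties (stated just above the table), a stale or mistyped CST_BACKEND in the build environment would silently move a pkcs11 board to file-based signing, so document the accepted values explicitly and, ideally, have the etype reject anything else rather than defaulting to 'ssl'. The rows for nxp,fast-auth, nxp,srk-crt and nxp,unlock are a welcome catch-up with what the etype already reads.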
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index 8922d6cd070..29bc778d0e5 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
>
> Properties / Entry arguments:
> - nxp,loader-address - loader address (SPL text base)
> + - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
> + - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> + - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> + - nxp,fast-auth - enable fast authentication method
> + - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
> + - nxp,unlock - unlock CAAM in SPL
> + - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
>
The way it works is you add this as a comment in nxp_imx8mcst.py and
then run 'binman entry-docs' to generate entries.rst - see here:
https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation
>
>
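Review bot: the property list drops the environment-variable side of the table in mx8m_spl_secure_boot.txt (SRK_TABLE, CSF_KEY, IMG_KEY, SRK_KEY, CST_BACKEND) and the rule that those variables override the DT properties; since the etype's behaviour depends on that precedence, the docstring that produces this section should name each variable next to its property, e.g. '- nxp,cst-backend - CST tool backend ('ssl' or 'pkcs11'; overridden by CST_BACKEND)'.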
> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
> index dd9f226b751..3a95da6a35d 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -90,6 +90,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
> f'SRK1_{KEY_NAME}.pem'))
>
> + self.backend = os.getenv(
> + 'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend',
> + 'ssl'))
> +
> self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
> self.ReadEntries()
>
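Review bot: self.backend is accepted here without validation; os.getenv() only falls back to the DT value when CST_BACKEND is unset, so a set-but-empty variable yields '' and a typo such as 'PKCS11' passes through unnoticed until the later normalisation turns both into 'ssl'. Checking the value at read time against the two backends the commit message lists, and failing the build through the entry's error helper (self.Raise()) otherwise, keeps a signing-backend mistake from becoming a silent fallback.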
> @@ -161,8 +165,14 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> with open(cfg_fname, 'w') as cfgf:
> config.write(cfgf)
>
> + # SSL is the default backend, PKCS11 backend is optional
> + if self.backend == "pkcs11":
> + cst_backend = "pkcs11"
> + else:
> + cst_backend = "ssl"
> +
> output_fname = tools.get_output_filename(f'nxp.csf-output-blob.{uniq}')
> - args = ['-i', cfg_fname, '-o', output_fname]
> + args = ['-i', cfg_fname, '-o', output_fname, '-b', cst_backend]
> if self.cst.run_cmd(*args) is not None:
> outdata = tools.read_file(output_fname)
> # fixme: 0x2000 should be CONFIG_CSF_SIZE
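Review bot: the if/else makes every value other than "pkcs11" (including typos and an empty CST_BACKEND) sign with the "ssl" backend without any message, which is the wrong direction for a signing step: a board expected to sign with keys held behind PKCS#11 could quietly produce an image signed with file-based keys. With validation at the point the property is read, this block can go and self.backend can be passed directly: args = ['-i', cfg_fname, '-o', output_fname, '-b', self.backend]. Separately, '-b ssl' is now passed unconditionally where previously no '-b' was given; worth confirming in the commit message that the CST releases in use accept '-b', since an older tool that does not would now fail on the default path as well.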
> --
> 2.51.0
>
Regards,
Simon