[PATCH v2] binman: add CST backend selection for i.MX8M signing

Marek Vasut marex at nabladev.com
Fri Feb 13 20:28:13 CET 2026


Add support for setting the CST backend, both via DT property and
CST_BACKEND environment variable. The CST currently supports two
backends, 'ssl' and 'pkcs11', with 'ssl' being the default when
the CST tool is invoked without any -b parameter. Keep the 'ssl' backend
as the default, but explicitly pass it via the '-b' parameter,
unless the user selects 'pkcs11' via either method.

Signed-off-by: Marek Vasut <marex at nabladev.com>
---
Cc: Alper Nebi Yasak <alpernebiyasak at gmail.com>
Cc: Simon Glass <sjg at chromium.org>
Cc: Tom Rini <trini at konsulko.com>
Cc: u-boot at lists.denx.de
---
V2: Fill in documentation for all used DT properties
---
 doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 30 ++++++++++++-------
 tools/binman/entries.rst                      |  7 +++++
 tools/binman/etype/nxp_imx8mcst.py            | 12 +++++++-
 3 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index 1bea091344d..a3ebd397d82 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
 variables. The following DT properties and environment variables are supported.
 Note that environment variables override DT properties.
 
-+--------------------+-----------+------------------------------------------------------------------+
-| DT property        | Variable  | Description                                                      |
-+====================+===========+==================================================================+
-| nxp,loader-address |           | SPL base address                                                 |
-+--------------------+-----------+------------------------------------------------------------------+
-| nxp,srk-table      | SRK_TABLE | full path to SRK_1_2_3_4_table.bin                               |
-+--------------------+-----------+------------------------------------------------------------------+
-| nxp,csf-crt        | CSF_KEY   | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
-+--------------------+-----------+------------------------------------------------------------------+
-| nxp,img-crt        | IMG_KEY   | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
-+--------------------+-----------+------------------------------------------------------------------+
++--------------------+-------------+------------------------------------------------------------------+
+| DT property        | Variable    | Description                                                      |
++====================+=============+==================================================================+
+| nxp,loader-address |             | SPL base address                                                 |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,srk-table      | SRK_TABLE   | full path to SRK_1_2_3_4_table.bin                               |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,csf-crt        | CSF_KEY     | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,img-crt        | IMG_KEY     | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,fast-auth      |             | enable fast authentication method                                |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,srk-crt        | SRK_KEY     | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem    |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,unlock         |             | unlock CAAM in SPL                                               |
++--------------------+-------------+------------------------------------------------------------------+
+| nxp,cst-backend    | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11'       |
++--------------------+-------------+------------------------------------------------------------------+
 
 Environment variables can be set as follows to point the build process
 to external key material:
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 8922d6cd070..29bc778d0e5 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
 
 Properties / Entry arguments:
     - nxp,loader-address - loader address (SPL text base)
+    - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
+    - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+    - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+    - nxp,fast-auth - enable fast authentication method
+    - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
+    - nxp,unlock - unlock CAAM in SPL
+    - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
 
 
 
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index dd9f226b751..3a95da6a35d 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -90,6 +90,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
                 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
                                               f'SRK1_{KEY_NAME}.pem'))
 
+        self.backend = os.getenv(
+            'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend',
+                                              'ssl'))
+
         self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
         self.ReadEntries()
 
@@ -161,8 +165,14 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
         with open(cfg_fname, 'w') as cfgf:
             config.write(cfgf)
 
+        # SSL is the default backend, PKCS11 backend is optional
+        if self.backend == "pkcs11":
+            cst_backend = "pkcs11"
+        else:
+            cst_backend = "ssl"
+
         output_fname = tools.get_output_filename(f'nxp.csf-output-blob.{uniq}')
-        args = ['-i', cfg_fname, '-o', output_fname]
+        args = ['-i', cfg_fname, '-o', output_fname, '-b', cst_backend]
         if self.cst.run_cmd(*args) is not None:
             outdata = tools.read_file(output_fname)
             # fixme: 0x2000 should be CONFIG_CSF_SIZE
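Review bot: The mapping added at `if self.backend == "pkcs11": ... else: cst_backend = "ssl"` silently turns any unrecognized value (a typo such as `PKCS11` or `pkcs-11` in `CST_BACKEND` or `nxp,cst-backend`) into `ssl`, so a build the user believes is signing through an HSM token falls back to file-based keys with no diagnostic. Since `self.backend` already defaults to `ssl` in the first hunk, the branch only serves to hide bad input; validating instead would fail loudly: `if self.backend not in ('ssl', 'pkcs11'): self.Raise(f"Unknown CST backend '{self.backend}', expected 'ssl' or 'pkcs11'")` followed by `args = ['-i', cfg_fname, '-o', output_fname, '-b', self.backend]`. The same check could equally live next to the `os.getenv` read in the first hunk so the error surfaces when the node is read rather than at sign time. The enclosing method starts before this hunk and continues past it.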
-- 
2.51.0


