[PATCH v2] binman: add CST backend selection for i.MX8M signing

Marek Vasut marex at nabladev.com
Fri Feb 13 22:56:11 CET 2026


On 2/13/26 9:20 PM, Simon Glass wrote:

Hello Simon,

>> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> index 1bea091344d..a3ebd397d82 100644
>> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
>> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
>>   variables. The following DT properties and environment variables are supported.
>>   Note that environment variables override DT properties.
>>
>> -+--------------------+-----------+------------------------------------------------------------------+
>> -| DT property        | Variable  | Description                                                      |
>> -+====================+===========+==================================================================+
>> -| nxp,loader-address |           | SPL base address                                                 |
>> -+--------------------+-----------+------------------------------------------------------------------+
>> -| nxp,srk-table      | SRK_TABLE | full path to SRK_1_2_3_4_table.bin                               |
>> -+--------------------+-----------+------------------------------------------------------------------+
>> -| nxp,csf-crt        | CSF_KEY   | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
>> -+--------------------+-----------+------------------------------------------------------------------+
>> -| nxp,img-crt        | IMG_KEY   | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>> -+--------------------+-----------+------------------------------------------------------------------+
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| DT property        | Variable    | Description                                                      |
>> ++====================+=============+==================================================================+
>> +| nxp,loader-address |             | SPL base address                                                 |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,srk-table      | SRK_TABLE   | full path to SRK_1_2_3_4_table.bin                               |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,csf-crt        | CSF_KEY     | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,img-crt        | IMG_KEY     | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,fast-auth      |             | enable fast authentication method                                |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,srk-crt        | SRK_KEY     | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem    |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,unlock         |             | unlock CAAM in SPL                                               |
>> ++--------------------+-------------+------------------------------------------------------------------+
>> +| nxp,cst-backend    | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11'       |
>> ++--------------------+-------------+------------------------------------------------------------------+
> 
> Perhaps point to an example?

Example of what ? Two lines below, there is an example of using those 
env vars, see the entire file.

>>   Environment variables can be set as follows to point the build process
>>   to external key material:
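Review bot: The nxp,cst-backend row lists 'ssl' and 'pkcs11', but the table does not say how the SRK_TABLE, CSF_KEY, IMG_KEY and SRK_KEY values are interpreted once 'pkcs11' is selected; each of those rows still reads "full path to" a file. Please add a sentence stating what those properties must contain for each backend, or state explicitly that they are unchanged. The nxp,fast-auth, nxp,srk-crt and nxp,unlock rows are also new in this hunk although the subject only mentions backend selection, so either mention them in the commit message or move them to a separate documentation patch.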
>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>> index 8922d6cd070..29bc778d0e5 100644
>> --- a/tools/binman/entries.rst
>> +++ b/tools/binman/entries.rst
>> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
>>
>>   Properties / Entry arguments:
>>       - nxp,loader-address - loader address (SPL text base)
>> +    - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
>> +    - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
>> +    - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
>> +    - nxp,fast-auth - enable fast authentication method
>> +    - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
>> +    - nxp,unlock - unlock CAAM in SPL
>> +    - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
>>
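Review bot: The added list entries omit information that the guide table in the same patch carries. nxp,cst-backend does not name the CST_BACKEND environment variable, the key and table entries do not name SRK_TABLE, CSF_KEY, IMG_KEY or SRK_KEY, and nothing here says that the variables override the DT properties. nxp,fast-auth and nxp,unlock also give no type or default, so a reader cannot tell whether they are boolean flags or what happens when they are absent. Suggest adding the variable name and the default to each entry so the two documents agree.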
> 
> The way it works is you add this as a comment in nxp_imx8mcst.py and
> then run 'binman entry-docs' to generate entries.rst - see here:
> 
> https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation

Why is there this entries.rst then ? Should the entries be removed from 
here and moved into the py file or what is this inconsistency ?

