[PATCH v2] binman: add CST backend selection for i.MX8M signing
Simon Glass
sjg at chromium.org
Tue Mar 17 13:28:47 CET 2026
+Heinrich Schuchardt
Hi Marek,
On Fri, 13 Feb 2026 at 19:51, Marek Vasut <marex at nabladev.com> wrote:
>
> On 2/13/26 9:20 PM, Simon Glass wrote:
>
> Hello Simon,
>
> >> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> >> index 1bea091344d..a3ebd397d82 100644
> >> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> >> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> >> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
> >> variables. The following DT properties and environment variables are supported.
> >> Note that environment variables override DT properties.
> >>
> >> -+--------------------+-----------+------------------------------------------------------------------+
> >> -| DT property | Variable | Description |
> >> -+====================+===========+==================================================================+
> >> -| nxp,loader-address | | SPL base address |
> >> -+--------------------+-----------+------------------------------------------------------------------+
> >> -| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> >> -+--------------------+-----------+------------------------------------------------------------------+
> >> -| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> >> -+--------------------+-----------+------------------------------------------------------------------+
> >> -| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> >> -+--------------------+-----------+------------------------------------------------------------------+
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| DT property | Variable | Description |
> >> ++====================+=============+==================================================================+
> >> +| nxp,loader-address | | SPL base address |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,fast-auth | | enable fast authentication method |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,srk-crt | SRK_KEY | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,unlock | | unlock CAAM in SPL |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >> +| nxp,cst-backend | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11' |
> >> ++--------------------+-------------+------------------------------------------------------------------+
> >
> > Perhaps point to an example?
Sorry I missed this earlier.
>
> Example of what ? Two lines below, there is an example of using those
> env vars, see the entire file.
Yes I see it, but it doesn't have CST_BACKEND right?
>
> >> Environment variables can be set as follows to point the build process
> >> to external key material:
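Review bot: In the table, the new nxp,cst-backend row names 'ssl' and 'pkcs11', but the nxp,srk-crt, nxp,csf-crt and nxp,img-crt rows still say only "full path to" a .pem file, so a reader selecting 'pkcs11' cannot tell what those properties and the SRK_KEY, CSF_KEY and IMG_KEY variables should contain in that mode. Suggest adding a sentence under the table that states what the key properties hold for each backend and what happens when the value is neither of the two listed, and rewording the row to something like "CST tool backend: 'ssl' (default) or 'pkcs11'". The environment variable example that follows the table should gain a CST_BACKEND line. Because the text above the table says environment variables override DT properties, it is also worth stating explicitly that CST_BACKEND set in the build environment changes the signing backend regardless of what the device tree says.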
> >> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> >> index 8922d6cd070..29bc778d0e5 100644
> >> --- a/tools/binman/entries.rst
> >> +++ b/tools/binman/entries.rst
> >> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
> >>
> >> Properties / Entry arguments:
> >> - nxp,loader-address - loader address (SPL text base)
> >> + - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
> >> + - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> >> + - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> >> + - nxp,fast-auth - enable fast authentication method
> >> + - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
> >> + - nxp,unlock - unlock CAAM in SPL
> >> + - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
> >>
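Review bot: The seven added list entries do not say which properties are optional or what type they take: nxp,fast-auth and nxp,unlock read as boolean flags but are not marked as such, and only nxp,cst-backend states a default. Suggest marking each entry as required or optional, with its default, and listing the matching variable name from the guide table (SRK_TABLE, CSF_KEY, IMG_KEY, SRK_KEY, CST_BACKEND) beside each property, since the list is headed "Properties / Entry arguments". The last entry would read better as "CST tool backend: 'ssl' (default) or 'pkcs11'".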
> >
> > The way it works is you add this as a comment in nxp_imx8mcst.py and
> > then run 'binman entry-docs' to generate entries.rst - see here:
> >
> > https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation
> Why is there this entries.rst then ? Should the entries be removed from
> here and moved into the py file or what is this inconsistency ?
The entries.rst file is there so that the documentation can be built,
containing it. It might be possible to update 'make htmldocs' to run
binman to update the generated docs.
Heinrich, what do you think about that?
Anyway, if you update the comments in the code, then you can run
binman as above to regenerate the documentation.
Regards,
Simon