[PATCH v2] binman: add CST backend selection for i.MX8M signing
Tom Rini
trini at konsulko.com
Tue Mar 17 15:09:18 CET 2026
On Tue, Mar 17, 2026 at 06:28:47AM -0600, Simon Glass wrote:
> +Heinrich Schuchardt
>
> Hi Marek,
>
> On Fri, 13 Feb 2026 at 19:51, Marek Vasut <marex at nabladev.com> wrote:
> >
> > On 2/13/26 9:20 PM, Simon Glass wrote:
> >
> > Hello Simon,
> >
> > >> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > >> index 1bea091344d..a3ebd397d82 100644
> > >> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > >> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > >> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
> > >> variables. The following DT properties and environment variables are supported.
> > >> Note that environment variables override DT properties.
> > >>
> > >> -+--------------------+-----------+------------------------------------------------------------------+
> > >> -| DT property | Variable | Description |
> > >> -+====================+===========+==================================================================+
> > >> -| nxp,loader-address | | SPL base address |
> > >> -+--------------------+-----------+------------------------------------------------------------------+
> > >> -| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> > >> -+--------------------+-----------+------------------------------------------------------------------+
> > >> -| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > >> -+--------------------+-----------+------------------------------------------------------------------+
> > >> -| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > >> -+--------------------+-----------+------------------------------------------------------------------+
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| DT property | Variable | Description |
> > >> ++====================+=============+==================================================================+
> > >> +| nxp,loader-address | | SPL base address |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,fast-auth | | enable fast authentication method |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,srk-crt | SRK_KEY | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,unlock | | unlock CAAM in SPL |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >> +| nxp,cst-backend | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11' |
> > >> ++--------------------+-------------+------------------------------------------------------------------+
> > >
> > > Perhaps point to an example?
>
> Sorry I missed this earlier.
>
> >
> > Example of what ? Two lines below, there is an example of using those
> > env vars, see the entire file.
>
> Yes I see it, but it doesn't have CST_BACKEND right?
>
> >
> > >> Environment variables can be set as follows to point the build process
> > >> to external key material:
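Review bot: the new nxp,cst-backend / CST_BACKEND row in the table does not say how the key properties are interpreted once 'pkcs11' is selected. The nxp,srk-crt, nxp,csf-crt and nxp,img-crt rows still read "full path to ... .pem", which describes the 'ssl' case only. Please state whether these remain file paths with 'pkcs11' or take a reference to an object on the token, and what else the user must supply for the token. The context above the table says environment variables override DT properties, so it is worth stating explicitly that CST_BACKEND in the build environment wins over nxp,cst-backend, and showing CST_BACKEND in the environment-variable example that follows.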
> > >> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> > >> index 8922d6cd070..29bc778d0e5 100644
> > >> --- a/tools/binman/entries.rst
> > >> +++ b/tools/binman/entries.rst
> > >> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
> > >>
> > >> Properties / Entry arguments:
> > >> - nxp,loader-address - loader address (SPL text base)
> > >> + - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
> > >> + - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > >> + - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > >> + - nxp,fast-auth - enable fast authentication method
> > >> + - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
> > >> + - nxp,unlock - unlock CAAM in SPL
> > >> + - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
> > >>
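Review bot: the entries added under "Properties / Entry arguments" give no value type or accepted syntax. nxp,fast-auth and nxp,unlock read like boolean flags but are not marked as such, and nxp,cst-backend names 'ssl' and 'pkcs11' without saying what happens on any other string. For a signing entry that behaviour should be documented, so please say whether an unrecognised backend value is an error or is treated as 'ssl'. The list also omits the overriding environment variables (SRK_TABLE, CSF_KEY, IMG_KEY, SRK_KEY, CST_BACKEND) that the habv4 guide shows next to each property.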
> > >
> > > The way it works is you add this as a comment in nxp_imx8mcst.py and
> > > then run 'binman entry-docs' to generate entries.rst - see here:
> > >
> > > https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation
> > Why is there this entries.rst then ? Should the entries be removed from
> > here and moved into the py file or what is this inconsistency ?
>
> The entries.rst file is there so that the documentation can be built,
> containing it. It might be possible to update 'make htmldocs' to run
> binman to update the generated docs.
>
> Heinrich, what do you think about that?
That won't work for readthedocs, it needs to be generated, if it can, as
part of the normal sphinx build doc process.
--
Tom