[PATCH v2] binman: add CST backend selection for i.MX8M signing

Simon Glass sjg at chromium.org
Wed Mar 18 01:10:39 CET 2026


Hi Tom,

On Tue, 17 Mar 2026 at 08:09, Tom Rini <trini at konsulko.com> wrote:
>
> On Tue, Mar 17, 2026 at 06:28:47AM -0600, Simon Glass wrote:
> > +Heinrich Schuchardt
> >
> > Hi Marek,
> >
> > On Fri, 13 Feb 2026 at 19:51, Marek Vasut <marex at nabladev.com> wrote:
> > >
> > > On 2/13/26 9:20 PM, Simon Glass wrote:
> > >
> > > Hello Simon,
> > >
> > > >> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > >> index 1bea091344d..a3ebd397d82 100644
> > > >> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > >> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > >> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
> > > >>   variables. The following DT properties and environment variables are supported.
> > > >>   Note that environment variables override DT properties.
> > > >>
> > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > >> -| DT property        | Variable  | Description                                                      |
> > > >> -+====================+===========+==================================================================+
> > > >> -| nxp,loader-address |           | SPL base address                                                 |
> > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > >> -| nxp,srk-table      | SRK_TABLE | full path to SRK_1_2_3_4_table.bin                               |
> > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > >> -| nxp,csf-crt        | CSF_KEY   | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > >> -| nxp,img-crt        | IMG_KEY   | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| DT property        | Variable    | Description                                                      |
> > > >> ++====================+=============+==================================================================+
> > > >> +| nxp,loader-address |             | SPL base address                                                 |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,srk-table      | SRK_TABLE   | full path to SRK_1_2_3_4_table.bin                               |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,csf-crt        | CSF_KEY     | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,img-crt        | IMG_KEY     | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,fast-auth      |             | enable fast authentication method                                |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,srk-crt        | SRK_KEY     | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem    |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,unlock         |             | unlock CAAM in SPL                                               |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >> +| nxp,cst-backend    | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11'       |
> > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > >
> > > > Perhaps point to an example?
> >
> > Sorry I missed this earlier.
> >
> > >
> > > Example of what ? Two lines below, there is an example of using those
> > > env vars, see the entire file.
> >
> > Yes I see it, but it doesn't have CST_BACKEND right?
> >
> > >
> > > >>   Environment variables can be set as follows to point the build process
> > > >>   to external key material:
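Review bot: The new nxp,cst-backend / CST_BACKEND row does not say how the key properties are interpreted once 'pkcs11' is selected; the nxp,csf-crt, nxp,img-crt and nxp,srk-crt rows still read "full path to ... .pem". Please state what those three properties take in pkcs11 mode, and add CST_BACKEND to the environment example that follows the table so the new variable is shown in use. Since the text above the table says environment variables override DT properties, it is also worth one sentence noting that a CST_BACKEND left exported in the build environment takes precedence over nxp,cst-backend in the DT.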
> > > >> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> > > >> index 8922d6cd070..29bc778d0e5 100644
> > > >> --- a/tools/binman/entries.rst
> > > >> +++ b/tools/binman/entries.rst
> > > >> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
> > > >>
> > > >>   Properties / Entry arguments:
> > > >>       - nxp,loader-address - loader address (SPL text base)
> > > >> +    - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
> > > >> +    - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > > >> +    - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > > >> +    - nxp,fast-auth - enable fast authentication method
> > > >> +    - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
> > > >> +    - nxp,unlock - unlock CAAM in SPL
> > > >> +    - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
> > > >>
> > > >
> > > > The way it works is you add this as a comment in nxp_imx8mcst.py and
> > > > then run 'binman entry-docs' to generate entries.rst - see here:
> > > >
> > > > https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation
> > > Why is there this entries.rst then ? Should the entries be removed from
> > > here and moved into the py file or what is this inconsistency ?
> >
> > The entries.rst file is there so that the documentation can be built,
> > containing it. It might be possible to update 'make htmldocs' to run
> > binman to update the generated docs.
> >
> > Heinrich, what do you think about that?
>
> That won't work for readthedocs, it needs to be generated, if it can, as
> part of the normal sphinx build doc process.

Hmm that's a bit of a pain. We don't really want to run binman from
sphinx. I could create a Sphinx extension to create the entry and
bintools docs, perhaps?

Regards,
Simon

