[PATCH v2] binman: add CST backend selection for i.MX8M signing

Simon Glass sjg at chromium.org
Thu Mar 19 23:09:11 CET 2026


Hi,

On Tue, 17 Mar 2026 at 19:44, Tom Rini <trini at konsulko.com> wrote:
>
> On Tue, Mar 17, 2026 at 06:10:39PM -0600, Simon Glass wrote:
> > Hi Tom,
> >
> > On Tue, 17 Mar 2026 at 08:09, Tom Rini <trini at konsulko.com> wrote:
> > >
> > > On Tue, Mar 17, 2026 at 06:28:47AM -0600, Simon Glass wrote:
> > > > +Heinrich Schuchardt
> > > >
> > > > Hi Marek,
> > > >
> > > > On Fri, 13 Feb 2026 at 19:51, Marek Vasut <marex at nabladev.com> wrote:
> > > > >
> > > > > On 2/13/26 9:20 PM, Simon Glass wrote:
> > > > >
> > > > > Hello Simon,
> > > > >
> > > > > >> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > > > >> index 1bea091344d..a3ebd397d82 100644
> > > > > >> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > > > >> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> > > > > >> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT properties or environment
> > > > > >>   variables. The following DT properties and environment variables are supported.
> > > > > >>   Note that environment variables override DT properties.
> > > > > >>
> > > > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > > > >> -| DT property        | Variable  | Description                                                      |
> > > > > >> -+====================+===========+==================================================================+
> > > > > >> -| nxp,loader-address |           | SPL base address                                                 |
> > > > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > > > >> -| nxp,srk-table      | SRK_TABLE | full path to SRK_1_2_3_4_table.bin                               |
> > > > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > > > >> -| nxp,csf-crt        | CSF_KEY   | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > > > >> -| nxp,img-crt        | IMG_KEY   | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > > > >> -+--------------------+-----------+------------------------------------------------------------------+
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| DT property        | Variable    | Description                                                      |
> > > > > >> ++====================+=============+==================================================================+
> > > > > >> +| nxp,loader-address |             | SPL base address                                                 |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,srk-table      | SRK_TABLE   | full path to SRK_1_2_3_4_table.bin                               |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,csf-crt        | CSF_KEY     | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,img-crt        | IMG_KEY     | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,fast-auth      |             | enable fast authentication method                                |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,srk-crt        | SRK_KEY     | full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem    |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,unlock         |             | unlock CAAM in SPL                                               |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >> +| nxp,cst-backend    | CST_BACKEND | CST tool backend, default is 'ssl', or selectable 'pkcs11'       |
> > > > > >> ++--------------------+-------------+------------------------------------------------------------------+
> > > > > >
> > > > > > Perhaps point to an example?
> > > >
> > > > Sorry I missed this earlier.
> > > >
> > > > >
> > > > > Example of what ? Two lines below, there is an example of using those
> > > > > env vars, see the entire file.
> > > >
> > > > Yes I see it, but it doesn't have CST_BACKEND right?
> > > >
> > > > >
> > > > > >>   Environment variables can be set as follows to point the build process
> > > > > >>   to external key material:
> > > > > >> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> > > > > >> index 8922d6cd070..29bc778d0e5 100644
> > > > > >> --- a/tools/binman/entries.rst
> > > > > >> +++ b/tools/binman/entries.rst
> > > > > >> @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker
> > > > > >>
> > > > > >>   Properties / Entry arguments:
> > > > > >>       - nxp,loader-address - loader address (SPL text base)
> > > > > >> +    - nxp,srk-table - full path to SRK_1_2_3_4_table.bin
> > > > > >> +    - nxp,csf-crt - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > > > > >> +    - nxp,img-crt - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > > > > >> +    - nxp,fast-auth - enable fast authentication method
> > > > > >> +    - nxp,srk-crt - full path to the SRK Key SRK1_sha256_4096_65537_v3_ca_crt.pem
> > > > > >> +    - nxp,unlock - unlock CAAM in SPL
> > > > > >> +    - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable 'pkcs11'
> > > > > >>
> > > > > >
> > > > > > The way it works is you add this as a comment in nxp_imx8mcst.py and
> > > > > > then run 'binman entry-docs' to generate entries.rst - see here:
> > > > > >
> > > > > > https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation
> > > > > Why is there this entries.rst then ? Should the entries be removed from
> > > > > here and moved into the py file or what is this inconsistency ?
> > > >
> > > > The entries.rst file is there so that the documentation can be built,
> > > > containing it. It might be possible to update 'make htmldocs' to run
> > > > binman to update the generated docs.
> > > >
> > > > Heinrich, what do you think about that?
> > >
> > > That won't work for readthedocs, it needs to be generated, if it can, as
> > > part of the normal sphinx build doc process.
> >
> > Hmm that's a bit of a pain. We don't really want to run binman from
> > sphinx. I could create a Sphinx extension to create the entry and
> > bintools docs, perhaps?
>
> I'm not sure of the best way to solve the problem of generating this
> file on-demand, so it doesn't get out of date (nor edited directly
> again). I just know that in addition to the CI targets we need for
> readthedocs to do it automatically as well.

I sent this:

https://patchwork.ozlabs.org/project/uboot/list/?series=496461

Regards,
Simon

