[PATCH v4] binman: add CST backend selection for i.MX8M signing
Marek Vasut
marex at nabladev.com
Sun May 24 18:20:48 CEST 2026
On 5/7/26 5:31 PM, Simon Glass wrote:
> Hi Marek,
>
> On 2026-05-04T19:04:59, Marek Vasut <marex at nabladev.com> wrote:
>> binman: add CST backend selection for i.MX8M signing
>>
>> Add support for setting the CST backend, both via DT property and
>> CST_BACKEND environment variable. The CST currently supports two
>> backends, 'ssl' and 'pkcs11', with 'ssl' being the default when
>> CST tool is invoked without any -b parameter. Keep 'ssl' backend
>> as the default, but explicitly pass it via the '-b' parameter,
>> unless the user selects 'pkcs11' via either method.
>>
>> Signed-off-by: Marek Vasut <marex at nabladev.com>
>>
>> doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 30 +++++++++++++++++----------
>> tools/binman/etype/nxp_imx8mcst.py | 19 ++++++++++++++++-
>> 2 files changed, 37 insertions(+), 12 deletions(-)
>
>> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
>> @@ -90,6 +97,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>> + self.backend = os.getenv(
>> + 'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend',
>> + 'ssl'))
>> +
>
> Please add a binman test covering this new feature - see
> testNxpImx8mCSTFastAuth in ftest.py and the vendor/nxp_imx8_csf*.dts
> fixtures. The missing coverage line for me is 177 (cst_backend =
> "pkcs11" )
The pkcs11 option requires a HSM, how do you propose to test that ?
More information about the U-Boot
mailing list