
On 5/6/24 1:52 PM, Francesco Dolcini wrote:
Hello Marek,
On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default to the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section.
Signed-off-by: Marek Vasut <marex@denx.de>
I was not able to test or really look into your series [1], however I can relate with a comment from Tim Harvey.
I think it is important to keep in mind that signing cannot be done with key material that is in-tree, because well, that's private, and I think we should not force people to branch to properly sign the binaries.
I think that it would be valuable to share how you foresee this being used in a real environment.
I am open to discussion, really.
Currently the most basic approach is implemented -- plug in key material either by copying it into build directory, or creating a symlink, or adjusting the DT to specify full path to key material.
I am sure this can be expanded to cover other use cases?