On 5/16/24 10:36, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Signed-off-by: Claudius Heine ch@denx.de
Hi,
this patch documents some changes of the '20240503010518.263458-1-marex@denx.de' patchset. So am posting it as a reply to my earlier patch in that thread.
When referring to patches, please, use the complete title and and url (e.g. from lore.kernel.org or Patchwork):
[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing https://lore.kernel.org/u-boot/20240503010518.263458-1-marex@denx.de/
Currently in Patchwork this patch is assigned to my review queue. I guess it should be reviewed and pulled by Fabio.
Best regards
Heinrich
Changed from v1:
- added 'symbolic link' option for making keys/certs available in build
- `node` -> `node(s)`
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..75089fba4d 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them:
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them.
Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device