
On 5/14/24 8:34 PM, Tim Harvey wrote:
Hi,
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration:
Defconfig:
CONFIG_IMX_HAB=y
- CONFIG_FSL_CAAM=y
- CONFIG_ARCH_MISC_INIT=y
- CONFIG_SPL_CRYPTO=y
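Review bot: the three options added to the Defconfig list (CONFIG_FSL_CAAM, CONFIG_ARCH_MISC_INIT, CONFIG_SPL_CRYPTO) carry no explanation of why a HAB build needs them or whether each one has to be set by hand. A short note per option, or one sentence saying which are already selected through Kconfig and which must go into the defconfig, would keep the guide accurate if the selects change later.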
Hi Marek,
Thanks for wrapping the dts bits with a config item.
Is there any other reason to build with CONFIG_IMX_HAB than to use a signed image? I see that there are several ARCH_MX6 and ARCH_MX7 configs that have this enabled (not ARCH_IMX8M so this certainly doesn't break anything) and I'm not sure what the value of that is.
I think those few either enabled it preemptively in anticipation of possibly using HAB, or are wrong. I suspect it should be disabled for those, as it only adds to the board boot time and I am not even sure if those machines would boot correctly.
Francesco, maybe you do have MX7 Colibri?
I notice that FSL_CAAM is selected when you select IMX_HAB... is there any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by IMX_HAB as well (future patch perhaps)?
ARCH_MISC_INIT should be selected by SoC Kconfig on MX7 and maybe CAAM on MX8M I think. As for SPL_CRYPTO, that should be selected by SPL_FSL_CAAM I think.
- Kconfig:
We definitely need to describe the additional requirements here. Maybe something like:
- Tools:
cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
- Files: (created with NXP IMX_CST_TOOL)
SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table
CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY
IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
The following works fine for me on v2024.01:
export CST_DIR=/usr/src/nxp/cst-3.3.2/
export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
export PATH=$CST_DIR/linux64/bin:$PATH
make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
But with the above defines and your series this fails:
ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin
ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem
ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem
make
BINMAN .binman_stamp
Wrote map file './image.map' to show errors
binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem
0:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key.pem','r')
0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
make: *** [Makefile:1126: .binman_stamp] Error 1
So how is it that the default for nxp,img-crt IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files vs ln them.
So what am I missing here?
I think CST is using both the certificate and the key files. Try and run strace on the CST to test that:
$ strace cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0
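
A pre-flight check for the failure above, as an added example that is not part of the original mails or of U-Boot. It assumes, based only on the error text, that cst opens the key under the certificate's file name with _crt.pem replaced by _key.pem in the same directory; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: report signing files that cst would fail to open.
# Assumption (taken from the error message in the thread): for a certificate
# <name>_crt.pem, cst opens <name>_key.pem next to it.

# Print the key path expected for one certificate path.
# Returns 1 if the name does not end in _crt.pem.
key_for_cert() {
    case "$1" in
        *_crt.pem) printf '%s\n' "${1%_crt.pem}_key.pem" ;;
        *) return 1 ;;
    esac
}

# For each certificate path given, print every certificate or key file that
# is missing or unreadable. [ -r ] follows symlinks, so a dangling
# "ln -sf" target is reported as missing.
# Return status: 0 all present, 1 something missing, 2 bad certificate name.
missing_keys() {
    rc=0
    for crt in "$@"; do
        if ! key=$(key_for_cert "$crt"); then
            echo "not a *_crt.pem name: $crt" >&2
            rc=2
            continue
        fi
        if [ ! -r "$crt" ]; then
            echo "$crt"
            [ "$rc" -eq 0 ] && rc=1
        fi
        if [ ! -r "$key" ]; then
            echo "$key"
            [ "$rc" -eq 0 ] && rc=1
        fi
    done
    return "$rc"
}

# Typical call from the build directory, before running make:
#   missing_keys CSF1_1_sha256_4096_65537_v3_usr_crt.pem \
#                IMG1_1_sha256_4096_65537_v3_usr_crt.pem
```

If this prints only the two _key.pem names, the setup matches the case in the thread: the certificates were linked into the build directory but the keys were not.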