
Hi Brian,
On Mon, 30 Sept 2024 at 10:10, Brian Ruley brian.ruley@gehealthcare.com wrote:
Using the PKI tree with SRKs as intermediate CA isn't necessary or even desirable in some situations (boot time, for example). Add the possibility
spelling
to use the "fast authentication" method where the image and CSF are both signed using the SRK [1, p.63].
[1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/2...
Signed-off-by: Brian Ruley brian.ruley@gehealthcare.com Cc: Marek Vasut marex@denx.de
tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
That should be below the --- (you can use patman to get this right automatically)
tools/binman/etype/nxp_imx8mcst.py | 44 ++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index 0c744a00d7..a80cb94499 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -36,6 +36,9 @@ csf_config_template = ''' File = "SRK_1_2_3_4_table.bin" Source index = 0
+[Install NOCAK]
- File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
[Install CSFK] File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
Since 'sha256_4096_65537_v3_usr_crt.' is common to everything, could you have a variable, say keyname, and use that everywhere?
@@ -74,16 +77,25 @@ class Entry_nxp_imx8mcst(Entry_mkimage): self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin' ))
self.csf_crt = os.getenv(
'CSF_KEY', fdt_util.GetString(
self._node, 'nxp,csf-crt',
'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
))
self.img_crt = os.getenv(
'IMG_KEY', fdt_util.GetString(
self._node, 'nxp,img-crt',
'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
))
self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
if not self.fast_auth:
self.csf_crt = os.getenv(
'CSF_KEY', fdt_util.GetString(
self._node, 'nxp,csf-crt',
'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
e.g. f'CSF1_1_{keyname}'
))
self.img_crt = os.getenv(
'IMG_KEY', fdt_util.GetString(
self._node, 'nxp,img-crt',
'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
))
else:
self.srk_crt = os.getenv(
'SRK_KEY', fdt_util.GetString(
self._node, 'nxp,srk-crt',
'SRK1_sha256_4096_65537_v3_usr_crt.pem'
))
All three options seem to read the 'nxp,srk-crt' property, so you can do that once, outside the if(), to reduce the amount of duplicated code.
self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
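Review bot: The new `nxp,fast-auth` and `nxp,srk-crt` properties and the `SRK_KEY` environment override are read here with no documentation visible in the hunk; the class docstring of Entry_nxp_imx8mcst, which lies outside the hunk, should describe them. That text should state the security trade-off of this mode: the image and CSF are signed with the SRK itself, so the SRK private key has to be present wherever binman runs instead of being kept offline behind separate CSF/IMG keys. It should presumably also say that the SRK table named by `nxp,srk-table` must come from a key tree generated for fast authentication, as the `_usr_crt` default file name suggests. Suggested wording for the property entry: `nxp,fast-auth - sign image and CSF directly with the SRK (no CSF/IMG keys); the SRK private key is then required at build time`.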
@@ -137,8 +149,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage): # Load configuration template and modify keys of interest config.read_string(csf_config_template) config['Install SRK']['File'] = '"' + self.srk_table + '"'
This is what I mean by the f-string:
f'"{self.srk_table}"'
config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
config['Install Key']['File'] = '"' + self.img_crt + '"'
if not self.fast_auth:
config.remove_section('Install NOCAK')
config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
config['Install Key']['File'] = '"' + self.img_crt + '"'
else:
config.remove_section('Install CSFK')
config.remove_section('Install Key')
config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
config['Authenticate Data']['Verification index'] = '0'
config['Authenticate Data']['Blocks'] = (hex(signbase) + ' 0 ' + hex(len(data)) + ' "' + str(output_dname) + '"')
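Review bot: The fast-auth branch sets `Verification index` to `'0'` and leaves the template's `Source index = 0` as it is, while the certificate path stays configurable through `nxp,srk-crt` and `SRK_KEY`. If that path names anything other than the first key in the SRK table, the generated CSF would, as far as the visible lines show, still build, and the mismatch would only surface as an authentication failure on the target. Either document that `nxp,srk-crt` must be the table's first entry, or make the source index configurable alongside it. A one-line comment such as `# NOCAK: data is verified with the SRK itself, which sits in key slot 0` above the index assignment would explain the constant. The enclosing method starts and ends outside this hunk.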
Can use f-strings here too, e.g.
f'{signbase:#x} 0 {len(data):#x} ...
-- 2.39.5
Regards, Simon