[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing
Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section.
Signed-off-by: Marek Vasut marex@denx.de --- Cc: "NXP i.MX U-Boot Team" uboot-imx@nxp.com Cc: Adam Ford aford173@gmail.com Cc: Alper Nebi Yasak alpernebiyasak@gmail.com Cc: Andrejs Cainikovs andrejs.cainikovs@toradex.com Cc: Angus Ainslie angus@akkea.ca Cc: Emanuele Ghidoli emanuele.ghidoli@toradex.com Cc: Fabio Estevam festevam@gmail.com Cc: Francesco Dolcini francesco.dolcini@toradex.com Cc: Marcel Ziswiler marcel.ziswiler@toradex.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk Cc: Simon Glass sjg@chromium.org Cc: Stefan Eichenberger stefan.eichenberger@toradex.com Cc: Stefano Babic sbabic@denx.de Cc: Tim Harvey tharvey@gateworks.com Cc: Tom Rini trini@konsulko.com Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: - Use configparser module for generating the configuration INI file - Use config template as an input, parse it, modify only keys of interest - Pull magic values into top level variables - Rename nxp,csf-key and nxp,img-key to nxp,csf-crt and nxp,img-crt - Return unmodified data if signing unrecognized (non-SPL/non-FIT) section --- tools/binman/btool/cst.py | 48 +++++++++ tools/binman/etype/nxp_imx8mcst.py | 163 +++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 tools/binman/btool/cst.py create mode 100644 tools/binman/etype/nxp_imx8mcst.py
diff --git a/tools/binman/btool/cst.py b/tools/binman/btool/cst.py new file mode 100644 index 00000000000..30e78bdbbd9 --- /dev/null +++ b/tools/binman/btool/cst.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2024 Marek Vasut marex@denx.de +# +"""Bintool implementation for cst""" + +import re + +from binman import bintool + +class Bintoolcst(bintool.Bintool): + """Image generation for U-Boot + + This bintool supports running `cst` with some basic parameters as + needed by binman. + """ + def __init__(self, name): + super().__init__(name, 'Sign NXP i.MX image') + + # pylint: disable=R0913 + def run(self, output_fname=None): + """Run cst + + Args: + output_fname: Output filename to write to + """ + args = [] + if output_fname: + args += ['-o', output_fname] + return self.run_cmd(*args) + + def fetch(self, method): + """Fetch handler for cst + + This installs cst using the apt utility. + + Args: + method (FETCH_...): Method to use + + Returns: + True if the file was fetched and now installed, None if a method + other than FETCH_BIN was requested + + Raises: + Valuerror: Fetching could not be completed + """ + if method != bintool.FETCH_BIN: + return None + return self.apt_install('imx-code-signing-tool') diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py new file mode 100644 index 00000000000..132127ad482 --- /dev/null +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -0,0 +1,163 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2023-2024 Marek Vasut marex@denx.de +# Written with much help from Simon Glass sjg@chromium.org +# +# Entry-type module for generating the i.MX8M code signing tool +# input configuration file and invocation of cst on generated +# input configuration file and input data to be signed. +# + +import configparser +import struct + +from collections import OrderedDict + +from binman.entry import Entry +from binman.etype.mkimage import Entry_mkimage +from binman.etype.section import Entry_section +from binman import elf +from dtoc import fdt_util +from u_boot_pylib import tools + +MAGIC_NXP_IMX_IVT = 0x412000d1 +MAGIC_FITIMAGE = 0xedfe0dd0 + +csf_config_template = """ +[Header] + Version = 4.3 + Hash Algorithm = sha256 + Engine = CAAM + Engine Configuration = 0 + Certificate Format = X509 + Signature Format = CMS + +[Install SRK] + File = "SRK_1_2_3_4_table.bin" + Source index = 0 + +[Install CSFK] + File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate CSF] + +[Unlock] + Engine = CAAM + Features = MID + +[Install Key] + Verification index = 0 + Target Index = 2 + File = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate Data] + Verification index = 2 + Blocks = 0x1234 0x78 0xabcd "data.bin" +""" + +class Entry_nxp_imx8mcst(Entry_mkimage): + """NXP i.MX8M CST .cfg file generator and cst invoker + + Properties / Entry arguments: + - nxp,loader-address - loader address (SPL text base) + """ + + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.required_props = ['nxp,loader-address'] + + def ReadNode(self): + super().ReadNode() + self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') + self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') + self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') + self.ReadEntries() + + def BuildSectionData(self, required): + data, input_fname, uniq = self.collect_contents_to_file( + self._entries.values(), 'input') + + # Parse the input data and figure out what it is that is being signed. + # - If it is mkimage'd imx8mimage, then extract to be signed data size + # from imx8mimage header, and calculate CSF blob offset right past + # the SPL from this information. + # - If it is fitImage, then pad the image to 4k, add generated IVT and + # sign the whole payload, then append CSF blob at the end right past + # the IVT. + signtype = struct.unpack('<I', data[:4])[0] + signbase = self.loader_address + signsize = 0 + if signtype == MAGIC_NXP_IMX_IVT: # SPL/imx8mimage + # Sign the payload including imx8mimage header + # (extra 0x40 bytes before the payload) + signbase -= 0x40 + signsize = struct.unpack('<I', data[24:28])[0] - signbase + # Remove mkimage generated padding from the end of data + data = data[:signsize] + elif signtype == MAGIC_FITIMAGE: # fitImage + # Align fitImage to 4k + signsize = tools.align(len(data), 0x1000) + data += tools.get_bytes(0, signsize - len(data)) + # Add generated IVT + data += struct.pack('<I', MAGIC_NXP_IMX_IVT) + data += struct.pack('<I', signbase + signsize) # IVT base + data += struct.pack('<I', 0) + data += struct.pack('<I', 0) + data += struct.pack('<I', 0) + data += struct.pack('<I', signbase + signsize) # IVT base + data += struct.pack('<I', signbase + signsize + 0x20) # CSF base + data += struct.pack('<I', 0) + else: + # Unknown section type, pass input data through. + return data + + # Write out customized data to be signed + output_dname = tools.get_output_filename(f'nxp.cst-input-data.{uniq}') + tools.write_file(output_dname, data) + + # Generate CST configuration file used to sign payload + cfg_fname = tools.get_output_filename('nxp.csf-config-txt.%s' % uniq) + config = configparser.ConfigParser() + # Do not make key names lowercase + config.optionxform = str + # Load configuration template and modify keys of interest + config.read_string(csf_config_template) + config['Install SRK']['File'] = '"' + self.srk_table + '"' + config['Install CSFK']['File'] = '"' + self.csf_crt + '"' + config['Install Key']['File'] = '"' + self.img_crt + '"' + config['Authenticate Data']['Blocks'] = hex(signbase) + ' 0 ' + hex(len(data)) + ' "' + str(output_dname) + '"' + if not self.unlock: + config.remove_section('Unlock') + with open(cfg_fname, 'w') as cfgf: + config.write(cfgf) + + output_fname = tools.get_output_filename(f'nxp.csf-output-blob.{uniq}') + args = ['-i', cfg_fname, '-o', output_fname] + if self.cst.run_cmd(*args) is not None: + outdata = tools.read_file(output_fname) + return data + outdata + else: + # Bintool is missing; just use the input data as the output + self.record_missing_bintool(self.cst) + return data + + def SetImagePos(self, image_pos): + # Customized SoC specific SetImagePos which skips the mkimage etype + # implementation and removes the 0x48 offset introduced there. That + # offset is only used for uImage/fitImage, which is not the case in + # here. + upto = 0x00 + for entry in super().GetEntries().values(): + entry.SetOffsetSize(upto, None) + + # Give up if any entries lack a size + if entry.size is None: + return + upto += entry.size + + Entry_section.SetImagePos(self, image_pos) + + def AddBintools(self, btools): + super().AddBintools(btools) + self.cst = self.AddBintool(btools, 'cst')
Add binman_imx_spl and binman_imx_fit labels to nxp-imx8mimage {} and fit {} nodes respectively, so they can be referened in board DTs no matter how deep in the top level binman image description they are. Update current board DTs to use those labels.
Signed-off-by: Marek Vasut marex@denx.de --- Cc: "NXP i.MX U-Boot Team" uboot-imx@nxp.com Cc: Adam Ford aford173@gmail.com Cc: Alper Nebi Yasak alpernebiyasak@gmail.com Cc: Andrejs Cainikovs andrejs.cainikovs@toradex.com Cc: Angus Ainslie angus@akkea.ca Cc: Emanuele Ghidoli emanuele.ghidoli@toradex.com Cc: Fabio Estevam festevam@gmail.com Cc: Francesco Dolcini francesco.dolcini@toradex.com Cc: Marcel Ziswiler marcel.ziswiler@toradex.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk Cc: Simon Glass sjg@chromium.org Cc: Stefan Eichenberger stefan.eichenberger@toradex.com Cc: Stefano Babic sbabic@denx.de Cc: Tim Harvey tharvey@gateworks.com Cc: Tom Rini trini@konsulko.com Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: New patch --- arch/arm/dts/imx8mm-u-boot.dtsi | 4 +- .../dts/imx8mm-verdin-wifi-dev-u-boot.dtsi | 8 +- arch/arm/dts/imx8mn-u-boot.dtsi | 4 +- arch/arm/dts/imx8mp-dhcom-u-boot.dtsi | 124 +++++++++--------- arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi | 26 ++-- arch/arm/dts/imx8mp-u-boot.dtsi | 4 +- arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi | 10 +- arch/arm/dts/imx8mq-u-boot.dtsi | 4 +- 8 files changed, 84 insertions(+), 100 deletions(-)
diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index 6ab8f66256e..b9b1193823a 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi @@ -54,7 +54,7 @@ }; #endif
- nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; @@ -98,7 +98,7 @@ }; };
- fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; diff --git a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi index 90183aff8bc..183de46f66a 100644 --- a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi @@ -35,12 +35,8 @@ bootph-pre-ram; };
-&binman { - section { - fit { - offset = <0x5fc00>; - }; - }; +&binman_imx_fit { + offset = <0x5fc00>; };
&gpio1 { diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index ba9967dbe4a..c9fb33cfb73 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi @@ -103,7 +103,7 @@ }; #endif
- nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -169,7 +169,7 @@ }; };
- fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; diff --git a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi index cb37e28f28f..c065fb82994 100644 --- a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi @@ -135,73 +135,69 @@ bootph-pre-ram; };
-&binman { - section { - fit { - images { - fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { - description = "imx8mp-dhcom-som-overlay-eth1xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { - description = "imx8mp-dhcom-som-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { - description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-rev100 { - description = "imx8mp-dhcom-som-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { - description = "imx8mp-dhcom-pdk3-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; - }; - }; +&binman_imx_fit { + images { + fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { + description = "imx8mp-dhcom-som-overlay-eth1xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; }; + }; + + fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { + description = "imx8mp-dhcom-som-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { + description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; + }; + };
- configurations { - default = "@config-DEFAULT-SEQ"; - - @config-SEQ { - fdt = "fdt-1", - "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-rev100", - "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; - }; + fdt-dto-imx8mp-dhcom-som-overlay-rev100 { + description = "imx8mp-dhcom-som-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { + description = "imx8mp-dhcom-pdk3-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; }; }; }; + + configurations { + default = "@config-DEFAULT-SEQ"; + + @config-SEQ { + fdt = "fdt-1", + "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-rev100", + "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; + }; + }; }; diff --git a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi index aff5dcf615d..21eff6d6ad4 100644 --- a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi @@ -135,21 +135,17 @@ assigned-clock-parents = <&clk IMX8MP_SYS_PLL1_400M>; };
-&binman { - section { - fit { - images { - fip { - description = "Trusted Firmware FIP"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x40310000>; - - fip_blob: blob-ext{ - filename = "fip.bin"; - }; - }; +&binman_imx_fit { + images { + fip { + description = "Trusted Firmware FIP"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x40310000>; + + fip_blob: blob-ext{ + filename = "fip.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index c4c1a177102..8b5ac3faf1c 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi @@ -86,7 +86,7 @@ section { pad-byte = <0x00>;
- nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -129,7 +129,7 @@ }; };
- fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; diff --git a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi index 1a4568dac65..98da015a444 100644 --- a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi @@ -10,14 +10,10 @@ bootph-pre-ram; };
-&binman { +&binman_imx_spl { section { - nxp-imx8mimage { - section { - signed-hdmi-imx8m { - filename = "signed_dp_imx8m.bin"; - }; - }; + signed-hdmi-imx8m { + filename = "signed_dp_imx8m.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 48dbe94f0c4..72da674d245 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi @@ -38,7 +38,7 @@ section { pad-byte = <0x00>;
- nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; @@ -87,7 +87,7 @@ }; };
- fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>;
In case CONFIG_IMX_HAB is enabled, extend the binman image description for all of i.MX8M{Q,M,N,P} with CST wrapper node. This way, if CONFIG_IMX_HAB is enabled, binman will be automatically used to sign SPL and fitImage.
Signed-off-by: Marek Vasut marex@denx.de --- Cc: "NXP i.MX U-Boot Team" uboot-imx@nxp.com Cc: Adam Ford aford173@gmail.com Cc: Alper Nebi Yasak alpernebiyasak@gmail.com Cc: Andrejs Cainikovs andrejs.cainikovs@toradex.com Cc: Angus Ainslie angus@akkea.ca Cc: Emanuele Ghidoli emanuele.ghidoli@toradex.com Cc: Fabio Estevam festevam@gmail.com Cc: Francesco Dolcini francesco.dolcini@toradex.com Cc: Marcel Ziswiler marcel.ziswiler@toradex.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk Cc: Simon Glass sjg@chromium.org Cc: Stefan Eichenberger stefan.eichenberger@toradex.com Cc: Stefano Babic sbabic@denx.de Cc: Tim Harvey tharvey@gateworks.com Cc: Tom Rini trini@konsulko.com Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: New patch --- arch/arm/dts/imx8mm-u-boot.dtsi | 195 ++++++++++++++++------------- arch/arm/dts/imx8mn-u-boot.dtsi | 209 ++++++++++++++++++-------------- arch/arm/dts/imx8mp-u-boot.dtsi | 172 ++++++++++++++------------ arch/arm/dts/imx8mq-u-boot.dtsi | 182 ++++++++++++++------------- 4 files changed, 424 insertions(+), 334 deletions(-)
diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index b9b1193823a..c02e11def5f 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi @@ -54,126 +54,151 @@ }; #endif
- binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif
- section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + args; /* Needed by mkimage etype superclass */ + + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + };
- ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB };
- binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x58C00>; #else offset = <0x57c00>; #endif
- images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = <CONFIG_TEXT_BASE>; - type = "standalone"; + args; /* Needed by mkimage etype superclass */ +#endif
- uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x58C00>; +#else + offset = <0x57c00>; +#endif + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = <CONFIG_TEXT_BASE>; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - };
#ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x920000>; - load = <0x920000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x920000>; + load = <0x920000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif
- binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; - }; + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + };
- @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt";
- uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - };
- configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ";
- @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; };
diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index c9fb33cfb73..732191f5205 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi @@ -103,147 +103,172 @@ }; #endif
- binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif
- section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + args; /* Needed by mkimage etype superclass */ + + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + };
- ddr-1d-imem-fw { + ddr-1d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_imem.bin"; + filename = "lpddr4_pmu_train_1d_imem.bin"; #elif CONFIG_IMX8M_DDR4 - filename = "ddr4_imem_1d_201810.bin"; + filename = "ddr4_imem_1d_201810.bin"; #else - filename = "ddr3_imem_1d.bin"; + filename = "ddr3_imem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + };
- ddr-1d-dmem-fw { + ddr-1d-dmem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_dmem.bin"; + filename = "lpddr4_pmu_train_1d_dmem.bin"; #elif CONFIG_IMX8M_DDR4 - filename = "ddr4_dmem_1d_201810.bin"; + filename = "ddr4_dmem_1d_201810.bin"; #else - filename = "ddr3_dmem_1d.bin"; + filename = "ddr3_dmem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + };
#if defined(CONFIG_IMX8M_LPDDR4) || defined(CONFIG_IMX8M_DDR4) - ddr-2d-imem-fw { + ddr-2d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_imem.bin"; + filename = "lpddr4_pmu_train_2d_imem.bin"; #else - filename = "ddr4_imem_2d_201810.bin"; + filename = "ddr4_imem_2d_201810.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + };
- ddr-2d-dmem-fw { + ddr-2d-dmem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_dmem.bin"; + filename = "lpddr4_pmu_train_2d_dmem.bin"; #else - filename = "ddr4_dmem_2d_201810.bin"; + filename = "ddr4_dmem_2d_201810.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; #endif + }; }; + +#ifdef CONFIG_IMX_HAB };
- binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x59000>; #else offset = <0x58000>; #endif + args; /* Needed by mkimage etype superclass */ +#endif
- images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = <CONFIG_TEXT_BASE>; - type = "standalone"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x59000>; +#else + offset = <0x58000>; +#endif
- uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = <CONFIG_TEXT_BASE>; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - };
#ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x960000>; - load = <0x960000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x960000>; + load = <0x960000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif
- binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; - }; + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + };
- @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt";
- uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - };
- configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ";
- @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index 8b5ac3faf1c..f2655a4d0c8 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi @@ -86,110 +86,130 @@ section { pad-byte = <0x00>;
- binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif
- section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; - - u-boot-spl { - align-end = <4>; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + args; /* Needed by mkimage etype superclass */ + + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; + + u-boot-spl { + align-end = <4>; + };
- ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + };
- ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + };
- ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + };
- ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; }; }; +#ifdef CONFIG_IMX_HAB };
- binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>; offset = <0x58000>; + args; /* Needed by mkimage etype superclass */ +#endif
- images { - uboot { - description = "U-Boot (64-bit)"; - type = "standalone"; - arch = "arm64"; - compression = "none"; - load = <CONFIG_TEXT_BASE>; - - uboot_blob: blob-ext { - filename = "u-boot-nodtb.bin"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; + offset = <0x58000>; + + images { + uboot { + description = "U-Boot (64-bit)"; + type = "standalone"; + arch = "arm64"; + compression = "none"; + load = <CONFIG_TEXT_BASE>; + + uboot_blob: blob-ext { + filename = "u-boot-nodtb.bin"; + }; }; - };
#ifndef CONFIG_ARMV8_PSCI - atf { - description = "ARM Trusted Firmware"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x970000>; - entry = <0x970000>; - - atf_blob: atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + description = "ARM Trusted Firmware"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x970000>; + entry = <0x970000>; + + atf_blob: atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif
- @fdt-SEQ { - description = "NAME"; - type = "flat_dt"; - compression = "none"; + @fdt-SEQ { + description = "NAME"; + type = "flat_dt"; + compression = "none";
- blob-ext { - filename = "u-boot.dtb"; + blob-ext { + filename = "u-boot.dtb"; + }; }; }; - };
- configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ";
- @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 72da674d245..e1cd6f8996d 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi @@ -38,116 +38,136 @@ section { pad-byte = <0x00>;
- binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif
- section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; + args; /* Needed by mkimage etype superclass */ + + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + };
- ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + };
- signed-hdmi-imx8m { - filename = "signed_hdmi_imx8m.bin"; - type = "blob-ext"; + signed-hdmi-imx8m { + filename = "signed_hdmi_imx8m.bin"; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB };
- binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>; + offset = <0x58000>; + args; /* Needed by mkimage etype superclass */ +#endif + + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB - fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; + fit,external-offset = <CONFIG_FIT_EXTERNAL_OFFSET>; #endif - #address-cells = <1>; - - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = <CONFIG_TEXT_BASE>; - type = "standalone"; - - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + #address-cells = <1>; + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = <CONFIG_TEXT_BASE>; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - };
#ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x910000>; - load = <0x910000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "blob-ext"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x910000>; + load = <0x910000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "blob-ext"; + }; }; - }; #endif
- fdt { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + fdt { + compression = "none"; + description = "NAME"; + type = "flat_dt";
- uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - };
- configurations { - default = "conf"; + configurations { + default = "conf";
- conf { - description = "NAME"; - fdt = "fdt"; - firmware = "uboot"; + conf { + description = "NAME"; + fdt = "fdt"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; };
Update documentation and use nxp_imx8mcst binman etype for signing of flash.bin instead of previous horrible shell scripting.
Signed-off-by: Marek Vasut marex@denx.de --- Cc: "NXP i.MX U-Boot Team" uboot-imx@nxp.com Cc: Adam Ford aford173@gmail.com Cc: Alper Nebi Yasak alpernebiyasak@gmail.com Cc: Andrejs Cainikovs andrejs.cainikovs@toradex.com Cc: Angus Ainslie angus@akkea.ca Cc: Emanuele Ghidoli emanuele.ghidoli@toradex.com Cc: Fabio Estevam festevam@gmail.com Cc: Francesco Dolcini francesco.dolcini@toradex.com Cc: Marcel Ziswiler marcel.ziswiler@toradex.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk Cc: Simon Glass sjg@chromium.org Cc: Stefan Eichenberger stefan.eichenberger@toradex.com Cc: Stefano Babic sbabic@denx.de Cc: Tim Harvey tharvey@gateworks.com Cc: Tom Rini trini@konsulko.com Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled --- doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ---------------- doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ------ doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ------ doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 100 +++--------------- 4 files changed, 14 insertions(+), 241 deletions(-) delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh deleted file mode 100644 index cd3b2614a2f..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/sh - -# 0) Generate keys -# -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus) -# -# cd /path/to/cst-3.3.1/keys/ -# ./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y -# cd /path/to/cst-3.3.1/crts/ -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1 - -# 1) Build U-Boot (e.g. for i.MX8MM) -# -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin . -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* . -# make -j imx8mm_board_defconfig -# make -j`nproc` flash.bin - -# 2) Sign SPL and DRAM blobs - -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp - -# update File Paths from env vars -if ! [ -r $CSF_KEY ]; then - echo "Error: $CSF_KEY not found" - exit 1 -fi -if ! [ -r $IMG_KEY ]; then - echo "Error: $IMG_KEY not found" - exit 1 -fi -if ! [ -r $SRK_TABLE ]; then - echo "Error: $SRK_TABLE not found" - exit 1 -fi -sed -i "s:$CSF_KEY:$CSF_KEY:" csf_spl.tmp -sed -i "s:$IMG_KEY:$IMG_KEY:" csf_spl.tmp -sed -i "s:$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp -sed -i "s:$CSF_KEY:$CSF_KEY:" csf_fit.tmp -sed -i "s:$IMG_KEY:$IMG_KEY:" csf_fit.tmp -sed -i "s:$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp - -# update SPL Blocks -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size "flash.bin"@" csf_spl.tmp - -# Generate CSF blob -cst -i csf_spl.tmp -o csf_spl.bin - -# Patch CSF blob into flash.bin -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc - -# 3) Sign u-boot.itb - -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size "flash.bin"@" csf_fit.tmp - -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc - -# Generate CSF blob -cst -i csf_fit.tmp -o csf_fit.bin - -# When loading flash.bin via USB, we must ensure that the file being -# served is as large as the target expects (see -# board_spl_fit_size_align()), otherwise the target will hang in -# rom_api_download_image() waiting for the remaining bytes. -# -# Note that in order for dd to actually extend the file, one must not -# pass conv=notrunc here. With a non-zero seek= argument, dd is -# documented to preserve the contents of the file seeked past; in -# particular, dd does not open the file with O_TRUNC. -CSF_SIZE=$(sed -n "/CONFIG_CSF_SIZE=/ s@.*=@@p" .config) -dd if=/dev/null of=csf_fit.bin bs=1 seek=$((CSF_SIZE - 0x20)) count=0 - -# Patch CSF blob into flash.bin -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt deleted file mode 100644 index 97f3eea573b..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ /dev/null @@ -1,30 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: - # Line 1 -- fitImage - Blocks = CONFIG_SPL_LOAD_FIT_ADDRESS 0x57c00 0xffff "flash.bin" diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt deleted file mode 100644 index 88fa420a5fa..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt +++ /dev/null @@ -1,33 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Unlock] - Engine = CAAM - Features = MID - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: Adjust start (first column) and size (third column) here - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration: - Defconfig:
CONFIG_IMX_HAB=y + CONFIG_FSL_CAAM=y + CONFIG_ARCH_MISC_INIT=y + CONFIG_SPL_CRYPTO=y
- Kconfig:
@@ -131,92 +134,17 @@ build configuration:
The CSF contains all the commands that the HAB executes during the secure boot. These commands instruct the HAB code on which memory areas of the image -to authenticate, which keys to install, use and etc. - -CSF examples are available under doc/imx/habv4/csf_examples/ directory. - -CSF "Blocks" line for csf_spl.txt can be generated as follows: - -``` -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size "flash.bin"@" csf_spl.txt -``` - -The resulting line looks as follows: -``` - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" -``` - -The columns mean: - - CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM - - 0x0 -- Start address of signed data, in "flash.bin" - - 0x306f0 -- Length of signed data, in "flash.bin" - - Filename -- "flash.bin" - -To generate signature for the SPL part of flash.bin container, use CST: -``` -cst -i csf_spl.tmp -o csf_spl.bin -``` - -The newly generated CST blob has to be patched into existing flash.bin -container. Conveniently, flash.bin IVT contains physical address of the -CSF blob. Remember, the SPL part of flash.bin container is loaded by the -BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in -the fitImage can be calculated and inserted into the flash.bin in the -correct location as follows: -``` -# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40 -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc -``` - -CSF "Blocks" line for csf_fit.txt can be generated as follows: -``` -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size "flash.bin"@" csf_fit.tmp -``` - -The fitImage part of flash.bin requires separate IVT. Generate the IVT and -patch it into the correct aligned location of flash.bin as follows: -``` -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc -``` - -To generate CSF signature for the fitImage part of flash.bin container, use CST: -``` -cst -i csf_fit.tmp -o csf_fit.bin -``` - -Finally, patch the CSF signature into the fitImage right past the IVT: -``` -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc -``` - -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): -``` -export CST_DIR=/usr/src/cst-3.3.1/ -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH -/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh -``` +to authenticate, which keys to install, use and etc. The CSF is generated +using the CST Code Signing Tool based on input configuration file. This tool +input configuration file is generated using binman, and the tool is invoked +from binman as well. + +The SPL and fitImage sections of the generated image are signed separately. +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst +etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi +in case CONFIG_IMX_HAB Kconfig symbol is enabled. + +Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device -----------------------
On Thu, May 2, 2024 at 6:05 PM Marek Vasut marex@denx.de wrote:
Update documentation and use nxp_imx8mcst binman etype for signing of flash.bin instead of previous horrible shell scripting.
Signed-off-by: Marek Vasut marex@denx.de
Cc: "NXP i.MX U-Boot Team" uboot-imx@nxp.com Cc: Adam Ford aford173@gmail.com Cc: Alper Nebi Yasak alpernebiyasak@gmail.com Cc: Andrejs Cainikovs andrejs.cainikovs@toradex.com Cc: Angus Ainslie angus@akkea.ca Cc: Emanuele Ghidoli emanuele.ghidoli@toradex.com Cc: Fabio Estevam festevam@gmail.com Cc: Francesco Dolcini francesco.dolcini@toradex.com Cc: Marcel Ziswiler marcel.ziswiler@toradex.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk Cc: Simon Glass sjg@chromium.org Cc: Stefan Eichenberger stefan.eichenberger@toradex.com Cc: Stefano Babic sbabic@denx.de Cc: Tim Harvey tharvey@gateworks.com Cc: Tom Rini trini@konsulko.com Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de
V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled
doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ---------------- doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ------ doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ------ doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 100 +++--------------- 4 files changed, 14 insertions(+), 241 deletions(-) delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
<snip>
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration:
Defconfig:
CONFIG_IMX_HAB=y
- CONFIG_FSL_CAAM=y
- CONFIG_ARCH_MISC_INIT=y
- CONFIG_SPL_CRYPTO=y
Hi Marek,
Thanks for wrapping the dts bits with a config item.
Is there any other reason to build with CONFIG_IMX_HAB than to use a signed image? I see that there are several ARCH_MX6 and ARCH_MX7 configs that have this enabled (not ARCH_IMX8M so this certainly doesn't break anything) and I'm not sure what the value of that is.
I notice that FSL_CAAM is selected when you select IMX_HAB... is there any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by IMX_HAB as well (future patch perhaps)?
- Kconfig:
We definitely need to describe the additional requirements here. Maybe something like:
- Tools: cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
- Files: (created with NXP IMX_CST_TOOL) SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
The following works fine for me on v2024.01 export CST_DIR=/usr/src/nxp/cst-3.3.2/ export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin export PATH=$CST_DIR/linux64/bin:$PATH make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
But with the above defines and your series this fails: ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem make BINMAN .binman_stamp Wrote map file './image.map' to show errors binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key. pem','r') 0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
make: *** [Makefile:1126: .binman_stamp] Error 1
So how is it that the default for nxp,img-crt IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files vs ln them.
So what am I missing here?
Best Regards,
Tim
@@ -131,92 +134,17 @@ build configuration:
The CSF contains all the commands that the HAB executes during the secure boot. These commands instruct the HAB code on which memory areas of the image -to authenticate, which keys to install, use and etc.
-CSF examples are available under doc/imx/habv4/csf_examples/ directory.
-CSF "Blocks" line for csf_spl.txt can be generated as follows:
-``` -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size "flash.bin"@" csf_spl.txt -```
-The resulting line looks as follows: -```
- Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
-```
-The columns mean:
- CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM
- 0x0 -- Start address of signed data, in "flash.bin"
- 0x306f0 -- Length of signed data, in "flash.bin"
- Filename -- "flash.bin"
-To generate signature for the SPL part of flash.bin container, use CST: -``` -cst -i csf_spl.tmp -o csf_spl.bin -```
-The newly generated CST blob has to be patched into existing flash.bin -container. Conveniently, flash.bin IVT contains physical address of the -CSF blob. Remember, the SPL part of flash.bin container is loaded by the -BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in -the fitImage can be calculated and inserted into the flash.bin in the -correct location as follows: -``` -# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40 -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc -```
-CSF "Blocks" line for csf_fit.txt can be generated as follows: -``` -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size "flash.bin"@" csf_fit.tmp -```
-The fitImage part of flash.bin requires separate IVT. Generate the IVT and -patch it into the correct aligned location of flash.bin as follows: -``` -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20))
-echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc -```
-To generate CSF signature for the fitImage part of flash.bin container, use CST: -``` -cst -i csf_fit.tmp -o csf_fit.bin -```
-Finally, patch the CSF signature into the fitImage right past the IVT: -``` -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc -```
-The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): -``` -export CST_DIR=/usr/src/cst-3.3.1/ -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH -/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh -``` +to authenticate, which keys to install, use and etc. The CSF is generated +using the CST Code Signing Tool based on input configuration file. This tool +input configuration file is generated using binman, and the tool is invoked +from binman as well.
+The SPL and fitImage sections of the generated image are signed separately. +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst +etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi +in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
-- 2.43.0
- Kconfig:
@@ -131,92 +134,17 @@ build configuration:
The CSF contains all the commands that the HAB executes during the secure boot. These commands instruct the HAB code on which memory areas of the image -to authenticate, which keys to install, use and etc.
-CSF examples are available under doc/imx/habv4/csf_examples/ directory.
-CSF "Blocks" line for csf_spl.txt can be generated as follows:
-``` -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size "flash.bin"@" csf_spl.txt -```
-The resulting line looks as follows: -```
- Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
-```
-The columns mean:
- CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM
- 0x0 -- Start address of signed data, in "flash.bin"
- 0x306f0 -- Length of signed data, in "flash.bin"
- Filename -- "flash.bin"
-To generate signature for the SPL part of flash.bin container, use CST: -``` -cst -i csf_spl.tmp -o csf_spl.bin -```
-The newly generated CST blob has to be patched into existing flash.bin -container. Conveniently, flash.bin IVT contains physical address of the -CSF blob. Remember, the SPL part of flash.bin container is loaded by the -BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in -the fitImage can be calculated and inserted into the flash.bin in the -correct location as follows: -``` -# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40 -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc -```
-CSF "Blocks" line for csf_fit.txt can be generated as follows: -``` -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size "flash.bin"@" csf_fit.tmp -```
-The fitImage part of flash.bin requires separate IVT. Generate the IVT and -patch it into the correct aligned location of flash.bin as follows: -``` -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@(..)(..)(..)(..)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20))
-echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc -```
-To generate CSF signature for the fitImage part of flash.bin container, use CST: -``` -cst -i csf_fit.tmp -o csf_fit.bin -```
-Finally, patch the CSF signature into the fitImage right past the IVT: -``` -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc -```
-The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): -``` -export CST_DIR=/usr/src/cst-3.3.1/ -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH -/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh -``` +to authenticate, which keys to install, use and etc. The CSF is generated +using the CST Code Signing Tool based on input configuration file. This tool +input configuration file is generated using binman, and the tool is invoked +from binman as well.
+The SPL and fitImage sections of the generated image are signed separately. +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst +etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi +in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
-- 2.43.0
On 5/14/24 8:34 PM, Tim Harvey wrote:
Hi,
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration:
Defconfig:
CONFIG_IMX_HAB=y
- CONFIG_FSL_CAAM=y
- CONFIG_ARCH_MISC_INIT=y
- CONFIG_SPL_CRYPTO=y
Hi Marek,
Thanks for wrapping the dts bits with a config item.
Is there any other reason to build with CONFIG_IMX_HAB than to use a signed image? I see that there are several ARCH_MX6 and ARCH_MX7 configs that have this enabled (not ARCH_IMX8M so this certainly doesn't break anything) and I'm not sure what the value of that is.
I think those few either enabled in preemptively in anticipation of possibly using HAB, or are wrong. I suspect it should be disabled for those, as it only adds to the board boot time and I am not even sure if those machines would boot correctly.
Francesco, maybe you do have MX7 Colibri ?
I notice that FSL_CAAM is selected when you select IMX_HAB... is there any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by IMX_HAB as well (future patch perhaps)?
ARCH_MISC_INIT should be selected by SoC Kconfig on MX7 and maybe CAAM on MX8M I think . As for SPL_CRYPTO, that should be selected by SPL_FSL_CAAM I think.
- Kconfig:
We definitely need to describe the additional requirements here. Maybe something like:
- Tools:
cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
- Files: (created with NXP IMX_CST_TOOL)
SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
The following works fine for me on v2024.01 export CST_DIR=/usr/src/nxp/cst-3.3.2/ export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin export PATH=$CST_DIR/linux64/bin:$PATH make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
But with the above defines and your series this fails: ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem make BINMAN .binman_stamp Wrote map file './image.map' to show errors binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key. pem','r') 0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
make: *** [Makefile:1126: .binman_stamp] Error 1
So how is it that the default for nxp,img-crt IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files vs ln them.
So what am I missing here?
I think CST is using both the certificate and the key files. Try and run strace on the CST to test that:
$ strace cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0
On Tue, May 14, 2024 at 1:58 PM Marek Vasut marex@denx.de wrote:
On 5/14/24 8:34 PM, Tim Harvey wrote:
Hi,
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration:
Defconfig:
CONFIG_IMX_HAB=y
- CONFIG_FSL_CAAM=y
- CONFIG_ARCH_MISC_INIT=y
- CONFIG_SPL_CRYPTO=y
Hi Marek,
Thanks for wrapping the dts bits with a config item.
Is there any other reason to build with CONFIG_IMX_HAB than to use a signed image? I see that there are several ARCH_MX6 and ARCH_MX7 configs that have this enabled (not ARCH_IMX8M so this certainly doesn't break anything) and I'm not sure what the value of that is.
I think those few either enabled in preemptively in anticipation of possibly using HAB, or are wrong. I suspect it should be disabled for those, as it only adds to the board boot time and I am not even sure if those machines would boot correctly.
Francesco, maybe you do have MX7 Colibri ?
I notice that FSL_CAAM is selected when you select IMX_HAB... is there any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by IMX_HAB as well (future patch perhaps)?
ARCH_MISC_INIT should be selected by SoC Kconfig on MX7 and maybe CAAM on MX8M I think . As for SPL_CRYPTO, that should be selected by SPL_FSL_CAAM I think.
- Kconfig:
We definitely need to describe the additional requirements here. Maybe something like:
- Tools:
cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
- Files: (created with NXP IMX_CST_TOOL)
SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
The following works fine for me on v2024.01 export CST_DIR=/usr/src/nxp/cst-3.3.2/ export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin export PATH=$CST_DIR/linux64/bin:$PATH make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
But with the above defines and your series this fails: ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem make BINMAN .binman_stamp Wrote map file './image.map' to show errors binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key. pem','r') 0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
make: *** [Makefile:1126: .binman_stamp] Error 1
So how is it that the default for nxp,img-crt IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files vs ln them.
So what am I missing here?
I think CST is using both the certificate and the key files. Try and run strace on the CST to test that:
$ strace cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0
Hi Marek,
strace was a good idea and showed me what was going on.
The previous documentation stated to pass your keys via env vars that were full paths to key certificates. Using strace shows me that it will use the directory the KEY certificate is in and try to open up ../keys/*_usr_key.pem if the key path is specified. So apparently the 'File' in the CST config file is used indirectly. Pointing to the usr_key.pem isn't enough either by the way, it seems to need both of these:
so if I hack the path to my certs in like this it works: diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..b432200960df 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -67,10 +67,11 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
def ReadNode(self): super().ReadNode() + self.certpath = '/usr/src/nxp/cst-3.3.2/crts/'; self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') - self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') - self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', self.certpath + '/CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', self.certpath + '/IMG1_1_sha256_4096_65537_v3_usr_crt.pem') self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
$ make -j8 BINMAN .binman_stamp OFCHK .config
Here is a snippet of strace with the patch above: openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/crts//IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=7012, ...}) = 0 read(6, "Certificate:\n Data:\n V"..., 4096) = 4096 read(6, "31:3d:64:30:11:32:1d:ab:15:\n "..., 4096) = 2916 close(6) = 0 openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/keys//IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0600, st_size=3414, ...}) = 0 read(6, "-----BEGIN ENCRYPTED PRIVATE KEY"..., 4096) = 3414
And a snippet at the same part without the patch above: openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=7012, ...}) = 0 read(6, "Certificate:\n Data:\n V"..., 4096) = 4096 read(6, "31:3d:64:30:11:32:1d:ab:15:\n "..., 4096) = 2916 close(6) = 0 openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, "Error: Cannot open key file IMG1"..., 68 Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem ) = 68 write(2, "0:error:02001002:system library:"..., 1430:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key.pem','r')
Do you not run into this and if not is it because you have put full paths in the dtsi overriding the defaults I'm using? Maybe this has something to do with how my keys were generated or the version of cst I'm using or maybe we just need to also add a directory which can be symlinked to or something.
Another thing that I'm seeing is that this leaves a bunch of turd files around: $ git status On branch cst Your branch is ahead of 'origin/master' by 4 commits. (use "git push" to publish your local commits)
Untracked files: (use "git add <file>..." to include in what will be committed) cfg-out.section.nxp-imx8mcst@0.nxp-imx8mimage cfg-out.section.nxp-imx8mimage input.section.nxp-imx8mcst@0 input.section.nxp-imx8mcst@0.nxp-imx8mimage input.section.nxp-imx8mimage nxp.csf-config-txt.section.nxp-imx8mcst@0 nxp.cst-input-data.section.nxp-imx8mcst@0 nxp.imx8mimage.cfg.section.nxp-imx8mcst@0.nxp-imx8mimage nxp.imx8mimage.cfg.section.nxp-imx8mimage
These intermediate files should be cleaned up after signing is complete.
Best Regards,
Tim
On Tue, May 14, 2024 at 1:58 PM Marek Vasut marex@denx.de wrote:
On 5/14/24 8:34 PM, Tim Harvey wrote:
Hi,
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration:
Defconfig:
CONFIG_IMX_HAB=y
- CONFIG_FSL_CAAM=y
- CONFIG_ARCH_MISC_INIT=y
- CONFIG_SPL_CRYPTO=y
Hi Marek,
Thanks for wrapping the dts bits with a config item.
Is there any other reason to build with CONFIG_IMX_HAB than to use a signed image? I see that there are several ARCH_MX6 and ARCH_MX7 configs that have this enabled (not ARCH_IMX8M so this certainly doesn't break anything) and I'm not sure what the value of that is.
I think those few either enabled in preemptively in anticipation of possibly using HAB, or are wrong. I suspect it should be disabled for those, as it only adds to the board boot time and I am not even sure if those machines would boot correctly.
Francesco, maybe you do have MX7 Colibri ?
I notice that FSL_CAAM is selected when you select IMX_HAB... is there any reason why ARCH_MISC_INIT and SPL_CRYPTO should not be selected by IMX_HAB as well (future patch perhaps)?
ARCH_MISC_INIT should be selected by SoC Kconfig on MX7 and maybe CAAM on MX8M I think . As for SPL_CRYPTO, that should be selected by SPL_FSL_CAAM I think.
- Kconfig:
We definitely need to describe the additional requirements here. Maybe something like:
- Tools:
cst - NXP code-signing-tool (eg apt install imx-code-signing-tool)
- Files: (created with NXP IMX_CST_TOOL)
SRK_1_2_3_4_table.bin (specified by nxp,srk-table node): fuse table CSF1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,csf-crt node): CSF_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem (specified by nxp,img-crt node): IMG_KEY
The following works fine for me on v2024.01 export CST_DIR=/usr/src/nxp/cst-3.3.2/ export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin export PATH=$CST_DIR/linux64/bin:$PATH make && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
But with the above defines and your series this fails: ln -sf $SRK_TABLE SRK_1_2_3_4_table.bin ln -sf $CSF_KEY CSF1_1_sha256_4096_65537_v3_usr_crt.pem ln -sf $IMG_KEY IMG1_1_sha256_4096_65537_v3_usr_crt.pem make BINMAN .binman_stamp Wrote map file './image.map' to show errors binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:288:fopen('IMG1_1_sha256_4096_65537_v3_usr_key. pem','r') 0:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
make: *** [Makefile:1126: .binman_stamp] Error 1
So how is it that the default for nxp,img-crt IMG1_1_sha256_4096_65537_v3_usr_crt.pem is now looking for IMG1_1_sha256_4096_65537_v3_usr_key? It fails also if I cp the files vs ln them.
So what am I missing here?
I think CST is using both the certificate and the key files. Try and run strace on the CST to test that:
$ strace cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0
Hi Marek,
(this is a resend... apologies if its a duplicate. I got some strange bounce that mime types were included so I'm resending with the otuput of strace cliped out)
strace was a good idea and showed me what was going on.
The previous documentation stated to pass your keys via env vars that were full paths to key certificates. Using strace shows me that it will use the directory the KEY certificate is in and try to open up ../keys/*_usr_key.pem if the key path is specified. So apparently the 'File' in the CST config file is used indirectly. Pointing to the usr_key.pem isn't enough either by the way, it seems to need both of these:
so if I hack the path to my certs in like this it works:diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..b432200960df 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -67,10 +67,11 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
def ReadNode(self): super().ReadNode() + self.certpath =3D '/usr/src/nxp/cst-3.3.2/crts/'; self.loader_address =3D fdt_util.GetInt(self._node, 'nxp,loader-ad= dress') self.srk_table =3D fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') - self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') - self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt', self.certpath + '/CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt', self.certpath + '/IMG1_1_sha256_4096_65537_v3_usr_crt.pem') self.unlock =3D fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
$ make -j8 BINMAN .binman_stamp OFCHK .config
Strace indicatest the following with the above patch: openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/crts//IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/keys//IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ^^^ look how it sneakily changes the PATH!
And without the above patch using a key file without a path: openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ENOENT (No such file or directory) ^^^ fails
Simply copying both usr_crt.pem and usr_key.pem to the build directory still fails: binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612: 0:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62: 0:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93: 0:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Do you not run into this and if not is it because you have put full paths in the dtsi overriding the defaults I'm using? Maybe this has something to do with how my keys were generated or the version of cst I'm using or maybe we just need to also add a directory which can be symlinked to or something.
Another thing that I'm seeing is that this leaves a bunch of turd files around: cfg-out.section.nxp-imx8mcst@0.nxp-imx8mimage cfg-out.section.nxp-imx8mimage input.section.nxp-imx8mcst@0 input.section.nxp-imx8mcst@0.nxp-imx8mimage input.section.nxp-imx8mimage nxp.csf-config-txt.section.nxp-imx8mcst@0 nxp.cst-input-data.section.nxp-imx8mcst@0 nxp.imx8mimage.cfg.section.nxp-imx8mcst@0.nxp-imx8mimage nxp.imx8mimage.cfg.section.nxp-imx8mimage
These intermediate files should be cleaned up after signing is complete.
Best Regards,
Tim
On 5/16/24 12:31 AM, Tim Harvey wrote:
Hi,
(this is a resend... apologies if its a duplicate. I got some strange bounce that mime types were included so I'm resending with the otuput of strace cliped out)
strace was a good idea and showed me what was going on.
The previous documentation stated to pass your keys via env vars that were full paths to key certificates. Using strace shows me that it will use the directory the KEY certificate is in and try to open up ../keys/*_usr_key.pem if the key path is specified. So apparently the 'File' in the CST config file is used indirectly. Pointing to the usr_key.pem isn't enough either by the way, it seems to need both of these:
so if I hack the path to my certs in like this it works:diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..b432200960df 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -67,10 +67,11 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
def ReadNode(self): super().ReadNode()
self.certpath =3D '/usr/src/nxp/cst-3.3.2/crts/';
=3D , seems like your email is acting funny today indeed.
self.loader_address =3D fdt_util.GetInt(self._node, 'nxp,loader-ad=dress') self.srk_table =3D fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt','CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt','IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt',self.certpath + '/CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt',self.certpath + '/IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
What about this:
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad482..9ead7488a2d 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage): def ReadNode(self): super().ReadNode() self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') - self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') - self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') - self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.srk_table = os.getenv('SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')) + self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')) + self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')) self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
Then you can also use the old behavior with keys supplied via env vars.
This might in fact be useful for build systems too.
self.unlock =3D fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()$ make -j8 BINMAN .binman_stamp OFCHK .config
Strace indicatest the following with the above patch: openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/crts//IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/keys//IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ^^^ look how it sneakily changes the PATH!
And without the above patch using a key file without a path: openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ENOENT (No such file or directory) ^^^ fails
Simply copying both usr_crt.pem and usr_key.pem to the build directory still fails: binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612: 0:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62: 0:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93: 0:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Do you not run into this and if not is it because you have put full paths in the dtsi overriding the defaults I'm using?
I just do '$ cp -Lv /CST/{keys,crts}/* .' to copy the keys and certs into the build directory for testing.
Maybe this has something to do with how my keys were generated or the version of cst I'm using or maybe we just need to also add a directory which can be symlinked to or something.
I use the imx-code-signing-tool 3.4.0+dfsg-2+b1 from debian .
Another thing that I'm seeing is that this leaves a bunch of turd files around: cfg-out.section.nxp-imx8mcst@0.nxp-imx8mimage cfg-out.section.nxp-imx8mimage input.section.nxp-imx8mcst@0 input.section.nxp-imx8mcst@0.nxp-imx8mimage input.section.nxp-imx8mimage nxp.csf-config-txt.section.nxp-imx8mcst@0 nxp.cst-input-data.section.nxp-imx8mcst@0 nxp.imx8mimage.cfg.section.nxp-imx8mcst@0.nxp-imx8mimage nxp.imx8mimage.cfg.section.nxp-imx8mimage
These intermediate files should be cleaned up after signing is complete.
Those are intermediate build artifacts, sort of like .o files or such, so they should be OK to keep around, right ?
On Wed, May 15, 2024 at 6:53 PM Marek Vasut marex@denx.de wrote:
On 5/16/24 12:31 AM, Tim Harvey wrote:
Hi,
(this is a resend... apologies if its a duplicate. I got some strange bounce that mime types were included so I'm resending with the otuput of strace cliped out)
strace was a good idea and showed me what was going on.
The previous documentation stated to pass your keys via env vars that were full paths to key certificates. Using strace shows me that it will use the directory the KEY certificate is in and try to open up ../keys/*_usr_key.pem if the key path is specified. So apparently the 'File' in the CST config file is used indirectly. Pointing to the usr_key.pem isn't enough either by the way, it seems to need both of these:
so if I hack the path to my certs in like this it works:diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..b432200960df 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -67,10 +67,11 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
def ReadNode(self): super().ReadNode()
self.certpath =3D '/usr/src/nxp/cst-3.3.2/crts/';=3D , seems like your email is acting funny today indeed.
self.loader_address =3D fdt_util.GetInt(self._node, 'nxp,loader-ad=dress') self.srk_table =3D fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt','CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt','IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
self.csf_crt =3D fdt_util.GetString(self._node, 'nxp,csf-crt',self.certpath + '/CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt =3D fdt_util.GetString(self._node, 'nxp,img-crt',self.certpath + '/IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
What about this:
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad482..9ead7488a2d 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage): def ReadNode(self): super().ReadNode() self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
self.srk_table = fdt_util.GetString(self._node,'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt','CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt','IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
self.srk_table = os.getenv('SRK_TABLE',fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin'))
self.csf_crt = os.getenv('CSF_KEY',fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
self.img_crt = os.getenv('IMG_KEY',fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')) self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
Then you can also use the old behavior with keys supplied via env vars.
This might in fact be useful for build systems too.
yes, I like that (with an added 'import os')
self.unlock =3D fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()$ make -j8 BINMAN .binman_stamp OFCHK .config
Strace indicatest the following with the above patch: openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/crts//IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "/usr/src/nxp/cst-3.3.2/keys//IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ^^^ look how it sneakily changes the PATH!
And without the above patch using a key file without a path: openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_crt.pem", O_RDONLY) ... openat(AT_FDCWD, "IMG1_1_sha256_4096_65537_v3_usr_key.pem", O_RDONLY) ENOENT (No such file or directory) ^^^ fails
Simply copying both usr_crt.pem and usr_key.pem to the build directory still fails: binman: Error 1 running 'cst -i ./nxp.csf-config-txt.section.nxp-imx8mcst@0 -o ./nxp.csf-output-blob.section.nxp-imx8mcst@0': Error: Cannot open key file IMG1_1_sha256_4096_65537_v3_usr_key.pem 0:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612: 0:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62: 0:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93: 0:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Do you not run into this and if not is it because you have put full paths in the dtsi overriding the defaults I'm using?
I just do '$ cp -Lv /CST/{keys,crts}/* .' to copy the keys and certs into the build directory for testing.
Maybe this has something to do with how my keys were generated or the version of cst I'm using or maybe we just need to also add a directory which can be symlinked to or something.
I use the imx-code-signing-tool 3.4.0+dfsg-2+b1 from debian .
Another thing that I'm seeing is that this leaves a bunch of turd files around: cfg-out.section.nxp-imx8mcst@0.nxp-imx8mimage cfg-out.section.nxp-imx8mimage input.section.nxp-imx8mcst@0 input.section.nxp-imx8mcst@0.nxp-imx8mimage input.section.nxp-imx8mimage nxp.csf-config-txt.section.nxp-imx8mcst@0 nxp.cst-input-data.section.nxp-imx8mcst@0 nxp.imx8mimage.cfg.section.nxp-imx8mcst@0.nxp-imx8mimage nxp.imx8mimage.cfg.section.nxp-imx8mimage
These intermediate files should be cleaned up after signing is complete.
Those are intermediate build artifacts, sort of like .o files or such, so they should be OK to keep around, right ?
then they should be added to .gitignore and removed with a 'make clean'. Right now they clutter up 'git status'. Maybe they can be put in the build dir which is in .gitignore (but strangely not cleaned).
With these two things and an update to the documentation showing the methods of specifying the keys I think everything else in the series looks good.
Best Regards,
Tim
Hello Marek,
On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section.
Signed-off-by: Marek Vasut marex@denx.de
I was not able to test or really look into your series [1], however I can relate with a comment from Tim Harvey.
I think is important to keep in mind that that signing cannot be done with key material that is in-tree, because well, that's private, and I think we should not force people to branch to properly sign the binaries.
I think that it would be valuable to share how do you foresee this used in a real environment.
Francesco
[1] so feel free to reference me to any already agreed discussion on the topic ...
On 5/6/24 1:52 PM, Francesco Dolcini wrote:
Hello Marek,
On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section.
Signed-off-by: Marek Vasut marex@denx.de
I was not able to test or really look into your series [1], however I can relate with a comment from Tim Harvey.
I think is important to keep in mind that that signing cannot be done with key material that is in-tree, because well, that's private, and I think we should not force people to branch to properly sign the binaries.
I think that it would be valuable to share how do you foresee this used in a real environment.
I am open to discussion, really.
Currently the most basic approach is implemented -- plug in key material either by copying it into build directory, or creating a symlink, or adjusting the DT to specify full path to key material.
I am sure this can be expanded to cover other use cases ?
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Signed-off-by: Claudius Heine ch@denx.de --- doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them: + +- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt` + +The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node, however the other files are required by the +CST tools as well, and will be searched for in relation to them. + Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
On 5/7/24 3:06 PM, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use scripts/get_maintainer to get the full list or just reuse the CC list from patches in this thread.
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too ?
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node
"nodes", plural, there are two, one for SPL and one for fitImage.
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
Hi Marek,
On 2024-05-07 3:28 pm, Marek Vasut wrote:
On 5/7/24 3:06 PM, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use scripts/get_maintainer to get the full list or just reuse the CC list from patches in this thread.
I send the patch with `--to-cmd scripts/get_maintainer.pl`, maybe I should have used `--cc-cmd`, but that would not change the list of recipients.
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too ?
I have not tested it, but I don't see any reason why it would not. I also don't see a reason for mentioning it. I want to keep it simple, if the dev whats to do things differently, they are free to do so.
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node
"nodes", plural, there are two, one for SPL and one for fitImage.
Well, I was thinking here more generally about the node type and was assuming that the person reading this knows how many they have of that type. But I can add a `s` in v2.
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
regards, Claudius
On 5/8/24 9:23 AM, Claudius Heine wrote:
Hi Marek,
Hi,
On 2024-05-07 3:28 pm, Marek Vasut wrote:
On 5/7/24 3:06 PM, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use scripts/get_maintainer to get the full list or just reuse the CC list from patches in this thread.
I send the patch with `--to-cmd scripts/get_maintainer.pl`, maybe I should have used `--cc-cmd`, but that would not change the list of recipients.
Should now be fixed in [PATCH] ARM: imx: Add doc/imx/ to i.MX MAINTAINERS entry
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too ?
I have not tested it, but I don't see any reason why it would not. I also don't see a reason for mentioning it. I want to keep it simple, if the dev whats to do things differently, they are free to do so.
" Per default the HAB keys and certificates need to be located in the build directory, this means {+creating a symbolic link or +}copying the following... "
Please test it and add it in V2 if it works, I think symlink is better than bluntly copying files around, esp. for crypto material.
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node
"nodes", plural, there are two, one for SPL and one for fitImage.
Well, I was thinking here more generally about the node type and was assuming that the person reading this knows how many they have of that type. But I can add a `s` in v2.
Use "node(s)" which covers both options.
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
On Sun, May 12, 2024 at 10:08 PM Marek Vasut marex@denx.de wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
Hi Marek,
Hi,
On 2024-05-07 3:28 pm, Marek Vasut wrote:
On 5/7/24 3:06 PM, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use scripts/get_maintainer to get the full list or just reuse the CC list from patches in this thread.
I send the patch with `--to-cmd scripts/get_maintainer.pl`, maybe I should have used `--cc-cmd`, but that would not change the list of recipients.
Should now be fixed in [PATCH] ARM: imx: Add doc/imx/ to i.MX MAINTAINERS entry
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too ?
I have not tested it, but I don't see any reason why it would not. I also don't see a reason for mentioning it. I want to keep it simple, if the dev whats to do things differently, they are free to do so.
" Per default the HAB keys and certificates need to be located in the build directory, this means {+creating a symbolic link or +}copying the following... "
Please test it and add it in V2 if it works, I think symlink is better than bluntly copying files around, esp. for crypto material.
Hi Marek and Claudius,
Yes, this documentation is needed as well but I'm still unclear why the old method before this series did not require the usr_key.pem files, why I don't have the *usr_key.pem files in my crts dir created (long ago) with cst-3.3.1 and cst-3.3.2, and what I need to do to generate them now that they are apparently needed.
Best Regards,
Tim
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node
"nodes", plural, there are two, one for SPL and one for fitImage.
Well, I was thinking here more generally about the node type and was assuming that the person reading this knows how many they have of that type. But I can add a `s` in v2.
Use "node(s)" which covers both options.
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
On Tue, May 14, 2024 at 11:50 AM Tim Harvey tharvey@gateworks.com wrote:
On Sun, May 12, 2024 at 10:08 PM Marek Vasut marex@denx.de wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
Hi Marek,
Hi,
On 2024-05-07 3:28 pm, Marek Vasut wrote:
On 5/7/24 3:06 PM, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Make sure to CC "NXP i.MX U-Boot Team" , else NXP is not informed. Use scripts/get_maintainer to get the full list or just reuse the CC list from patches in this thread.
I send the patch with `--to-cmd scripts/get_maintainer.pl`, maybe I should have used `--cc-cmd`, but that would not change the list of recipients.
Should now be fixed in [PATCH] ARM: imx: Add doc/imx/ to i.MX MAINTAINERS entry
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..42214df21a 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,22 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means copying the following files from the HAB keys directory +flat (e.g. removing the `keys` and `cert` subdirectory) into the u-boot build +directory for the CST Code Signing Tool to locate them:
Do symlink(s) work too ?
I have not tested it, but I don't see any reason why it would not. I also don't see a reason for mentioning it. I want to keep it simple, if the dev whats to do things differently, they are free to do so.
" Per default the HAB keys and certificates need to be located in the build directory, this means {+creating a symbolic link or +}copying the following... "
Please test it and add it in V2 if it works, I think symlink is better than bluntly copying files around, esp. for crypto material.
Hi Marek and Claudius,
Yes, this documentation is needed as well but I'm still unclear why the old method before this series did not require the usr_key.pem files, why I don't have the *usr_key.pem files in my crts dir created (long ago) with cst-3.3.1 and cst-3.3.2, and what I need to do to generate them now that they are apparently needed.
Best Regards,
Tim
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node
"nodes", plural, there are two, one for SPL and one for fitImage.
Well, I was thinking here more generally about the node type and was assuming that the person reading this knows how many they have of that type. But I can add a `s` in v2.
Use "node(s)" which covers both options.
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
Hi Marek,
The documentation patch here by Claudius does resolve my issues discussed in the other thread and I can confirm symlinks work fine so I think something like the following should be added:
CST_DIR=/usr/src/cst-3.3.2/ ln -s $CST_DIR/crts . ln -s $CST_DIR/keys .
then with the following change to nxp_imx8mcst.py you can build a signed image without code modification: diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..7d8abc78fc89 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage): def ReadNode(self): super().ReadNode() self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') - self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') - self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') - self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'crts/SRK_1_2_3_4_table.bin') + self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem') self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
If copying or symlinking the keys/certs directory is not desired are env vars exposed to binman's python classes? If so you can just require CST_DIR to be specified and use that for the paths?
Best Regards,
Tim
Hi Tim and Marek,
On 2024-05-16 12:46 am, Tim Harvey wrote:
On Tue, May 14, 2024 at 11:50 AM Tim Harvey tharvey@gateworks.com wrote:
On Sun, May 12, 2024 at 10:08 PM Marek Vasut marex@denx.de wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
On 2024-05-07 3:28 pm, Marek Vasut wrote:
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
Hi Marek,
The documentation patch here by Claudius does resolve my issues discussed in the other thread and I can confirm symlinks work fine so I think something like the following should be added:
CST_DIR=/usr/src/cst-3.3.2/ ln -s $CST_DIR/crts . ln -s $CST_DIR/keys .
`keys` and `crts` are very short and generic names, and putting them into the build directory might cause issues at some point. But I would not be against putting them into a sub directory (`imx-hab/{keys,crts}`?).
then with the following change to nxp_imx8mcst.py you can build a signed image without code modification: diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index 132127ad4827..7d8abc78fc89 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage): def ReadNode(self): super().ReadNode() self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
self.srk_table = fdt_util.GetString(self._node,'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt','CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt','IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
self.srk_table = fdt_util.GetString(self._node,'nxp,srk-table', 'crts/SRK_1_2_3_4_table.bin')
self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt','crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt','crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem') self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries()
If copying or symlinking the keys/certs directory is not desired are env vars exposed to binman's python classes? If so you can just require CST_DIR to be specified and use that for the paths?
I personally would prefer using (one) environment variable(s) to specify the path to all keys, that way whatever `cst` needs, it will find it there, and explicit symlinking/copying can be avoided.
I would probably rather call it `HAB_DIR`/`HAB_BASE_DIR` or something, because it doesn't need to be pointing to the whole `cst` stuff just a directory for the keys and certs for the HAB. `CST_DIR` might leave the impression that the `cst` from that directory is used.
And you can still allow environment variables like (`SRK_TABLE`, `CSF_KEY` and `IMG_KEY`) to overwrite the name of each, relative to the `HAB_DIR/{keys,certs}` if a `HAB_DIR` is set.
This would be somewhat backwards compatible and allows simpler usage by setting just one variable (`HAB_DIR`) and leaving the rest to the dtb.
kind regards, Claudius
On 16/05/2024 10.25, Claudius Heine wrote:
Hi Tim and Marek,
On 2024-05-16 12:46 am, Tim Harvey wrote:
On Tue, May 14, 2024 at 11:50 AM Tim Harvey tharvey@gateworks.com wrote:
On Sun, May 12, 2024 at 10:08 PM Marek Vasut marex@denx.de wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
On 2024-05-07 3:28 pm, Marek Vasut wrote:
It would be good to mention the DT properties which govern the crypto material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
Hi Marek,
The documentation patch here by Claudius does resolve my issues discussed in the other thread and I can confirm symlinks work fine so I think something like the following should be added:
CST_DIR=/usr/src/cst-3.3.2/ ln -s $CST_DIR/crts . ln -s $CST_DIR/keys .
`keys` and `crts` are very short and generic names, and putting them into the build directory might cause issues at some point. But I would not be against putting them into a sub directory (`imx-hab/{keys,crts}`?).
It is probably useful to be aware of the quality of the cst code. For reference, I quote get_key_file()
int32_t get_key_file(const char* cert_file, char* key_file) { /* Algorithm to locate key file from given cert file */ /* for now just assume the key to present in the */ /* same folder as cert file. The crt in the name will */ /* will be replaced with key */ char * folder; int32_t i = strlen(cert_file); /**< Index into key filename, initialized to filename length */
strcpy(key_file, cert_file); key_file[i] = 0;
key_file[i-5] = 'y'; key_file[i-6] = 'e'; key_file[i-7] = 'k';
/* Search for folder name "certs" in the file and replace it with "keys" */ /* Keys are found in "keys" folder and certs are in "certs" folder */
folder = strstr(key_file, "crts"); if(folder) { folder[0] = 'k'; folder[1] = 'e'; folder[2] = 'y'; folder[3] = 's'; } return CAL_SUCCESS; }
Ignoring the inconsistencies in the comments, obviously there are a lot of implicit assumptions on file names and paths. First, the assumption that the filename of they key corresponding to the certificate can be obtained by replacing [-7:-5] by "key". Second, and much more egregious, is the use of strstr() on key_file searching for "crts", and just blindly replacing the first such with "keys", and ignoring it if not found. So if that string appears anywhere in the path (say, my homedir is /home/dcrts/ and I have the key material somewhere below that) this will replace the wrong occurrence (and look in /home/dkeys/ ....).
And of course it was unthinkable that this could have been written using the much shorter memcpy(..., "keys", 4) so that one could actually `git grep 'keys'` and figure out what was going on.
Rasmus
Hi Rasmus,
On 2024-05-16 11:50 am, Rasmus Villemoes wrote:
On 16/05/2024 10.25, Claudius Heine wrote:
Hi Tim and Marek,
On 2024-05-16 12:46 am, Tim Harvey wrote:
On Tue, May 14, 2024 at 11:50 AM Tim Harvey tharvey@gateworks.com wrote:
On Sun, May 12, 2024 at 10:08 PM Marek Vasut marex@denx.de wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
On 2024-05-07 3:28 pm, Marek Vasut wrote: > It would be good to mention the DT properties which govern the crypto > material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- > somewhere > around this sentence.
This is something that should be documented with the changes where that code was added, IMO. I only documented here what I found out and have used myself, I haven't used those.
I would be interested in reading how to best overwrite those paths and the image structured from board u-boot.dtsi files myself.
If you want to can pickup my patch and integrate it into your series and extend it.
I'll keep it in mind for V3.
Hi Marek,
The documentation patch here by Claudius does resolve my issues discussed in the other thread and I can confirm symlinks work fine so I think something like the following should be added:
CST_DIR=/usr/src/cst-3.3.2/ ln -s $CST_DIR/crts . ln -s $CST_DIR/keys .
`keys` and `crts` are very short and generic names, and putting them into the build directory might cause issues at some point. But I would not be against putting them into a sub directory (`imx-hab/{keys,crts}`?).
It is probably useful to be aware of the quality of the cst code. For reference, I quote get_key_file()
int32_t get_key_file(const char* cert_file, char* key_file) { /* Algorithm to locate key file from given cert file */ /* for now just assume the key to present in the */ /* same folder as cert file. The crt in the name will */ /* will be replaced with key */ char * folder; int32_t i = strlen(cert_file); /**< Index into key filename, initialized to filename length */
strcpy(key_file, cert_file); key_file[i] = 0; key_file[i-5] = 'y'; key_file[i-6] = 'e'; key_file[i-7] = 'k'; /* Search for folder name "certs" in the file and replace it with"keys" */ /* Keys are found in "keys" folder and certs are in "certs" folder */
folder = strstr(key_file, "crts"); if(folder) { folder[0] = 'k'; folder[1] = 'e'; folder[2] = 'y'; folder[3] = 's'; } return CAL_SUCCESS;}
Ignoring the inconsistencies in the comments, obviously there are a lot of implicit assumptions on file names and paths. First, the assumption that the filename of they key corresponding to the certificate can be obtained by replacing [-7:-5] by "key". Second, and much more egregious, is the use of strstr() on key_file searching for "crts", and just blindly replacing the first such with "keys", and ignoring it if not found. So if that string appears anywhere in the path (say, my homedir is /home/dcrts/ and I have the key material somewhere below that) this will replace the wrong occurrence (and look in /home/dkeys/ ....).
And of course it was unthinkable that this could have been written using the much shorter memcpy(..., "keys", 4) so that one could actually `git grep 'keys'` and figure out what was going on.
Exactly. I had the pleasure to read cst code a bit as well to figure out some issue. This is also a reason I suggested to just set the base path to the CST/HAB files instead of setting the individual paths to the keys/certs in the hope that this is a more robust way for cst to find its implicitly required files.
regards, Claudius
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Signed-off-by: Claudius Heine ch@denx.de --- Hi,
this patch documents some changes of the '20240503010518.263458-1-marex@denx.de' patchset. So am posting it as a reply to my earlier patch in that thread.
Changed from v1: - added 'symbolic link' option for making keys/certs available in build - `node` -> `node(s)`
--- doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..75089fba4d 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them: + +- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt` + +The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them. + Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
On 5/16/24 10:36, Claudius Heine wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Signed-off-by: Claudius Heine ch@denx.de
Hi,
this patch documents some changes of the '20240503010518.263458-1-marex@denx.de' patchset. So am posting it as a reply to my earlier patch in that thread.
When referring to patches, please, use the complete title and and url (e.g. from lore.kernel.org or Patchwork):
[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing https://lore.kernel.org/u-boot/20240503010518.263458-1-marex@denx.de/
Currently in Patchwork this patch is assigned to my review queue. I guess it should be reviewed and pulled by Fabio.
Best regards
Heinrich
Changed from v1:
- added 'symbolic link' option for making keys/certs available in build
- `node` -> `node(s)`
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..75089fba4d 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them:
+- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt`
+The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them.
Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
On Thu, May 16, 2024 at 5:36 AM Claudius Heine ch@denx.de wrote:
For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory.
Signed-off-by: Claudius Heine ch@denx.de
Applied, thanks.
participants (7)
-
Claudius Heine -
Fabio Estevam -
Francesco Dolcini -
Heinrich Schuchardt -
Marek Vasut -
Rasmus Villemoes -
Tim Harvey