Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On Thu, May 16, 2024 at 6:31 PM Marek Vasut wrote: > > On 5/16/24 11:40 PM, Tim Harvey wrote: > > [...] > > >> -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh > >> -and can be used as follows to modify flash.bin to be signed > >> -(adjust paths as needed): > >> -``` > >> -export CST_DIR=/usr/src/cst-3.3.1/ > >> -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > >> -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > >> -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > >> -export PATH=$CST_DIR/linux64/bin:$PATH > > > > Hi Marek, > > > > I thought you were going to leave the above env setting examples in > > the documentation. > > > > I suggest showing how to specify using env (by just leaving the above > > in) as well as by copying them directly to the build directory if > > wanted.. otherwise the documentation is lacking. > > If the tool can do env vars now, I would like to avoid copying key > material around. So what about this: > > diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index 1eb1fb0aa61..257ffb45656 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and > fitImage sections into nxp-imx8mcst > etype, which is done automatically in > arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi > in case CONFIG_IMX_HAB Kconfig symbol is enabled. > > +Build of flash.bin target then produces a signed flash.bin automatically. > + > The nxp-imx8mcst etype is configurable using either DT properties or > environment > variables. The following DT properties and environment variables are > supported. > Note that environment variables override DT properties. > @@ -160,7 +162,15 @@ Note that environment variables override DT properties. > | nxp,img-crt| IMG_KEY | full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem | > > ++---+--+ > > -Build of flash.bin target then produces a signed flash.bin automatically. > +Environment variables can be set as follows to point the build process > +to external key material: > +``` > +export CST_DIR=/usr/src/cst-3.3.1/ > +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > +make flash.bin > +``` > > 1.4 Closing the device > --- > Hi Marek, Yes, with that change you can add for the series: Reviewed-by: Tim Harvey Best Regards, Tim
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
Hello Marek, On Fri, May 17, 2024 at 03:25:38AM +0200, Marek Vasut wrote: > On 5/16/24 11:40 PM, Tim Harvey wrote: > > [...] > > > > -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh > > > -and can be used as follows to modify flash.bin to be signed > > > -(adjust paths as needed): > > > -``` > > > -export CST_DIR=/usr/src/cst-3.3.1/ > > > -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > > > -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > > > -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > > > -export PATH=$CST_DIR/linux64/bin:$PATH > > > > Hi Marek, > > > > I thought you were going to leave the above env setting examples in > > the documentation. > > > > I suggest showing how to specify using env (by just leaving the above > > in) as well as by copying them directly to the build directory if > > wanted.. otherwise the documentation is lacking. > > If the tool can do env vars now, I would like to avoid copying key material > around. So what about this: > > diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index 1eb1fb0aa61..257ffb45656 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage > sections into nxp-imx8mcst > etype, which is done automatically in > arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi > in case CONFIG_IMX_HAB Kconfig symbol is enabled. > > +Build of flash.bin target then produces a signed flash.bin automatically. > + > The nxp-imx8mcst etype is configurable using either DT properties or > environment > variables. The following DT properties and environment variables are > supported. > Note that environment variables override DT properties. > @@ -160,7 +162,15 @@ Note that environment variables override DT properties. > | nxp,img-crt| IMG_KEY | full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem | > > ++---+--+ > > -Build of flash.bin target then produces a signed flash.bin automatically. > +Environment variables can be set as follows to point the build process > +to external key material: > +``` > +export CST_DIR=/usr/src/cst-3.3.1/ > +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > +make flash.bin > +``` FWIW, this addresses the concern I raised on the previous version, works for me. Thanks Marek (and Tim). Francesco
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On 5/16/24 11:40 PM, Tim Harvey wrote: [...] -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): -``` -export CST_DIR=/usr/src/cst-3.3.1/ -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH Hi Marek, I thought you were going to leave the above env setting examples in the documentation. I suggest showing how to specify using env (by just leaving the above in) as well as by copying them directly to the build directory if wanted.. otherwise the documentation is lacking. If the tool can do env vars now, I would like to avoid copying key material around. So what about this: diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index 1eb1fb0aa61..257ffb45656 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Build of flash.bin target then produces a signed flash.bin automatically. + The nxp-imx8mcst etype is configurable using either DT properties or environment variables. The following DT properties and environment variables are supported. Note that environment variables override DT properties. @@ -160,7 +162,15 @@ Note that environment variables override DT properties. | nxp,img-crt| IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem | ++---+--+ -Build of flash.bin target then produces a signed flash.bin automatically. +Environment variables can be set as follows to point the build process +to external key material: +``` +export CST_DIR=/usr/src/cst-3.3.1/ +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin +make flash.bin +``` 1.4 Closing the device ---
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On Thu, May 16, 2024 at 2:31 PM Marek Vasut wrote: > > Update documentation and use nxp_imx8mcst binman etype for signing > of flash.bin instead of previous horrible shell scripting. > > Signed-off-by: Marek Vasut > --- > Cc: "NXP i.MX U-Boot Team" > Cc: Adam Ford > Cc: Alper Nebi Yasak > Cc: Andrejs Cainikovs > Cc: Angus Ainslie > Cc: Emanuele Ghidoli > Cc: Fabio Estevam > Cc: Francesco Dolcini > Cc: Marcel Ziswiler > Cc: Rasmus Villemoes > Cc: Simon Glass > Cc: Stefan Eichenberger > Cc: Stefano Babic > Cc: Tim Harvey > Cc: Tom Rini > Cc: ker...@puri.sm > Cc: u-b...@dh-electronics.com > Cc: u-boot@lists.denx.de > --- > V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled > V3: Document configuration of imx8mcst > --- > doc/imx/habv4/csf_examples/mx8m/csf.sh| 92 -- > doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 - > doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 - > doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 116 +- > 4 files changed, 30 insertions(+), 241 deletions(-) > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt > > diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh > b/doc/imx/habv4/csf_examples/mx8m/csf.sh > deleted file mode 100644 > index cd3b2614a2f..000 > --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh > +++ /dev/null > @@ -1,92 +0,0 @@ > -#!/bin/sh > - > -# 0) Generate keys > -# > -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M > Plus) > -# > -# cd /path/to/cst-3.3.1/keys/ > -#./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 > -num-srk 4 -srk-ca y > -# cd /path/to/cst-3.3.1/crts/ > -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e > SRK_1_2_3_4_fuse.bin -d sha256 -c > ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem > -f 1 > - > -# 1) Build U-Boot (e.g. for i.MX8MM) > -# > -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin . > -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* . > -# make -j imx8mm_board_defconfig > -# make -j`nproc` flash.bin > - > -# 2) Sign SPL and DRAM blobs > - > -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp > -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp > - > -# update File Paths from env vars > -if ! [ -r $CSF_KEY ]; then > - echo "Error: \$CSF_KEY not found" > - exit 1 > -fi > -if ! [ -r $IMG_KEY ]; then > - echo "Error: \$IMG_KEY not found" > - exit 1 > -fi > -if ! [ -r $SRK_TABLE ]; then > - echo "Error: \$SRK_TABLE not found" > - exit 1 > -fi > -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp > -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp > -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp > -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp > -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp > -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp > - > -# update SPL Blocks > -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ > s@.*=@@p" .config) - 0x40)) ) > -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) > -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size > \"flash.bin\"@" csf_spl.tmp > - > -# Generate CSF blob > -cst -i csf_spl.tmp -o csf_spl.bin > - > -# Patch CSF blob into flash.bin > -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed > "s@^@0x@") > -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed > "s@^@0x@") > -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) > -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc > - > -# 3) Sign u-boot.itb > - > -# fitImage > -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ > s@.*=@@p" .config) ) > -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb > /binman/imx-boot/uboot offset)) > -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - > 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) > -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset > $fit_block_size \"flash.bin\"@" csf_fit.tmp > - > -# IVT > -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed > "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") > -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - > 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") > -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) > | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") > -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) > -csf_block_offset=$((${ivt_block_offset} + 0x20)) > - > -echo "0xd1002041 ${ivt_block_base} 0x 0x 0x > ${ivt_block_base} ${csf_block_base} 0x" | xxd -r -p > ivt.bin > -dd if=ivt.bin
[PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
Update documentation and use nxp_imx8mcst binman etype for signing of flash.bin instead of previous horrible shell scripting. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: ker...@puri.sm Cc: u-b...@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled V3: Document configuration of imx8mcst --- doc/imx/habv4/csf_examples/mx8m/csf.sh| 92 -- doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 - doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 - doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 116 +- 4 files changed, 30 insertions(+), 241 deletions(-) delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh deleted file mode 100644 index cd3b2614a2f..000 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/sh - -# 0) Generate keys -# -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus) -# -# cd /path/to/cst-3.3.1/keys/ -#./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y -# cd /path/to/cst-3.3.1/crts/ -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1 - -# 1) Build U-Boot (e.g. for i.MX8MM) -# -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin . -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* . -# make -j imx8mm_board_defconfig -# make -j`nproc` flash.bin - -# 2) Sign SPL and DRAM blobs - -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp - -# update File Paths from env vars -if ! [ -r $CSF_KEY ]; then - echo "Error: \$CSF_KEY not found" - exit 1 -fi -if ! [ -r $IMG_KEY ]; then - echo "Error: \$IMG_KEY not found" - exit 1 -fi -if ! [ -r $SRK_TABLE ]; then - echo "Error: \$SRK_TABLE not found" - exit 1 -fi -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp - -# update SPL Blocks -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp - -# Generate CSF blob -cst -i csf_spl.tmp -o csf_spl.bin - -# Patch CSF blob into flash.bin -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc - -# 3) Sign u-boot.itb - -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp - -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x 0x 0x ${ivt_block_base} ${csf_block_base} 0x" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc - -# Generate CSF blob -cst -i csf_fit.tmp -o csf_fit.bin - -# When loading flash.bin via USB, we must ensure that the file being -# served is as large as the target expects (see -# board_spl_fit_size_align()), otherwise the target will hang in -#