Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On Thu, May 16, 2024 at 6:31 PM Marek Vasut wrote:
>
> On 5/16/24 11:40 PM, Tim Harvey wrote:
>
> [...]
>
> >> -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> >> -and can be used as follows to modify flash.bin to be signed
> >> -(adjust paths as needed):
> >> -```
> >> -export CST_DIR=/usr/src/cst-3.3.1/
> >> -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> >> -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> >> -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> >> -export PATH=$CST_DIR/linux64/bin:$PATH
> >
> > Hi Marek,
> >
> > I thought you were going to leave the above env setting examples in
> > the documentation.
> >
> > I suggest showing how to specify using env (by just leaving the above
> > in) as well as by copying them directly to the build directory if
> > wanted.. otherwise the documentation is lacking.
>
> If the tool can do env vars now, I would like to avoid copying key
> material around. So what about this:
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1eb1fb0aa61..257ffb45656 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and
> fitImage sections into nxp-imx8mcst
> etype, which is done automatically in
> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
> in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>
> +Build of flash.bin target then produces a signed flash.bin automatically.
> +
> The nxp-imx8mcst etype is configurable using either DT properties or
> environment
> variables. The following DT properties and environment variables are
> supported.
> Note that environment variables override DT properties.
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties.
> | nxp,img-crt| IMG_KEY | full path to the IMG Key
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>
> ++---+--+
>
> -Build of flash.bin target then produces a signed flash.bin automatically.
> +Environment variables can be set as follows to point the build process
> +to external key material:
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +make flash.bin
> +```
>
> 1.4 Closing the device
> ---
>
Hi Marek,
Yes, with that change you can add for the series:
Reviewed-by: Tim Harvey
Best Regards,
Tim
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
Hello Marek,
On Fri, May 17, 2024 at 03:25:38AM +0200, Marek Vasut wrote:
> On 5/16/24 11:40 PM, Tim Harvey wrote:
>
> [...]
>
> > > -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> > > -and can be used as follows to modify flash.bin to be signed
> > > -(adjust paths as needed):
> > > -```
> > > -export CST_DIR=/usr/src/cst-3.3.1/
> > > -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> > > -export PATH=$CST_DIR/linux64/bin:$PATH
> >
> > Hi Marek,
> >
> > I thought you were going to leave the above env setting examples in
> > the documentation.
> >
> > I suggest showing how to specify using env (by just leaving the above
> > in) as well as by copying them directly to the build directory if
> > wanted.. otherwise the documentation is lacking.
>
> If the tool can do env vars now, I would like to avoid copying key material
> around. So what about this:
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1eb1fb0aa61..257ffb45656 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage
> sections into nxp-imx8mcst
> etype, which is done automatically in
> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
> in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>
> +Build of flash.bin target then produces a signed flash.bin automatically.
> +
> The nxp-imx8mcst etype is configurable using either DT properties or
> environment
> variables. The following DT properties and environment variables are
> supported.
> Note that environment variables override DT properties.
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties.
> | nxp,img-crt| IMG_KEY | full path to the IMG Key
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>
> ++---+--+
>
> -Build of flash.bin target then produces a signed flash.bin automatically.
> +Environment variables can be set as follows to point the build process
> +to external key material:
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +make flash.bin
> +```
FWIW, this addresses the concern I raised on the previous version, works
for me. Thanks Marek (and Tim).
Francesco
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On 5/16/24 11:40 PM, Tim Harvey wrote:
[...]
-The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
-and can be used as follows to modify flash.bin to be signed
-(adjust paths as needed):
-```
-export CST_DIR=/usr/src/cst-3.3.1/
-export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
-export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
-export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
-export PATH=$CST_DIR/linux64/bin:$PATH
Hi Marek,
I thought you were going to leave the above env setting examples in
the documentation.
I suggest showing how to specify using env (by just leaving the above
in) as well as by copying them directly to the build directory if
wanted.. otherwise the documentation is lacking.
If the tool can do env vars now, I would like to avoid copying key
material around. So what about this:
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index 1eb1fb0aa61..257ffb45656 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and
fitImage sections into nxp-imx8mcst
etype, which is done automatically in
arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
in case CONFIG_IMX_HAB Kconfig symbol is enabled.
+Build of flash.bin target then produces a signed flash.bin automatically.
+
The nxp-imx8mcst etype is configurable using either DT properties or
environment
variables. The following DT properties and environment variables are
supported.
Note that environment variables override DT properties.
@@ -160,7 +162,15 @@ Note that environment variables override DT properties.
| nxp,img-crt| IMG_KEY | full path to the IMG Key
IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
++---+--+
-Build of flash.bin target then produces a signed flash.bin automatically.
+Environment variables can be set as follows to point the build process
+to external key material:
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+make flash.bin
+```
1.4 Closing the device
---
Re: [PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
On Thu, May 16, 2024 at 2:31 PM Marek Vasut wrote:
>
> Update documentation and use nxp_imx8mcst binman etype for signing
> of flash.bin instead of previous horrible shell scripting.
>
> Signed-off-by: Marek Vasut
> ---
> Cc: "NXP i.MX U-Boot Team"
> Cc: Adam Ford
> Cc: Alper Nebi Yasak
> Cc: Andrejs Cainikovs
> Cc: Angus Ainslie
> Cc: Emanuele Ghidoli
> Cc: Fabio Estevam
> Cc: Francesco Dolcini
> Cc: Marcel Ziswiler
> Cc: Rasmus Villemoes
> Cc: Simon Glass
> Cc: Stefan Eichenberger
> Cc: Stefano Babic
> Cc: Tim Harvey
> Cc: Tom Rini
> Cc: ker...@puri.sm
> Cc: u-b...@dh-electronics.com
> Cc: u-boot@lists.denx.de
> ---
> V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled
> V3: Document configuration of imx8mcst
> ---
> doc/imx/habv4/csf_examples/mx8m/csf.sh| 92 --
> doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 -
> doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 -
> doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 116 +-
> 4 files changed, 30 insertions(+), 241 deletions(-)
> delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh
> delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
>
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh
> b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> deleted file mode 100644
> index cd3b2614a2f..000
> --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -#!/bin/sh
> -
> -# 0) Generate keys
> -#
> -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M
> Plus)
> -#
> -# cd /path/to/cst-3.3.1/keys/
> -#./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10
> -num-srk 4 -srk-ca y
> -# cd /path/to/cst-3.3.1/crts/
> -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e
> SRK_1_2_3_4_fuse.bin -d sha256 -c
> ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem
> -f 1
> -
> -# 1) Build U-Boot (e.g. for i.MX8MM)
> -#
> -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin .
> -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* .
> -# make -j imx8mm_board_defconfig
> -# make -j`nproc` flash.bin
> -
> -# 2) Sign SPL and DRAM blobs
> -
> -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
> -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
> -
> -# update File Paths from env vars
> -if ! [ -r $CSF_KEY ]; then
> - echo "Error: \$CSF_KEY not found"
> - exit 1
> -fi
> -if ! [ -r $IMG_KEY ]; then
> - echo "Error: \$IMG_KEY not found"
> - exit 1
> -fi
> -if ! [ -r $SRK_TABLE ]; then
> - echo "Error: \$SRK_TABLE not found"
> - exit 1
> -fi
> -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
> -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
> -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
> -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
> -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
> -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
> -
> -# update SPL Blocks
> -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/
> s@.*=@@p" .config) - 0x40)) )
> -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
> -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size
> \"flash.bin\"@" csf_spl.tmp
> -
> -# Generate CSF blob
> -cst -i csf_spl.tmp -o csf_spl.bin
> -
> -# Patch CSF blob into flash.bin
> -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed
> "s@^@0x@")
> -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed
> "s@^@0x@")
> -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
> -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
> -
> -# 3) Sign u-boot.itb
> -
> -# fitImage
> -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/
> s@.*=@@p" .config) )
> -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb
> /binman/imx-boot/uboot offset))
> -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 -
> 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) )
> -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset
> $fit_block_size \"flash.bin\"@" csf_fit.tmp
> -
> -# IVT
> -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed
> "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
> -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} -
> 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
> -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} ))
> | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
> -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
> -csf_block_offset=$((${ivt_block_offset} + 0x20))
> -
> -echo "0xd1002041 ${ivt_block_base} 0x 0x 0x
> ${ivt_block_base} ${csf_block_base} 0x" | xxd -r -p > ivt.bin
> -dd if=ivt.bin
[PATCH v3 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
Update documentation and use nxp_imx8mcst binman etype for signing
of flash.bin instead of previous horrible shell scripting.
Signed-off-by: Marek Vasut
---
Cc: "NXP i.MX U-Boot Team"
Cc: Adam Ford
Cc: Alper Nebi Yasak
Cc: Andrejs Cainikovs
Cc: Angus Ainslie
Cc: Emanuele Ghidoli
Cc: Fabio Estevam
Cc: Francesco Dolcini
Cc: Marcel Ziswiler
Cc: Rasmus Villemoes
Cc: Simon Glass
Cc: Stefan Eichenberger
Cc: Stefano Babic
Cc: Tim Harvey
Cc: Tom Rini
Cc: ker...@puri.sm
Cc: u-b...@dh-electronics.com
Cc: u-boot@lists.denx.de
---
V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled
V3: Document configuration of imx8mcst
---
doc/imx/habv4/csf_examples/mx8m/csf.sh| 92 --
doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 -
doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 -
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 116 +-
4 files changed, 30 insertions(+), 241 deletions(-)
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh
b/doc/imx/habv4/csf_examples/mx8m/csf.sh
deleted file mode 100644
index cd3b2614a2f..000
--- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/sh
-
-# 0) Generate keys
-#
-# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M
Plus)
-#
-# cd /path/to/cst-3.3.1/keys/
-#./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10
-num-srk 4 -srk-ca y
-# cd /path/to/cst-3.3.1/crts/
-# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e
SRK_1_2_3_4_fuse.bin -d sha256 -c
./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem
-f 1
-
-# 1) Build U-Boot (e.g. for i.MX8MM)
-#
-# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin .
-# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* .
-# make -j imx8mm_board_defconfig
-# make -j`nproc` flash.bin
-
-# 2) Sign SPL and DRAM blobs
-
-cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
-cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
-
-# update File Paths from env vars
-if ! [ -r $CSF_KEY ]; then
- echo "Error: \$CSF_KEY not found"
- exit 1
-fi
-if ! [ -r $IMG_KEY ]; then
- echo "Error: \$IMG_KEY not found"
- exit 1
-fi
-if ! [ -r $SRK_TABLE ]; then
- echo "Error: \$SRK_TABLE not found"
- exit 1
-fi
-sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
-sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
-sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
-sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
-sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
-sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
-
-# update SPL Blocks
-spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p"
.config) - 0x40)) )
-spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
-sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size
\"flash.bin\"@" csf_spl.tmp
-
-# Generate CSF blob
-cst -i csf_spl.tmp -o csf_spl.bin
-
-# Patch CSF blob into flash.bin
-spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
-dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
-
-# 3) Sign u-boot.itb
-
-# fitImage
-fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/
s@.*=@@p" .config) )
-fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb
/binman/imx-boot/uboot offset))
-fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 -
0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) )
-sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset
$fit_block_size \"flash.bin\"@" csf_fit.tmp
-
-# IVT
-ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed
"s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} -
0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) |
sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
-csf_block_offset=$((${ivt_block_offset} + 0x20))
-
-echo "0xd1002041 ${ivt_block_base} 0x 0x 0x
${ivt_block_base} ${csf_block_base} 0x" | xxd -r -p > ivt.bin
-dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc
-
-# Generate CSF blob
-cst -i csf_fit.tmp -o csf_fit.bin
-
-# When loading flash.bin via USB, we must ensure that the file being
-# served is as large as the target expects (see
-# board_spl_fit_size_align()), otherwise the target will hang in
-#
