Hello Marek, On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote: > Add new binman etype which allows signing both the SPL and fitImage sections > of i.MX8M flash.bin using CST. There are multiple DT properties which govern > the signing process, nxp,loader-address is the only mandatory one which sets > the SPL signature start address without the imx8mimage header, this should be > SPL text base. The key material can be configured using optional DT properties > nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material > names generated by CST tool scripts. The nxp,unlock property can be used to > unlock CAAM access in SPL section. > > Signed-off-by: Marek Vasut <ma...@denx.de>
I was not able to test or really look into your series [1], however I can relate with a comment from Tim Harvey. I think is important to keep in mind that that signing cannot be done with key material that is in-tree, because well, that's private, and I think we should not force people to branch to properly sign the binaries. I think that it would be valuable to share how do you foresee this used in a real environment. Francesco [1] so feel free to reference me to any already agreed discussion on the topic ...
