On 5/6/24 1:52 PM, Francesco Dolcini wrote:
Hello Marek,

On Fri, May 03, 2024 at 03:05:09AM +0200, Marek Vasut wrote:
Add new binman etype which allows signing both the SPL and fitImage sections
of i.MX8M flash.bin using CST. There are multiple DT properties which govern
the signing process, nxp,loader-address is the only mandatory one which sets
the SPL signature start address without the imx8mimage header, this should be
SPL text base. The key material can be configured using optional DT properties
nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default to the key material
names generated by CST tool scripts. The nxp,unlock property can be used to
unlock CAAM access in SPL section.

Signed-off-by: Marek Vasut <ma...@denx.de>

I was not able to test or really look into your series [1], however I can
relate with a comment from Tim Harvey.

I think it is important to keep in mind that signing cannot be done
with key material that is in-tree, because well, that's private, and I
think we should not force people to branch to properly sign the
binaries.

I think that it would be valuable to share how you foresee this being used
in a real environment.

I am open to discussion, really.

Currently the most basic approach is implemented -- plug in key material either by copying it into build directory, or creating a symlink, or adjusting the DT to specify full path to key material.

I am sure this can be expanded to cover other use cases?
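
The symlink approach mentioned in the reply above, combined with the constraint that key material stays out of the source tree, could be scripted as follows. This is an added example, not part of the thread or of U-Boot; the function name `stage_keys`, its arguments and its exit codes are hypothetical, and the file names passed in are whatever the DT properties resolve to in a given setup.

```shell
#!/bin/sh
# Added example: stage out-of-tree signing material into a build directory.
# Usage: stage_keys SRC_TREE KEY_DIR BUILD_DIR FILE...
# All paths and file names are supplied by the caller (assumptions, not
# names fixed by binman or CST).

# Print the physical absolute path of an existing directory.
abs_dir() {
    (CDPATH= cd -- "$1" 2>/dev/null && pwd -P)
}

stage_keys() {
    src=$(abs_dir "$1") || { echo "no source tree: $1" >&2; return 2; }
    keys=$(abs_dir "$2") || { echo "no key directory: $2" >&2; return 2; }
    build=$(abs_dir "$3") || { echo "no build directory: $3" >&2; return 2; }
    shift 3

    # Refuse key material that lives inside the source tree, where it
    # could end up committed or shipped in a source archive.
    case "$keys/" in
        "$src"/*)
            echo "key directory is inside the source tree" >&2
            return 3 ;;
    esac

    # Check every file before touching the build directory, so a missing
    # file does not leave a half-staged set behind.
    for f in "$@"; do
        [ -f "$keys/$f" ] || { echo "missing: $keys/$f" >&2; return 4; }
    done

    for f in "$@"; do
        # Symlink rather than copy: no second copy of the material is
        # left in the build output, and -f replaces a stale link.
        ln -sf "$keys/$f" "$build/$f" || return 5
    done
}
```

Because the paths are resolved with `pwd -P`, a key directory that is only a symlink into the source tree is rejected as well.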
