Hi Tim and Marek,

On 2024-05-16 12:46 am, Tim Harvey wrote:
On Tue, May 14, 2024 at 11:50 AM Tim Harvey <thar...@gateworks.com> wrote:
On Sun, May 12, 2024 at 10:08 PM Marek Vasut <ma...@denx.de> wrote:
On 5/8/24 9:23 AM, Claudius Heine wrote:
On 2024-05-07 3:28 pm, Marek Vasut wrote:
It would be good to mention the DT properties which govern the crypto
material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt -- somewhere
around this sentence.

This is something that should be documented with the changes where that
code was added, IMO. I only documented here what I found out and have
used myself, I haven't used those.

I would be interested in reading how to best overwrite those paths and
the image structure from board u-boot.dtsi files myself.

If you want to, you can pick up my patch and integrate it into your series and
extend it.

I'll keep it in mind for V3.

Hi Marek,

The documentation patch here by Claudius does resolve my issues
discussed in the other thread and I can confirm symlinks work fine so
I think something like the following should be added:

CST_DIR=/usr/src/cst-3.3.2/
ln -s $CST_DIR/crts .
ln -s $CST_DIR/keys .

`keys` and `crts` are very short and generic names, and putting them into the build directory might cause issues at some point. But I would not be against putting them into a subdirectory (`imx-hab/{keys,crts}`?).


then with the following change to nxp_imx8mcst.py you can build a
signed image without code modification:
diff --git a/tools/binman/etype/nxp_imx8mcst.py
b/tools/binman/etype/nxp_imx8mcst.py
index 132127ad4827..7d8abc78fc89 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -68,9 +68,9 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
      def ReadNode(self):
          super().ReadNode()
          self.loader_address = fdt_util.GetInt(self._node, 
'nxp,loader-address')
-        self.srk_table = fdt_util.GetString(self._node,
'nxp,srk-table', 'SRK_1_2_3_4_table.bin')
-        self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt',
'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
-        self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt',
'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
+        self.srk_table = fdt_util.GetString(self._node,
'nxp,srk-table', 'crts/SRK_1_2_3_4_table.bin')
+        self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt',
'crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem')
+        self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt',
'crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem')
          self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
          self.ReadEntries()
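Review bot: the three changed defaults bake a `crts/` prefix into the fallback paths, which turns the `ln -s $CST_DIR/crts .` step above into an unstated requirement of the build directory; a board that kept the files at the top level (the previous defaults) would only find out at signing time. Since the thread already proposes a single base directory (`CST_DIR` or `HAB_DIR`), it would be cleaner to leave the three file-name defaults unchanged and prepend the directory once, from one configurable property or environment variable, instead of editing each string. The hunk also references only `crts/`, while the setup above creates a `keys` symlink as well; a comment explaining why `keys` must sit next to `crts` would help the next reader.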

If copying or symlinking the keys/certs directory is not desired are
env vars exposed to binman's python classes? If so you can just
require CST_DIR to be specified and use that for the paths?

I personally would prefer using (one) environment variable(s) to specify the path to all keys, that way whatever `cst` needs, it will find it there, and explicit symlinking/copying can be avoided.

I would probably rather call it `HAB_DIR`/`HAB_BASE_DIR` or something, because it doesn't need to be pointing to the whole `cst` stuff, just a directory for the keys and certs for the HAB. `CST_DIR` might leave the impression that the `cst` from that directory is used.

And you can still allow environment variables like (`SRK_TABLE`, `CSF_KEY` and `IMG_KEY`) to overwrite the name of each, relative to the `HAB_DIR/{keys,certs}` if a `HAB_DIR` is set.

This would be somewhat backwards compatible and allow simpler usage by setting just one variable (`HAB_DIR`) and leaving the rest to the dtb.

kind regards,
Claudius

--
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: c...@denx.de
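The path resolution proposed in this reply (one `HAB_DIR` base directory, optional `SRK_TABLE`/`CSF_KEY`/`IMG_KEY` name overrides, device-tree properties, then the hard-coded defaults from `nxp_imx8mcst.py`), written out as an added example; this is not code from U-Boot or from anyone in the thread. It assumes the `crts` subdirectory name used by Tim's symlink setup, takes the environment as a plain dict so it can be tested offline (binman itself would pass `os.environ`), and adds a pre-signing existence check so a missing symlink or certificate is reported before `cst` is invoked rather than failing mid-build. The property and default names are the ones visible in the hunk above; the `HabPaths` and `missing_hab_material` names are this example's own.

```python
"""Resolve HAB signing material paths with a single HAB_DIR base directory.

Precedence, highest first:
  1. SRK_TABLE / CSF_KEY / IMG_KEY environment variables override the file name
  2. device-tree properties nxp,srk-table / nxp,csf-crt / nxp,img-crt
  3. the hard-coded file-name defaults from tools/binman/etype/nxp_imx8mcst.py
If HAB_DIR is set, relative names are joined under HAB_DIR/crts; if it is not
set, names are used unchanged, which keeps the current behaviour.
"""
import os
from dataclasses import dataclass

# File-name defaults as in nxp_imx8mcst.py (without any directory prefix).
DEFAULTS = {
    'srk_table': 'SRK_1_2_3_4_table.bin',
    'csf_crt': 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem',
    'img_crt': 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem',
}
# Device-tree property names from the hunk above.
DT_PROPS = {
    'srk_table': 'nxp,srk-table',
    'csf_crt': 'nxp,csf-crt',
    'img_crt': 'nxp,img-crt',
}
# Per-file environment overrides as named in the thread.
ENV_OVERRIDES = {
    'srk_table': 'SRK_TABLE',
    'csf_crt': 'CSF_KEY',
    'img_crt': 'IMG_KEY',
}
# Assumption: certificates and the SRK table live under <HAB_DIR>/crts,
# matching the `ln -s $CST_DIR/crts .` layout used earlier in the thread.
CRTS_SUBDIR = 'crts'


@dataclass
class HabPaths:
    """Resolved paths handed to the CST invocation (example type)."""
    srk_table: str
    csf_crt: str
    img_crt: str


def resolve_hab_paths(dt_props, env):
    """Apply the precedence above. dt_props and env are plain dicts."""
    hab_dir = env.get('HAB_DIR')
    resolved = {}
    for key, default in DEFAULTS.items():
        name = env.get(ENV_OVERRIDES[key]) or dt_props.get(DT_PROPS[key]) or default
        # Only relative names are re-based; an absolute override is kept as given.
        if hab_dir and not os.path.isabs(name):
            name = os.path.join(hab_dir, CRTS_SUBDIR, name)
        resolved[key] = name
    return HabPaths(**resolved)


def missing_hab_material(paths, exists=os.path.exists):
    """Return the resolved paths that do not exist, in srk/csf/img order.

    `exists` is injectable so the check can be exercised without a CST tree.
    An empty list means every input cst would need is present before signing.
    """
    return [p for p in (paths.srk_table, paths.csf_crt, paths.img_crt)
            if not exists(p)]


if __name__ == '__main__':
    # Constructed sample: HAB_DIR set, CSF cert name overridden from the environment.
    sample_env = {'HAB_DIR': '/opt/hab', 'CSF_KEY': 'my_csf_crt.pem'}
    sample_dt = {'nxp,img-crt': 'board_img_crt.pem'}
    paths = resolve_hab_paths(sample_dt, sample_env)
    for p in (paths.srk_table, paths.csf_crt, paths.img_crt):
        print(p)
    for p in missing_hab_material(paths):
        print('missing:', p)
```

With no `HAB_DIR` in the environment the function returns the bare defaults, so existing setups that keep the files in the build directory are unaffected; with `HAB_DIR` set, only the directory needs to be configured and the file names can still come from the dtb.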
