On 5/16/24 11:40 PM, Tim Harvey wrote:

[...]

-The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
-and can be used as follows to modify flash.bin to be signed
-(adjust paths as needed):
-```
-export CST_DIR=/usr/src/cst-3.3.1/
-export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
-export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
-export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
-export PATH=$CST_DIR/linux64/bin:$PATH

Hi Marek,

I thought you were going to leave the above env setting examples in
the documentation.

I suggest showing how to specify using env (by just leaving the above
in) as well as by copying them directly to the build directory if
wanted. Otherwise the documentation is lacking.

If the tool can do env vars now, I would like to avoid copying key material around. So what about this:

diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index 1eb1fb0aa61..257ffb45656 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
 in case CONFIG_IMX_HAB Kconfig symbol is enabled.

+Build of flash.bin target then produces a signed flash.bin automatically.
+
The nxp-imx8mcst etype is configurable using either DT properties or environment variables. The following DT properties and environment variables are supported.
 Note that environment variables override DT properties.
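
Review bot: The sentence added at the top of this hunk says flash.bin is signed "automatically" before the reader has seen which key inputs the signing depends on, since the DT properties and environment variables are only introduced in the paragraph that follows it. Consider leaving the sentence after the table where it was, or wording it as "Build of flash.bin target then produces a flash.bin signed with the key material configured below", so the ordering does not suggest that no key configuration is needed.
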
@@ -160,7 +162,15 @@ Note that environment variables override DT properties.
| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |

+--------------------+-----------+------------------------------------------------------------------+

-Build of flash.bin target then produces a signed flash.bin automatically.
+Environment variables can be set as follows to point the build process
+to external key material:
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+make flash.bin
+```

 1.4 Closing the device
 -----------------------
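
Review bot: The added export block drops the `export PATH=$CST_DIR/linux64/bin:$PATH` line that the removed example carried, so within the example CST_DIR is only used to compose the three file paths and nothing shows how the build finds the cst binary. Either restore the PATH line or state that cst must already be on PATH. Separately, `CST_DIR=/usr/src/cst-3.3.1/` ends in a slash, so the expanded paths contain `//crts/`; dropping the trailing slash keeps them clean. A sentence saying that these files are referenced in place and do not need to be copied into the build directory would also record why the environment variables are the preferred form.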
