Hello Marek,

On Fri, May 17, 2024 at 03:25:38AM +0200, Marek Vasut wrote:
> On 5/16/24 11:40 PM, Tim Harvey wrote:
> > [...]
>
> > > -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> > > -and can be used as follows to modify flash.bin to be signed
> > > -(adjust paths as needed):
> > > -```
> > > -export CST_DIR=/usr/src/cst-3.3.1/
> > > -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> > > -export PATH=$CST_DIR/linux64/bin:$PATH
> >
> > Hi Marek,
> >
> > I thought you were going to leave the above env setting examples in
> > the documentation.
> >
> > I suggest showing how to specify using env (by just leaving the above
> > in) as well as by copying them directly to the build directory if
> > wanted.. otherwise the documentation is lacking.
>
> If the tool can do env vars now, I would like to avoid copying key material
> around. So what about this:
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1eb1fb0aa61..257ffb45656 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage
> sections into nxp-imx8mcst
> etype, which is done automatically in
> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
> in case CONFIG_IMX_HAB Kconfig symbol is enabled.
>
> +Build of flash.bin target then produces a signed flash.bin automatically.
> +
> The nxp-imx8mcst etype is configurable using either DT properties or
> environment
> variables. The following DT properties and environment variables are
> supported.
> Note that environment variables override DT properties.
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties.
> | nxp,img-crt | IMG_KEY | full path to the IMG Key
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
>
> +--------------------+-----------+------------------------------------------------------------------+
>
> -Build of flash.bin target then produces a signed flash.bin automatically.
> +Environment variables can be set as follows to point the build process
> +to external key material:
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +make flash.bin
> +```
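Review bot: In the first hunk (-144,6 +144,8), the added sentence "Build of flash.bin target then produces a signed flash.bin automatically." reads awkwardly; "Building the flash.bin target then produces a signed flash.bin automatically." would be clearer, and since it now sits before the paragraph on DT properties and environment variables, it may be worth saying "with the configuration below" so the reader knows the automatic signing depends on that setup.

Review bot: In the second hunk (-160,7 +162,15), the new environment example drops the "export PATH=$CST_DIR/linux64/bin:$PATH" line that the earlier revision carried (visible in Tim's quote above). If the nxp-imx8mcst etype still invokes the CST tool by name, a fresh shell following only this snippet will fail at the signing step; either keep the PATH line or add a sentence stating how the tool is expected to be found. Also, only CSF_KEY, IMG_KEY and SRK_TABLE correspond to rows of the table; a short remark that CST_DIR is just a convenience for the example (not read by the etype) would avoid readers expecting it to have an effect on its own.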
FWIW, this addresses the concern I raised on the previous version, works for me.

Thanks Marek (and Tim).

Francesco
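As an added example that is not part of this thread, of U-Boot, or of NXP's CST, the following POSIX sh preflight checks that the three environment variables the nxp-imx8mcst etype reads (CSF_KEY, IMG_KEY, SRK_TABLE, per the table in Marek's diff) point to usable key material before `make flash.bin` is invoked. Because environment variables override the DT properties, a typo in one of them means the build silently signs with whatever the DT points at, or fails late inside the signing step, so checking them up front is cheap insurance. The function names and the "looks like a PEM certificate" heuristic are my assumptions; the patch specifies neither.

```shell
#!/bin/sh
# Preflight for the HAB signing environment described in the thread.
# Added example; not U-Boot, CST, or patch code. Assumed names:
# check_pem_var, check_srk_table, check_hab_env.

# Check one certificate variable: set, a readable regular file, and
# carrying a PEM certificate header (CST usr_crt.pem files are PEM).
check_pem_var() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "$name: not set" >&2
        return 1
    fi
    if [ ! -f "$value" ] || [ ! -r "$value" ]; then
        echo "$name: '$value' is not a readable file" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$value"; then
        echo "$name: '$value' does not look like a PEM certificate" >&2
        return 1
    fi
    return 0
}

# Check the SRK table: set, and a readable, non-empty file.
check_srk_table() {
    if [ -z "${SRK_TABLE:-}" ]; then
        echo "SRK_TABLE: not set" >&2
        return 1
    fi
    if [ ! -f "$SRK_TABLE" ] || [ ! -r "$SRK_TABLE" ] || [ ! -s "$SRK_TABLE" ]; then
        echo "SRK_TABLE: '$SRK_TABLE' is not a readable, non-empty file" >&2
        return 1
    fi
    return 0
}

# Run every check and report all problems at once; 0 only if all pass.
check_hab_env() {
    status=0
    check_pem_var CSF_KEY || status=1
    check_pem_var IMG_KEY || status=1
    check_srk_table || status=1
    return $status
}

# Usage, mirroring the snippet from the patch:
#   export CST_DIR=/usr/src/cst-3.3.1/
#   export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
#   export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
#   export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
#   check_hab_env && make flash.bin
```

The checks deliberately stop at "is this a certificate file" rather than parsing the certificate, so the script needs nothing beyond a POSIX shell and grep; a stricter variant could pipe each file through `openssl x509 -noout` where OpenSSL is available.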