Hello Marek,

On Fri, May 17, 2024 at 03:25:38AM +0200, Marek Vasut wrote:
> On 5/16/24 11:40 PM, Tim Harvey wrote:
> 
> [...]
> 
> > > -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> > > -and can be used as follows to modify flash.bin to be signed
> > > -(adjust paths as needed):
> > > -```
> > > -export CST_DIR=/usr/src/cst-3.3.1/
> > > -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> > > -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> > > -export PATH=$CST_DIR/linux64/bin:$PATH
> > 
> > Hi Marek,
> > 
> > I thought you were going to leave the above env setting examples in
> > the documentation.
> > 
> > I suggest showing how to specify using env (by just leaving the above
> > in) as well as by copying them directly to the build directory if
> > wanted; otherwise the documentation is lacking.
> 
> If the tool can do env vars now, I would like to avoid copying key material
> around. So what about this:
> 
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 1eb1fb0aa61..257ffb45656 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and fitImage
> sections into nxp-imx8mcst
>  etype, which is done automatically in
> arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
>  in case CONFIG_IMX_HAB Kconfig symbol is enabled.
> 
> +Build of flash.bin target then produces a signed flash.bin automatically.
> +
>  The nxp-imx8mcst etype is configurable using either DT properties or
> environment
>  variables. The following DT properties and environment variables are
> supported.
>  Note that environment variables override DT properties.
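Review bot: the sentence this hunk moves up, "Build of flash.bin target then produces a signed flash.bin automatically.", now sits before the paragraph that explains how the nxp-imx8mcst etype is pointed at the key material, so it reads as unconditional; consider qualifying it, e.g. "Once the key material is configured as described below, building the flash.bin target produces a signed flash.bin automatically." Separately, the hunk header and the context lines appear to have been re-wrapped by the mail client (the "@@ -144,6 +144,8 @@" line continues as "sections into nxp-imx8mcst" and the dtsi path sits on its own line), so the patch as quoted will not apply cleanly and should go to the list unwrapped.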
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties.
>  | nxp,img-crt        | IMG_KEY   | full path to the IMG Key
> IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
> 
> +--------------------+-----------+------------------------------------------------------------------+
> 
> -Build of flash.bin target then produces a signed flash.bin automatically.
> +Environment variables can be set as follows to point the build process
> +to external key material:
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +make flash.bin
> +```
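Review bot: the earlier version of this example, quoted at the top of this thread, also carried `export PATH=$CST_DIR/linux64/bin:$PATH`; this hunk leaves that line out, so if the signing step relies on the CST tools being found on PATH, a reader following the new example verbatim will not have them. Either keep that export in the snippet or add one sentence stating that the CST binaries must already be on PATH. It would also help to say that `make flash.bin` here assumes CONFIG_IMX_HAB is enabled, since the paragraph above ties the nxp-imx8mcst wrapping to that symbol, and that pointing the variables at an external CST_DIR is exactly what avoids copying key material into the build tree, which is the intent stated in the reply.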

FWIW, this addresses the concern I raised on the previous version, works
for me. Thanks Marek (and Tim).

Francesco
