On Thu, May 16, 2024 at 6:31 PM Marek Vasut <ma...@denx.de> wrote: > > On 5/16/24 11:40 PM, Tim Harvey wrote: > > [...] > > >> -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh > >> -and can be used as follows to modify flash.bin to be signed > >> -(adjust paths as needed): > >> -``` > >> -export CST_DIR=/usr/src/cst-3.3.1/ > >> -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > >> -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > >> -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > >> -export PATH=$CST_DIR/linux64/bin:$PATH > > > > Hi Marek, > > > > I thought you were going to leave the above env setting examples in > > the documentation. > > > > I suggest showing how to specify using env (by just leaving the above > > in) as well as by copying them directly to the build directory if > > wanted.. otherwise the documentation is lacking. > > If the tool can do env vars now, I would like to avoid copying key > material around. So what about this: > > diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index 1eb1fb0aa61..257ffb45656 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > @@ -144,6 +144,8 @@ The signing is activated by wrapping SPL and > fitImage sections into nxp-imx8mcst > etype, which is done automatically in > arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi > in case CONFIG_IMX_HAB Kconfig symbol is enabled. > > +Build of flash.bin target then produces a signed flash.bin automatically. > + > The nxp-imx8mcst etype is configurable using either DT properties or > environment > variables. The following DT properties and environment variables are > supported. > Note that environment variables override DT properties. 
> @@ -160,7 +162,15 @@ Note that environment variables override DT properties. > | nxp,img-crt | IMG_KEY | full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem | > > +--------------------+-----------+------------------------------------------------------------------+ > > -Build of flash.bin target then produces a signed flash.bin automatically. > +Environment variables can be set as follows to point the build process > +to external key material: > +``` > +export CST_DIR=/usr/src/cst-3.3.1/ > +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > +make flash.bin > +``` > > 1.4 Closing the device > ----------------------- >
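Review bot: In the second hunk's new example, the `export PATH=$CST_DIR/linux64/bin:$PATH` line from the removed instructions quoted at the top of this mail is not carried over, so CST_DIR is only used to build the CSF_KEY, IMG_KEY and SRK_TABLE paths and nothing tells the reader how the build finds the cst binary. Either keep the PATH export ahead of `make flash.bin` or add a sentence saying cst must already be on PATH. Because the context above the table states that environment variables override DT properties, it is also worth noting next to the example that a variable left exported in the shell will take precedence over nxp,img-crt and the other DT properties in later builds.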
Hi Marek,

Yes, with that change you can add for the series:
Reviewed-by: Tim Harvey <thar...@gateworks.com>

Best Regards,

Tim