Hi, On Fri, 27 Sept 2024 at 06:42, Brian Ruley <brian.ru...@gehealthcare.com> wrote: > > Using the PKI tree with SRKs as intermediate CA isn't necessary or even > desirable in some situations (boot time, for example). Add the possibility > to use the "fast authentication" method where the image and CSF are both > signed using the SRK [1, p.63]. > > [1] > https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf > > Signed-off-by: Brian Ruley <brian.ru...@gehealthcare.com> > Cc: Marek Vasut <ma...@denx.de> > > tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++---- > 1 file changed, 19 insertions(+), 4 deletions(-) >
Please can you coordinate with Marek as we need to sort out the test coverage for this etype, before adding more functionality. I did a starting point, now in -next, which should help. > diff --git a/tools/binman/etype/nxp_imx8mcst.py > b/tools/binman/etype/nxp_imx8mcst.py > index 8221517b0c..d39b6a79de 100644 > --- a/tools/binman/etype/nxp_imx8mcst.py > +++ b/tools/binman/etype/nxp_imx8mcst.py > @@ -36,6 +36,9 @@ csf_config_template = """ > File = "SRK_1_2_3_4_table.bin" > Source index = 0 > > +[Install NOCAK] > + File = "SRK1_sha256_4096_65537_v3_usr_crt.pem" > + > [Install CSFK] > File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem" > > @@ -70,8 +73,13 @@ class Entry_nxp_imx8mcst(Entry_mkimage): > super().ReadNode() > self.loader_address = fdt_util.GetInt(self._node, > 'nxp,loader-address') > self.srk_table = os.getenv('SRK_TABLE', > fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')) > - self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, > 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')) > - self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node, > 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')) > + self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth') > + if not self.fast_auth: > + self.csf_crt = os.getenv('CSF_KEY', > fdt_util.GetString(self._node, 'nxp,csf-crt', > 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')) > + self.img_crt = os.getenv('IMG_KEY', > fdt_util.GetString(self._node, 'nxp,img-crt', > 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')) > + else: > + self.srk_crt = os.getenv('SRK_KEY', > fdt_util.GetString(self._node, 'nxp,srk-crt', > 'SRK1_sha256_2048_65537_v3_usr_crt.pem')) > + > self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') > self.ReadEntries() 
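Review bot: The placeholder certificate name added under `[Install NOCAK]` in `csf_config_template` is `SRK1_sha256_4096_65537_v3_usr_crt.pem`, but the `nxp,srk-crt` default added to `ReadNode()` in the next hunk is `SRK1_sha256_2048_65537_v3_usr_crt.pem`. The template value is overwritten in the fast-auth path, so the 2048 name is the one that takes effect, and it does not follow the 4096-bit naming of the CSF and IMG defaults beside it. If the 4096 name is the intended one, the default should read `'SRK1_sha256_4096_65537_v3_usr_crt.pem'`. Either way the two strings should agree, so that a build without the property looks for the file the user expects.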
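Review bot: The new `nxp,fast-auth` and `nxp,srk-crt` properties and the `SRK_KEY` environment override are read in `ReadNode()` without any description; the class docstring lies outside this hunk, so it probably needs the same addition. A comment above the branch such as `# Fast authentication: image and CSF are both signed with the SRK itself, so no CSF/IMG certificates are read` would record why `csf_crt` and `img_crt` stay unset in that mode. The documentation should also state the key-handling trade-off: with fast authentication the SRK private key has to be available to the signing step for every build. There is then no subordinate CSF/IMG key that can be replaced on its own.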
> > @@ -125,8 +133,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage): > # Load configuration template and modify keys of interest > config.read_string(csf_config_template) > config['Install SRK']['File'] = '"' + self.srk_table + '"' > - config['Install CSFK']['File'] = '"' + self.csf_crt + '"' > - config['Install Key']['File'] = '"' + self.img_crt + '"' > + if not self.fast_auth: > + config.remove_section('Install NOCAK') > + config['Install CSFK']['File'] = '"' + self.csf_crt + '"' > + config['Install Key']['File'] = '"' + self.img_crt + '"' > + else: > + config.remove_section('Install CSFK') > + config.remove_section('Install Key') > + config['Install NOCAK']['File'] = '"' + self.srk_crt + '"' > + config['Authenticate Data']['Verification index'] = '0' > + > config['Authenticate Data']['Blocks'] = hex(signbase) + ' 0 ' + > hex(len(data)) + ' "' + str(output_dname) + '"' > if not self.unlock: > config.remove_section('Unlock') > -- > 2.39.2 > Regards, Simon
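Review bot: In the fast-auth branch the certificate written to `[Install NOCAK]` has to be the SRK selected by `Source index`, which the template fixes at 0 (apparently under `[Install SRK]`), and nothing here checks or exposes that coupling. A user who points `nxp,srk-crt` or `SRK_KEY` at a different SRK from the table would get a CSF that presumably fails authentication on the device rather than at build time. Either document that only the first SRK is supported, e.g. `# NOCAK certificate must be the SRK at 'Source index' 0 of the SRK table`, or make the index configurable alongside `nxp,srk-crt`. The enclosing function starts and ends outside the hunk.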