Hi,
On Fri, 27 Sept 2024 at 06:42, Brian Ruley <brian.ru...@gehealthcare.com> wrote:
>
> Using the PKI tree with SRKs as intermediate CA isn't necessary or even
> desirable in some situations (boot time, for example). Add the possbility
> to use the "fast authentication" method where the image and CSF are both
> signed using the SRK [1, p.63].
>
> [1]
> https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
>
> Signed-off-by: Brian Ruley <brian.ru...@gehealthcare.com>
> Cc: Marek Vasut <ma...@denx.de>
>
> tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
Please can you coordinate with Marek as we need to sort out the test
coverage for this etype, before adding more functionality. I did a
starting point, now in -next, which should help.
> diff --git a/tools/binman/etype/nxp_imx8mcst.py
> b/tools/binman/etype/nxp_imx8mcst.py
> index 8221517b0c..d39b6a79de 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -36,6 +36,9 @@ csf_config_template = """
> File = "SRK_1_2_3_4_table.bin"
> Source index = 0
>
> +[Install NOCAK]
> + File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
> +
> [Install CSFK]
> File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
>
> @@ -70,8 +73,13 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> super().ReadNode()
> self.loader_address = fdt_util.GetInt(self._node,
> 'nxp,loader-address')
> self.srk_table = os.getenv('SRK_TABLE',
> fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin'))
> - self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node,
> 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
> - self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node,
> 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'))
> + self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
> + if not self.fast_auth:
> + self.csf_crt = os.getenv('CSF_KEY',
> fdt_util.GetString(self._node, 'nxp,csf-crt',
> 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
> + self.img_crt = os.getenv('IMG_KEY',
> fdt_util.GetString(self._node, 'nxp,img-crt',
> 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'))
> + else:
> + self.srk_crt = os.getenv('SRK_KEY',
> fdt_util.GetString(self._node, 'nxp,srk-crt',
> 'SRK1_sha256_2048_65537_v3_usr_crt.pem'))
> +
> self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
> self.ReadEntries()
>
> @@ -125,8 +133,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> # Load configuration template and modify keys of interest
> config.read_string(csf_config_template)
> config['Install SRK']['File'] = '"' + self.srk_table + '"'
> - config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> - config['Install Key']['File'] = '"' + self.img_crt + '"'
> + if not self.fast_auth:
> + config.remove_section('Install NOCAK')
> + config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> + config['Install Key']['File'] = '"' + self.img_crt + '"'
> + else:
> + config.remove_section('Install CSFK')
> + config.remove_section('Install Key')
> + config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
> + config['Authenticate Data']['Verification index'] = '0'
> +
> config['Authenticate Data']['Blocks'] = hex(signbase) + ' 0 ' +
> hex(len(data)) + ' "' + str(output_dname) + '"'
> if not self.unlock:
> config.remove_section('Unlock')
> --
> 2.39.2
>
Regards,
Simon
