Hi Brian, On Mon, 30 Sept 2024 at 10:10, Brian Ruley <brian.ru...@gehealthcare.com> wrote: > > Using the PKI tree with SRKs as intermediate CA isn't necessary or even > desirable in some situations (boot time, for example). Add the possibility
spelling
> to use the "fast authentication" method where the image and CSF are both
> signed using the SRK [1, p.63].
>
> [1]
> https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
>
> Signed-off-by: Brian Ruley <brian.ru...@gehealthcare.com>
> Cc: Marek Vasut <ma...@denx.de>
>
> tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
That should be below the --- (you can use patman to get this right automatically)
> ---
> tools/binman/etype/nxp_imx8mcst.py | 44 ++++++++++++++++++++++--------
> 1 file changed, 32 insertions(+), 12 deletions(-)
>
> diff --git a/tools/binman/etype/nxp_imx8mcst.py
> b/tools/binman/etype/nxp_imx8mcst.py
> index 0c744a00d7..a80cb94499 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -36,6 +36,9 @@ csf_config_template = '''
> File = "SRK_1_2_3_4_table.bin"
> Source index = 0
>
> +[Install NOCAK]
> + File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
> +
> [Install CSFK]
> File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
Since 'sha256_4096_65537_v3_usr_crt.' is common to everything, could you have a variable, say keyname, and use that everywhere?
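Review bot: The new `[Install NOCAK]` section names its certificate independently of the `Source index = 0` line in the section above it, and nothing visible in the template ties the two together. As far as I understand the CST fast-authentication flow, the NOCAK certificate has to belong to the SRK slot that `Source index` selects, so overriding the file name while the index stays at 0 would yield an image that a closed device rejects at boot. I would record the constraint next to the section, e.g. `# Fast authentication only: File must be the certificate of the SRK selected by Source index`. Python's configparser skips `#` lines by default, but how the parser is constructed is outside this hunk; if comments are not accepted there, the same sentence belongs in the entry's docstring.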
>
> @@ -74,16 +77,25 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> self._node, 'nxp,srk-table',
> 'SRK_1_2_3_4_table.bin'
> ))
> - self.csf_crt = os.getenv(
> - 'CSF_KEY', fdt_util.GetString(
> - self._node, 'nxp,csf-crt',
> - 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
> - ))
> - self.img_crt = os.getenv(
> - 'IMG_KEY', fdt_util.GetString(
> - self._node, 'nxp,img-crt',
> - 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> - ))
> + self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
> + if not self.fast_auth:
> + self.csf_crt = os.getenv(
> + 'CSF_KEY', fdt_util.GetString(
> + self._node, 'nxp,csf-crt',
> + 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
e.g. f'CSF1_1_{keyname}'
> + ))
> + self.img_crt = os.getenv(
> + 'IMG_KEY', fdt_util.GetString(
> + self._node, 'nxp,img-crt',
> + 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> + ))
> + else:
> + self.srk_crt = os.getenv(
> + 'SRK_KEY', fdt_util.GetString(
> + self._node, 'nxp,srk-crt',
> + 'SRK1_sha256_4096_65537_v3_usr_crt.pem'
> + ))
All three options seem to read the 'nxp,srk-crt' property, so you can do that once the if() to reduce the amount of duplicated code.
> +
> self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
> self.ReadEntries()
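Review bot: `nxp,fast-auth` and `nxp,srk-crt` are read here with no description of what the switch trades away, and the entry's docstring, which would normally list the `nxp,*` properties, is outside the hunk, so I cannot tell whether it was updated. With fast authentication the image and CSF are signed by the SRK itself, so, as I understand the CST flow, the SRK private key has to be available to every signing run rather than only when the key tree is created. I would document both properties and that consequence in the docstring, and add a comment at the `GetBool` call such as `# Fast authentication: image and CSF are signed directly by the SRK (no CSFK/IMG keys)`. Separately, `self.csf_crt`/`self.img_crt` and `self.srk_crt` are each assigned in only one branch; setting all three to `None` before the `if` would stop code outside this hunk from raising AttributeError if it reads the unused ones.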
>
> @@ -137,8 +149,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> # Load configuration template and modify keys of interest
> config.read_string(csf_config_template)
> config['Install SRK']['File'] = '"' + self.srk_table + '"'
This is what I mean by the f-string: f'"{self.srk_table}"'
> - config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> - config['Install Key']['File'] = '"' + self.img_crt + '"'
> + if not self.fast_auth:
> + config.remove_section('Install NOCAK')
> + config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> + config['Install Key']['File'] = '"' + self.img_crt + '"'
> + else:
> + config.remove_section('Install CSFK')
> + config.remove_section('Install Key')
> + config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
> + config['Authenticate Data']['Verification index'] = '0'
> +
> config['Authenticate Data']['Blocks'] = (hex(signbase) + ' 0 '
> + hex(len(data)) + ' "'
> + str(output_dname) + '"')
Can use f-strings here too, e.g. f'{signbase:#x} 0 {len(data):#x} ...
> --
> 2.39.5
>
Regards, Simon
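Review bot: The `'0'` written to `Verification index` in the fast-auth branch is an unexplained magic value, and the value the template uses in the other mode is not visible in this hunk. As I read the CST guide, index 0 is the slot holding the SRK, so this line is what makes the image data verify against the SRK rather than an image key. A one-line comment would make that reviewable, e.g. `# Fast auth: data is verified against the SRK in key slot 0, no IMG key is installed`. The three `remove_section` calls would also read better under a single comment saying that the template carries the sections for both modes and the unused ones are dropped here.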