Hi Marek, On Fri, 13 Feb 2026 at 12:28, Marek Vasut <[email protected]> wrote: > > Add support for setting the CST backend, both via DT property and > CST_BACKEND environment variable. The CST currently supports two > backends, 'ssl' and 'pkcs11', with 'ssl' being the default when > CST tool is invoked without any -b parameter. Keep 'ssl' backend > as the default, but explicitly pass it via the '-b' parameter, > unless the user selects 'pkcs11' via either method. > > Signed-off-by: Marek Vasut <[email protected]> > --- > Cc: Alper Nebi Yasak <[email protected]> > Cc: Simon Glass <[email protected]> > Cc: Tom Rini <[email protected]> > Cc: [email protected] > --- > V2: Fill in documentation for all used DT properties > --- > doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 30 ++++++++++++------- > tools/binman/entries.rst | 7 +++++ > tools/binman/etype/nxp_imx8mcst.py | 12 +++++++- > 3 files changed, 37 insertions(+), 12 deletions(-) > > diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index 1bea091344d..a3ebd397d82 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt 
> @@ -167,17 +167,25 @@ The nxp-imx8mcst etype is configurable using either DT > properties or environment > variables. The following DT properties and environment variables are > supported. > Note that environment variables override DT properties. > > -+--------------------+-----------+------------------------------------------------------------------+ > -| DT property | Variable | Description > | > -+====================+===========+==================================================================+ > -| nxp,loader-address | | SPL base address > | > -+--------------------+-----------+------------------------------------------------------------------+ > -| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin > | > -+--------------------+-----------+------------------------------------------------------------------+ > -| nxp,csf-crt | CSF_KEY | full path to the CSF Key > CSF1_1_sha256_4096_65537_v3_usr_crt.pem | > -+--------------------+-----------+------------------------------------------------------------------+ > -| nxp,img-crt | IMG_KEY | full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem | > -+--------------------+-----------+------------------------------------------------------------------+ > ++--------------------+-------------+------------------------------------------------------------------+ > +| DT property | Variable | Description > | > ++====================+=============+==================================================================+ > +| nxp,loader-address | | SPL base address > | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin > | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,csf-crt | CSF_KEY | full path to the CSF Key > CSF1_1_sha256_4096_65537_v3_usr_crt.pem | > 
++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,img-crt | IMG_KEY | full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,fast-auth | | enable fast authentication method > | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,srk-crt | SRK_KEY | full path to the SRK Key > SRK1_sha256_4096_65537_v3_ca_crt.pem | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,unlock | | unlock CAAM in SPL > | > ++--------------------+-------------+------------------------------------------------------------------+ > +| nxp,cst-backend | CST_BACKEND | CST tool backend, default is 'ssl', or > selectable 'pkcs11' | > ++--------------------+-------------+------------------------------------------------------------------+
Perhaps point to an example? > > Environment variables can be set as follows to point the build process > to external key material: > diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst > index 8922d6cd070..29bc778d0e5 100644 > --- a/tools/binman/entries.rst > +++ b/tools/binman/entries.rst > @@ -1664,6 +1664,13 @@ Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file > generator and cst invoker > > Properties / Entry arguments: > - nxp,loader-address - loader address (SPL text base) > + - nxp,srk-table - full path to SRK_1_2_3_4_table.bin > + - nxp,csf-crt - full path to the CSF Key > CSF1_1_sha256_4096_65537_v3_usr_crt.pem > + - nxp,img-crt - full path to the IMG Key > IMG1_1_sha256_4096_65537_v3_usr_crt.pem > + - nxp,fast-auth - enable fast authentication method > + - nxp,srk-crt - full path to the SRK Key > SRK1_sha256_4096_65537_v3_ca_crt.pem > + - nxp,unlock - unlock CAAM in SPL > + - nxp,cst-backend - CST tool backend, default is 'ssl', or selectable > 'pkcs11' > The way it works is you add this as a comment in nxp_imx8mcst.py and then run 'binman entry-docs' to generate entries.rst - see here: https://docs.u-boot.org/en/latest/develop/package/binman.html#entry-documentation > > > diff --git a/tools/binman/etype/nxp_imx8mcst.py > b/tools/binman/etype/nxp_imx8mcst.py > index dd9f226b751..3a95da6a35d 100644 > --- a/tools/binman/etype/nxp_imx8mcst.py > +++ b/tools/binman/etype/nxp_imx8mcst.py > @@ -90,6 +90,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage): > 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt', > f'SRK1_{KEY_NAME}.pem')) > > + self.backend = os.getenv( > + 'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend', > + 'ssl')) > + > self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') > self.ReadEntries() 
> > @@ -161,8 +165,14 @@ class Entry_nxp_imx8mcst(Entry_mkimage): > with open(cfg_fname, 'w') as cfgf: > config.write(cfgf) > > + # SSL is the default backend, PKCS11 backend is optional > + if self.backend == "pkcs11": > + cst_backend = "pkcs11" > + else: > + cst_backend = "ssl" > + > output_fname = > tools.get_output_filename(f'nxp.csf-output-blob.{uniq}') > - args = ['-i', cfg_fname, '-o', output_fname] > + args = ['-i', cfg_fname, '-o', output_fname, '-b', cst_backend] > if self.cst.run_cmd(*args) is not None: > outdata = tools.read_file(output_fname) > # fixme: 0x2000 should be CONFIG_CSF_SIZE > -- > 2.51.0 > Regards, Simon
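Review bot: in the second nxp_imx8mcst.py hunk, the `if self.backend == "pkcs11": ... else: cst_backend = "ssl"` block silently maps every value other than the exact string `pkcs11` (a typo such as `pkcs-11`, a different case such as `PKCS11`, or an empty `CST_BACKEND=`) to the `ssl` backend, so a build that was meant to sign through the token would quietly fall back to file-based keys. The default is already supplied by the `os.getenv('CST_BACKEND', fdt_util.GetString(..., 'ssl'))` call in the first hunk, so consider replacing the silent fallback with validation, e.g. `if self.backend not in ('ssl', 'pkcs11'): self.Raise(f"Unknown CST backend '{self.backend}'")`, and then passing `self.backend` directly as the `-b` argument.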
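Review bot: the new `nxp,cst-backend` row in the mx8m_spl_secure_boot.txt table says the backend is selectable, but the surrounding rows still describe `nxp,csf-crt`, `nxp,img-crt` and `nxp,srk-crt` only as "full path to the ... .pem" files; the guide should say which of these inputs still apply when `pkcs11` is chosen and where the pkcs11 configuration comes from, otherwise a reader cannot set up that backend from this table alone. It would also help to show the override form (`CST_BACKEND=pkcs11`) in the "Environment variables can be set as follows" section that follows the table.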

