Message ID | 20240516083614.510948-1-ch@denx.de |
---|---|
State | Accepted |
Delegated to: | Fabio Estevam |
Series | [v2] imx: hab: add documentation about the required keys/certs |
On 5/16/24 10:36, Claudius Heine wrote:
> For CST to find the certificates and keys for signing, some keys and
> certs need to be copied into the u-boot build directory.
>
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
> Hi,
>
> this patch documents some changes of the
> '<20240503010518.263458-1-marex@denx.de>' patchset. So am posting it as
> a reply to my earlier patch in that thread.

When referring to patches, please, use the complete title and url (e.g. from lore.kernel.org or Patchwork):

[PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing
https://lore.kernel.org/u-boot/20240503010518.263458-1-marex@denx.de/

Currently in Patchwork this patch is assigned to my review queue. I guess it should be reviewed and pulled by Fabio.

Best regards

Heinrich

>
> Changed from v1:
> - added 'symbolic link' option for making keys/certs available in build
> - `node` -> `node(s)`
>
> ---
> doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index ce1de659d8..75089fba4d 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst > etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi > in case CONFIG_IMX_HAB Kconfig symbol is enabled. > > +Per default the HAB keys and certificates need to be located in the build > +directory, this means creating a symbolic link or copying the following files > +from the HAB keys directory flat (e.g. removing the `keys` and `cert` > +subdirectory) into the u-boot build directory for the CST Code Signing Tool to > +locate them: > + > +- `crts/SRK_1_2_3_4_table.bin` > +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` > +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` > +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` > +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` > +- `keys/key_pass.txt` > + > +The paths to the SRK table and the certificates can be modified via changes to > +the nxp_imx8mcst device tree node(s), however the other files are required by > +the CST tools as well, and will be searched for in relation to them. > + > Build of flash.bin target then produces a signed flash.bin automatically. > > 1.4 Closing the device
On Thu, May 16, 2024 at 5:36 AM Claudius Heine <ch@denx.de> wrote:
>
> For CST to find the certificates and keys for signing, some keys and
> certs need to be copied into the u-boot build directory.
>
> Signed-off-by: Claudius Heine <ch@denx.de>

Applied, thanks.
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index ce1de659d8..75089fba4d 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them: + +- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt` + +The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them. + Build of flash.bin target then produces a signed flash.bin automatically. 1.4 Closing the device
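Review bot: The parenthetical in the first added paragraph names the `keys` and `cert` subdirectories, but the list directly below it uses `crts/` for the SRK table and every certificate, so it should read "the `keys` and `crts` subdirectories" to match. The same sentence is a comma splice ("... located in the build directory, this means ..."); ending the sentence after "build directory" would read better. In the closing paragraph, "will be searched for in relation to them" does not say what "them" refers to; if the key files and `key_pass.txt` are looked up relative to the configured SRK table and certificate paths, say so explicitly. Because the list includes the private keys and `keys/key_pass.txt`, a sentence recommending the symbolic link over copying would help keep signing secrets from being left behind in the build directory.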
For CST to find the certificates and keys for signing, some keys and
certs need to be copied into the u-boot build directory.

Signed-off-by: Claudius Heine <ch@denx.de>
---
Hi,

this patch documents some changes of the
'<20240503010518.263458-1-marex@denx.de>' patchset. So am posting it as
a reply to my earlier patch in that thread.

Changed from v1:
- added 'symbolic link' option for making keys/certs available in build
- `node` -> `node(s)`

---
 doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)