From patchwork Thu May 16 08:36:14 2024
X-Patchwork-Submitter: Claudius Heine
X-Patchwork-Id: 1935845
X-Patchwork-Delegate: festevam@gmail.com
From: Claudius Heine
To: Marek Vasut
Cc: Claudius Heine, Stefano Babic, Fabio Estevam, "NXP i.MX U-Boot Team", Tom Rini, Peng Fan, Tim Harvey, u-boot@lists.denx.de (open list)
Subject: [PATCH v2] imx: hab: add documentation about the required keys/certs
Date: Thu, 16 May 2024 10:36:14 +0200
Message-ID: <20240516083614.510948-1-ch@denx.de>
In-Reply-To: <20240507130650.713801-1-ch@denx.de>
References: <20240507130650.713801-1-ch@denx.de>

For CST to find the certificates and keys for signing, some keys and certs
need to be copied into the u-boot build directory.

Signed-off-by: Claudius Heine
---
Hi,

this patch documents some changes of the '<20240503010518.263458-1-marex@denx.de>' patchset. So I am posting it as a reply to my earlier patch in that thread.

Changed from v1:
- added 'symbolic link' option for making keys/certs available in build
- `node` -> `node(s)`
---
 doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index ce1de659d8..75089fba4d 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them: + +- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt` + +The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them. + Build of flash.bin target then produces a signed flash.bin automatically. 1.4 Closing the device
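Review bot: the parenthetical in the new paragraph tells the reader to remove the `keys` and `cert` subdirectory, but the file list directly below uses `crts/`, so `cert` should read `crts` to match the directory names CST actually uses (and "e.g." can go, since flattening is the instruction rather than an example). "Per default" reads better as "By default", and "will be searched for in relation to them" as "are looked up relative to them". Because the list includes the private keys (`keys/CSF1_1_..._usr_key.pem`, `keys/IMG1_1_..._usr_key.pem`) and `keys/key_pass.txt`, it would help to say explicitly that the build directory then contains private signing material, which favours the symbolic link option over copying and means the build directory must not be archived or shared as-is.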