On Thu, Apr 25, 2024 at 4:07 PM Marek Vasut <[email protected]> wrote:
>
> Update documentation and use nxp_imx8mcst binman etype for signing
> of flash.bin instead of previous horrible shell scripting.

Hi Marek,

To be completely fair we are just replacing a shell script and template file with a python script (tools/binman/etype/nxp_imx8mcst.py) which also creates the template file. I could care less about shell vs python but do put huge value in the idea of making signing easier and doing so without modification of U-Boot code.

The current implementation requires a couple of things to be enabled in defconfig which can be done with a separate 'out-of-tree' defconfig but this new proposed implementation requires changing a u-boot.dtsi which is a tracked file.

> > Signed-off-by: Marek Vasut <[email protected]> > --- > Cc: "NXP i.MX U-Boot Team" <[email protected]> > Cc: Adam Ford <[email protected]> > Cc: Alper Nebi Yasak <[email protected]> > Cc: Andrejs Cainikovs <[email protected]> > Cc: Angus Ainslie <[email protected]> > Cc: Emanuele Ghidoli <[email protected]> > Cc: Fabio Estevam <[email protected]> > Cc: Francesco Dolcini <[email protected]> > Cc: Marcel Ziswiler <[email protected]> > Cc: Rasmus Villemoes <[email protected]> > Cc: Simon Glass <[email protected]> > Cc: Stefan Eichenberger <[email protected]> > Cc: Stefano Babic <[email protected]> > Cc: Tim Harvey <[email protected]> > Cc: Tom Rini <[email protected]> > Cc: [email protected] > Cc: [email protected] > Cc: [email protected] > --- > doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ------------ > doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ---- > doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ---- > doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 141 +++++++----------- > 4 files changed, 55 insertions(+), 241 deletions(-) > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt > delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt > <snip> > +to authenticate, which keys to install, use and etc. The CSF is generated > +using the CST Code Signing Tool based on input configuration file. This tool > +input configuration file is generated using binman, and the tool is invoked > +from binman as well. > + > +The SPL and fitImage sections of the generated image are signed separately. > +The signing is activated by wrapping SPL and fitImage sections into > nxp-imx8mcst > +etype, by adding the following modification into the binman node: > + Can we avoid having to modify code to sign an image? If we add a Kconfig then you can wrap the following changes with an ifdef. 
I've run into similar issues enabling OPTEE and was able to wrap the entries with ifdefs with the exception of one that requires a unique load address which I guess requires another Kconfig to solve [1]

Best Regards,

Tim

[1] https://patchwork.ozlabs.org/project/uboot/patch/[email protected]/

> +" > + diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi > b/arch/arm/dts/imx8mp-u-boot.dtsi > + index c4c1a177102..ccd44bf9d0b 100644 > + --- a/arch/arm/dts/imx8mp-u-boot.dtsi > + +++ b/arch/arm/dts/imx8mp-u-boot.dtsi > + @@ -86,6 +86,12 @@ > + section { > + pad-byte = <0x00>; > + > + + nxp-imx8mcst@0 { > + + filename = "u-boot-spl-mkimage.signed.bin"; > + + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>; > + + nxp,unlock; > + + args; /* Needed by mkimage etype superclass */ > + + > + nxp-imx8mimage { > + filename = "u-boot-spl-mkimage.bin"; > + nxp,boot-from = "sd"; > + @@ -129,6 +135,14 @@ > + }; > + }; > + > + + }; > + + > + + nxp-imx8mcst@1 { > + + filename = "u-boot-fit.signed.bin"; > + + nxp,loader-address = > <CONFIG_SPL_LOAD_FIT_ADDRESS>; > + + offset = <0x58000>; > + + args; /* Needed by mkimage etype superclass */ > + + > + fit { > + description = "Configuration to load ATF before > U-Boot"; > + #ifndef CONFIG_IMX_HAB > + @@ -191,5 +205,6 @@ > + }; > + }; > + }; > + + }; > + }; > + }; > +" > + > +Build of flash.bin target then produces a signed flash.bin automatically. > > 1.4 Closing the device > ----------------------- > -- > 2.43.0 >
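
Review bot: In the added guide text, the example node nxp-imx8mcst@1 hard-codes "offset = <0x58000>;" and only nxp-imx8mcst@0 sets "nxp,unlock;", but the documentation around the quoted diff explains neither property, nor "nxp,loader-address", so a reader adapting the example to another board cannot tell which values are board-specific and which are required by the etype. A short sentence per property before the quoted diff would cover this. The context line "#ifndef CONFIG_IMX_HAB" inside the fit node shows the dtsi already branches on that symbol, so the guide should also say whether the two wrapper nodes are meant to be gated on it or are strictly a manual edit to the tracked file. Minor wording in the same hunk: "which keys to install, use and etc." reads better as "which keys to install and use, etc.", and "based on input configuration file" is missing an article.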

