From bc6beae7c55f3adc1fc520ff8c3f4ec986f7c2ef Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 12:48:23 +0200 Subject: [PATCH 01/10] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section. Reviewed-by: Tim Harvey Signed-off-by: Marek Vasut --- .gitignore | 2 + Makefile | 2 +- tools/binman/btool/cst.py | 48 +++++++++ tools/binman/etype/nxp_imx8mcst.py | 164 +++++++++++++++++++++++++++++ 4 files changed, 215 insertions(+), 1 deletion(-) create mode 100644 tools/binman/btool/cst.py create mode 100644 tools/binman/etype/nxp_imx8mcst.py diff --git a/.gitignore b/.gitignore index 37f71c275c3..502a7e6ec70 100644 --- a/.gitignore +++ b/.gitignore @@ -73,6 +73,8 @@ fit-dtb.blob* /capsule.*.efi-capsule /capsule*.map /keep-syms-lto.* +/*imx8mimage* +/*imx8mcst* # # Generated include files diff --git a/Makefile b/Makefile index e3a0eaff942..c014b0d4b91 100644 --- a/Makefile +++ b/Makefile @@ -2213,7 +2213,7 @@ MRPROPER_DIRS += include/config include/generated spl tpl vpl \ # Remove include/asm symlink created by U-Boot before v2014.01 MRPROPER_FILES += .config .config.old include/autoconf.mk* include/config.h \ ctags etags tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ - drivers/video/fonts/*.S include/asm + drivers/video/fonts/*.S include/asm *imx8mimage* *imx8mcst* # clean - Delete most, but leave enough to build external modules # 
diff --git a/tools/binman/btool/cst.py b/tools/binman/btool/cst.py
new file mode 100644
index 00000000000..30e78bdbbd9
--- /dev/null
+++ b/tools/binman/btool/cst.py
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2024 Marek Vasut
+#
+"""Bintool implementation for cst"""
+
+import re
+
+from binman import bintool
+
+class Bintoolcst(bintool.Bintool):
+ """Image generation for U-Boot
+
+ This bintool supports running `cst` with some basic parameters as
+ needed by binman.
+ """
+ def __init__(self, name):
+ super().__init__(name, 'Sign NXP i.MX image')
+
+ # pylint: disable=R0913
+ def run(self, output_fname=None):
+ """Run cst
+
+ Args:
+ output_fname: Output filename to write to
+ """
+ args = []
+ if output_fname:
+ args += ['-o', output_fname]
+ return self.run_cmd(*args)
+
+ def fetch(self, method):
+ """Fetch handler for cst
+
+ This installs cst using the apt utility.
+
+ Args:
+ method (FETCH_...): Method to use
+
+ Returns:
+ True if the file was fetched and now installed, None if a method
+ other than FETCH_BIN was requested
+
+ Raises:
+ Valuerror: Fetching could not be completed
+ """
+ if method != bintool.FETCH_BIN:
+ return None
+ return self.apt_install('imx-code-signing-tool')
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
new file mode 100644
index 00000000000..8221517b0c4
--- /dev/null
+++ b/tools/binman/etype/nxp_imx8mcst.py
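Review bot: In tools/binman/btool/cst.py the class docstring `"""Image generation for U-Boot` looks carried over from another bintool and does not say that this wrapper runs the NXP code signing tool; something like `"""Bintool for cst, the NXP i.MX code signing tool` would match the description passed to `super().__init__()`. `import re` is not used anywhere in the hunk, the `# pylint: disable=R0913` above `run()` is unnecessary for a method with a single parameter, and `Valuerror` in the `fetch()` docstring should read `ValueError`. `run()` forwards only `-o`, so a caller cannot hand it the CSF input file; the etype presumably calls `run_cmd()` directly, which cannot be confirmed from this hunk.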
@@ -0,0 +1,164 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2023-2024 Marek Vasut +# Written with much help from Simon Glass +# +# Entry-type module for generating the i.MX8M code signing tool +# input configuration file and invocation of cst on generated +# input configuration file and input data to be signed. +# + +import configparser +import os +import struct + +from collections import OrderedDict + +from binman.entry import Entry +from binman.etype.mkimage import Entry_mkimage +from binman.etype.section import Entry_section +from binman import elf +from dtoc import fdt_util +from u_boot_pylib import tools + +MAGIC_NXP_IMX_IVT = 0x412000d1 +MAGIC_FITIMAGE = 0xedfe0dd0 + +csf_config_template = """ +[Header] + Version = 4.3 + Hash Algorithm = sha256 + Engine = CAAM + Engine Configuration = 0 + Certificate Format = X509 + Signature Format = CMS + +[Install SRK] + File = "SRK_1_2_3_4_table.bin" + Source index = 0 + +[Install CSFK] + File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate CSF] + +[Unlock] + Engine = CAAM + Features = MID + +[Install Key] + Verification index = 0 + Target Index = 2 + File = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate Data] + Verification index = 2 + Blocks = 0x1234 0x78 0xabcd "data.bin" +""" + +class Entry_nxp_imx8mcst(Entry_mkimage): + """NXP i.MX8M CST .cfg file generator and cst invoker + + Properties / Entry arguments: + - nxp,loader-address - loader address (SPL text base) + """ + + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.required_props = ['nxp,loader-address'] + + def ReadNode(self): + super().ReadNode() + self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') + self.srk_table = os.getenv('SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')) + self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem')) + self.img_crt = 
os.getenv('IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem')) + self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') + self.ReadEntries() + + def BuildSectionData(self, required): + data, input_fname, uniq = self.collect_contents_to_file( + self._entries.values(), 'input') + + # Parse the input data and figure out what it is that is being signed. + # - If it is mkimage'd imx8mimage, then extract to be signed data size + # from imx8mimage header, and calculate CSF blob offset right past + # the SPL from this information. + # - If it is fitImage, then pad the image to 4k, add generated IVT and + # sign the whole payload, then append CSF blob at the end right past + # the IVT. + signtype = struct.unpack(' Date: Tue, 21 May 2024 12:48:24 +0200 Subject: [PATCH 02/10] ARM: dts: imx: Introduce SPL and FIT labels to i.MX8M DTs binman nodes Add binman_imx_spl and binman_imx_fit labels to nxp-imx8mimage {} and fit {} nodes respectively, so they can be referened in board DTs no matter how deep in the top level binman image description they are. Update current board DTs to use those labels. Reviewed-by: Tim Harvey Signed-off-by: Marek Vasut --- arch/arm/dts/imx8mm-u-boot.dtsi | 4 +- .../dts/imx8mm-verdin-wifi-dev-u-boot.dtsi | 8 +- arch/arm/dts/imx8mn-u-boot.dtsi | 4 +- arch/arm/dts/imx8mp-dhcom-u-boot.dtsi | 120 +++++++++--------- arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi | 24 ++-- arch/arm/dts/imx8mp-u-boot.dtsi | 4 +- arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi | 10 +- arch/arm/dts/imx8mq-u-boot.dtsi | 4 +- 8 files changed, 81 insertions(+), 97 deletions(-) diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index 6ab8f66256e..b9b1193823a 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi @@ -54,7 +54,7 @@ }; #endif - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; 
@@ -98,7 +98,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi index 90183aff8bc..183de46f66a 100644 --- a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi @@ -35,12 +35,8 @@ bootph-pre-ram; }; -&binman { - section { - fit { - offset = <0x5fc00>; - }; - }; +&binman_imx_fit { + offset = <0x5fc00>; }; &gpio1 { diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index ba9967dbe4a..c9fb33cfb73 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi @@ -103,7 +103,7 @@ }; #endif - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -169,7 +169,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi index cb37e28f28f..c065fb82994 100644 --- a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi 
@@ -135,73 +135,69 @@ bootph-pre-ram; }; -&binman { - section { - fit { - images { - fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { - description = "imx8mp-dhcom-som-overlay-eth1xfast"; - type = "flat_dt"; - compression = "none"; +&binman_imx_fit { + images { + fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { + description = "imx8mp-dhcom-som-overlay-eth1xfast"; + type = "flat_dt"; + compression = "none"; - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { - description = "imx8mp-dhcom-som-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { - description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-rev100 { - description = "imx8mp-dhcom-som-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { - description = "imx8mp-dhcom-pdk3-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; - }; - }; + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; }; + }; - configurations { - default = "@config-DEFAULT-SEQ"; + fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { + description = "imx8mp-dhcom-som-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; - @config-SEQ { - fdt = "fdt-1", - "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-rev100", - "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; - }; + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; + 
}; + }; + + fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { + description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-som-overlay-rev100 { + description = "imx8mp-dhcom-som-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { + description = "imx8mp-dhcom-pdk3-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; }; }; }; + + configurations { + default = "@config-DEFAULT-SEQ"; + + @config-SEQ { + fdt = "fdt-1", + "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-rev100", + "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; + }; + }; }; diff --git a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi index aff5dcf615d..21eff6d6ad4 100644 --- a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi @@ -135,21 +135,17 @@ assigned-clock-parents = <&clk IMX8MP_SYS_PLL1_400M>; }; -&binman { - section { - fit { - images { - fip { - description = "Trusted Firmware FIP"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x40310000>; +&binman_imx_fit { + images { + fip { + description = "Trusted Firmware FIP"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x40310000>; - fip_blob: blob-ext{ - filename = "fip.bin"; - }; - }; + fip_blob: blob-ext{ + filename = "fip.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index c4c1a177102..8b5ac3faf1c 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi 
@@ -86,7 +86,7 @@ section { pad-byte = <0x00>; - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -129,7 +129,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi index 1a4568dac65..98da015a444 100644 --- a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi @@ -10,14 +10,10 @@ bootph-pre-ram; }; -&binman { +&binman_imx_spl { section { - nxp-imx8mimage { - section { - signed-hdmi-imx8m { - filename = "signed_dp_imx8m.bin"; - }; - }; + signed-hdmi-imx8m { + filename = "signed_dp_imx8m.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 48dbe94f0c4..72da674d245 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi @@ -38,7 +38,7 @@ section { pad-byte = <0x00>; - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; @@ -87,7 +87,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; From d415a48b405ea218da37f1a9e9d02151a07862be Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 12:48:25 +0200 Subject: [PATCH 03/10] ARM: dts: imx: Wrap i.MX8M binman SPL and FIT nodes in CST node if IMX_HAB enabled In case CONFIG_IMX_HAB is enabled, extend the binman image description for all of i.MX8M{Q,M,N,P} with CST wrapper node. This way, if CONFIG_IMX_HAB is enabled, binman will be automatically used to sign SPL and fitImage. Reviewed-by: Tim Harvey 
Signed-off-by: Marek Vasut --- arch/arm/dts/imx8mm-u-boot.dtsi | 211 +++++++++++++++------------- arch/arm/dts/imx8mn-u-boot.dtsi | 239 ++++++++++++++++++-------------- arch/arm/dts/imx8mp-u-boot.dtsi | 190 +++++++++++++------------ arch/arm/dts/imx8mq-u-boot.dtsi | 184 +++++++++++++----------- 4 files changed, 457 insertions(+), 367 deletions(-) diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index b9b1193823a..c02e11def5f 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi 
@@ -54,126 +54,151 @@ }; #endif - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; + + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + 
filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x58C00>; #else offset = <0x57c00>; #endif - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; - - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; - }; - }; - -#ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x920000>; - load = <0x920000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; - }; - }; + args; /* Needed by mkimage etype superclass */ #endif - binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x58C00>; +#else + offset = <0x57c00>; +#endif + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = ; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; + }; + +#ifndef CONFIG_ARMV8_PSCI + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x920000>; + load = <0x920000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; + }; +#endif + + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + }; + + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt"; + + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; + }; }; - @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + configurations { + 
default = "@config-DEFAULT-SEQ"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; +#ifndef CONFIG_ARMV8_PSCI + loadables = "atf"; +#endif }; }; }; - - configurations { - default = "@config-DEFAULT-SEQ"; - - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; -#ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; -#endif - }; - }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index c9fb33cfb73..732191f5205 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi 
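Review bot: In arch/arm/dts/imx8mm-u-boot.dtsi the FIT `offset` is now stated twice when CONFIG_IMX_HAB is set, once on the new `nxp-imx8mcst@1` wrapper and once on the inner `binman_imx_fit: fit` node, and only the inner node carries a label. Board files that move the FIT through `&binman_imx_fit`, as imx8mm-verdin-wifi-dev-u-boot.dtsi does with `offset = <0x5fc00>;` earlier in this series, would leave the signed wrapper at `0x57c00`/`0x58C00`, so the signed and unsigned layouts can diverge; whether binman uses the inner offset at all inside the wrapper is not visible here. A label on the wrapper (for example `binman_imx_fit_signed:`), or a comment beside the wrapper's `offset` stating that it must track board overrides, would make the dependency explicit. The same duplication appears in the imx8mn and imx8mp sections, and in imx8mq the wrapper gets `offset = <0x58000>;` while the inner fit node has no offset at all, so the FIT placement there appears to depend on whether HAB is enabled.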
@@ -103,147 +103,172 @@ }; #endif - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ - - section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; - - ddr-1d-imem-fw { -#ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_imem.bin"; -#elif CONFIG_IMX8M_DDR4 - filename = "ddr4_imem_1d_201810.bin"; -#else - filename = "ddr3_imem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; - ddr-1d-dmem-fw { + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ + + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; + + ddr-1d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_dmem.bin"; + filename = "lpddr4_pmu_train_1d_imem.bin"; #elif CONFIG_IMX8M_DDR4 - filename = "ddr4_dmem_1d_201810.bin"; + filename = "ddr4_imem_1d_201810.bin"; #else - filename = "ddr3_dmem_1d.bin"; + filename = "ddr3_imem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; + + ddr-1d-dmem-fw { +#ifdef CONFIG_IMX8M_LPDDR4 + filename = "lpddr4_pmu_train_1d_dmem.bin"; +#elif CONFIG_IMX8M_DDR4 + filename = "ddr4_dmem_1d_201810.bin"; +#else + filename = "ddr3_dmem_1d.bin"; +#endif + type = "blob-ext"; + align-end = <4>; + }; #if defined(CONFIG_IMX8M_LPDDR4) || defined(CONFIG_IMX8M_DDR4) - ddr-2d-imem-fw { + ddr-2d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_imem.bin"; + filename = 
"lpddr4_pmu_train_2d_imem.bin"; #else - filename = "ddr4_imem_2d_201810.bin"; + filename = "ddr4_imem_2d_201810.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-dmem-fw { + ddr-2d-dmem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_dmem.bin"; + filename = "lpddr4_pmu_train_2d_dmem.bin"; #else - filename = "ddr4_dmem_2d_201810.bin"; + filename = "ddr4_dmem_2d_201810.bin"; +#endif + type = "blob-ext"; + align-end = <4>; + }; #endif - type = "blob-ext"; - align-end = <4>; }; -#endif }; + +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x59000>; #else offset = <0x58000>; #endif - - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; - - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; - }; - }; - -#ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x960000>; - load = <0x960000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; - }; - }; + args; /* Needed by mkimage etype superclass */ #endif - binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x59000>; +#else + offset = <0x58000>; +#endif + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = 
"U-Boot (64-bit)"; + load = ; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; + }; + +#ifndef CONFIG_ARMV8_PSCI + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x960000>; + load = <0x960000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; + }; +#endif + + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + }; + + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt"; + + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; + }; }; - @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + configurations { + default = "@config-DEFAULT-SEQ"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; +#ifndef CONFIG_ARMV8_PSCI + loadables = "atf"; +#endif }; }; }; - - configurations { - default = "@config-DEFAULT-SEQ"; - - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; -#ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; -#endif - }; - }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index 8b5ac3faf1c..f2655a4d0c8 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi 
@@ -86,110 +86,130 @@ section { pad-byte = <0x00>; - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ - u-boot-spl { - align-end = <4>; - }; + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + u-boot-spl { + align-end = <4>; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; + + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + 
nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; offset = <0x58000>; - - images { - uboot { - description = "U-Boot (64-bit)"; - type = "standalone"; - arch = "arm64"; - compression = "none"; - load = ; - - uboot_blob: blob-ext { - filename = "u-boot-nodtb.bin"; - }; - }; - -#ifndef CONFIG_ARMV8_PSCI - atf { - description = "ARM Trusted Firmware"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x970000>; - entry = <0x970000>; - - atf_blob: atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; - }; - }; + args; /* Needed by mkimage etype superclass */ #endif - @fdt-SEQ { - description = "NAME"; - type = "flat_dt"; - compression = "none"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; + offset = <0x58000>; - blob-ext { - filename = "u-boot.dtb"; + images { + uboot { + description = "U-Boot (64-bit)"; + type = "standalone"; + arch = "arm64"; + compression = "none"; + load = ; + + uboot_blob: blob-ext { + filename = "u-boot-nodtb.bin"; + }; + }; + +#ifndef CONFIG_ARMV8_PSCI + atf { + description = "ARM Trusted Firmware"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x970000>; + entry = <0x970000>; + + atf_blob: atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; + }; +#endif + + @fdt-SEQ { + description = "NAME"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "u-boot.dtb"; + }; + }; + }; + + configurations { + default = "@config-DEFAULT-SEQ"; + + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; +#ifndef CONFIG_ARMV8_PSCI + loadables = "atf"; +#endif }; }; }; - - configurations { - default = "@config-DEFAULT-SEQ"; - - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; -#ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; -#endif - }; - }; +#ifdef 
CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 72da674d245..e1cd6f8996d 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi 
@@ -38,116 +38,136 @@ section { pad-byte = <0x00>; - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - signed-hdmi-imx8m { - filename = "signed_hdmi_imx8m.bin"; - type = "blob-ext"; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; + + signed-hdmi-imx8m { + filename = "signed_hdmi_imx8m.bin"; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - 
description = "Configuration to load ATF before U-Boot"; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; + offset = <0x58000>; + args; /* Needed by mkimage etype superclass */ +#endif + + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB - fit,external-offset = ; + fit,external-offset = ; #endif - #address-cells = <1>; + #address-cells = <1>; - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = ; + type = "standalone"; - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - }; #ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x910000>; - load = <0x910000>; - type = "firmware"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x910000>; + load = <0x910000>; + type = "firmware"; - atf-blob { - filename = "bl31.bin"; - type = "blob-ext"; + atf-blob { + filename = "bl31.bin"; + type = "blob-ext"; + }; }; - }; #endif - fdt { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + fdt { + compression = "none"; + description = "NAME"; + type = "flat_dt"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; + }; + }; + + configurations { + default = "conf"; + + conf { + description = "NAME"; + fdt = "fdt"; + firmware = "uboot"; +#ifndef CONFIG_ARMV8_PSCI + loadables = "atf"; +#endif }; }; }; - - configurations { - default = "conf"; - - conf { - description = "NAME"; - fdt = "fdt"; - firmware = "uboot"; -#ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; -#endif - }; - }; +#ifdef 
CONFIG_IMX_HAB }; +#endif }; }; From 52dc74feab49f5f0641b9662a06fe98a66a5c437 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 12:48:26 +0200 Subject: [PATCH 04/10] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing Update documentation and use nxp_imx8mcst binman etype for signing of flash.bin instead of previous horrible shell scripting. Reviewed-by: Tim Harvey Signed-off-by: Marek Vasut --- doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ---------------- doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ----- doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ------ doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 104 +++++------------- 4 files changed, 29 insertions(+), 230 deletions(-) delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh deleted file mode 100644 index cd3b2614a2f..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/sh - -# 0) Generate keys -# -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus) -# -# cd /path/to/cst-3.3.1/keys/ -# ./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y -# cd /path/to/cst-3.3.1/crts/ -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1 - -# 1) Build U-Boot (e.g. for i.MX8MM) -# -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin . -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* . -# make -j imx8mm_board_defconfig -# make -j`nproc` flash.bin - -# 2) Sign SPL and DRAM blobs - -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp - -# update File Paths from env vars -if ! [ -r $CSF_KEY ]; then - echo "Error: \$CSF_KEY not found" - exit 1 -fi -if ! [ -r $IMG_KEY ]; then - echo "Error: \$IMG_KEY not found" - exit 1 -fi -if ! 
[ -r $SRK_TABLE ]; then - echo "Error: \$SRK_TABLE not found" - exit 1 -fi -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp - -# update SPL Blocks -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp - -# Generate CSF blob -cst -i csf_spl.tmp -o csf_spl.bin - -# Patch CSF blob into flash.bin -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc - -# 3) Sign u-boot.itb - -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp - -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 
0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc - -# Generate CSF blob -cst -i csf_fit.tmp -o csf_fit.bin - -# When loading flash.bin via USB, we must ensure that the file being -# served is as large as the target expects (see -# board_spl_fit_size_align()), otherwise the target will hang in -# rom_api_download_image() waiting for the remaining bytes. -# -# Note that in order for dd to actually extend the file, one must not -# pass conv=notrunc here. With a non-zero seek= argument, dd is -# documented to preserve the contents of the file seeked past; in -# particular, dd does not open the file with O_TRUNC. -CSF_SIZE=$(sed -n "/CONFIG_CSF_SIZE=/ s@.*=@@p" .config) -dd if=/dev/null of=csf_fit.bin bs=1 seek=$((CSF_SIZE - 0x20)) count=0 - -# Patch CSF blob into flash.bin -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt deleted file mode 100644 index 97f3eea573b..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ /dev/null @@ -1,30 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: - # Line 1 -- fitImage - Blocks = CONFIG_SPL_LOAD_FIT_ADDRESS 0x57c00 0xffff "flash.bin" 
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt deleted file mode 100644 index 88fa420a5fa..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt +++ /dev/null @@ -1,33 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Unlock] - Engine = CAAM - Features = MID - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: Adjust start (first column) and size (third column) here - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..257ffb45656 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration: - Defconfig: CONFIG_IMX_HAB=y + CONFIG_FSL_CAAM=y + CONFIG_ARCH_MISC_INIT=y + CONFIG_SPL_CRYPTO=y - Kconfig: 
@@ -131,91 +134,42 @@ build configuration: The CSF contains all the commands that the HAB executes during the secure boot. These commands instruct the HAB code on which memory areas of the image -to authenticate, which keys to install, use and etc. +to authenticate, which keys to install, use and etc. The CSF is generated +using the CST Code Signing Tool based on input configuration file. This tool +input configuration file is generated using binman, and the tool is invoked +from binman as well. -CSF examples are available under doc/imx/habv4/csf_examples/ directory. +The SPL and fitImage sections of the generated image are signed separately. +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst +etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi +in case CONFIG_IMX_HAB Kconfig symbol is enabled. -CSF "Blocks" line for csf_spl.txt can be generated as follows: +Build of flash.bin target then produces a signed flash.bin automatically. -``` -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.txt -``` +The nxp-imx8mcst etype is configurable using either DT properties or environment +variables. The following DT properties and environment variables are supported. +Note that environment variables override DT properties. 
-The resulting line looks as follows: -``` - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" -``` ++--------------------+-----------+------------------------------------------------------------------+ +| DT property | Variable | Description | ++====================+===========+==================================================================+ +| nxp,loader-address | | SPL base address | ++--------------------+-----------+------------------------------------------------------------------+ +| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin | ++--------------------+-----------+------------------------------------------------------------------+ +| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem | ++--------------------+-----------+------------------------------------------------------------------+ +| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem | ++--------------------+-----------+------------------------------------------------------------------+ -The columns mean: - - CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM - - 0x0 -- Start address of signed data, in "flash.bin" - - 0x306f0 -- Length of signed data, in "flash.bin" - - Filename -- "flash.bin" - -To generate signature for the SPL part of flash.bin container, use CST: -``` -cst -i csf_spl.tmp -o csf_spl.bin -``` - -The newly generated CST blob has to be patched into existing flash.bin -container. Conveniently, flash.bin IVT contains physical address of the -CSF blob. 
Remember, the SPL part of flash.bin container is loaded by the -BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in -the fitImage can be calculated and inserted into the flash.bin in the -correct location as follows: -``` -# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40 -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc -``` - -CSF "Blocks" line for csf_fit.txt can be generated as follows: -``` -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp -``` - -The fitImage part of flash.bin requires separate IVT. 
Generate the IVT and -patch it into the correct aligned location of flash.bin as follows: -``` -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc -``` - -To generate CSF signature for the fitImage part of flash.bin container, use CST: -``` -cst -i csf_fit.tmp -o csf_fit.bin -``` - -Finally, patch the CSF signature into the fitImage right past the IVT: -``` -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc -``` - -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): +Environment variables can be set as follows to point the build process +to external key material: ``` export CST_DIR=/usr/src/cst-3.3.1/ export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH -/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh +make flash.bin ``` 1.4 Closing the device From 198b3ce737fab0f53e4e4e11f80a6634ec068b11 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Mon, 13 May 2024 05:28:06 +0200 Subject: [PATCH 05/10] ARM: imx: Add doc/imx/ to i.MX MAINTAINERS entry Make sure i.MX maintainers are CCed on doc/imx/ patches. 
Signed-off-by: Marek Vasut Reviewed-by: Fabio Estevam --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 6d021763a62..8e7a8ddaddf 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -306,6 +306,7 @@ F: arch/arm/include/asm/mach-imx/ F: board/freescale/*mx*/ F: board/freescale/common/ F: common/spl/spl_imx_container.c +F: doc/imx/ F: drivers/serial/serial_mxc.c F: include/imx_container.h From 146d353b7303a059961fb501eaecc92916577e3d Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 11:39:38 +0200 Subject: [PATCH 06/10] ARM: imx: Increase PHY auto-negotiation timeout to 20s on MX8Menlo The ethernet PHY on MX8Menlo board takes a while to come out of reset, increase the auto-negotiation timeout to prevent it from timing out in case the ethernet is used right after the board was reset. Signed-off-by: Marek Vasut --- include/configs/imx8mm-mx8menlo.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/configs/imx8mm-mx8menlo.h b/include/configs/imx8mm-mx8menlo.h index a86bd76a3c7..5cc60af91e5 100644 --- a/include/configs/imx8mm-mx8menlo.h +++ b/include/configs/imx8mm-mx8menlo.h @@ -8,6 +8,9 @@ #include +/* PHY needs a longer autoneg timeout */ +#define PHY_ANEG_TIMEOUT 20000 + /* Custom initial environment variables */ #undef CFG_EXTRA_ENV_SETTINGS #define CFG_EXTRA_ENV_SETTINGS \ From a1136831cb7c2790ff13a3e5f1c0239715b96467 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 11:40:45 +0200 Subject: [PATCH 07/10] ARM: dts: imx8mm: Update iMX8MM Menlo board configuration Synchronize Toradex Verdin iMX8MM based MX8Menlo board configuration with Toradex Verdin iMX8MM and enable convenience commands like cat, hexdump, xxd. Signed-off-by: Marek Vasut Reviewed-by: Peng Fan --- configs/imx8mm-mx8menlo_defconfig | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) 
diff --git a/configs/imx8mm-mx8menlo_defconfig b/configs/imx8mm-mx8menlo_defconfig index e9b18ac1be7..68b24ce3fb0 100644 --- a/configs/imx8mm-mx8menlo_defconfig +++ b/configs/imx8mm-mx8menlo_defconfig @@ -25,15 +25,19 @@ CONFIG_SPL_BSS_MAX_SIZE=0x2000 CONFIG_SPL=y CONFIG_SYS_BOOTCOUNT_SINGLEWORD=y CONFIG_ENV_OFFSET_REDUND=0xFFFFDE00 +CONFIG_IMX_BOOTAUX=y CONFIG_SYS_LOAD_ADDR=0x40480000 CONFIG_SYS_MEMTEST_START=0x40000000 CONFIG_SYS_MEMTEST_END=0x80000000 CONFIG_FIT=y CONFIG_FIT_EXTERNAL_OFFSET=0x3000 +CONFIG_FIT_VERBOSE=y CONFIG_SPL_LOAD_FIT=y CONFIG_DISTRO_DEFAULTS=y +CONFIG_BOOTDELAY=1 CONFIG_OF_SYSTEM_SETUP=y CONFIG_BOOTCOMMAND="mmc partconf 0 distro_bootpart && load ${devtype} ${devnum}:${distro_bootpart} ${loadaddr} boot/fitImage && source ${loadaddr}:bootscr-boot.cmd ; reset" +CONFIG_USE_PREBOOT=y CONFIG_DEFAULT_FDT_FILE="imx8mm-mx8menlo.dtb" CONFIG_SYS_CBSIZE=2048 CONFIG_SYS_PBSIZE=2081 @@ -57,19 +61,26 @@ CONFIG_SYS_PROMPT="Verdin iMX8MM # " # CONFIG_BOOTM_NETBSD is not set CONFIG_CMD_ASKENV=y # CONFIG_CMD_EXPORTENV is not set -# CONFIG_CMD_CRC32 is not set +CONFIG_CRC32_VERIFY=y +CONFIG_CMD_MD5SUM=y +CONFIG_MD5SUM_VERIFY=y CONFIG_CMD_MEMTEST=y CONFIG_CMD_CLK=y CONFIG_CMD_FUSE=y CONFIG_CMD_GPIO=y CONFIG_CMD_I2C=y CONFIG_CMD_MMC=y +CONFIG_CMD_READ=y CONFIG_CMD_USB=y CONFIG_CMD_USB_SDP=y CONFIG_CMD_USB_MASS_STORAGE=y +CONFIG_CMD_CAT=y +CONFIG_CMD_XXD=y CONFIG_CMD_BOOTCOUNT=y CONFIG_CMD_CACHE=y +CONFIG_CMD_TIME=y CONFIG_CMD_UUID=y +CONFIG_CMD_PMIC=y CONFIG_CMD_REGULATOR=y CONFIG_CMD_BTRFS=y CONFIG_CMD_EXT4_WRITE=y @@ -84,8 +95,9 @@ CONFIG_SYS_RELOC_GD_ENV_ADDR=y CONFIG_SYS_MMC_ENV_PART=1 CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG=y CONFIG_USE_ETHPRIME=y -CONFIG_ETHPRIME="FEC" +CONFIG_ETHPRIME="eth0" CONFIG_VERSION_VARIABLE=y +CONFIG_NET_RANDOM_ETHADDR=y CONFIG_IP_DEFRAG=y CONFIG_TFTP_BLOCKSIZE=4096 CONFIG_SPL_DM=y 
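Review bot: `CONFIG_BOOTDELAY=1` in the first hunk makes autoboot interruptible on a board whose prompt already has `CONFIG_CMD_FUSE=y`, and the second hunk adds raw read and dump commands (`CONFIG_CMD_READ=y`, `CONFIG_CMD_CAT=y`, `CONFIG_CMD_XXD=y`). That is reasonable for development, but this series also wires HAB signing into the i.MX8M images, and a console that can be stopped and used to inspect storage or program fuses is outside what the signature protects. If this defconfig is also used for closed devices, the production configuration should not offer the abort window, for example `CONFIG_BOOTDELAY=-2`. If it is development-only, a sentence in the commit message saying so would settle the question.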
@@ -96,16 +108,26 @@ CONFIG_CLK_COMPOSITE_CCF=y CONFIG_SPL_CLK_IMX8MM=y CONFIG_CLK_IMX8MM=y CONFIG_GPIO_HOG=y +CONFIG_SPL_GPIO_HOG=y CONFIG_MXC_GPIO=y CONFIG_DM_I2C=y CONFIG_MISC=y CONFIG_I2C_EEPROM=y CONFIG_SUPPORT_EMMC_BOOT=y +CONFIG_MMC_IO_VOLTAGE=y +CONFIG_SPL_MMC_IO_VOLTAGE=y +CONFIG_MMC_UHS_SUPPORT=y +CONFIG_SPL_MMC_UHS_SUPPORT=y +CONFIG_MMC_HS400_ES_SUPPORT=y +CONFIG_MMC_HS400_SUPPORT=y +CONFIG_SPL_MMC_HS400_SUPPORT=y CONFIG_FSL_USDHC=y CONFIG_PHYLIB=y CONFIG_PHY_ADDR_ENABLE=y CONFIG_PHY_MICREL=y CONFIG_PHY_MICREL_KSZ90X1=y +CONFIG_PHY_FIXED=y +CONFIG_DM_MDIO=y CONFIG_FEC_MXC=y CONFIG_MII=y CONFIG_SPL_PHY=y @@ -128,6 +150,7 @@ CONFIG_SPL_SYSRESET=y CONFIG_SYSRESET_PSCI=y CONFIG_SYSRESET_WATCHDOG=y CONFIG_DM_THERMAL=y +CONFIG_IMX_TMU=y CONFIG_USB=y CONFIG_SPL_USB_HOST=y CONFIG_USB_EHCI_HCD=y @@ -143,3 +166,4 @@ CONFIG_SDP_LOADADDR=0x40400000 CONFIG_USB_GADGET_DOWNLOAD=y CONFIG_SPL_USB_SDP_SUPPORT=y CONFIG_IMX_WATCHDOG=y +CONFIG_HEXDUMP=y From 4095df4634b4791d83cf86ad94e43b83057830f4 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Tue, 21 May 2024 11:42:06 +0200 Subject: [PATCH 08/10] ARM: imx: mx5: Enable BMODE command on MX53 Menlo board The board can do primary/secondary boot switching, enable the bmode command. Signed-off-by: Marek Vasut Reviewed-by: Peng Fan --- configs/m53menlo_defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/m53menlo_defconfig b/configs/m53menlo_defconfig index 0ebda79f65c..67805b14fa0 100644 --- a/configs/m53menlo_defconfig +++ b/configs/m53menlo_defconfig @@ -22,6 +22,7 @@ CONFIG_SPL=y CONFIG_SYS_BOOTCOUNT_SINGLEWORD=y CONFIG_ENV_OFFSET_REDUND=0x180000 CONFIG_SYS_LOAD_ADDR=0x70800000 +CONFIG_CMD_BMODE=y CONFIG_FIT=y CONFIG_BOOTDELAY=1 CONFIG_OF_BOARD_SETUP=y From 5838b3f751bd28319f8c016f7537a88842e548a6 Mon Sep 17 00:00:00 2001 
From: Olaf Mandel Date: Tue, 21 May 2024 12:49:38 +0200 Subject: [PATCH 09/10] ARM: imx: mx5: Simplify TFTP server layout on MX53 Menlo board By removing the "boot" directory in the "m53menlo/boot/fitImage" path, we simplify the TFTP server directory layout a bit. This also requires a change to the mmcload command as it (mis-)uses the same variable as the TFTP boot. Signed-off-by: Olaf Mandel Signed-off-by: Marek Vasut --- configs/m53menlo_defconfig | 2 +- include/configs/m53menlo.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/m53menlo_defconfig b/configs/m53menlo_defconfig index 67805b14fa0..db3a5b9f206 100644 --- a/configs/m53menlo_defconfig +++ b/configs/m53menlo_defconfig @@ -72,7 +72,7 @@ CONFIG_ENV_RANGE=0x80000 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y CONFIG_SYS_RELOC_GD_ENV_ADDR=y CONFIG_USE_BOOTFILE=y -CONFIG_BOOTFILE="boot/fitImage" +CONFIG_BOOTFILE="fitImage" CONFIG_USE_ETHPRIME=y CONFIG_ETHPRIME="FEC0" CONFIG_USE_HOSTNAME=y diff --git a/include/configs/m53menlo.h b/include/configs/m53menlo.h index 1ecbba1b58f..9cf46b2c362 100644 --- a/include/configs/m53menlo.h +++ b/include/configs/m53menlo.h @@ -119,7 +119,7 @@ "addargs=run addcons addmisc addmtd\0" \ "mmcload=" \ "mmc rescan || reset ; load mmc ${mmcdev}:${mmcpart} " \ - "${kernel_addr_r} ${bootfile} || reset\0" \ + "${kernel_addr_r} boot/${bootfile} || reset\0" \ "miscargs=nohlt panic=1\0" \ "mmcargs=setenv bootargs root=/dev/mmcblk0p${mmcpart} rw " \ "rootwait\0" \ From 7457dc6f183303aaf2d58fff0a622e6791aba33c Mon Sep 17 00:00:00 2001 From: Claudius Heine Date: Thu, 16 May 2024 10:36:14 +0200 Subject: [PATCH 10/10] imx: hab: add documentation about the required keys/certs For CST to find the certificates and keys for signing, some keys and certs need to be copied into the u-boot build directory. Signed-off-by: Claudius Heine --- doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
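Review bot: The new `mmcload` line prepends `boot/` to `${bootfile}` while the default in configs/m53menlo_defconfig changes to `fitImage`, so a board that still holds a saved environment with `bootfile=boot/fitImage` would request `boot/boot/fitImage`, and the `|| reset` on that line turns the failed load into a reset loop. The commit message itself notes that mmcload (mis-)uses the TFTP variable. Giving the MMC path its own variable would decouple the two, e.g. `"mmcfile=boot/fitImage\0" \` together with `"${kernel_addr_r} ${mmcfile} || reset\0" \`. The environment macro this line belongs to starts and ends outside the hunk.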
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index 257ffb45656..1bea091344d 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi in case CONFIG_IMX_HAB Kconfig symbol is enabled. +Per default the HAB keys and certificates need to be located in the build +directory, this means creating a symbolic link or copying the following files +from the HAB keys directory flat (e.g. removing the `keys` and `cert` +subdirectory) into the u-boot build directory for the CST Code Signing Tool to +locate them: + +- `crts/SRK_1_2_3_4_table.bin` +- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem` +- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem` +- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem` +- `keys/key_pass.txt` + +The paths to the SRK table and the certificates can be modified via changes to +the nxp_imx8mcst device tree node(s), however the other files are required by +the CST tools as well, and will be searched for in relation to them. + Build of flash.bin target then produces a signed flash.bin automatically. The nxp-imx8mcst etype is configurable using either DT properties or environment