authorTim Harvey <tharvey@gateworks.com>2023-06-15 08:21:08 -0700
committerStefano Babic <sbabic@denx.de>2023-07-13 11:29:40 +0200
commitff1dd520243320259b654065821b0f5cdea9f551 (patch)
treef746b3c59bd3abfab11ce8c7a5f9f5d9792148f7 /doc
parent77b5ad0ea3d132412f21daaa997b6249266ff71c (diff)
mx8m: csf.sh: use vars for keys to avoid file edits when signing
The csf_spl.txt and csf_fit.txt templates contain file paths which must be edited for the location of your NXP CST generated key files. Streamline the process of signing an image by assigning unique var names to these which can be expanded from env variables in the csf.sh script. The following vars are used: SRK_TABLE - full path to SRK_1_2_3_4_table.bin CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem Additionally provide an example of running the csf.sh script. Signed-off-by: Tim Harvey <tharvey@gateworks.com> Reviewed-by: Fabio Estevam <festevam@denx.de> Reviewed-by: Peng Fan <peng.fan@nxp.com>
Diffstat (limited to 'doc')
-rw-r--r--doc/imx/habv4/csf_examples/mx8m/csf.sh21
-rw-r--r--doc/imx/habv4/csf_examples/mx8m/csf_fit.txt12
-rw-r--r--doc/imx/habv4/csf_examples/mx8m/csf_spl.txt12
-rw-r--r--doc/imx/habv4/guides/mx8m_spl_secure_boot.txt10
4 files changed, 43 insertions, 12 deletions
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
index 5b383fa..d87015f 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
+++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
@@ -22,6 +22,27 @@
cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
+# update File Paths from env vars
+if ! [ -r $CSF_KEY ]; then
+ echo "Error: \$CSF_KEY not found"
+ exit 1
+fi
+if ! [ -r $IMG_KEY ]; then
+ echo "Error: \$IMG_KEY not found"
+ exit 1
+fi
+if ! [ -r $SRK_TABLE ]; then
+ echo "Error: \$SRK_TABLE not found"
+ exit 1
+fi
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
+
+# update SPL Blocks
spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
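Review bot: The three new guards do not catch an unset or empty variable, because the unquoted `[ -r $CSF_KEY ]` collapses to `[ -r ]`, which only tests that the string `-r` is non-empty and so succeeds. The script then carries on and the `sed` calls write `File = ""` into both CSF files instead of stopping before signing. Quoting the expansion fixes it: `if ! [ -r "$CSF_KEY" ]; then`, and the same for `$IMG_KEY` and `$SRK_TABLE`. It would also help to send the error text to stderr with `>&2`. Separately, the `s:…:…:` substitutions use `:` as the delimiter, so a key path containing `:` or `&` would be mangled. The script's beginning and end are outside this hunk.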
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
index bbb82f6..3d79edf 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
@@ -7,21 +7,21 @@
Signature Format = CMS
[Install SRK]
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+ # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+ File = "$SRK_TABLE"
Source index = 0
[Install CSFK]
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+ # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+ File = "$CSF_KEY"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+ # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+ File = "$IMG_KEY"
[Authenticate Data]
Verification index = 2
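Review bot: The new comments above each `File = "$…"` line say what the variable holds, but not that the value is a placeholder which csf.sh substitutes with `sed`. A reader who passes this template to the signing tool directly would presumably end up with a literal `$SRK_TABLE` as the file name. I would word the comment as `# $SRK_TABLE is replaced by csf.sh with the full path to SRK_1_2_3_4_table.bin`, and likewise for `$CSF_KEY` and `$IMG_KEY`. The same applies to both hunks of csf_spl.txt.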
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
index 00e34f6..88fa420 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
@@ -7,13 +7,13 @@
Signature Format = CMS
[Install SRK]
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+ # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+ File = "$SRK_TABLE"
Source index = 0
[Install CSFK]
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+ # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+ File = "$CSF_KEY"
[Authenticate CSF]
@@ -24,8 +24,8 @@
[Install Key]
Verification index = 0
Target Index = 2
- # FIXME: Adjust path here
- File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+ # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+ File = "$IMG_KEY"
[Authenticate Data]
Verification index = 2
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index e79726b..e16e541 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -207,6 +207,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
```
The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
+and can be used as follows to modify flash.bin to be signed
+(adjust paths as needed):
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+export PATH=$CST_DIR/linux64/bin:$PATH
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+```
1.4 Closing the device
-----------------------