
[v2] mx8m: csf.sh: use vars for keys to avoid file edits when signing

Message ID 20230615152108.2649868-1-tharvey@gateworks.com
State Accepted
Commit ff1dd520243320259b654065821b0f5cdea9f551
Delegated to: Stefano Babic

Commit Message

Tim Harvey June 15, 2023, 3:21 p.m. UTC
The csf_spl.txt and csf_fit.txt templates contain file paths which must
be edited for the location of your NXP CST generated key files.

Streamline the process of signing an image by assigning unique var names
to these which can be expanded from env variables in the csf.sh script.

The following vars are used:
 SRK_TABLE - full path to SRK_1_2_3_4_table.bin
 CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem

Additionally provide an example of running the csf.sh script.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
---
v2:
 - fix typo: s/SKK_TABLE/SRK_TABLE
 - add Fabio's rb tag
---
 doc/imx/habv4/csf_examples/mx8m/csf.sh        | 21 +++++++++++++++++++
 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt   | 12 +++++------
 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt   | 12 +++++------
 doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 10 +++++++++
 4 files changed, 43 insertions(+), 12 deletions(-)

Comments

Peng Fan (OSS) June 16, 2023, 1:18 a.m. UTC | #1
On 6/15/2023 11:21 PM, Tim Harvey wrote:
> Caution: This is an external email. Please take care when clicking links or opening attachments. When in doubt, report the message using the 'Report this email' button
> 
> 
> The csf_spl.txt and csf_fit.txt templates contain file paths which must
> be edited for the location of your NXP CST generated key files.
> 
> Streamline the process of signing an image by assigning unique var names
> to these which can be expended from env variables in the csf.sh script.
> 
> The following vars are used:
>   SRK_TABLE - full path to SRK_1_2_3_4_table.bin
>   CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
>   IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> 
> Additionally provide an example of running the csf.sh script.
> 
> Signed-off-by: Tim Harvey <tharvey@gateworks.com>
> Reviewed-by: Fabio Estevam <festevam@denx.de>
> ---
> v2:
>   - fix typo: s/SKK_TABLE/SRK_TABLE
>   - add Fabio's rb tag
> ---
>   doc/imx/habv4/csf_examples/mx8m/csf.sh        | 21 +++++++++++++++++++
>   doc/imx/habv4/csf_examples/mx8m/csf_fit.txt   | 12 +++++------
>   doc/imx/habv4/csf_examples/mx8m/csf_spl.txt   | 12 +++++------
>   doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 10 +++++++++
>   4 files changed, 43 insertions(+), 12 deletions(-)
> 
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> index 7a9a05e63392..c4e610adf1c4 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
> @@ -22,6 +22,27 @@
>   cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
>   cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
> 
> +# update File Paths from env vars
> +if ! [ -r $CSF_KEY ]; then
> +       echo "Error: \$CSF_KEY not found"
> +       exit 1
> +fi
> +if ! [ -r $IMG_KEY ]; then
> +       echo "Error: \$IMG_KEY not found"
> +       exit 1
> +fi
> +if ! [ -r $SRK_TABLE ]; then
> +       echo "Error: \$SRK_TABLE not found"
> +       exit 1
> +fi
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
> +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
> +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
> +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
> +
> +# update SPL Blocks
>   spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
>   spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
>   sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> index cd1d4070a5e5..dfcfb777c248 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
> @@ -7,21 +7,21 @@
>     Signature Format = CMS
> 
>   [Install SRK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> +  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> +  File = "$SRK_TABLE"
>     Source index = 0
> 
>   [Install CSFK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$CSF_KEY"
> 
>   [Authenticate CSF]
> 
>   [Install Key]
>     Verification index = 0
>     Target Index = 2
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$IMG_KEY"
> 
>   [Authenticate Data]
>     Verification index = 2
> diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> index 00e34f6b1b95..88fa420a5fa0 100644
> --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> +++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
> @@ -7,13 +7,13 @@
>     Signature Format = CMS
> 
>   [Install SRK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
> +  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
> +  File = "$SRK_TABLE"
>     Source index = 0
> 
>   [Install CSFK]
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$CSF_KEY"
> 
>   [Authenticate CSF]
> 
> @@ -24,8 +24,8 @@
>   [Install Key]
>     Verification index = 0
>     Target Index = 2
> -  # FIXME: Adjust path here
> -  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> +  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +  File = "$IMG_KEY"
> 
>   [Authenticate Data]
>     Verification index = 2
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> index 3e3d38440f94..e789bae55940 100644
> --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
> @@ -251,6 +251,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
>   ```
> 
>   The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
> +and can be used as follows to modify flash.bin to be signed
> +(adjust paths as needed):
> +```
> +export CST_DIR=/usr/src/cst-3.3.1/
> +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
> +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
> +export PATH=$CST_DIR/linux64/bin:$PATH
> +/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
> +```
> 

Reviewed-by: Peng Fan <peng.fan@nxp.com>

It would be better to also add SRK fuse programming to the guide.

Thanks,
Peng.

>   1.4 Closing the device
>   -----------------------
> --
> 2.25.1
>
Stefano Babic July 11, 2023, 7:46 p.m. UTC | #2
> The csf_spl.txt and csf_fit.txt templates contain file paths which must
> be edited for the location of your NXP CST generated key files.
> Streamline the process of signing an image by assigning unique var names
> to these which can be expended from env variables in the csf.sh script.
> The following vars are used:
>  SRK_TABLE - full path to SRK_1_2_3_4_table.bin
>  CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
>  IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem
> Additionally provide an example of running the csf.sh script.
> Signed-off-by: Tim Harvey <tharvey@gateworks.com>
> Reviewed-by: Fabio Estevam <festevam@denx.de>
> Reviewed-by: Peng Fan <peng.fan@nxp.com>
Applied to u-boot-imx, master, thanks !

Best regards,
Stefano Babic

Patch

diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
index 7a9a05e63392..c4e610adf1c4 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
+++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
@@ -22,6 +22,27 @@ 
 cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
 cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
 
+# update File Paths from env vars
+if ! [ -r $CSF_KEY ]; then
+	echo "Error: \$CSF_KEY not found"
+	exit 1
+fi
+if ! [ -r $IMG_KEY ]; then
+	echo "Error: \$IMG_KEY not found"
+	exit 1
+fi
+if ! [ -r $SRK_TABLE ]; then
+	echo "Error: \$SRK_TABLE not found"
+	exit 1
+fi
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
+
+# update SPL Blocks
 spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
 spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
 sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
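Review bot: The three readability checks at the top of the hunk leave the variables unquoted, so when one of them is unset or empty `[ -r ]` becomes a one-argument test that succeeds, the `exit 1` path is never taken, and the `sed` lines that follow silently write an empty `File = ""` into both templates; quoting them as `if ! [ -r "$CSF_KEY" ]; then` (and likewise for IMG_KEY and SRK_TABLE) fixes this and stays valid under the `/bin/sh` the guide uses to run the script. The `sed` substitutions also use `:` as the delimiter and insert the raw path as the replacement, so a key path containing `:`, `&` or `\` corrupts the expression; that deserves a comment such as `# NOTE: key paths must not contain ':', '&' or '\' (sed delimiter/replacement chars)` or a delimiter that cannot appear in a path. The error messages are also written to stdout; `>&2` would keep them out of any captured output. The script continues before and after this hunk.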
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
index cd1d4070a5e5..dfcfb777c248 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
@@ -7,21 +7,21 @@ 
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2
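Review bot: The new comments above each `File =` line describe what the variable holds but not that nothing in this template expands it: `$SRK_TABLE`, `$CSF_KEY` and `$IMG_KEY` are literal text that csf.sh rewrites with `sed`, so the template no longer works if handed to cst directly, which the old FIXME paths at least allowed. I would state that in the comment, e.g. `# placeholder rewritten by csf.sh from the SRK_TABLE env var (full path to SRK_1_2_3_4_table.bin)`, and likewise for CSF_KEY and IMG_KEY. The same applies to both hunks of csf_spl.txt below.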
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
index 00e34f6b1b95..88fa420a5fa0 100644
--- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
@@ -7,13 +7,13 @@ 
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
@@ -24,8 +24,8 @@ 
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index 3e3d38440f94..e789bae55940 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -251,6 +251,16 @@  dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
 ```
 
 The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
+and can be used as follows to modify flash.bin to be signed
+(adjust paths as needed):
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+export PATH=$CST_DIR/linux64/bin:$PATH
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+```
 
 1.4 Closing the device
 -----------------------