Message ID | 20230615152108.2649868-1-tharvey@gateworks.com |
---|---|
State | Accepted |
Commit | ff1dd520243320259b654065821b0f5cdea9f551 |
Delegated to: | Stefano Babic |
Series | [v2] mx8m: csf.sh: use vars for keys to avoid file edits when signing |
On 6/15/2023 11:21 PM, Tim Harvey wrote: > The csf_spl.txt and csf_fit.txt templates contain file paths which must > be edited for the location of your NXP CST generated key files. > > Streamline the process of signing an image by assigning unique var names > to these which can be expanded from env variables in the csf.sh script. > > The following vars are used: > SRK_TABLE - full path to SRK_1_2_3_4_table.bin > CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem > IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem > > Additionally provide an example of running the csf.sh script. > > Signed-off-by: Tim Harvey <tharvey@gateworks.com> > Reviewed-by: Fabio Estevam <festevam@denx.de> > --- > v2: > - fix typo: s/SKK_TABLE/SRK_TABLE > - add Fabio's rb tag > --- > doc/imx/habv4/csf_examples/mx8m/csf.sh | 21 +++++++++++++++++++ > doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 12 +++++------ > doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 12 +++++------ > doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 10 +++++++++ > 4 files changed, 43 insertions(+), 12 deletions(-) > > diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh > index 7a9a05e63392..c4e610adf1c4 100644 > --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh > +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh 
> @@ -22,6 +22,27 @@ > cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp > cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp > > +# update File Paths from env vars > +if ! [ -r $CSF_KEY ]; then > + echo "Error: \$CSF_KEY not found" > + exit 1 > +fi > +if ! [ -r $IMG_KEY ]; then > + echo "Error: \$IMG_KEY not found" > + exit 1 > +fi > +if ! [ -r $SRK_TABLE ]; then > + echo "Error: \$SRK_TABLE not found" > + exit 1 > +fi > +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp > +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp > +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp > +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp > +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp > +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp > + > +# update SPL Blocks > spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) > spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) > sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp > diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt > index cd1d4070a5e5..dfcfb777c248 100644 > --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt > +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt 
> @@ -7,21 +7,21 @@ > Signature Format = CMS > > [Install SRK] > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin" > + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin > + File = "$SRK_TABLE" > Source index = 0 > > [Install CSFK] > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem" > + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem > + File = "$CSF_KEY" > > [Authenticate CSF] > > [Install Key] > Verification index = 0 > Target Index = 2 > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem" > + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem > + File = "$IMG_KEY" > > [Authenticate Data] > Verification index = 2 > diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt > index 00e34f6b1b95..88fa420a5fa0 100644 > --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt > +++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt > @@ -7,13 +7,13 @@ > Signature Format = CMS > > [Install SRK] > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin" > + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin > + File = "$SRK_TABLE" > Source index = 0 > > [Install CSFK] > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem" > + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem > + File = "$CSF_KEY" > > [Authenticate CSF] > > @@ -24,8 +24,8 @@ > [Install Key] > Verification index = 0 > Target Index = 2 > - # FIXME: Adjust path here > - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem" > + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem > + File = "$IMG_KEY" > > [Authenticate Data] > Verification index = 2 
> diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > index 3e3d38440f94..e789bae55940 100644 > --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt > @@ -251,6 +251,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc > ``` > > The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh > +and can be used as follows to modify flash.bin to be signed > +(adjust paths as needed): > +``` > +export CST_DIR=/usr/src/cst-3.3.1/ > +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem > +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem > +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin > +export PATH=$CST_DIR/linux64/bin:$PATH > +/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh > +``` > Reviewed-by: Peng Fan <peng.fan@nxp.com> It would be better to add SRK fuse programming to the guide. Thanks, Peng. > 1.4 Closing the device > ----------------------- > -- > 2.25.1 >
> The csf_spl.txt and csf_fit.txt templates contain file paths which must > be edited for the location of your NXP CST generated key files. > Streamline the process of signing an image by assigning unique var names > to these which can be expanded from env variables in the csf.sh script. > The following vars are used: > SRK_TABLE - full path to SRK_1_2_3_4_table.bin > CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem > IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem > Additionally provide an example of running the csf.sh script. > Signed-off-by: Tim Harvey <tharvey@gateworks.com> > Reviewed-by: Fabio Estevam <festevam@denx.de> > Reviewed-by: Peng Fan <peng.fan@nxp.com> Applied to u-boot-imx, master, thanks! Best regards, Stefano Babic
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh index 7a9a05e63392..c4e610adf1c4 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh @@ -22,6 +22,27 @@ cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp +# update File Paths from env vars +if ! [ -r $CSF_KEY ]; then + echo "Error: \$CSF_KEY not found" + exit 1 +fi +if ! [ -r $IMG_KEY ]; then + echo "Error: \$IMG_KEY not found" + exit 1 +fi +if ! [ -r $SRK_TABLE ]; then + echo "Error: \$SRK_TABLE not found" + exit 1 +fi +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp +sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp +sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp +sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp + +# update SPL Blocks spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt index cd1d4070a5e5..dfcfb777c248 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt 
@@ -7,21 +7,21 @@ Signature Format = CMS [Install SRK] - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin" + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin + File = "$SRK_TABLE" Source index = 0 [Install CSFK] - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem + File = "$CSF_KEY" [Authenticate CSF] [Install Key] Verification index = 0 Target Index = 2 - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem + File = "$IMG_KEY" [Authenticate Data] Verification index = 2 diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt index 00e34f6b1b95..88fa420a5fa0 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt +++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt @@ -7,13 +7,13 @@ Signature Format = CMS [Install SRK] - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin" + # SRK_TABLE is full path to SRK_1_2_3_4_table.bin + File = "$SRK_TABLE" Source index = 0 [Install CSFK] - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem + File = "$CSF_KEY" [Authenticate CSF] @@ -24,8 +24,8 @@ [Install Key] Verification index = 0 Target Index = 2 - # FIXME: Adjust path here - File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem + File = "$IMG_KEY" [Authenticate Data] Verification index = 2 diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index 3e3d38440f94..e789bae55940 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt 
@@ -251,6 +251,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc ``` The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh +and can be used as follows to modify flash.bin to be signed +(adjust paths as needed): +``` +export CST_DIR=/usr/src/cst-3.3.1/ +export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem +export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem +export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin +export PATH=$CST_DIR/linux64/bin:$PATH +/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh +``` 1.4 Closing the device -----------------------
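Review bot: in the csf.sh hunk the three readability checks silently pass when the variable is unset, because the expansions are unquoted: with an empty value `[ -r $CSF_KEY ]` becomes the one-argument test `[ -r ]`, which is true for any non-empty string, so `! [ -r $CSF_KEY ]` never fires and the following `sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp` writes `File = ""` into the template; cst then fails later with a less obvious error. Quote the expansions, e.g. `if ! [ -r "$CSF_KEY" ]; then`, which also keeps paths containing whitespace intact. The sed substitutions share the quoting gap and additionally corrupt the template if a key path contains `:` (the chosen delimiter), `&` or `\`; escaping the value before substitution, or at least checking for those characters alongside the `-r` test, would make the failure explicit.

Review bot: the csf_fit.txt and csf_spl.txt hunks replace concrete `FIXME` paths with the literal tokens `$SRK_TABLE`, `$CSF_KEY` and `$IMG_KEY`, so feeding either template to cst without first running csf.sh now fails on a missing file, and the new comment lines (`# SRK_TABLE is full path to SRK_1_2_3_4_table.bin`) say what each variable means but not who fills it in. Suggest noting the mechanism in each comment, for example `# SRK_TABLE is full path to SRK_1_2_3_4_table.bin (substituted from the environment by csf.sh)`, so a reader of the template alone is not left editing the placeholder by hand.

Review bot: the mx8m_spl_secure_boot.txt hunk's `export CST_DIR=/usr/src/cst-3.3.1/` carries a trailing slash, so `$CST_DIR/crts/...` expands to `/usr/src/cst-3.3.1//crts/...`; harmless, but drop the slash for a clean example. More useful to the reader would be a sentence stating that `/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh` must be run from the top of a built U-Boot tree, since the script resolves `.config`, `u-boot-spl-ddr.bin`, `flash.bin` and the `doc/imx/habv4/csf_examples/mx8m/*.txt` templates by relative path. Peng's point about SRK fuse programming fits naturally before the "1.4 Closing the device" section that follows this hunk.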