
[v4,1/2] binman: nxp_imx8mcst: read certificates from input path

Message ID 20241030080753.129-1-brian.ruley@gehealthcare.com
State New
Delegated to: Fabio Estevam
Series [v4,1/2] binman: nxp_imx8mcst: read certificates from input path | expand

Commit Message

Brian Ruley Oct. 30, 2024, 8:07 a.m. UTC
Right now, it is unclear where the certificates (and private keys) are
read from if environment variables are unset, and providing complete
paths in the device tree is not ideal. Naturally, it makes sense
to be able to decide where binman should look for the files, regardless
of whether the keys are specified in the device tree or not.

Therefore, expand the etype to look for the necessary files from the
input path. Introduce a new variable to provide users the ability to
specify a custom path.

As a consequence of this change, the environment variables used to
specify the keys, e.g., `IMG_KEY', will be searched *relative* to the
input directories.

Signed-off-by: Brian Ruley <brian.ruley@gehealthcare.com>
---
Changes for v2:
- Added missing *.pem files
- Rebased on top of "[PATCH v4 2/2] binman: add fast authentication
  method for i.MX8M signing"
- Included a test for fast authentication
Changes for v3:
- Fixed relative path for SRK table and *.pem files in
  340_nxp_imx8mcst.dts
Changes for v4:
- Rebased on master

 tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

Comments

Rasmus Villemoes Oct. 30, 2024, 12:40 p.m. UTC | #1
On Wed, Oct 30 2024, Brian Ruley <brian.ruley@gehealthcare.com> wrote:

> Right now, it is unclear where the certificates (and private keys) are
> read from if environment variables are unset, and providing complete
> paths in the device tree is not ideal. Naturally, it makes sense
> to be able to decide where binman should look for the files, regardless
> whether the keys are specified in the device tree or not.
>
> Therefore, expand the etype to look for the necessary files from the
> input path. Introduce a new variable to provide users the ability to
> specify a custom path.
>
> As a consequence of this change, the environment variables used to
> specify the keys, e.g., `IMG_KEY', will be searched *relative* to the
> input directories.

Hopefully not if those env variables contain an absolute path?

Rasmus

Patch

diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index a7d8db4eec..ff84b751b7 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -70,23 +70,26 @@  class Entry_nxp_imx8mcst(Entry_mkimage):
     def __init__(self, section, etype, node):
         super().__init__(section, etype, node)
         self.required_props = ['nxp,loader-address']
+        self._cst_key_path = os.getenv('CST_KEY_PATH', None)
+        if self._cst_key_path:
+            tools.set_input_dirs([self._cst_key_path] + tools.indir)
 
     def ReadNode(self):
         super().ReadNode()
         self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
-        self.srk_table = os.getenv(
+        self._srk_table = os.getenv(
             'SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table',
                                             'SRK_1_2_3_4_table.bin'))
         self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
         if not self.fast_auth:
-            self.csf_crt = os.getenv(
+            self._csf_crt = os.getenv(
                 'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt',
                                               f'CSF1_1_{KEY_NAME}.pem'))
-            self.img_crt = os.getenv(
+            self._img_crt = os.getenv(
                 'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt',
                                               f'IMG1_1_{KEY_NAME}.pem'))
         else:
-            self.srk_crt = os.getenv(
+            self._srk_crt = os.getenv(
                 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
                                               f'SRK1_{KEY_NAME}.pem'))
 
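Review bot: Calling `tools.set_input_dirs([self._cst_key_path] + tools.indir)` from `__init__` changes the process-wide input search list, so the key directory takes precedence for every input file binman resolves afterwards, not only for the certificates, and each constructed entry appears to prepend it again. A file in `CST_KEY_PATH` that shares a name with another build input would then be picked up silently. Keeping the lookup local to this etype avoids that: the helper below checks the key directory first and falls back to `tools.get_input_filename()`, and the later hunk would call it in place of the direct `tools.get_input_filename(...)` calls. `CST_KEY_PATH` should also be described in the entry's documentation, which lies outside this hunk.

```python
        self._cst_key_path = os.getenv('CST_KEY_PATH', None)
        # no tools.set_input_dirs() here: the global search order stays untouched

    def _key_filename(self, fname):
        """Resolve key material, preferring CST_KEY_PATH over the input dirs"""
        if self._cst_key_path:
            pathname = os.path.join(self._cst_key_path, fname)
            if os.path.exists(pathname):
                return pathname
        return tools.get_input_filename(fname)

    # … unchanged: ReadNode() …
```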
@@ -142,15 +145,19 @@  class Entry_nxp_imx8mcst(Entry_mkimage):
         config.optionxform = str
         # Load configuration template and modify keys of interest
         config.read_string(CSF_CONFIG_TEMPLATE)
-        config['Install SRK']['File']  = f'"{self.srk_table}"'
+        srk_table = tools.get_input_filename(self._srk_table)
+        config['Install SRK']['File']  = f'"{srk_table}"'
         if not self.fast_auth:
+            csf_crt = tools.get_input_filename(self._csf_crt)
+            img_crt = tools.get_input_filename(self._img_crt)
             config.remove_section('Install NOCAK')
-            config['Install CSFK']['File'] = f'"{self.csf_crt}"'
-            config['Install Key']['File']  = f'"{self.img_crt}"'
+            config['Install CSFK']['File'] = f'"{csf_crt}"'
+            config['Install Key']['File']  = f'"{img_crt}"'
         else:
+            srk_crt = tools.get_input_filename(self._srk_crt)
             config.remove_section('Install CSFK')
             config.remove_section('Install Key')
-            config['Install NOCAK']['File'] = f'"{self.srk_crt}"'
+            config['Install NOCAK']['File'] = f'"{srk_crt}"'
             config['Authenticate Data']['Verification index'] = '0'
 
         config['Authenticate Data']['Blocks'] = \
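Review bot: Nothing records which file each `tools.get_input_filename()` call resolved to, although the result decides which SRK table and certificates are written into the CSF configuration. As far as I can tell from binman's tools module, the lookup returns the first match across the input directories, so a same-named file in an earlier directory would be used without any trace in the build output. I would log each resolved path where it is assigned, for example `tout.detail(f"SRK table: {srk_table}")` right after the `srk_table` lookup, assuming `tout` is or can be imported in this file. The enclosing method starts and ends outside this hunk.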