diff options
| author | Brian Ruley <brian.ruley@gehealthcare.com> | 2024-10-01 16:58:09 +0300 |
|---|---|---|
| committer | Fabio Estevam <festevam@denx.de> | 2024-10-13 09:44:00 -0300 |
| commit | cd31c728729b6f08b48fb6a2cef758f135950f73 (patch) | |
| tree | c70f82e4a482e027ecaacf5a6065c4cd5fff85d7 /tools | |
| parent | 784f84d5d81d534a20f327d04693e7b8b7594858 (diff) | |
binman: add fast authentication method for i.MX8M signing
Using the PKI tree with SRKs as intermediate CA isn't necessary or even
desirable in some situations (boot time, for example). Add the possibility
to use the "fast authentication" method where the image and CSF are both
signed using the SRK [1, p.63].
[1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
Signed-off-by: Brian Ruley <brian.ruley@gehealthcare.com>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/binman/etype/nxp_imx8mcst.py | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py index bd5a5d805f0..a7d8db4eec4 100644 --- a/tools/binman/etype/nxp_imx8mcst.py +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -38,6 +38,9 @@ CSF_CONFIG_TEMPLATE = f''' File = "SRK_1_2_3_4_table.bin" Source index = 0 +[Install NOCAK] + File = "SRK1_{KEY_NAME}.pem" + [Install CSFK] File = "CSF1_1_{KEY_NAME}.pem" @@ -74,12 +77,19 @@ class Entry_nxp_imx8mcst(Entry_mkimage): self.srk_table = os.getenv( 'SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin')) - self.csf_crt = os.getenv( - 'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', - f'CSF1_1_{KEY_NAME}.pem')) - self.img_crt = os.getenv( - 'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', - f'IMG1_1_{KEY_NAME}.pem')) + self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth') + if not self.fast_auth: + self.csf_crt = os.getenv( + 'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', + f'CSF1_1_{KEY_NAME}.pem')) + self.img_crt = os.getenv( + 'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', + f'IMG1_1_{KEY_NAME}.pem')) + else: + self.srk_crt = os.getenv( + 'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt', + f'SRK1_{KEY_NAME}.pem')) + self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') self.ReadEntries() @@ -133,8 +143,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage): # Load configuration template and modify keys of interest config.read_string(CSF_CONFIG_TEMPLATE) config['Install SRK']['File'] = f'"{self.srk_table}"' - config['Install CSFK']['File'] = f'"{self.csf_crt}"' - config['Install Key']['File'] = f'"{self.img_crt}"' + if not self.fast_auth: + config.remove_section('Install NOCAK') + config['Install CSFK']['File'] = f'"{self.csf_crt}"' + config['Install Key']['File'] = f'"{self.img_crt}"' + else: + config.remove_section('Install CSFK') + config.remove_section('Install Key') + config['Install NOCAK']['File'] = f'"{self.srk_crt}"' + config['Authenticate Data']['Verification index'] = '0' + config['Authenticate Data']['Blocks'] = \ f'{signbase:#x} 0 {len(data):#x} "{output_dname}"' |