Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-20 11:55:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

imx: hab: add documentation about the required keys/certs

Browse source 
For CST to find the certificates and keys for signing, some keys and
certs need to be copied into the u-boot build directory.

Signed-off-by: Claudius Heine <ch@denx.de>
This commit is contained in:
Claudius Heine 2024-05-16 10:36:14 +02:00 committed by Fabio Estevam
parent 5838b3f751
commit 7457dc6f18
1 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
View file

@ -144,6 +144,23 @@ The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst
etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
in case CONFIG_IMX_HAB Kconfig symbol is enabled.
Per default the HAB keys and certificates need to be located in the build
directory, this means creating a symbolic link or copying the following files
from the HAB keys directory flat (e.g. removing the `keys` and `cert`
subdirectory) into the u-boot build directory for the CST Code Signing Tool to
locate them:
- `crts/SRK_1_2_3_4_table.bin`
- `crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem`
- `keys/CSF1_1_sha256_4096_65537_v3_usr_key.pem`
- `crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem`
- `keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem`
- `keys/key_pass.txt`
The paths to the SRK table and the certificates can be modified via changes to
the nxp_imx8mcst device tree node(s), however the other files are required by
the CST tools as well, and will be searched for in relation to them.
Build of flash.bin target then produces a signed flash.bin automatically.
The nxp-imx8mcst etype is configurable using either DT properties or environment