mx8m: csf.sh: use vars for keys to avoid file edits when signing

The csf_spl.txt and csf_fit.txt templates contain file paths which must
be edited for the location of your NXP CST generated key files.

Streamline the process of signing an image by assigning unique var names
to these which can be expended from env variables in the csf.sh script.

The following vars are used:
 SRK_TABLE - full path to SRK_1_2_3_4_table.bin
 CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem

Additionally provide an example of running the csf.sh script.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
index 5b383fa982fb3ff26a2a4061e7d916537fd7a33f..d87015f6c4e28237f9a473d5775db13e5be28c74 100644 (file)
--- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
+++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
@@ -22,6 +22,27 @@
 cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
 cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
 
+# update File Paths from env vars
+if ! [ -r $CSF_KEY ]; then
+       echo "Error: \$CSF_KEY not found"
+       exit 1
+fi
+if ! [ -r $IMG_KEY ]; then
+       echo "Error: \$IMG_KEY not found"
+       exit 1
+fi
+if ! [ -r $SRK_TABLE ]; then
+       echo "Error: \$SRK_TABLE not found"
+       exit 1
+fi
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
+
+# update SPL Blocks
 spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
 spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
 sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp

diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
index bbb82f69448528dc0121dd6942a4ced0c9e6c3a4..3d79edf2813fcffdfc7d051ec68149a89f9512fa 100644 (file)
--- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
@@ -7,21 +7,21 @@
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2

diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
index 00e34f6b1b95e5fda6a60f53762972de41ba343e..88fa420a5fa09af1352ebc9f7e6ed18fda6cee77 100644 (file)
--- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
@@ -7,13 +7,13 @@
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
@@ -24,8 +24,8 @@
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2

diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index e79726bf2c59973892aa3304a8c62c660f19f858..e16e5410bd931d9ce7de7127ce4df4934c1bcdb2 100644 (file)
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -207,6 +207,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
 ```
 
 The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
+and can be used as follows to modify flash.bin to be signed
+(adjust paths as needed):
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+export PATH=$CST_DIR/linux64/bin:$PATH
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+```
 
 1.4 Closing the device
 -----------------------