commit 1f2a517019df5c83e05c005824b8df2cb0573aa6
author Brian Ruley <brian.ruley@gehealthcare.com> Tue Oct 01 16:58:09 2024 +0300
committer Fabio Estevam <festevam@denx.de> Sun Oct 13 09:44:00 2024 -0300
tree c70f82e4a482e027ecaacf5a6065c4cd5fff85d7
parent d26a4971e4861cc17f54af1e6563a2620b306de7

binman: add fast authentication method for i.MX8M signing

Using the PKI tree with SRKs as intermediate CA isn't necessary or even
desirable in some situations (boot time, for example). Add the possibility
to use the "fast authentication" method where the image and CSF are both
signed using the SRK [1, p.63].

[1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf

Signed-off-by: Brian Ruley <brian.ruley@gehealthcare.com>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>

tools/binman/etype/nxp_imx8mcst.py

diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
index bd5a5d8..a7d8db4 100644
--- a/tools/binman/etype/nxp_imx8mcst.py
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -38,6 +38,9 @@
   File = "SRK_1_2_3_4_table.bin"
   Source index = 0
 
+[Install NOCAK]
+  File = "SRK1_{KEY_NAME}.pem"
+
 [Install CSFK]
   File = "CSF1_1_{KEY_NAME}.pem"
 
@@ -74,12 +77,19 @@
         self.srk_table = os.getenv(
             'SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table',
                                             'SRK_1_2_3_4_table.bin'))
-        self.csf_crt = os.getenv(
-            'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt',
-                                          f'CSF1_1_{KEY_NAME}.pem'))
-        self.img_crt = os.getenv(
-            'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt',
-                                          f'IMG1_1_{KEY_NAME}.pem'))
+        self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
+        if not self.fast_auth:
+            self.csf_crt = os.getenv(
+                'CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt',
+                                              f'CSF1_1_{KEY_NAME}.pem'))
+            self.img_crt = os.getenv(
+                'IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt',
+                                              f'IMG1_1_{KEY_NAME}.pem'))
+        else:
+            self.srk_crt = os.getenv(
+                'SRK_KEY', fdt_util.GetString(self._node, 'nxp,srk-crt',
+                                              f'SRK1_{KEY_NAME}.pem'))
+
         self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
         self.ReadEntries()
 
@@ -133,8 +143,16 @@
         # Load configuration template and modify keys of interest
         config.read_string(CSF_CONFIG_TEMPLATE)
         config['Install SRK']['File']  = f'"{self.srk_table}"'
-        config['Install CSFK']['File'] = f'"{self.csf_crt}"'
-        config['Install Key']['File']  = f'"{self.img_crt}"'
+        if not self.fast_auth:
+            config.remove_section('Install NOCAK')
+            config['Install CSFK']['File'] = f'"{self.csf_crt}"'
+            config['Install Key']['File']  = f'"{self.img_crt}"'
+        else:
+            config.remove_section('Install CSFK')
+            config.remove_section('Install Key')
+            config['Install NOCAK']['File'] = f'"{self.srk_crt}"'
+            config['Authenticate Data']['Verification index'] = '0'
+
         config['Authenticate Data']['Blocks'] = \
             f'{signbase:#x} 0 {len(data):#x} "{output_dname}"'