Changes between Version 43 and Version 44 of venice/secure_boot


Timestamp:
10/07/2025 05:04:35 PM (7 weeks ago)
Author:
Ryan Erbstoesser
Comment:

add a few comments for cst, etc

  • venice/secure_boot

    v43 v44  
    9797 1. Creation of Code Signing Key: '''This is an example - read the CST documentation and tailor to your needs'''
    9898  a. Retrieve the NXP Code Signing Tool (CST): https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW (Account required on NXP site)
    99   b. Unpack the CST :
     99  b. Unpack the CST : (versions may change over time)
    100100{{{#!bash
    101101tar xvf cst-3.4.0.tgz
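Review bot: On new line 99 the added "(versions may change over time)" trails the colon and does not tell the reader what to change, while the command on line 101 still hardcodes cst-3.4.0.tgz. Suggest wording the step as "Unpack the CST (substitute the version you downloaded for 3.4.0):" so the note and the tar command agree.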
     
    150150{{{#!bash
    151151# setup env to point to the CST
    152 export CST_DIR=/usr/src/nxp/cst-3.4.0
     152export CST_DIR=/usr/src/nxp/cst-3.4.0 #ADJUST TO POINT TO ACTUAL DIRECTORY
    153153export CST_BIN=$CST_DIR/linux64/bin/cst
    154154export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
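Review bot: On new line 152 the hint is a trailing "#ADJUST TO POINT TO ACTUAL DIRECTORY" on the export itself, with no space after the "#" and in a different style from the own-line comment on line 151. Suggest folding it into line 151, for example "# setup env to point to the CST (adjust CST_DIR to your actual unpack directory)", so the export line can be copied unchanged. CST_BIN and CSF_KEY on lines 153-154 are derived from CST_DIR, so the comment could also say that this is the only path that needs editing.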
     
    167167cp $VENICE_BSP/atf/build/imx8mm/release/bl31.bin . # ATF
    168168# configure for venice board
    169 make imx8mm_venice_defconfig
     169make imx8mm_venice_defconfig #SEE NOTE BELOW FOR imx8mp
    170170make menuconfig # select CONFIG_IMX_HAB=y
    171171make flash.bin
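Review bot: On new line 169 the pointer "#SEE NOTE BELOW FOR imx8mp" is attached only to the defconfig command, but the cp on line 167 also hardcodes the imx8mm ATF path, so an imx8mp user working top to bottom copies the wrong bl31.bin before reaching the pointer. Suggest moving the pointer to its own comment line above line 167 (or repeating it there) so it covers both the ATF copy and the defconfig, and naming where the note lives rather than "BELOW".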
     
    180180< # CONFIG_CMD_DEKBLOB is not set
    181181}}}
    182    - note that the above is for imx8mm (you need to copy the ATF from the imx8mp directory and use imx8mp_venice_defconfig if you are using imx8mp for example)
    183  3. create a signed_flash.bin (required prior to v2024.10; for v2024.10-venice branch you can skip this step as it signs it automatically
     182   - NOTE that the above is for imx8mm (you need to copy the ATF from the imx8mp directory and use imx8mp_venice_defconfig if you are using imx8mp for example)
     183 3. Create a signed_flash.bin (required prior to v2024.10; for v2024.10-venice branch you can skip this step as it signs it automatically
    184184{{{#!bash
    185185# sign flash.bin (if U-Boot version is less than v2024.10 where automated signing was introduced if CONFIG_IMX_HAB=y)
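Review bot: New line 183 still has an unclosed parenthesis: "(required prior to v2024.10; ... as it signs it automatically" never gets its ")". Since this change already touches the line, close it, and consider splitting the two cases into separate sentences so it is unambiguous which U-Boot versions need the manual signing step. The NOTE on new line 182 is also the one that line 169 refers to, so it would help to state explicitly which two commands change for imx8mp (the bl31.bin copy and the defconfig).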
     
    226226No HAB Events Found!
    227227}}}
    228   - Note the 'hab fuse not enabled' message which means the SEC_CONFIG[1] fuse is not blown and the device is not locked
     228  - Note the 'hab fuse not enabled' message which means the !SEC_CONFIG[1] fuse is not blown and the device is not locked
    229229  - Note the 'Authenticate image from DDR location' messages which shows that image authentication is able to be used
    230230 5. Program SRK Hash fuses from Step 1 into IMX OTP (using U-Boot and the keys from fuse bin)
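Review bot: On new line 228 the "!" added in front of SEC_CONFIG[1] can be read as a logical negation of the fuse if it shows up literally on the rendered page, which would change the meaning of a sentence about whether the device is locked. If the intent is to stop the wiki from auto-linking the text, check the rendered output, or put the fuse name in inline code formatting instead so that no "!" is needed.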