On 5/7/26 5:31 PM, Simon Glass wrote:
Hi Marek,
On 2026-05-04T19:04:59, Marek Vasut <[email protected]> wrote:
binman: add CST backend selection for i.MX8M signing
Add support for setting the CST backend, both via DT property and
CST_BACKEND environment variable. The CST currently supports two
backends, 'ssl' and 'pkcs11', with 'ssl' being the default when
CST tool is invoked without any -b parameter. Keep 'ssl' backend
as the default, but explicitly pass it via the '-b' parameter,
unless the user selects 'pkcs11' via either method.
Signed-off-by: Marek Vasut <[email protected]>
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 30 +++++++++++++++++----------
tools/binman/etype/nxp_imx8mcst.py | 19 ++++++++++++++++-
2 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/tools/binman/etype/nxp_imx8mcst.py
b/tools/binman/etype/nxp_imx8mcst.py
@@ -90,6 +97,10 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
+ self.backend = os.getenv(
+ 'CST_BACKEND', fdt_util.GetString(self._node, 'nxp,cst-backend',
+ 'ssl'))
+
Please add a binman test covering this new feature - see
testNxpImx8mCSTFastAuth in ftest.py and the vendor/nxp_imx8_csf*.dts
fixtures. The missing coverage line for me is 177 (cst_backend =
"pkcs11" )
The pkcs11 option requires a HSM, how do you propose to test that ?
