From: Fabian Pfitzner <f.pfitzner@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Fabian Pfitzner <f.pfitzner@pengutronix.de>
Subject: [PATCH] ARM: i.MX: add support for fast authentication
Date: Mon, 18 May 2026 14:55:48 +0200
Message-ID: <20260518-fpf-fast-auth-v1-1-eb795aedf999@pengutronix.de>

Integrate support for fast authentication on i.MX8 SoCs.
Fast authentication is only supported for HAB version >= 4.1.2.

From the NXP manual it says:

"It provides the option to use the SRK to verify the CSF data and Image data directly,
instead of using the CSF and IMG keys.
This reduces the number of key pair authentications that must occur during the ROM/HAB boot stage.
The typical boot time for an image smaller than 1MB can be reduced from 25 ms to 12 ms."

Introduce a variable called `HABV4_FAST_AUTH` that ignores the CSF and IMG
certificates during the CSF file generation and only considers one of the SRKs instead.
---
Signed-off-by: Fabian Pfitzner <f.pfitzner@pengutronix.de>
---
arch/arm/mach-imx/Kconfig | 15 +++++++++++++++
include/mach/imx/habv4-imx8-gencsf.h | 8 ++++++++
scripts/Makefile.lib | 1 +
3 files changed, 24 insertions(+)
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 2dc4eb3e79a410daa8bf1cb495a508f63f1f14d4..7f78e5282f7d040d71ac36b9e61fb66b79ed2eb9 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -968,6 +968,21 @@ config HAB_CERTS_ENV
CONFIG_HABV4_CSF_CRT_PEM
CONFIG_HABV4_IMG_CRT_PEM
+ For HABv4 with fast authentication:
+
+ CONFIG_HABV4_TABLE_BIN
+ CONFIG_HABV4_SRK_CRT_PEM
+
+config HABV4_FAST_AUTH
+ depends on HABV4
+ bool "Fast authentication"
+ help
+ Use the SRK to verify the CSF and image data.
+ This reduces the number of key pair authentications
+ that occur during the ROM/HAB boot state, resulting in a decreased boot time.
+
+ Requires HAB version >= 4.1.2
+
config HABV4_SRK_INDEX
depends on HABV4
int "SRK index"
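Review bot: `CONFIG_HABV4_SRK_CRT_PEM` is listed in the HAB_CERTS_ENV help here, but the 15 lines added to this file contain no `config HABV4_SRK_CRT_PEM` entry, so unless that symbol already exists elsewhere there is no way to set the certificate path when HAB_CERTS_ENV is off. Please add a string option next to HABV4_FAST_AUTH (with `depends on HABV4_FAST_AUTH`), or say in the commit message where it is defined. Also, in the new help text "boot state" should read "boot stage", as in the manual quote in the commit message.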
diff --git a/include/mach/imx/habv4-imx8-gencsf.h b/include/mach/imx/habv4-imx8-gencsf.h
index 480f88fa9552c51fd94e8f11a1ddc03a544f8081..337f2fab40d02703c8a3be7726528f5ac0db956b 100644
--- a/include/mach/imx/habv4-imx8-gencsf.h
+++ b/include/mach/imx/habv4-imx8-gencsf.h
@@ -8,6 +8,7 @@
* CONFIG_HABV4_TABLE_BIN
* CONFIG_HABV4_CSF_CRT_PEM
* CONFIG_HABV4_IMG_CRT_PEM
+ * CONFIG_HABV4_SRK_CRT_PEM
*/
#if defined(CONFIG_HABV4) && defined(CONFIG_CPU_64)
#if defined(CONFIG_HABV4_QSPI)
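Review bot: the context line `#if defined(CONFIG_HABV4) && defined(CONFIG_CPU_64)` shows this template is only used for 64-bit builds, yet `config HABV4_FAST_AUTH` depends on HABV4 alone, so the option can be enabled on a configuration where no CSF template touched by this patch honours it. Consider `depends on HABV4 && CPU_64`, or extend the 32-bit template as well. In the comment block it would also help to mark CONFIG_HABV4_SRK_CRT_PEM as needed only with fast authentication and the CSF/IMG pair as needed only without it.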
@@ -26,9 +27,14 @@ hab File = CONFIG_HABV4_TABLE_BIN
hab # SRK index within SRK-Table 0..3
hab Source index = CONFIG_HABV4_SRK_INDEX
+#if defined(CONFIG_HABV4_FAST_AUTH)
+hab [Install NOCAK]
+hab File = CONFIG_HABV4_SRK_CRT_PEM
+#else
hab [Install CSFK]
/* target key index in keystore 1 */
hab File = CONFIG_HABV4_CSF_CRT_PEM
+#endif
hab [Authenticate CSF]
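Review bot: in the `[Install NOCAK]` branch, the certificate given in `File = CONFIG_HABV4_SRK_CRT_PEM` has to belong to the SRK selected by `Source index = CONFIG_HABV4_SRK_INDEX` just above, and nothing in the template or the Kconfig help says so. A short comment here, in the style of the existing "target key index" comment in the `#else` branch, plus a sentence in the HABV4_FAST_AUTH help would guard against a mismatch that may only show up as a HAB failure on the device.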
@@ -49,12 +55,14 @@ hab Features = FIELD RETURN
hab UID = HABV4_CSF_UNLOCK_UID
#endif
+#if !defined(CONFIG_HABV4_FAST_AUTH)
hab [Install Key]
/* verification key index in key store (0, 2...4) */
hab Verification index = 0
/* target key index in key store (2...4) */
hab Target index = 2
hab File = CONFIG_HABV4_IMG_CRT_PEM
+#endif
hab [Authenticate Data]
/* verification key index in key store (2...4) */
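Review bot: with `[Install Key]` compiled out, no key is installed at `Target index = 2`, but the `[Authenticate Data]` section that follows is not changed by this patch and its comment still gives the verification key index as (2...4). If the verification index there is still 2, fast-auth builds reference a key slot that was never filled. It needs the same `#if` treatment so that it points at the SRK slot when CONFIG_HABV4_FAST_AUTH is set, presumably index 0, going by the "(0, 2...4)" comment in the guarded block.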
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 6708802477deca5cac9263e8d6ebe7f916cf951b..26d5266f9fe101a5ba9b5d1921982578631c8214 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -594,6 +594,7 @@ imxcfg_cpp_flags = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
$(call overwrite-hab-env,CONFIG_HABV4_CSF_CRT_PEM) \
-DHABV4_CSF_UNLOCK_UID=$(CONFIG_HABV4_CSF_UNLOCK_UID) \
$(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM) \
+ $(call overwrite-hab-env,CONFIG_HABV4_SRK_CRT_PEM) \
dcd-tmp = $(subst $(comma),_,$(dot-target).dcd.tmp)
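Review bot: `CONFIG_HABV4_SRK_CRT_PEM` is passed to `overwrite-hab-env` unconditionally, including builds without HABV4_FAST_AUTH where the template never references it. Please confirm the macro copes with the symbol being unset or empty in that case; if it does not, make the line conditional on CONFIG_HABV4_FAST_AUTH.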
---
base-commit: 2f4fcbef2c6cb70c5a0aa2b6ab3590fc62c229b9
change-id: 20260518-fpf-fast-auth-a0e2c7e5107b
Best regards,
--
Fabian Pfitzner <f.pfitzner@pengutronix.de>