* [PATCH] ARM: i.MX: add support for fast authentication
@ 2026-05-18 12:55 Fabian Pfitzner
  2026-05-19  6:25 ` Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Pfitzner @ 2026-05-18 12:55 UTC (permalink / raw)
  To: Sascha Hauer, BAREBOX; +Cc: Fabian Pfitzner

Integrate support for fast authentication on i.MX8 SoCs.
Fast authentication is only supported for HAB version >= 4.1.2

The NXP manual says:

"It provides the option to use the SRK to verify the CSF data and Image data directly,
instead of using the CSF and IMG keys.
This reduces the number of key pair authentications that must occur during the ROM/HAB boot stage.
The typical boot time for an image smaller than 1MB can be reduced from 25 ms to 12 ms."

Introduce a variable called `HABV4_FAST_AUTH` that ignores the CSF and IMG
certificates during the CSF file generation and only considers one of the SRK instead.

---
Signed-off-by: Fabian Pfitzner <f.pfitzner@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig            | 15 +++++++++++++++
 include/mach/imx/habv4-imx8-gencsf.h |  8 ++++++++
 scripts/Makefile.lib                 |  1 +
 3 files changed, 24 insertions(+)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 2dc4eb3e79a410daa8bf1cb495a508f63f1f14d4..7f78e5282f7d040d71ac36b9e61fb66b79ed2eb9 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -968,6 +968,21 @@ config HAB_CERTS_ENV
 	  CONFIG_HABV4_CSF_CRT_PEM
 	  CONFIG_HABV4_IMG_CRT_PEM
 
+	  For HABv4 with fast authentication:
+
+	  CONFIG_HABV4_TABLE_BIN
+	  CONFIG_HABV4_SRK_CRT_PEM
+
+config HABV4_FAST_AUTH
+	depends on HABV4
+	bool "Fast authentication"
+	help
+	  Use the SRK to verify the CSF and image data.
+	  This reduces the number of key pair authentications
+	  that occur during the ROM/HAB boot state, resulting in a decreased boot time.
+
+	  Requires HAB version >= 4.1.2
+
 config HABV4_SRK_INDEX
 	depends on HABV4
 	int "SRK index"
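Review bot: No `config HABV4_SRK_CRT_PEM` string symbol is added next to `HABV4_FAST_AUTH`, although habv4-imx8-gencsf.h and scripts/Makefile.lib in this patch both consume `CONFIG_HABV4_SRK_CRT_PEM`; the new help lines only document it as an environment override under HAB_CERTS_ENV. Unless the symbol is already defined outside this hunk, a build with HAB_CERTS_ENV disabled would presumably leave the macro unexpanded and put the literal token into the CSF as the `File =` path. The help text would also benefit from stating the trade-off the user accepts, for example `With fast authentication the SRK private key signs the CSF and image data directly, so it is needed for every signing run and no separate CSF/IMG key exists to limit its exposure.`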
diff --git a/include/mach/imx/habv4-imx8-gencsf.h b/include/mach/imx/habv4-imx8-gencsf.h
index 480f88fa9552c51fd94e8f11a1ddc03a544f8081..337f2fab40d02703c8a3be7726528f5ac0db956b 100644
--- a/include/mach/imx/habv4-imx8-gencsf.h
+++ b/include/mach/imx/habv4-imx8-gencsf.h
@@ -8,6 +8,7 @@
  * CONFIG_HABV4_TABLE_BIN
  * CONFIG_HABV4_CSF_CRT_PEM
  * CONFIG_HABV4_IMG_CRT_PEM
+ * CONFIG_HABV4_SRK_CRT_PEM
  */
 #if defined(CONFIG_HABV4) && defined(CONFIG_CPU_64)
 #if defined(CONFIG_HABV4_QSPI)
@@ -26,9 +27,14 @@ hab File = CONFIG_HABV4_TABLE_BIN
 hab # SRK index within SRK-Table 0..3
 hab Source index = CONFIG_HABV4_SRK_INDEX
 
+#if defined(CONFIG_HABV4_FAST_AUTH)
+hab [Install NOCAK]
+hab File = CONFIG_HABV4_SRK_CRT_PEM
+#else
 hab [Install CSFK]
 /* target key index in keystore 1 */
 hab File = CONFIG_HABV4_CSF_CRT_PEM
+#endif
 
 hab [Authenticate CSF]
 
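Review bot: Nothing in the `[Install NOCAK]` branch ties `CONFIG_HABV4_SRK_CRT_PEM` to the SRK selected by `Source index = CONFIG_HABV4_SRK_INDEX` a few lines above, so a certificate for a different SRK slot is only caught when HAB rejects the image on the target. A comment in the style of the CSFK branch would document the requirement, e.g. `/* certificate of the SRK selected by CONFIG_HABV4_SRK_INDEX */`. As far as NXP's CST documentation describes it, fast authentication also expects SRK certificates generated without the CA flag. If that holds here, it is worth stating in the same comment or in the Kconfig help, since an existing CA-flagged SRK tree would not be usable.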
@@ -49,12 +55,14 @@ hab Features = FIELD RETURN
 hab UID = HABV4_CSF_UNLOCK_UID
 #endif
 
+#if !defined(CONFIG_HABV4_FAST_AUTH)
 hab [Install Key]
 /* verification key index in key store (0, 2...4) */
 hab Verification index = 0
 /* target key index in key store (2...4) */
 hab Target index = 2
 hab File = CONFIG_HABV4_IMG_CRT_PEM
+#endif
 
 hab [Authenticate Data]
 /* verification key index in key store (2...4) */
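Review bot: With `[Install Key]` compiled out under `CONFIG_HABV4_FAST_AUTH`, key store slot 2 is never populated, yet the `[Authenticate Data]` section that follows still carries the comment `verification key index in key store (2...4)`. Its `Verification index` line lies outside this hunk, so this is inferred, but if it remains `2` the data authentication would reference an empty slot. NXP's fast-authentication CSF examples, as far as I recall them, authenticate data against the SRK at index 0, so the index line likely needs the same conditional, e.g. `hab Verification index = 0` in the fast-auth case. A mismatch like this tends to surface only as HAB events on an open device, so the commit message should say that the HAB status was checked on real hardware before any device is closed.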
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 6708802477deca5cac9263e8d6ebe7f916cf951b..26d5266f9fe101a5ba9b5d1921982578631c8214 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -594,6 +594,7 @@ imxcfg_cpp_flags  = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
       $(call overwrite-hab-env,CONFIG_HABV4_CSF_CRT_PEM) \
       -DHABV4_CSF_UNLOCK_UID=$(CONFIG_HABV4_CSF_UNLOCK_UID) \
       $(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM) \
+      $(call overwrite-hab-env,CONFIG_HABV4_SRK_CRT_PEM) \
 
 dcd-tmp = $(subst $(comma),_,$(dot-target).dcd.tmp)
 

---
base-commit: 2f4fcbef2c6cb70c5a0aa2b6ab3590fc62c229b9
change-id: 20260518-fpf-fast-auth-a0e2c7e5107b

Best regards,
-- 
Fabian Pfitzner <f.pfitzner@pengutronix.de>




