mx8m: csf.sh: use vars for keys to avoid file edits when signing

The csf_spl.txt and csf_fit.txt templates contain file paths which must
be edited for the location of your NXP CST generated key files.

Streamline the process of signing an image by assigning unique var names
to these which can be expended from env variables in the csf.sh script.

The following vars are used:
 SRK_TABLE - full path to SRK_1_2_3_4_table.bin
 CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem

Additionally provide an example of running the csf.sh script.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

doc/imx/habv4/csf_examples/mx8m/csf.sh

@@ -22,6 +22,27 @@
 cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
 cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
 
+# update File Paths from env vars
+if ! [ -r $CSF_KEY ]; then
+	echo "Error: \$CSF_KEY not found"
+	exit 1
+fi
+if ! [ -r $IMG_KEY ]; then
+	echo "Error: \$IMG_KEY not found"
+	exit 1
+fi
+if ! [ -r $SRK_TABLE ]; then
+	echo "Error: \$SRK_TABLE not found"
+	exit 1
+fi
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
+sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
+sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
+sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
+
+# update SPL Blocks
 spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
 spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
 sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp

doc/imx/habv4/csf_examples/mx8m/csf_fit.txt

@@ -7,21 +7,21 @@
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2

doc/imx/habv4/csf_examples/mx8m/csf_spl.txt

@@ -7,13 +7,13 @@
   Signature Format = CMS
 
 [Install SRK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
+  File = "$SRK_TABLE"
   Source index = 0
 
 [Install CSFK]
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$CSF_KEY"
 
 [Authenticate CSF]
 
@@ -24,8 +24,8 @@
 [Install Key]
   Verification index = 0
   Target Index = 2
-  # FIXME: Adjust path here
-  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+  # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+  File = "$IMG_KEY"
 
 [Authenticate Data]
   Verification index = 2

doc/imx/habv4/guides/mx8m_spl_secure_boot.txt

@@ -207,6 +207,16 @@ dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
 ```
 
 The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
+and can be used as follows to modify flash.bin to be signed
+(adjust paths as needed):
+```
+export CST_DIR=/usr/src/cst-3.3.1/
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+export PATH=$CST_DIR/linux64/bin:$PATH
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+```
 
 1.4 Closing the device
 -----------------------