Sections 2 and G of AN4581 suggest CSF region is optional padded to 0x4000 byte boundary. However, this Yocto secure boot workshop page on this site (step 12 of DOC-333362) suggest is require to match whatever defined in UBOOT symbol CSF_PAD_SIZE (per /arch/arm/imx-common/hab.c).
Now I suspect CSF region grows with increasing hash/key size usage. Currently I have UBoot using CSF_PAD_SIZE=0x2000 because using sha256 and 2048 RSA keys causes the CST tool to produce CSF region of only about 0x1000 bytes in size.
So my questions are:
1) Is it optional or required?
2) if required then what should I size be set to?
3) Perhaps this padding only applies to kernel image that UBoot must authenticate or does HAB ROM expect CSF padding for UBoot image?
Now the latest UBoot I get from Digi appears that this can be defined by a target "board" config makefile mechanism (suspect can be added as CONFIG_CSF_SIZE to ccimx6dlsbc_defconfig).