https://www.mediawiki.compulab.com/w/index.php?action=history&feed=atom&title=IMX93%3A_Yocto_Linux%3A_Secure_BootIMX93: Yocto Linux: Secure Boot - Revision history2026-04-15T01:57:29ZRevision history for this page on the wikiMediaWiki 1.31.0https://www.mediawiki.compulab.com/w/index.php?title=IMX93:_Yocto_Linux:_Secure_Boot&diff=5749&oldid=prevIgor: Created page with "= Enabling AHAB Secure Boot on iMX93 based products = == Prepare Yocto Sources == https://github.com/compulab-yokneam/meta-bsp-imx9/blob/scarthgap/README.md == Install CST =..."2026-02-19T14:22:55Z<p>Created page with "= Enabling AHAB Secure Boot on iMX93 based products = == Prepare Yocto Sources == https://github.com/compulab-yokneam/meta-bsp-imx9/blob/scarthgap/README.md == Install CST =..."</p>
<p><b>New page</b></p><div>= Enabling AHAB Secure Boot on iMX93 based products =<br />
<br />
== Prepare Yocto Sources ==<br />
<br />
https://github.com/compulab-yokneam/meta-bsp-imx9/blob/scarthgap/README.md<br />
== Install CST ==<br />
The NXP Code Signing Tool (CST) cannot be downloaded automatically by Yocto due to NXP licensing requirements. <br />
<br />
# '''Download CST:''' Manually download the latest version of the CST from the [https://www.nxp.com/search?keyword=cst%2520tools&start=0 NXP CST Download Page]<br />
# '''Run Setup Script:''' Use the automated setup script to install CST, generate keys, and configure Yocto:<br />
<br />
bash <(curl -sL https://raw.githubusercontent.com/compulab-yokneam/meta-bsp-imx9/refs/heads/scarthgap/scripts/setup-secure-boot.sh) /opt/NXP/cst ~/Downloads/cst-4.0.1.tgz 4.0.1<br />
<br />
'''Add Security Layer and Build:'''<br />
bitbake imx-boot-signature<br />
<br />
boot e.g.:<br />
sudo uuu $BBPATH/tmp/deploy/images/$MACHINE/signed-imx-boot-$MACHINE-sd.bin-flash_singleboot<br />
<br />
run:<br />
ahab_status<br />
<br />
You will see <br />
IND - 0xFA (ELE_BAD_KEY_HASH_FAILURE_IND); because when the i.MX93 ROM/ELE verifies a signed image, it compares its hash to the value stored in the '''Hash Fuses''' and since you haven’t burned them yet, they are set to factory default state and the hash in your image does not match them<br />
== Fusing the SRK Hash and Advancing the Lifecycle ==<br />
This phase makes the Secure Boot permanent on the device. <br />
* Based on https://github.com/nxp-imx/uboot-imx/blob/lf_v2025.04/doc/imx/ahab/guides/mx8ulp_9x_secure_boot.txt#L395 <br />
* '''⚠️ WARNING: These steps are irreversible. If your keys are lost or incorrect, the board will be permanently bricked.<br />
<br />
Fuse the SRK Hash:''' Fuse the hash of your generated public keys (Super Root Keys) into the device fuses. This tells the device’s hardware (the ELE) which key to trust for authentication. <br />
<br />
a. '''Generate Fuse Script:''' Inspect the fuse data binary:<br />
<pre><br />
cd /opt/NXP/cst/cst-4.0.1/crts<br />
od -t x4 SRK_1_2_3_4_fuse.bin<br />
</pre><br />
<br />
b. For parsing convenience use generate_fuses.py on the fuse binary to generate the fusion commands:<br />
od -t x4 /opt/NXP/cst/cst-4.0.1/crts/SRK_1_2_3_4_fuse.bin| python3 <(curl -fsSL https://raw.githubusercontent.com/compulab-yokneam/meta-bsp-imx9/refs/heads/scarthgap/Documentation/generate_fuses.py)<br />
<br />
c. '''Advance Lifecycle:''' After the SRK hash is fused, advance the device lifecycle from “OEM Open” to “OEM Closed” using the U-Boot command:<br />
ahab_close<br />
<br />
= Signing a kernel image to extend the '''Root of Trust''' after the OEM is closed. =<br />
<br />
'''Security Scope:''' simply booting a signed image is '''not sufficient for full security certification'''; additional steps like disabling the U-Boot CLI and securing the rootfs boot partition are required<br />
<br />
== Create the Image Container ==<br />
<br />
assuming that you cloned https://github.com/compulab-yokneam/meta-bsp-imx9/blob/scarthgap/ for secure boot<br />
<pre><br />
cd $BBPATH/tmp/deploy/images/$MACHINE<br />
./mkimage_imx8 -soc IMX9 -c -ap path/to/Image a55 0x80400000 --data path/to/dtb a55 0x83000000 -out flash.bin<br />
mv flash.bin flash_os.bin<br />
</pre><br />
<br />
== Sign the Image ==<br />
<br />
Use the '''NXP Code Signing Tool (CST)''' to sign the container: - Download the Command Sequence File (CSF) template:<br />
wget https://raw.githubusercontent.com/nxp-imx/uboot-imx/refs/heads/lf_v2024.04/doc/imx/ahab/csf_examples/csf_linux_img.txt<br />
<br />
<br />
* '''Update the paths''' inside csf_linux_img.txt to point to your specific '''SRK (Super Root Key)''' files.<br />
* Execute the signing command e.g.:<br />
/opt/NXP/cst/cst-4.0.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin<br />
<br />
copy os_cntr_signed.bin to the target’s boot partition (1) of the bootable media<br />
<br />
== Verify in U-Boot ==<br />
<br />
obtain the latest boot logic from : https://github.com/compulab-yokneam/u-boot-compulab/commit/42a7661322af4e44294e304165c7ca532264391d this can be done by building :<br />
bitbake imx-boot<br />
<br />
on the target: - Load the image from the MMC:<br />
load mmc $mmcdev:1 $cntr_addr os_cntr_signed.bin<br />
<br />
* Authenticate the container:<br />
auth_cntr $cntr_addr<br />
<br />
* if no error shows you can proceed with:<br />
boot<br />
<br />
[[Category:Linux]]<br />
[[Category:Yocto]]<br />
[[Category:MCM-iMX93]]<br />
[[Category:UCM-iMX93]]<br />
[[Category:IOT-LINK]]</div>Igor