i.MX ProcessorsのトピックTesting signed images

Testing signed images

eduardo3 — Mon, 12 Jun 2023 13:41:46 GMT

Hello,

I am in the process of adding signed images to our board but I was left with questions on how to test that.

After getting a signed os_cntr_signed.bin image, it boots fine. On u-boot when I try ahab_status, I see SECO events (because I don't have my keys fused yet).

Initially I thought I could use u-boot fuse override for testing the fuse values I need to use, but that is not implemented. After searching on how to use fuse shadow registers, I found that it is not possible. Examples:

https://community.nxp.com/t5/i-MX-Processors/Access-to-OCOTP-registers-from-SCU-on-IMX8QM-leads-to-hang/td-p/1335399

https://community.nxp.com/t5/i-MX-Processors/IMX8-unable-to-override-OCOTP-shadow-registers-Is-there-a-way/td-p/1424010

Initially If thought I could implement something like what is mentioned in the first link.

Based on that, how am I supposed to test secure boot keys / commands without permanently fusing the keys or bricking the board?

What is NXP advice on that?

For reference, we are using i.MX8X (imx8qxp).

Re: Testing signed images

Bio_TICFSL — Wed, 14 Jun 2023 12:54:02 GMT

Hello,

If not burning the SRK fuse, you may can use OPENSSL command to analyze the images with their key.

Regards

Re: Testing signed images

eduardo3 — Fri, 16 Jun 2023 07:45:29 GMT

I'll try the openssl approach in the future. Another FAE we contacted also confirmed there is no way of testing on a imx8 board without fusing the keys. His suggestion in that case was to fuse (if we are fine with that) but not close the device.

Re: Testing signed images

imx8mp_developer — Wed, 15 Oct 2025 15:29:02 GMT

I am interested in this topic!
I need to verify the os_cntr_signed.bin container coming out from a Yocto AHAB-signed build for imx93

If I do:
~/cst-4.0.0/linux64/bin/ahab_image_verifier os_cntr_signed.bin 0 0

I get:

Signature Block:
Version: 0
Length: 2648 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
   Tag: 0xD7
   Length: 2112 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 527 bytes
     Sign Algorithm: RSA
     Hash Algorithm: SHA2_384
     Key Size/Curve: RSA4096
     SRK Flags: CA Flags
     Modulus (N):
.....
Signature verification failed

This doesn't happen for imx-boot-imx93-var-som-aski-sd.bin-flash_singleboot_gdet

Signature Block:
Version: 0
Length: 400 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
   Tag: 0xD7
   Length: 308 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 76 bytes
     Sign Algorithm: ECDSA
     Hash Algorithm: SHA2_256
     Key Size/Curve: PRIME256V1
     SRK Flags: None
     X Coordinate: ....
     Y Coordinate: ...

......

Signature verification successful

I am using a Digicert HSM for the signature

does anybody have a clue about the verification failed for os_cntr_signed ?
does anybody have a hint on how to verify the signature with openssl ?(just to exclude the issue is ahab_image_verifier itself)