Creating and signing a Kernel FIT image for booting from a secured u-boot on i.MX93 EVKCM

abt · ‎08-31-2023

Hi,

I have successfully deployed a CST signed u-boot image to i.MX93 EVKCM. The u-boot loads and starts correctly from an SD and the 'ahab_status' command output looks good.

Now I am trying to figure out how to create a Kernel FIT image and sign it with CST so I can load it from a signed u-boot.

Image and imx93-11x11-evk.dtb artifacts were built successfully based on linux-6.1.33.tar.xz source code.

Can anyone point me to specific resources with step by step instructions for creating and signing a FIT Kernel image ?

Thanks!

AldoG · ‎08-31-2023

Hello,

You may refer to the following:
https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/doc/imx/ahab/guides/sign_os_cntr.txt

Aside from this, unfortunately we do not have any other guides for it.

Best regards,
Aldo.

View solution in original post

AldoG · ‎08-31-2023

Hello,

You may refer to the following:
https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/doc/imx/ahab/guides/sign_os_cntr.txt

Aside from this, unfortunately we do not have any other guides for it.

Best regards,
Aldo.

omar_aberkan · ‎07-18-2024

In my opinion this is not solved. Why can't we just use a standard signed FIt Image? This works perfect on an IMX6 and IMX8.

The OS containier is basicly a signed kernel, but what if we also want to use an initramfs, how can we protect that?

We also need to protect our cryptsetup keys. There is no DCP or CAAM on the IMX93. Is there no simple solution to safely store the cryptsetup keys on the the device?

Many others have these problems. But there are still no solutions. Please fix them as soon as possible.