- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Error in SRK table key generated from IMX_CST_TOOL_NEW
I want to implement Secure Boot on FRDM i.MX 91 Development Board. So far I have generated Private & Public Keys by following - https://wiki.amarulasolutions.com/opensource/uboot/secure_boot/imx8mm_habv4.html
and using IMX_CST_TOOL_NEW. I am referring https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf to set a Yocto build for code signing. I have followed these steps
1.
repo init -u https://github.com/nxp-imx/imx-manifest -b imx-linux-styhead -m
imx-6.12.3-1.0.0_security-reference-design.xml
repo sync
MACHINE=imx91-11x11-lpddr4-evk DISTRO=fsl-imx-xwayland source imx-setup-release.sh -b frdm-imx91
2. Add the meta-secure-boot layer to the Yocto project.
bitbake-layers add-layer ../sources/meta-nxp-security-reference-design/meta-
secure-boot
3. Add CST or SPSDK in SIG_TOOL_PATH in local.conf.
echo "SIG_TOOL_PATH = \"/home/Kiran/Downloads/IMX_CST_TOOL_NEW/cst-4.0.0\"" >> conf/local.conf
To generate a signed bootloader/kernel/WIC image in Yocto project:
Build a signed WIC image.
bitbake core-image-minimal-secure-boot
On running the above command I get below error
.....
meta-secure-boot = "HEAD:8f8264146cb639a6eee13da463560c5e7a893fb2"
Sstate summary: Wanted 22 Local 6 Mirrors 0 Missed 16 Current 2516 (27% match, 99% complete)#### | ETA: 0:00:00
Initialising tasks: 100% |###############################################################################| Time: 0:00:01
NOTE: Executing Tasks
ERROR: imx-boot-signature-1.0-r0 do_compile: Execution of '/home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/imx-boot-signature/1.0/temp/run.do_compile.88482' failed with exit code 255
ERROR: Logfile of failure stored in: /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/imx-boot-signature/1.0/temp/log.do_compile.88482
Log data follows:
DEBUG: Executing shell function do_compile
NOTE: Signing boot image
Install SRK
Super Root Key table is invalid in file File/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0/crts/SRK_1_2_3_4_table.bin in command InstallSRK
ERROR: Failed to sign the image using: container_2.csf
imx_signer.c:main:1959: SIG_TOOL_PATH set to: "/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0"
imx_signer.c:main:1960: SIG_DATA_PATH set to: "/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0"
imx_signer.c:main:1961: Input filename = imx-boot-imx91-11x11-lpddr4-evk-sd.bin-flash_singleboot
imx_signer.c:main:1962: Output filename = signed-imx-boot-imx91-11x11-lpddr4-evk-sd.bin-flash_singleboot
imx_signer.c:main:1964: Input CSF Configuration filename = /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/imx-boot-signature/1.0/imx-boot-signature-1.0/sign.cfg
imx_signer.c:main:1974: Input filesize = 2032640 bytes
imx_signer.c:main:1988: IVT header = TAG:0x87 | LEN:0x0220 | VER:0x00
imx_signer.c:sign_container:963: Image Flag type: 0x6
imx_signer.c:sign_container:969: Container 0 already signed
imx_signer.c:sign_container:972: file_off = 0x00000400
imx_signer.c:sign_container:963: Image Flag type: 0x3
imx_signer.c:sign_container:987: file_off = 0x00000800 imx_signer.c:sign_container:996: APP container offset = 0x00049800
imx_signer.c:sign_container:997: APP container signature offset = 0x00049990
imx_signer.c:sign_container:1009: CSF Container: Container Number : 0
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000000
imx_signer.c:sign_container:1009: CSF Container: Container Number : 2
imx_signer.c:sign_container:1010: Container Offset : 0x00000400
imx_signer.c:sign_container:1011: Signature Offset : 0x00000490
imx_signer.c:sign_container:1009: CSF Container: Container Number : 3
imx_signer.c:sign_container:1010: Container Offset : 0x00049800
imx_signer.c:sign_container:1011: Signature Offset : 0x00049990
imx_signer.c:sign_container:1009: CSF Container: Container Number : 0
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000000
imx_signer.c:sign_container:1044: CSF filename = container_2.csf
INFO: container_2.csf generated
imx_signer.c:sign_container:1051: CSF filename created = container_2.csf
Executing command: /home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0/linux64/bin/cst --verbose --i container_2.csf --o otemp.bin
| WARNING: exit code 255 from a shell command.
ERROR: Task (/home/Kiran/SEC_YOCTO/sources/meta-nxp-security-reference-design/meta-secure-boot/recipes-secure-boot/imx-mkimage/imx-boot-signature.bb:do_compile) failed with exit code '1'
ERROR: linux-imx-signature-1.0-r0 do_compile: Execution of '/home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/linux-imx-signature/1.0/temp/run.do_compile.88485' failed with exit code 255
ERROR: Logfile of failure stored in: /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/linux-imx-signature/1.0/temp/log.do_compile.88485
Log data follows:
DEBUG: Executing shell function do_compile
NOTE: Signing kernel image
Install SRK
Super Root Key table is invalid in file File/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0/crts/SRK_1_2_3_4_table.bin in command InstallSRK
ERROR: Failed to sign the image using: container_1.csf
imx_signer.c:main:1959: SIG_TOOL_PATH set to: "/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0"
imx_signer.c:main:1960: SIG_DATA_PATH set to: "/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0"
imx_signer.c:main:1961: Input filename = flash_os.bin
imx_signer.c:main:1962: Output filename = signed-flash_os.bin
imx_signer.c:main:1964: Input CSF Configuration filename = /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/linux-imx-signature/1.0/linux-imx-signature-1.0/sign.cfg
imx_signer.c:main:1974: Input filesize = 35030016 bytes
imx_signer.c:main:1988: IVT header = TAG:0x87 | LEN:0x0120 | VER:0x00
imx_signer.c:sign_container:963: Image Flag type: 0x3
imx_signer.c:sign_container:987: file_off = 0x00000400
imx_signer.c:sign_container:1009: CSF Container: Container Number : 1
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000110
imx_signer.c:sign_container:1009: CSF Container: Container Number : 0
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000000
imx_signer.c:sign_container:1009: CSF Container: Container Number : 0
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000000
imx_signer.c:sign_container:1009: CSF Container: Container Number : 0
imx_signer.c:sign_container:1010: Container Offset : 0x00000000
imx_signer.c:sign_container:1011: Signature Offset : 0x00000000
imx_signer.c:sign_container:1044: CSF filename = container_1.csf
INFO: container_1.csf generated
imx_signer.c:sign_container:1051: CSF filename created = container_1.csf
Executing command: /home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0/linux64/bin/cst --verbose --i container_1.csf --o signed-flash_os.bin
WARNING: exit code 255 from a shell command.
ERROR: Task (/home/Kiran/SEC_YOCTO/sources/meta-nxp-security-reference-design/meta-secure-boot/recipes-secure-boot/linux/linux-imx-signature.bb:do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 5207 tasks of which 5203 didn't need to be rerun and 2 failed.
Summary: 2 tasks failed:
/home/Kiran/SEC_YOCTO/sources/meta-nxp-security-reference-design/meta-secure-boot/recipes-secure-boot/imx-mkimage/imx-boot-signature.bb:do_compile
log: /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/imx-boot-signature/1.0/temp/log.do_compile.88482
/home/Kiran/SEC_YOCTO/sources/meta-nxp-security-reference-design/meta-secure-boot/recipes-secure-boot/linux/linux-imx-signature.bb:do_compile
log: /home/Kiran/SEC_YOCTO/frdm-imx91/tmp/work/imx91_11x11_lpddr4_evk-poky-linux/linux-imx-signature/1.0/temp/log.do_compile.88485
Summary: There were 2 ERROR messages, returning a non-zero exit code.
The error snap from above code:
Super Root Key table is invalid in file File/home/Kiran/cst/IMX_CST_TOOL_NEW/cst-4.0.0/crts/SRK_1_2_3_4_table.bin in command InstallSRK
ERROR: Failed to sign the image using: container_2.csf
imx_signer.c:main:1959: SIG_TOOL_PATH set to:
I have followed these steps to generate the SRK keys
$ echo "42424242" > serial $ echo "Amarual357" > key_pass.txt $ echo "Amarual357" >> key_pass.txt $ ./hab4_pki_tree
Do you want to use an existing CA key (y/n)?: n
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
Kiran@LinuxNew:~/cst/IMX_CST_TOOL_NEW/cst-4.0.0/crts$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRKH[0] = 0x542C6295
SRKH[1] = 0x41D0DB63
SRKH[2] = 0x96D4FB34
SRKH[3] = 0x2FE8944E
SRKH[4] = 0xEF82C54D
SRKH[5] = 0xC956909F
SRKH[6] = 0xA5A5365D
SRKH[7] = 0x33E50E18
The Yocto build is failing because of invalid SRK_1_2_3_4_table.bin.
Please help in resolving this issue for i.MX91 processor.
Also, let me know if I have to follow some specific guide for getting a signed image through IMX_CST_TOOL_NEW - cst-4.0.0 tool.
Hi,
Requesting you to provide help with respect to NXP Code Signing Tool to get the correct SRK_Table.bin generated from iMX91 processor point of view. I know there is no support for FRDM iMX91 dev board, but at least give some guidance on how to do it for iMX 91 processor.
Thx,
Kiran.
Hi,
I changed the key type to ECC. Executed below commands to generate the key:
Do you want to use an existing CA key (y/n)?: n
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: ecc
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p256
Enter the digest algorithm to use: sha256
Enter PKI tree duration (years): 10
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
After the keys were generated renamed secp256r1 with prime256v1, this ensured the Yocto build went ahead and was successful albiet with setting MACHINE= imx91-11x11-lpddr4-evk.
I have this image core-image-minimal-secure-boot-imx91-11x11-lpddr4-evk.rootfs-20250625112623.wic.zst ready now.
So far I have executed following bitbake commands:
bitbake core-image-minimal-secure-boot
bitbake imx-boot-signature
bitbake linux-imx-signature
Can you please suggest the next steps in verifying that the secure boot works.
We recommend to run the "ahab_status" in U-Boot to verify that secure boot work.
For more information on how to program the SRK Fuses, verifying signature and closing
the part to enable secure boot, see the secure boot user guide, - ahab_guide
As you're working with FRDM board. To Integrate the i.MX FRDM layer to BSP is needed. UG10195
As previous post about secure boot for FRMD board, R&D will have a plan for that in the late of this year.
Regards
Harvey
Hi,
Today I flashed the core-image-base-imx91-11x11-lpddr4-evk.rootfs.wic.zst onto the iMX-FRDM board and got below log on u-boot, can you please suggest the things that I am missing.
Retry time exceeded; starting again
Authenticate OS container at 0x98000000
Error: Wrong container header
ERR: failed to authenticate
u-boot=> aha_status
Lifecycle: 0x00000008, OEM Open
0x0287eed6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)
STA = ELE_SUCCESS_IND (0xD6)
0x0287eed6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)
STA = ELE_SUCCESS_IND (0xD6)
Hi, today I flashed signed-imx-boot-imx91-11x11-lpddr4-evk-sd.bin-flash_singleboot and it's still stuck up in u-boot, please find the snap below:
Retry time exceeded; starting again
Authenticate OS container at 0x98000000
Error: Wrong container header
ERR: failed to authenticate
u-boot=> ahab_status
Lifecycle: 0x00000008, OEM Open
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)
u-boot=> % The IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
Key does not match with the OTP that SRK hashes fused on the target, or the event can be displayed in case the SRK fuses are not programmed yet.
Regards
Harvey
Hi,
After flashing the 2 files:
1. core-image-minimal-secure-boot-imx91-11x11-lpddr4-evk.rootfs.wic.zst
2. signed-imx-boot-imx91-11x11-lpddr4-evk-sd.bin-flash_singleboot
When I check ahab_status on u-boot I get the below message and also the board boots completely till Linux
Hit any key to stop autoboot: 0
u-boot=>
u-boot=> ahab_status
Lifecycle: 0x00000008, OEM Open
0x0287eed6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)
STA = ELE_SUCCESS_IND (0xD6)
0x0287eed6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)
STA = ELE_SUCCESS_IND (0xD6)
u-boot=>
Please let me know if this indicates that the secure boot is working correctly. Also, how can I test this by trying corresponding non-secure image?
NOTE: I haven't yet flashed the fuses. I wan't to check whether the secure boot works without flashing the fuses first. Once this step is completed then I will flash the fuses.
Thx,
Kiran.
Hi,
I have generated below keys through NXP CST:
Do you want to use an existing CA key (y/n)?: n
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: ecc
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 5
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
kiran@ip-172-31-30-41:/data1/Kiran/SEC_YOCTO/cst-4.0.0/crts$ ../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -f 1 -c ./SRK1_sha384_secp384r1_v3_usr_crt.pem,./SRK2_sha384_secp384r1_v3_usr_crt.pem,./SRK3_sha384_secp384r1_v3_usr_crt.pem,./SRK4_sha384_secp384r1_v3_usr_crt.pem
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRKH[0] = 0x6B8C7EE0
SRKH[1] = 0x18EF2C9C
SRKH[2] = 0xF08294BB
SRKH[3] = 0x0F81D4E7
SRKH[4] = 0xFBF5ECC7
SRKH[5] = 0xD1604A8F
SRKH[6] = 0xB026FF45
SRKH[7] = 0xF1B499F4
kiran@ip-172-31-30-41:/data1/Kiran/SEC_YOCTO/cst-4.0.0/crts$ openssl dgst -binary -sha256 SRK_1_2_3_4_table.bin
?~?k?,??????ԁ?????J`?E?&?????kiran@ip-172-31-30-41:/data1/Kiran/SEC_YOCTO/cst-4.0.0/crts$ od -t x4 --endian=big SRK_1_2_3_4_fuse.bin
0000000 e07e8c6b 9c2cef18 bb9482f0 e7d4810f
0000020 c7ecf5fb 8f4a60d1 45ff26b0 f499b4f1
0000040
kiran@ip-172-31-30-41:/data1/Kiran/SEC_YOCTO/cst-4.0.0/crts$ sha256sum SRK_1_2_3_4_table.bin
e07e8c6b9c2cef18bb9482f0e7d4810fc7ecf5fb8f4a60d145ff26b0f499b4f1 SRK_1_2_3_4_table.bin
Can you please guide me on which fuse addresses do I have to flash the below?:
SRK Fuse binary dump:
SRKH[0] = 0x6B8C7EE0
SRKH[1] = 0x18EF2C9C
SRKH[2] = 0xF08294BB
SRKH[3] = 0x0F81D4E7
SRKH[4] = 0xFBF5ECC7
SRKH[5] = 0xD1604A8F
SRKH[6] = 0xB026FF45
SRKH[7] = 0xF1B499F4
Also, any other steps that I need to do after flashing the keys?
Thx,
Kiran.
