I enabled AHAB in u-boot for secure boot. I now need to create a signed image.
1) I am confused where to invoke the make SOC=iMX8QM flash mentioned in section 1.4 Prepare the boot image layout. It says cd <work>/imx-mkimage and do a "make SOC=iMX8QX flash" and the build results will have the offsets needed to create to signed image using the CST. Where do I do this make? I don't see a make or imx-mkimage under work.
2) Is this flash image already created in the yocto environment and can I get the offsets from the yocto build log for the CST?
Downloading and building the imx-mkimage is required before executing this command. It would be helpful to refer to the following community thread for more information about the mkimage: https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/i-MX8-Boot-process-and-creating-a-bootab...
The work repository is where all parts have been downloaded and built. I would recommend to first refer to chapter 1.1 for preparing the environment to build a secure boot image: https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t...
Hope it helps.
this was very helpful and greatly appreciated. What it doesn't provide is the following:
1) The csf_boot_image.txt requires the SRK_1_2_3_4_table.bin. I need information on how to generate this .bin file and the srktool.
2) The csf_boot_image.txt needs the SRK1_sha384_secp384r1_v3_usr_crt.pem. I need information on how to generate this file.
3) How do I generate an atf u-boot and when do I know when it is needed?
4) The latest cst tool still requires the csf-boot_image.txt, correct? I don't see this .txt file in release cst-3.3.1 under docs.
All of this is handled by the cst tool. Answers are in using it as required to sign the iMX-boot image. I’m surprised NXP doesn’t configure the steps required by cst in yocto to save hours of work by customers to figure it out. Also all instructions are for cst 3.1.0 and the current level is 3.3 or so. So the instructions from NXP is inconsistent with the latest version of the cst tool. There is now no release directory, etc.