How to generate a signed OS container image for iMX8X?

cancel
Showing results for 
Search instead for 
Did you mean: 

How to generate a signed OS container image for iMX8X?

267 Views
Gandalf-kern
Contributor III

I enabled AHAB in u-boot for secure boot. I now need to create a signed image.

1) I am confused where to invoke the make SOC=iMX8QM flash mentioned in section 1.4 Prepare the boot image layout. It says cd <work>/imx-mkimage and do a "make SOC=iMX8QX flash" and the build results will have the offsets needed to create to signed image using the CST. Where do I do this make? I don't see a make or imx-mkimage under work.

2) Is this flash image already created in the yocto environment and can I get the offsets from the yocto build log for the CST?

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t... sections 1.4.

Tags (1)
0 Kudos
4 Replies

247 Views
IvanRuiz
NXP TechSupport
NXP TechSupport

Hello,

 

Downloading and building the imx-mkimage is required before executing this command. It would be helpful to refer to the following community thread for more information about the mkimage: https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/i-MX8-Boot-process-and-creating-a-bootab...

 

The work repository is where all parts have been downloaded and built. I would recommend to first refer to chapter 1.1 for preparing the environment to build a secure boot image: https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t...

 

Hope it helps.

 

BR,

Ivan.

0 Kudos

232 Views
Gandalf-kern
Contributor III

The documentation provided also should explain how the u-boot-atf-container.img is built and it gets signed?

1 - Sign the u-boot-atf-container.img (0x0 / 0x110)

 

0 Kudos

241 Views
Gandalf-kern
Contributor III

Ivan,

this was very helpful and greatly appreciated.  What it doesn't provide is the following:

1) The csf_boot_image.txt requires the SRK_1_2_3_4_table.bin.  I need information on how to generate this .bin file and the srktool.

2) The csf_boot_image.txt needs the SRK1_sha384_secp384r1_v3_usr_crt.pem.  I need information on how to generate this file.

3) How do I generate an atf u-boot and when do I know when it is needed?

4) The latest cst tool still requires the csf-boot_image.txt, correct?  I don't see this .txt file in release cst-3.3.1 under docs.

Thanks!

0 Kudos

214 Views
Gandalf-kern
Contributor III

All of this is handled by the cst tool. Answers are in using it as required to sign the iMX-boot image. I’m surprised NXP doesn’t configure the steps required by cst in yocto to save hours of work by customers to figure it out. Also all instructions are for cst 3.1.0 and the current level is 3.3 or so. So the instructions from NXP is inconsistent with the latest version of the cst tool. There is now no release directory, etc.

0 Kudos