FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

IMX93 - AHAB SecureBoot - SRK TABLE

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

IMX93 - AHAB SecureBoot - SRK TABLE

Jump to solution
‎04-01-2025 08:34 AM
2,602 Views
il_ciancio
Contributor IV

Hello NXP experts,

I am studying AHAB SecureBoot on IMX93 processor, and I am using CST tool in order to generate certifcates.

A lot of example shows a PKI tree generation with 4 leafs (SRKn, n from 1 to 4).

After the generation, I have to generate the SRK_Table and the SRK_TableFuse.

The SRK_Table is appended on the image, and after I have to flash SRK_TableFuse into eFuse.

CST Tool generates SRK_TableFuse as 16 words, but on the reference manual I have 16 fuse (OES_SRKHy with Y from 0 to 15), but some of them are RESERVED,

  1. can I flash also these eFuses (fuse from 8 to 15)?
  2. More over, Can I generate a SRK Table with only one certificate for my target?

 

Thanks a lot!

0 Kudos
Reply
1 Solution

Jump to solution
‎04-02-2025 03:25 AM
2,579 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hello @il_ciancio 

can I flash also these eFuses (fuse from 8 to 15)?

-> No, please have a reference 9x_secure_boot for i.MX93

Can I generate a SRK Table with only one certificate for my target?

-> In AHAB, it requires always 4 SRKs.

 

Regards

Harvey

View solution in original post

Reply
3 Replies

Jump to solution
‎04-02-2025 03:25 AM
2,580 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hello @il_ciancio 

can I flash also these eFuses (fuse from 8 to 15)?

-> No, please have a reference 9x_secure_boot for i.MX93

Can I generate a SRK Table with only one certificate for my target?

-> In AHAB, it requires always 4 SRKs.

 

Regards

Harvey

Reply

Jump to solution
‎04-02-2025 03:13 AM
2,580 Views
il_ciancio
Contributor IV

Hello, 

about the SRK table to be fused, i have found an error during the generation.

The correct command with CST tools for IMX9 is showed in:

Why is there -s sha384  (-s, --sign_digest) ?

 

Tags (4)
0 Kudos
Reply

Jump to solution
‎04-10-2025 03:25 AM
2,521 Views
il_ciancio
Contributor IV
In the example from git, the certificates were generated with sha384!
0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2072159%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EIMX93%20-%20AHAB%20SecureBoot%20-%20SRK%20TABLE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2072159%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%20NXP%20experts%2C%3C%2FP%3E%3CP%3EI%20am%20studying%20AHAB%20SecureBoot%20on%20IMX93%20processor%2C%20and%20I%20am%20using%20CST%20tool%20in%20order%20to%20generate%20certifcates.%3C%2FP%3E%3CP%3EA%20lot%20of%20example%20shows%20a%20PKI%20tree%20generation%20with%204%20leafs%20(SRKn%2C%20n%20from%201%20to%204).%3C%2FP%3E%3CP%3EAfter%20the%20generation%2C%20I%20have%20to%20generate%20the%20SRK_Table%20and%20the%20SRK_TableFuse.%3C%2FP%3E%3CP%3EThe%20SRK_Table%20is%20appended%20on%20the%20image%2C%20and%20after%20I%20have%20to%20flash%20SRK_TableFuse%20into%20eFuse.%3C%2FP%3E%3CP%3ECST%20Tool%20generates%26nbsp%3BSRK_TableFuse%20as%2016%20words%2C%20but%20on%20the%20reference%20manual%20I%20have%2016%20fuse%20(OES_SRKHy%20with%20Y%20from%200%20to%2015)%2C%20but%20some%20of%20them%20are%20RESERVED%2C%3C%2FP%3E%3COL%3E%3CLI%3Ecan%20I%20flash%20also%20these%20eFuses%20(fuse%20from%208%20to%2015)%3F%3C%2FLI%3E%3CLI%3EMore%20over%2C%20Can%20I%20generate%20a%20SRK%20Table%20with%20only%20one%20certificate%20for%20my%20target%3F%3C%2FLI%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3EThanks%20a%20lot!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2078244%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20IMX93%20-%20AHAB%20SecureBoot%20-%20SRK%20TABLE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2078244%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EIn%20the%20example%20from%20git%2C%20the%20certificates%20were%20generated%20with%20sha384!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2072795%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20IMX93%20-%20AHAB%20SecureBoot%20-%20SRK%20TABLE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2072795%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F248332%22%20target%3D%22_blank%22%3E%40il_ciancio%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ecan%20I%20flash%20also%20these%20eFuses%20(fuse%20from%208%20to%2015)%3F%3C%2FP%3E%0A%3CP%3E-%26gt%3B%20No%2C%20please%20have%20a%20reference%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2024.04%2Fdoc%2Fimx%2Fahab%2Fguides%2Fmx8ulp_9x_secure_boot.txt%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E9x_secure_boot%3C%2FA%3E%26nbsp%3Bfor%20i.MX93%3C%2FP%3E%0A%3CP%3ECan%20I%20generate%20a%20SRK%20Table%20with%20only%20one%20certificate%20for%20my%20target%3F%3C%2FP%3E%0A%3CP%3E-%26gt%3B%26nbsp%3BIn%20AHAB%2C%26nbsp%3B%3CSPAN%20data-teams%3D%22true%22%3Eit%20requires%20always%204%20SRKs.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2072783%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20IMX93%20-%20AHAB%20SecureBoot%20-%20SRK%20TABLE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2072783%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3C%2FP%3E%3CP%3Eabout%20the%20SRK%20table%20to%20be%20fused%2C%20i%20have%20found%20an%20error%20during%20the%20generation.%3C%2FP%3E%3CP%3EThe%20correct%20command%20with%20CST%20tools%20for%20IMX9%20is%20showed%20in%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2024.04%2Fdoc%2Fimx%2Fahab%2Fintroduction_ahab.txt%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Euboot-imx%2Fdoc%2Fimx%2Fahab%2Fintroduction_ahab.txt%20at%20lf_v2024.04%20%C2%B7%20nxp-imx%2Fuboot-imx%3C%2FA%3E%3C%2FLI%3E%3CLI%3EIn%20i.MX%208ULP%2F9x%2C%20the%20expected%20SRK%20HASH%20is%20of%20256%20bit.%3CUL%3E%3CLI%3E%24%20cd%20..%2Fcrts%2F%3C%2FLI%3E%3CLI%3E%24%20..%2Flinux64%2Fbin%2Fsrktool%20-a%20-d%20sha256%20-s%20sha384.%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWhy%20is%20there%26nbsp%3B-s%20sha384%26nbsp%3B%20(-s%2C%20--sign_digest)%20%3F%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E