Two Issues in meta-nxp-security-reference-design for i.MX93 Custom Board with HSM Signing

udayMouli

I am currently integrating the meta-nxp-security-reference-design layer into our Yocto build system to enable secure boot for i.MX93. Following NXP's recommendation, I am using SPSDK for the AHAB signing process. During this integration, I have encountered two issues that prevent successful builds for custom hardware with HSM-based signing.
Environment:

SoC: i.MX93
Security Layer: https://github.com/nxp-imx-support/meta-nxp-security-reference-design/tree/scarthgap-6.6.23-2.0.0
SPSDK Version: 3.4.0
Signing Method: SPSDK with spsdk_PKCS11 plugin

Issue 1: Missing KERNEL_DTB Parameter Breaks Custom Board Support

file:meta-secure-boot/recipes-secure-boot/imx-mkimage/imx-boot_%.bbappend
The kernel container build command lacks the DTB parameter: make

SOC=${IMX_BOOT_SOC_TARGET} flash_kernel --> no dtb file input

The iMX93/soc.mak has a hardcoded default:KERNEL_DTB ?= imx93-11x11-evk.dtb

Build fails for custom boards with:make[1]: *** No rule to make target 'imx93-11x11-evk.dtb', needed by 'flash_kernel'. Stop.

Issue 2: imx_signer Generates Incorrect YAML for PKCS11/HSM Signing
Files:
meta-secure-boot/recipes-secure-boot/linux/linux-imx-signature.bb
imx_signer tool

imx_signer reads my spsdk_ahab.cfg but generates nxpimage_config.yaml with hardcoded default paths instead of my PKCS11 configuration.

imx_signer doesn't parse PKCS11 configuration from CFG files correctly. It:

Ignores signer=type=pkcs11(spsdk yaml reference file contains signer not signature_provider) and uses type=file instead
Ignores srk_array_X paths and uses hardcoded template paths
Appears designed for file-based signing only

Issue 1: Can you add KERNEL_DTB parameter support to the flash_kernel recipe or should I follow different approach please suggest?
Issue 2: Does imx_signer support PKCS11 configuration? If not, what's the recommended approach for HSM signing with the security reference design?

Is there documentation reference for using PKCS11/HSM with meta-nxp-security-reference-design?

JosephAtNXP

Hi,

Thank you for your interest in NXP Semiconductor products,

Can you please confirm both manifest and meta-layer are branch aligned?

The documentation to get started should be found under chapter 10.9 Security reference design. Could you share a fresh build log following the steps quoted?

Regards

udayMouli

Thanks for your response and the documentation pointers—I've been referencing the same NXP Security Reference Design to integrate secure boot into our Yocto build for i.MX devices.

However, I'm running into a compatibility issue with the prerequisites mentioned in the document. The document specifies that for both CST and SPSDK, the private key password must be in a file named key_pass.txt in the keys folder. In our setup, the private keys are securely stored in a Hardware Security Module (HSM), not as local files.

Directly using SPSDK's nxpimage ahab sign command with the spsdk-pkcs11 plugin works perfectly—I can sign successfully with a YAML config file, leveraging the HSM via PKCS#11.

The challenge arises in Yocto, where the imx_signer tool acts as a wrapper. It converts the .cfg file to YAML and handles signing. The command looks like this:

SIG_TOOL_PATH=${SIG_TOOL_PATH} SIG_DATA_PATH=${SIG_DATA_PATH} ${DEPLOY_DIR_IMAGE}/${BOOT_TOOLS}/imx_signer -d -i ${DEPLOY_DIR_IMAGE}/${BOOT_IMAGE_SD} -c ${SIGNDIR}/${SIG_CFGFILE}

I've set SIG_TOOL_PATH to the SPSDK binary location and SIG_DATA_PATH to include the public keys and spsdk_ahab.cfg.

I have attached failure log and yaml file generated for reference

JosephAtNXP

Hi @udayMouli

Seems strange, it fails when it doesn't find the binaries or the data, could you share your history output so I can replicate on my side? Also, share the tree output for the following paths.

$ tree /home/xxx/spsdk/venv/
$ tree /home/xxx/secureboot/

Regards,