1. Solution

The issue has been fixed in SPSDK 3.0.0 onwards but automation has not been tested with SPSDK 3.0.0 onwards. Please apply/port the 0001-Pull-request-2506-feat-ahab-Skip-signing-of-V2X-cont.patch patch attached here, in versions before SPSDK 3.0.0 and rebuild the SPSDK tool.

Now, the secure boot automation can be used to sign the affected devices' images properly.

2. Symptoms

Since Q1-25 BSP release, the usage of SPSDK for code signing has been introduced. Starting from SPSDK 3.0.0 the "signature_provider" has been renamed to "signer" . This will cause secure boot automation to fail.

2. Solution

Please use SPSDK version lower than 3.0.0 to rectify this issue. Eventually this change will be integrated into secure boot automation.

3. Symptoms

The image signing process fails for a boot image that is constructed with AHAB v2 container format. This is due to the fact that the nxp-cst-signer tool release v2.0 requires the container header version to be 0x00. 

Affected Devices: i.MX 95 B0, i.MX 943.

3. Solution

The issue can be resolved by ignoring the version number check in nxp-cst-signer release v2.0. The corresponding patch 0001-Ignore-version-number-due-to-updated-contianer-forma.patch is attached to the post.

This issue will be fixed and integrated in next release of nxp-cst-signer. 

4. Symptoms

The imx-mkimage release lf-6.12.3-1.0.0 and SPSDK release 3.0.0 are known to have an issue with secure boot automation for images that are built with AHAB v2.0 container format due to the fact that neither the imx-mkimage tool correctly set the "Signature Format Header version" of the OEM container nor does the SPSDK modify this version when signing the image. SPSDK fails to sign the image due to this reason and reports invalid signature header version when verbose option (-vv) is enabled.

4. Solution

The patch "0001-add-signature-blk-version.patch" to resolve this issue in imx-mkimage is attached. The patch will be integrated in imx-mkimage Q3 '25 release.