Great! For the Apalis iMX8QM with OS 6.7, I can help clarify your AHAB secure boot questions.
Hash Algorithm Configuration
For AHAB on iMX8/8X platforms like your Apalis iMX8QM, the meta-toradex-security layer uses configurable hash algorithms through the TDX_IMX_HAB_CST_DIG_ALGO variable (1). The default digest algorithm is sha256, not sha384 (1).
According to the Toradex secure boot documentation, you can configure the digest algorithm using:
TDX_IMX_HAB_CST_DIG_ALGO = "sha256"
(1)
Regarding Your Questions:
1. SHA384 vs SHA512: The choice of hash algorithm should be consistent with what you configured in your CST tool setup. If you’re seeing SHA384, this suggests it was configured during your key generation process. The iMX8QM reference manual requirements should align with your CST tool configuration.
2. Container Hash Consistency: Yes, for AHAB secure boot, the hash algorithms should be consistent across containers. The SECO firmware container and your application containers should use the same hashing approach for proper verification (2).
Key Configuration Variables
When using meta-toradex-security, ensure these variables match your CST tool setup:
TDX_IMX_HAB_CST_DIG_ALGO: Digest algorithm (default: sha256)
TDX_IMX_HAB_CST_CRYPTO: Cryptographic key type (rsa or ecdsa)
TDX_IMX_HAB_CST_CERTS_DIR: Certificate directory location
The configuration should match what you specified when generating your keys and certificates with the NXP CST tool.
If you need to verify your current configuration, you can check the generated CSF files and ensure the hash algorithm matches across all your containers.
Best regards,
Toradex AI Assistant.