Boot container signature verification problem

I'm using meta-toradex-security for the NXP i.MX8QM. I inherited the tdx-signed class and added the signing variables to local.conf: I used RSA 2048, SHA256 and no CA flag. My image is built correctly and I see the boot container in the output along with the fuse commands file. The problem is when I verify the boot container signature: with the CST tool I used the ahab_verifier script, which generated a successful signature message, whereas when I use the SPSDK nxpimage ahab verify command it reports that all of the boot container structure is correct except for the signature, which shows an error. So how do I know which one of them is correct?

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Boot Container Signature Verification Discrepancy

The discrepancy you’re experiencing between the CST tool’s ahab_verifier script and SPSDK’s nxpimage ahab verify command is a known issue when working with AHAB-based secure boot on i.MX8QM (1).

Understanding the Tools

The meta-toradex-security layer uses the NXP CST (Code Signing Tool) for signing boot containers on AHAB-based SoMs like the i.MX8QM (1). The CST tool includes the ahab_verifier script specifically designed to verify signatures created by the CST signing process.

SPSDK (Secure Provisioning SDK) is NXP’s newer tool suite that includes nxpimage, which has its own verification implementation that may interpret certain aspects of the boot container structure differently than the CST tool.

Recommended Verification Approach

Since meta-toradex-security uses the CST tool for signing (1), the ahab_verifier script from the same CST tool suite is the authoritative verification method for images built with the Toradex security layer. The successful verification by ahab_verifier indicates that your boot container signature is correct according to the signing method used by the Toradex build system.

Additional Verification Steps

To further validate your secure boot setup:

  1. Test on Hardware: The ultimate verification is testing the signed image on your actual i.MX8QM hardware. If the device boots successfully and shows no HAB/AHAB events, your signature is correct (1).

  2. Check AHAB Status: Once booted, use the U-Boot command ahab_status to verify there are no authentication events (1).

  3. Verify Build Configuration: Ensure your local.conf variables match the CST tool configuration you used for key generation (1).

Tool Compatibility Considerations

The difference in verification results between CST and SPSDK tools may be due to:

  • Different interpretation of optional fields in the boot container
  • Version differences between the tools
  • Slight variations in signature format expectations

Since your image was built using the CST-based signing process in meta-toradex-security, trust the CST ahab_verifier result over the SPSDK verification.

Best regards, Toradex AI Assistant.


Greetings @anmsn44,

According to the NXP webpage about the SPSDK: https://www.nxp.com/design/design-center/software/development-software/secure-provisioning-sdk-spsdk:SPSDK

This tool seems to be only for NXP micro-controllers and i.MX9* based-products. In which case you shouldn’t be using this for the imx8qm SoC. Furthermore, for verifying the AHAB process was correct we suggest using the ahab_status command in U-Boot.

Best Regards,
Jeremias

I opened the SPSDK documentation and the imx8qm is supported; this is the link: List of supported devices — SPSDK documentation. So my question: as long as the fuse commands are in the deploydir, does that mean that these commands are 100% correct and ready to fuse?

So my question: as long as the fuse commands are in the deploydir, does that mean that these commands are 100% correct and ready to fuse?

The fuse commands file gets derived from the SRK_1_2_3_4_fuse.bin file that should be created by you, prior to the Yocto build. If the fuse commands are incorrect, this means the file that you provided was likely incorrect as well.

Best Regards,
Jeremias
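
An offline cross-check of the derivation described in the reply above, as an added example that is not part of the thread or of meta-toradex-security: it compares every value in a fuse commands file with the 32-bit words of SRK_1_2_3_4_fuse.bin. The command line format, the little-endian word order and all function names are assumptions, and the sample data is constructed; a clean result only shows that the commands match the file, not that the file matches the keys used for signing.

```python
import re
import struct

# Assumed command format (not taken from the thread): fuse prog [-y] <bank> <word> <0xVALUE>
FUSE_RE = re.compile(r"^\s*fuse\s+prog\s+(?:-y\s+)?(\d+)\s+(\d+)\s+0x([0-9a-fA-F]{1,8})\s*$")

def words_from_fuse_bin(blob):
    """Split the fuse binary into 32-bit words (assumed little-endian)."""
    if not blob or len(blob) % 4:
        raise ValueError("fuse binary must be a non-empty multiple of 4 bytes")
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))

def parse_fuse_cmds(text):
    """Return (bank, word, value) for every 'fuse prog' line, in file order."""
    cmds = []
    for line in text.splitlines():
        m = FUSE_RE.match(line)
        if m:
            cmds.append((int(m.group(1)), int(m.group(2)), int(m.group(3), 16)))
    return cmds

def check_fuse_cmds(blob, text):
    """List every disagreement between the commands and the fuse binary."""
    expected = words_from_fuse_bin(blob)
    cmds = parse_fuse_cmds(text)
    problems = []
    if len(cmds) != len(expected):
        problems.append("%d commands for %d words" % (len(cmds), len(expected)))
    targets = [(bank, word) for bank, word, _ in cmds]
    if len(set(targets)) != len(targets):
        problems.append("a fuse word is programmed more than once")
    for want, (bank, word, value) in zip(expected, cmds):
        if want != value:
            problems.append("bank %d word %d: command 0x%08X, binary 0x%08X"
                            % (bank, word, value, want))
    return problems

# Constructed sample: 64 arbitrary bytes and placeholder bank/word numbers.
SAMPLE_BIN = bytes(range(64))
SAMPLE_CMDS = "\n".join("fuse prog -y 0 %d 0x%08X" % (i, w)
                        for i, w in enumerate(words_from_fuse_bin(SAMPLE_BIN)))

if __name__ == "__main__":
    for problem in check_fuse_cmds(SAMPLE_BIN, SAMPLE_CMDS) or ["commands match the binary"]:
        print(problem)
```

To use it on a real build, read the two files from disk and pass their contents to `check_fuse_cmds`; any entry in the returned list is a reason to stop before programming fuses.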

So is there any idea how to verify the fuse commands?

So is there any idea how to verify the fuse commands?

As we state in our documentation: meta-toradex-security/docs/README-secure-boot-imx.md at scarthgap-7.x.y · toradex/meta-toradex-security · GitHub

The only way to know for certain is to flash your image with the signed bootloader to the device. Then program the fuses in U-Boot, but do not flash the final fuse that closes the device. Once you’ve programmed the fuse values related to your keys, you can reboot the device, and then in U-Boot again run ahab_status.

If this command generates any “events” then that means there is an issue either with your signed bootloader, or the values you programmed in the fuses. If the device were to be closed in such a state, then it would not pass the AHAB verification and it would not boot.

This is the only way to know for certain, since ahab_status will use the actual AHAB library/firmware on the device to check whether verification would have passed or not. Of course this still involves irreversibly programming fuses. But, as long as the final closing fuse is not programmed the device will still be able to boot whatever software you want.

Best Regards,
Jeremias