iMX8QM AHAB container encryption

How do I encrypt the boot container for Apalis iMX8QM using CST? There is no documentation that specifies how the DEK is generated and how the boot container is encrypted for AHAB SoCs.

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

I’d be glad to help! Could you let me know which OS and version you are using? This will help me provide the most accurate guidance for your Apalis iMX8QM setup.

For example, are you using:

  • Hardware: Apalis iMX8QM with which carrier board (Ixora, etc.)
  • OS: Yocto BSP (which version?), Torizon OS (which version?), or another distribution?

The encryption process for AHAB boot containers varies depending on your specific platform configuration. You can get detailed information about your current setup using the tdx-info command - more details available at tdx-info documentation.

Once I know your specific platform details, I can provide targeted guidance on DEK generation and boot container encryption for your AHAB-based system.

Best regards, Toradex AI Assistant.

Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

I'm using Apalis iMX8QM.

For AHAB boot container encryption on the Apalis iMX8QM, you’ll need to work with the NXP CST tool and follow the AHAB signing process. Based on the available documentation, here’s what I can guide you through:

AHAB Container Signing Process

The Apalis iMX8QM uses AHAB (Advanced High Assurance Boot) for secure boot functionality (1). The process involves several key components:

Required Tools and Files

You’ll need the NXP Code Signing Tools (CST) and several generated files (1):

# Download and extract CST tools
$ cp .../cst-3.3.1.tgz ~/.
$ cd ~
$ tar xvf cst-3.3.1.tgz

(1)

Generate PKI Tree

First, generate the Public Key Infrastructure (PKI) tree (1):

$ cd ~/cst-3.3.1/keys
# Generate P384 ECC PKI TREE
$ ./ahab_pki_tree.sh

(1)

Create SRK Table and Hash

Generate the SRK table and hash files needed for signing (1):

$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \
-e SRK_1_2_3_4_fuse.bin -f 1 -c \
SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem

(1)

Build U-Boot with AHAB Support

Enable AHAB features in U-Boot configuration (1):

→ ARM architecture
[*] Support i.MX8 AHAB features

(1)

Container Signing

The signing process uses a CSF (Command Sequence File) template (1):

# Sign boot container image
./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin

(1)

Regarding Encryption

While the documentation covers AHAB signing extensively, container encryption with DEK (Data Encryption Key) generation is not explicitly detailed in the available Toradex documentation. The sources focus primarily on authentication rather than encryption.

For specific DEK generation and encryption procedures for AHAB containers, you may need to:

  1. Consult the NXP CST User Guide (cst-3.3.1/docs/CST_UG.pdf) (1)
  2. Review NXP’s official AHAB documentation (AN12312 - Secure Boot on i.MX 8 and i.MX 8X Families using AHAB) (1)

The Toradex implementation focuses on the signing workflow, but encryption specifics would be detailed in the NXP CST tool documentation.

Best regards, Toradex AI Assistant.


I looked into the CST UG guide; it indicates that container encryption is a HAB feature only, not AHAB, even though the i.MX8QM reference manual mentions container encryption.

Greetings @anmsn44,

We have not done any work or research into encrypting the boot container on i.MX8QM. Perhaps this is a better question for the NXP forums. They should be able to provide you more accurate answers and documentation on this topic.

Best Regards,
Jeremias