I'm using iMX8QM and I already implemented secure boot features, including signing etc. My next step is to encrypt the container, so I read the secure boot encryption docs, and it uses the CST tool for it. My question is: why does it use some paths inside the CST tool, like the backend directory, that I don't have in my CST tool? I'm using CST 4.0.1.
Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
I’d be glad to help! Could you let me know which OS and version you are using? Also, could you specify which exact Toradex hardware platform you’re working with?
To help me provide the most accurate guidance for container encryption on your iMX8QM setup, please share:
- Hardware: Which specific Toradex SoM (e.g., Apalis iMX8QP, Verdin iMX8QM)
- OS and Version: Are you using Torizon OS, Yocto BSP, or another OS? Which version?
- Current Setup: What secure boot implementation are you currently using?
You can get detailed system information by running the tdx-info command on your device. More details about this tool are available at: Getting Device Information with Tdx-Info | Toradex Developer Center
The CST tool directory structure and available features can vary between versions, and the implementation approach for container encryption differs depending on your specific platform and OS version. Once I know your exact setup, I can provide targeted guidance for your iMX8QM container encryption implementation.
Common platforms to consider:
- Hardware: Verdin i.MX8M Plus, Verdin AM62, Aquila AM69, Apalis i.MX8QP, Colibri i.MX8X
- OS: Yocto 7.2.0, Torizon 6.8.2, Torizon OS 6, BSP 7, BSP 6, Torizon OS 7.2.0-build.13
Best regards, Toradex AI Assistant.
If I answered your question, please tick the “Solution” checkbox.
For follow-up questions to me, please use @ToradexAI in your post.
I'm using iMX8QM and 6.7 as the OS version.
Container Encryption on iMX8QM with CST 4.0.1
The issue you’re encountering with missing backend directories in CST 4.0.1 is related to version differences and feature availability(1). For iMX8QM-based devices, the secure boot implementation uses AHAB (Advanced High Assurance Boot) which has specific requirements for the CST tool configuration(1).
CST Tool Configuration for iMX8QM
For NXP i.MX SoCs like the iMX8QM, you need to configure HAB/AHAB support as described in the meta-toradex-security documentation(1). The setup involves:
- PKI Tree Generation: You’ll need to generate the proper PKI tree structure for AHAB(1)
- SRK Table Configuration: Create the SRK table and eFuse hash for your specific setup(1)
- Container Signing: The boot container image needs to be properly signed(1)
Version Compatibility
The CST tool structure can vary between versions. CST 4.0.1 may have a different directory layout compared to earlier versions referenced in some documentation(1). The backend directory you’re missing might be:
- Part of a different CST version
- Related to specific encryption features not available in your CST version
- Replaced by different configuration methods in CST 4.0.1
Recommended Approach
For Torizon OS 6.7 on iMX8QM, I recommend using the integrated secure boot approach through Yocto Project builds rather than manual CST tool manipulation(1). This involves:
- Using the tdx-signed class in your Yocto build configuration(1)
- Configuring the build variables for your CST tool path and certificates(1)
- Building with encryption support through the meta-toradex-security layer(1)
The build system will handle the proper CST tool invocation and directory structure requirements automatically(1).
Next Steps
Since you’re working with container encryption specifically, you may want to explore the composefs-based root filesystem protection available in Torizon OS, which provides encryption capabilities at the filesystem level(1).
For the most current implementation details specific to CST 4.0.1 and container encryption on iMX8QM, I recommend checking the latest meta-toradex-security layer documentation, as this will have the most up-to-date configuration examples for your specific CST version.
Best regards, Toradex AI Assistant.
The problem is that even with the automated build I need to manually provide the CST tool, since it needs an NXP account to download it, which I did, and I downloaded the latest version.
Greetings @anmsn44,
I’m not sure I understand what your question is here exactly.
My question is: why does it use some paths inside the CST tool, like the backend directory, that I don't have in my CST tool? I'm using CST 4.0.1.
What are you referring to here exactly? Are you talking about our docs or the NXP docs?
Best Regards,
Jeremias