Imx8qm encryption

For iMX8QM, do the DEK and KEK encrypt only the boot container? And how do I encrypt the container with the DEK if I don't have the DEK?

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Based on the Toradex documentation for iMX8QM secure boot implementation, I can address your encryption questions:

DEK and KEK Encryption Scope

For iMX8QM, the DEK (Data Encryption Key) and KEK (Key Encryption Key) are part of the AHAB (Advanced High Assurance Boot) secure boot implementation (1). The documentation shows that the signing and encryption process primarily focuses on the boot container images (1).

The secure boot process involves:

  • Boot Container Image: Contains U-Boot and is signed using the CST tool (1)
  • OS Container Image: Contains the Linux kernel and device tree files, also signed separately (1)

DEK Generation and Usage

Regarding your question about encrypting the container without having the DEK: this is actually part of the standard secure boot workflow. The DEK is typically generated during the signing process using the NXP Code Signing Tool (CST) (1).

The process involves:

  1. PKI Tree Generation: Using CST tools to create the cryptographic infrastructure (1)
  2. Container Signing: The CST tool handles both signing and encryption operations (1)
  3. SRK Hash Programming: Fusing the SRK hash to the device for verification (1)

Platform Clarification Needed

To provide more specific guidance for your encryption implementation, could you clarify:

  • Which OS version are you running? (e.g., Torizon OS, Yocto BSP version)
  • Are you working with Toradex Apalis iMX8 modules or another iMX8QM platform?

You can use the tdx-info command to get detailed information about your system: Getting Device Information with Tdx-Info | Toradex Developer Center

This will help me provide more targeted guidance for your specific encryption requirements.

Best regards, Toradex AI Assistant.


Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.
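The DEK/KEK layering the answer above refers to, as an added, runnable model that is not from this thread and not Toradex or NXP tooling: the payload (standing in for a boot container) is encrypted under a freshly generated DEK, and the DEK itself is stored only in wrapped form under a KEK. The container layout, the use of AES-GCM for both layers, and the KEK value are all constructed for illustration and are assumptions; the real AHAB container format and the CAAM's blob mechanism differ, and on the device the KEK is hardware-unique and never exported. What the model does show is the property the workflow relies on: the DEK never appears in the clear, and without the correct KEK the payload cannot be recovered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedContainer is a constructed, simplified model of an encrypted boot
// container (assumption: NOT the AHAB container layout). Both blobs are
// AES-GCM output laid out as nonce || ciphertext || tag.
type EncryptedContainer struct {
	WrappedDEK []byte // the DEK, encrypted under the KEK
	Ciphertext []byte // the payload, encrypted under the DEK
}

// GenerateDEK returns a fresh 128-bit data encryption key from the OS CSPRNG.
// The DEK is a plain random symmetric key; nothing about it is device-specific.
func GenerateDEK() ([]byte, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return dek, nil
}

// seal encrypts and authenticates plaintext under key with a random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails for a wrong key or a modified blob.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptContainer models the build-side step: generate a DEK, encrypt the
// payload under it, then wrap the DEK under the KEK so only the wrapped form
// is stored. The DEK is returned solely so a caller can verify it never leaks.
func EncryptContainer(kek, payload []byte) (*EncryptedContainer, []byte, error) {
	dek, err := GenerateDEK()
	if err != nil {
		return nil, nil, err
	}
	ct, err := seal(dek, payload)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, nil, err
	}
	return &EncryptedContainer{WrappedDEK: wrapped, Ciphertext: ct}, dek, nil
}

// DecryptContainer models the boot-time step: unwrap the DEK with the KEK,
// then decrypt the payload. A wrong KEK fails at the unwrap stage, so the
// DEK is never exposed.
func DecryptContainer(kek []byte, c *EncryptedContainer) ([]byte, error) {
	dek, err := open(kek, c.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("DEK unwrap failed (wrong KEK?): %w", err)
	}
	return open(dek, c.Ciphertext)
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 16) // constructed KEK; on the SoC this lives in the CAAM
	payload := []byte("constructed U-Boot image bytes")
	c, _, err := EncryptContainer(kek, payload)
	if err != nil {
		panic(err)
	}
	out, err := DecryptContainer(kek, c)
	fmt.Printf("decrypted=%q err=%v\n", out, err)
	_, err = DecryptContainer(bytes.Repeat([]byte{0x22}, 16), c)
	fmt.Println("wrong KEK:", err)
}
```

The shape to take away: the DEK is something you generate (a random symmetric key), the container is encrypted under it, and the DEK is then bound to the device by wrapping it under a key only that device holds.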

Yeah, for CST there are binaries for signing the container and generating the SRK table and keys, but there is no binary for encryption. Is it done automatically when signing?

Based on the available Toradex documentation for iMX8QM secure boot, the CST (Code Signing Tool) process focuses primarily on signing rather than encryption for the boot containers (1)(2).

CST Tool Functionality

The documented CST workflow for iMX8QM shows the following process (2):

  1. PKI Tree Generation: Creating the cryptographic infrastructure using CST scripts
  2. Container Signing: Using the CST binary to sign boot containers with commands like the following (2):
     ./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin
  3. SRK Hash Programming: Fusing the verification keys to the device

Encryption vs. Signing

From the Toradex documentation, the secure boot implementation appears to focus on authentication (signing/verification) rather than encryption (1)(2). The process involves:

  • Signing boot containers with private keys (2)
  • Verifying signatures using public keys stored in SRK fuses (2)
  • Chain of trust from ROM → bootloader → kernel (1)

The documentation shows that encryption capabilities are available through the meta-toradex-security layer, but this is separate from the basic CST signing process (1).

Platform-Specific Guidance Needed

To provide more accurate information about encryption capabilities for your specific use case, could you specify:

  • Which Toradex hardware are you using? (e.g., Apalis iMX8)
  • Which OS version? (e.g., Torizon OS 7.x, Yocto BSP)
  • Are you looking for boot-time encryption or data encryption?

The encryption features and implementation details may vary depending on your specific platform and requirements.

Best regards, Toradex AI Assistant.



Yeah, so what do I use to encrypt the boot container, and how do I generate the DEK key?