Running bitbake imx-boot with ahab with colibri imx8x board

Hello,

I am trying to run bitbake imx-boot to get a boot image with ahab signed.

But the run terminates with this error:

| /opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/mx8_sign.sh -t flash
| Verified TDX_IMX_HAB_CST_BIN=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/cst-4.0.1/linux64/bin/cst
| Verified TDX_IMX_HAB_CST_SRK=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/keys/SRK_1_2_3_4_table.bin
| Verified TDX_IMX_HAB_CST_SRK_CERT=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_TEMPLATE=mx8_template.csf
| Verified UNSIGNED_IMAGE=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/git/iMX8QX/flash.bin
| Verified LOG_MKIMAGE=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/mkimage-flash.log
| Creating CSF file: /opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/flash.csf
| Using SRK1 for signing.
| Inferred that CA flag was not set; signing with SRK only.
| Signing ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/git/iMX8QX/flash.bin’ with CST tool.
| Tool location: ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/cst-4.0.1/linux64/bin/cst’
| CSF location: ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/flash.csf’
| Error: Cannot open key file /opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_key.
|

This is the content of the keys folder:

flavio@simde:/opt/yocto/scarthgap-7.4.0/TEST-AHAB$ ls /opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/keys -l
total 60
-rw-rw-r-- 1 flavio flavio 1858 Jan 25 20:42 CSF_crt.pem
-rw------- 1 flavio flavio 3272 Jan 25 20:42 CSF_key.pem
-rw-rw-r-- 1 flavio flavio 1858 Jan 25 20:42 IMG_crt.pem
-rw------- 1 flavio flavio 3272 Jan 25 20:42 IMG_key.pem
-rw-rw-r-- 1 flavio flavio 64 Jan 25 20:42 SRK_1_2_3_4_fuse.bin
-rw-rw-r-- 1 flavio flavio 144 Jan 25 20:42 SRK_1_2_3_4_fuse.txt
-rw-rw-r-- 1 flavio flavio 2112 Jan 25 20:42 SRK_1_2_3_4_table.bin
-rw-rw-r-- 1 flavio flavio 7237 Jan 25 20:42 SRK1_sha256_4096_65537_v3_usr_crt.pem
-rw-rw-r-- 1 flavio flavio 7237 Jan 25 20:42 SRK2_sha256_4096_65537_v3_usr_crt.pem
-rw-rw-r-- 1 flavio flavio 7237 Jan 25 20:42 SRK3_sha256_4096_65537_v3_usr_crt.pem
-rw-rw-r-- 1 flavio flavio 7237 Jan 25 20:42 SRK4_sha256_4096_65537_v3_usr_crt.pem

I tried to put the file SRK1_sha256_4096_65537_v3_usr_key into the folder, but nothing changed.

And this is the conf/local.conf content about AHAB:

INHERIT += "tdx-signed"

TDX_IMX_HAB_ENABLE = "1"
IMX_BOOT_SOC_TARGET = "ahab"

TDX_IMX_HAB_CST_DIR = "${TOPDIR}/../simde/secure-boot"
TDX_IMX_HAB_CST_BIN = "${TDX_IMX_HAB_CST_DIR}/cst-4.0.1/linux64/bin/cst"
TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/keys"

TDX_IMX_HAB_CST_KEY_SIZE = "4096"
TDX_IMX_HAB_CST_DIG_ALGO = "sha256"
TDX_IMX_HAB_CST_SRK_CA = "0"

What could be the reason for the error?

Thank you

Best regards

Flavio

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Issue Analysis

The error indicates that the CST tool cannot find the private key file SRK1_sha256_4096_65537_v3_usr_key (1). Looking at your key directory listing, you have the certificate files but the corresponding private key files are missing.

Root Cause

Based on the NXP CST documentation referenced in the Secure Boot integration guide, the CST tool expects the private keys to be located in a keys directory at the same level as the crts directory (1). However, your current setup has both certificates and keys in the same directory.

Solution

1. Correct Directory Structure

You need to reorganize your key structure according to CST requirements:

secure-boot/
├── crts/               # Certificate files
│   ├── SRK1_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK2_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK3_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK4_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK_1_2_3_4_table.bin
│   └── SRK_1_2_3_4_fuse.bin
└── keys/               # Private key files
    ├── SRK1_sha256_4096_65537_v3_usr_key.pem
    ├── SRK2_sha256_4096_65537_v3_usr_key.pem
    ├── SRK3_sha256_4096_65537_v3_usr_key.pem
    └── SRK4_sha256_4096_65537_v3_usr_key.pem

2. Generate Missing Private Keys

If you don’t have the private key files, you’ll need to regenerate your entire PKI using the NXP CST tool following the Code-Signing Tool User’s Guide (1).

3. Update Configuration

Modify your conf/local.conf to point to the correct certificate directory:

TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/crts"

4. Verify File Extensions

Ensure your private key files have the .pem extension, not just the base name. The CST tool expects:

  • Certificate: SRK1_sha256_4096_65537_v3_usr_crt.pem
  • Private key: SRK1_sha256_4096_65537_v3_usr_key.pem

Additional Troubleshooting

If you continue to experience issues, verify that:

  1. Your CST tool version 4.0.1 is compatible with your Linux distribution (1)
  2. The certificate file naming matches your configuration parameters exactly (1)
  3. File permissions allow the build process to access the private keys

The error suggests the build system is correctly identifying your configuration but cannot locate the required private key file in the expected location.

Best regards,
Toradex AI Assistant.


Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

I created this file structure:

flavio@simde:/opt/yocto/scarthgap-7.4.0/simde/secure-boot$ tree
.
├── crts
│   ├── SRK_1_2_3_4_fuse.bin
│   ├── SRK_1_2_3_4_fuse.txt
│   ├── SRK_1_2_3_4_table.bin
│   ├── SRK1_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK2_sha256_4096_65537_v3_usr_crt.pem
│   ├── SRK3_sha256_4096_65537_v3_usr_crt.pem
│   └── SRK4_sha256_4096_65537_v3_usr_crt.pem
├── keys
│   ├── SRK1_sha256_4096_65537_v3_usr_key.pem
│   ├── SRK2_sha256_4096_65537_v3_usr_key.pem
│   ├── SRK3_sha256_4096_65537_v3_usr_key.pem
│   └── SRK4_sha256_4096_65537_v3_usr_key.pem

But I get the same error.
Now the question is: how can I verify that the files are correctly generated?

File Verification Methods

Your directory structure looks correct now. Let’s verify the files are properly generated and configured:

1. Check Private Key File Format

First, verify that your private key files are valid PEM format:

openssl rsa -in /opt/yocto/scarthgap-7.4.0/simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_key.pem -check -noout

This should return “RSA key ok” if the file is valid.

2. Verify Certificate and Key Pair Match

Check that your certificate and private key are a matching pair:

# Get the public key from the certificate
openssl x509 -in /opt/yocto/scarthgap-7.4.0/simde/secure-boot/crts/SRK1_sha256_4096_65537_v3_usr_crt.pem -pubkey -noout > cert_pubkey.pem

# Get the public key from the private key
openssl rsa -in /opt/yocto/scarthgap-7.4.0/simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_key.pem -pubout > key_pubkey.pem

# Compare them
diff cert_pubkey.pem key_pubkey.pem

No output means they match.

3. Update Your Configuration

Based on the meta-toradex-security documentation, ensure your conf/local.conf has the correct certificate directory path:

TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/crts"

4. Verify CST Tool Configuration

The CST tool expects specific file naming conventions. For Colibri iMX8X with AHAB, verify your configuration matches the requirements from the NXP CST documentation (1).

5. Check File Permissions

Ensure the build process can access your private keys:

chmod 600 /opt/yocto/scarthgap-7.4.0/simde/secure-boot/keys/*.pem
chmod 644 /opt/yocto/scarthgap-7.4.0/simde/secure-boot/crts/*.pem

6. Regenerate Keys if Needed

If the files were not generated correctly using the NXP CST tool, you may need to regenerate them following the CST User Guide documentation (1). The key generation process for AHAB differs from HAB and requires specific parameters for iMX8X.

7. Debug the Build Process

Add verbose logging to see exactly what the build system is looking for:

TDX_IMX_HAB_CST_ARGS = "-v"

This will provide more detailed output from the CST tool during the signing process.

The error suggests the build system still cannot locate the private key file, even with the correct directory structure. Double-check that the file naming exactly matches what the CST tool expects for your specific configuration parameters.

Best regards,
Toradex AI Assistant.


One question: could it be that the error is related to the password assigned to the private key?

flavio@simde:/opt/yocto/scarthgap-7.4.0/simde/secure-boot$ openssl rsa -in /opt/yocto/scarthgap-7.4.0/simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_key.pem -check -noout
Enter pass phrase for /opt/yocto/scarthgap-7.4.0/simde/secure-boot/keys/SRK1_sha256_4096_65537_v3_usr_key.pem:
RSA key ok

I had to assign the password.

Now I get this error:

| /opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/mx8_sign.sh -t flash
| Verified TDX_IMX_HAB_CST_BIN=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/cst-4.0.1/linux64/bin/cst
| Verified TDX_IMX_HAB_CST_SRK=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/crts/SRK_1_2_3_4_table.bin
| Verified TDX_IMX_HAB_CST_SRK_CERT=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/crts/SRK1_sha256_4096_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_TEMPLATE=mx8_template.csf
| Verified UNSIGNED_IMAGE=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/git/iMX8QX/flash.bin
| Verified LOG_MKIMAGE=/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/mkimage-flash.log
| Creating CSF file: /opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/flash.csf
| Using SRK1 for signing.
| Inferred that CA flag was not set; signing with SRK only.
| Signing ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/git/iMX8QX/flash.bin’ with CST tool.
| Tool location: ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/../simde/secure-boot/cst-4.0.1/linux64/bin/cst’
| CSF location: ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/flash.csf’
|
| Code Signing Tool Version: 4.0.1
|
| Compiled with:
| OpenSSL 3.2.0 23 Nov 2023
| OPENSSLDIR: “/opt/cst”
| ENGINESDIR: “/opt/cst/lib64/engines-3”
|
| cp: cannot stat ‘/opt/yocto/scarthgap-7.4.0/TEST-AHAB/tmp/work/colibri_imx8x-tdx-linux/imx-boot/1.0/git/iMX8QX/flash.bin-signed’: No such file or directory
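A pre-flight check for the crts/keys layout and the passphrase-protected key discussed above, added here as an example; it is not code from Toradex, NXP CST or the posters. It assumes the naming rule visible in the log (keys/<name>_key.pem beside crts/<name>_crt.pem) and builds a constructed sample tree with placeholder PEM files, so it runs without real keys.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Assumed CST convention, taken from the thread's log: the key for
# crts/<name>_crt.pem is opened as keys/<name>_key.pem in the sibling directory.
CRT_RE = re.compile(r"^(SRK[1-4]_\w+)_crt\.pem$")


def key_name_for(cert_name: str) -> Optional[str]:
    """Map an SRK certificate filename to the private key filename CST opens."""
    m = CRT_RE.match(cert_name)
    return f"{m.group(1)}_key.pem" if m else None


def is_encrypted_pem(path: Path) -> bool:
    """True if the PEM is passphrase-protected (PKCS#8 or legacy OpenSSL header).
    Such a key makes cst prompt for a passphrase, which a non-interactive
    bitbake run cannot answer, so signing silently produces no *-signed file."""
    head = path.read_text(errors="replace")[:400]
    return "BEGIN ENCRYPTED PRIVATE KEY" in head or "Proc-Type: 4,ENCRYPTED" in head


def check_cst_keys(base: Path) -> Dict[str, str]:
    """Return {certificate filename: status} for every SRK cert under base/crts."""
    crts, keys = base / "crts", base / "keys"
    result: Dict[str, str] = {}
    for crt in sorted(crts.glob("SRK*_crt.pem")):
        name = key_name_for(crt.name)
        if name is None:
            result[crt.name] = "unrecognised certificate name"
            continue
        key = keys / name
        if not key.is_file():
            result[crt.name] = f"missing {name}"          # the first error in the thread
        elif not os.access(key, os.R_OK):
            result[crt.name] = "key not readable by build user"
        elif is_encrypted_pem(key):
            result[crt.name] = "key is passphrase-protected"  # the second finding
        else:
            result[crt.name] = "ok"
    return result


def make_sample_layout() -> Path:
    """Constructed sample tree (placeholder PEMs, not real keys): SRK1 plain, SRK2 encrypted, SRK3 missing."""
    base = Path(tempfile.mkdtemp(prefix="cst-check-"))
    (base / "crts").mkdir()
    (base / "keys").mkdir()
    for n in (1, 2, 3):
        (base / "crts" / f"SRK{n}_sha256_4096_65537_v3_usr_crt.pem").write_text(
            "-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n")
    (base / "keys" / "SRK1_sha256_4096_65537_v3_usr_key.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n")
    (base / "keys" / "SRK2_sha256_4096_65537_v3_usr_key.pem").write_text(
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return base


if __name__ == "__main__":
    for cert, status in check_cst_keys(make_sample_layout()).items():
        print(f"{cert}: {status}")
```

Point check_cst_keys at the real TDX_IMX_HAB_CST_DIR to see which SRK slot would fail before running bitbake; the openssl modulus comparison from the answer above still covers whether a key actually belongs to its certificate.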

Hi @flavio!

I saw you opened a more recent thread. Were you able to solve this issue?

Best regards.

Hi @flavio!

Could you please share the solution?

Best regards.