Secure Boot in Torizon OS 7

Software summary

Bootloader: U-Boot
Kernel version: 6.6.88-7.3.0-devel-00045-gc19659d5d18c #1-Torizon SMP PREEMPT Thu Feb 27 10:29:52 UTC 2025
Kernel command line: root=LABEL=otaroot rootfstype=ext4 quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3 ostree=/ostree/boot.1/torizon/d52fcf09a2ff954c755ae21f0ff7d0f1d9d08c7d12ba310276ce6c91b49e67ea/0
Distro name: NAME="Torizon OS Upstream"
Distro version: VERSION_ID=7.3.0-devel-20250519112255-build.0
Distro variant: VARIANT="Minimal"
Hostname: apalis-imx6-11367513

Hardware info

HW model: Toradex Apalis iMX6Q/D Module on Ixora Carrier Board V1.1
Toradex version: 0083 V1.1A
Serial number: 11367513
Processor arch: armv7l

This is the summary of the software I have loaded.
I am building Torizon with Yocto to achieve a Secure Boot process during boot.

The problem is in the BitBake task do_uboot_assemble_fitimage of u-boot-toradex.
I will add the log file for a detailed description of the error.
How can I solve this problem and achieve Secure Boot in Torizon OS 7?
log.do_uboot_assemble_fitimage.283630 (40.9 KB)

I have included the following in my local.conf file:
INHERIT += “torizon-signed”
DM_VERITY_IMAGE = “torizon-minimal”

Hi, I’m the Toradex AI Assistant.

Hello! Thank you for sharing the details of your system and your current build setup. You’re on the right track to enable Secure Boot on Torizon OS using Yocto and the appropriate BitBake classes. Let’s go through some common causes and next steps to resolve issues with the do_uboot_assemble_fitimage task, especially when using the torizon-signed class.

Key Points for Secure Boot on Torizon OS with Yocto

  1. INHERIT Usage in local.conf
    When enabling Secure Boot, you should use:

    INHERIT += "tdx-signed"
    

    or (for full root filesystem protection)

    INHERIT += "torizon-signed"
    

    However, ensure you are not using smart quotes (like “ and ”) in your local.conf. Only regular double quotes (") should be used:

    INHERIT += "torizon-signed"
    DM_VERITY_IMAGE = "torizon-minimal"
    
  2. Additional Variables in local.conf
    If you use "torizon-signed", make sure to configure the following (you can rely on defaults, but double-check the key directory exists and is writeable):

    CFS_GENERATE_KEYS = "1"
    CFS_SIGN_KEYDIR = "${TOPDIR}/keys/ostree"
    CFS_SIGN_KEYNAME = "cfs-dev"
    

    See detailed explanation here:
    Build Secure Boot Image - Torizon OS

  3. Analyzing the do_uboot_assemble_fitimage Error
    Since you mentioned a failure at this task, it is often due to:

    • Missing or misconfigured keys.
    • Environment variables not set or incorrect.
    • Syntax errors or wrong character encoding in local.conf.
    • Required files/directories missing due to a prior step failure.

    If you look at the error log file, check for:

    • "No such file or directory"
    • "Permission denied"
    • "Could not sign"
  4. General Steps to Debug

    • Clean up old builds: Sometimes, removing tmp and sstate-cache avoids issues caused by outdated intermediate artifacts.
    • Re-run BitBake after fixing local.conf:
      bitbake -c cleansstate u-boot-toradex
      bitbake torizon-core-docker
      
    • Ensure Build Dependencies: Secure signing usually requires cryptsetup, openssl, and relevant host tools installed.
    • Permissions: Verify that your user can write to ${TOPDIR}/keys/ostree.
  5. Secure Boot Image Guide
    Follow this step-by-step guideline to ensure nothing is missed:
    Secure Boot on Torizon OS Guide

What to do next:

  • Double-check your local.conf for proper formatting and correct quotation marks.
  • Make sure the CFS_SIGN_KEYDIR and other variables are correctly set or left at their defaults.
  • Inspect your log file for specific errors and match them to the points above.
  • If you find an error in the log and need further help, you can paste the relevant portion here.

If you’d like, share the relevant snippet of the log.do_uboot_assemble_fitimage file (showing the actual error), and I can help you further pinpoint the issue.

Best regards,
Toradex AI Assistant.

Greetings @Karthik-Gnanaguru,

I don’t see an obvious error/warning message that describes what exactly failed in the logs you provided.

There is a current known issue with FIT images where keys aren’t automatically being generated by the build. But, your logs do not show the same errors as this issue.

When the build fails is there an obvious error message printed to the console?

Best Regards,
Jeremias

Hi Jeremias,
The build actually fails in the do_uboot_assemble_fitimage task. What may be the issue, and are there any dependencies on the CST tool version?
I have signed with Code Signing Tool release version 3.1.0.

The task exits at this stage:

| ./tools/mkimage -n spl/u-boot-spl.cfgout -T imximage -e 0x00908000 -d spl/u-boot-spl.bin SPL >SPL.log && cat SPL.log
| Image Type: Freescale IMX Boot Image
| Image Ver: 2 (i.MX53/6/7 compatible)
| Mode: DCD
| Data Size: 61536 Bytes = 60.09 KiB = 0.06 MiB
| Load Address: 00907420
| Entry Point: 00908000
| HAB Blocks: 0x00907400 0x00000000 0x0000cc00
| DCD Blocks: 0x00910000 0x0000002c 0x00000004
| arm-tdx-linux-gnueabi-objcopy -j .text -j .secure_text -j .secure_data -j .rodata -j .hash -j .data -j .got -j .got.plt -j __u_boot_list -j .rel.dyn -j .binman_sym_table -j .text_rest -j .dtb.init.rodata -j .efi_runtime -j .efi_runtime_rel -I binary -O binary --pad-to=0x11000 SPL u-boot-with-spl.imx && cat u-boot.img >> u-boot-with-spl.imx || rm -f u-boot-with-spl.imx
| /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/git/scripts/check-of.sh .config /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/git/scripts/of_allowlist.txt
| DEBUG: Generating CSF for U-Boot
| /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/imx6_imx7_create_csf.sh -m IMX6 -c csf_uboot
| Verified TDX_IMX_HAB_CST_SRK=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_table.bin
| Verified TDX_IMX_HAB_CST_CSF_CERT=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_IMG_CERT=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_BIN=/home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst
| Verified IMXBOOT=u-boot-ivt.img
| Verified HAB_LOG=u-boot-ivt.img.log
| WARNING: exit code 1 from a shell command.
ERROR: Task (/home/home/Yocto_Projects/oe-core/build/conf/…/…/layers/meta-toradex-bsp-common/recipes-bsp/u-boot/u-boot-toradex_2024.07.bb:do_uboot_assemble_fitimage) failed with exit code ‘1’
NOTE: Tasks Summary: Attempted 1281 tasks of which 1280 didn’t need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 3 seconds

Summary: 1 task failed:
/home/home/Yocto_Projects/oe-core/build/conf/…/…/layers/meta-toradex-bsp-common/recipes-bsp/u-boot/u-boot-toradex_2024.07.bb:do_uboot_assemble_fitimage
log: /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/temp/log.do_uboot_assemble_fitimage.320991
Summary: There was 1 WARNING message.
Summary: There was 1 ERROR message, returning a non-zero exit code.

I have uploaded the complete log in the chat above.
Because of this error I cannot proceed with the next step.

Still not clear what the issue is. Strange, maybe it's a silent error or something.

I noticed you are setting DM_VERITY_IMAGE = “torizon-minimal” in your local.conf. Could you remove this and do the build again. For context, the use of DM Verity is not compatible with torizon-signed. Now your issue doesn’t seem related to this, but perhaps try a build without it just to be sure.

Also, try re-making the keys/certs used for high assurance boot. Just to make sure those were generated properly. Perhaps even share exactly how you are generating these. An issue with those could cause CST to error and fail silently.

Best Regards,
Jeremias

Hi jeremias.tx,

I tried to build again after removing DM_VERITY_IMAGE = “torizon-minimal” from local.conf,
but I ended up with the same build error.

The actual error is that the task is not completed; it exits at this step:
| /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/imx6_imx7_create_csf.sh -m IMX6 -c csf_uboot
| Verified TDX_IMX_HAB_CST_SRK=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_table.bin
| Verified TDX_IMX_HAB_CST_CSF_CERT=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_IMG_CERT=/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
| Verified TDX_IMX_HAB_CST_BIN=/home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst
| Verified IMXBOOT=u-boot-ivt.img
| Verified HAB_LOG=u-boot-ivt.img.log

But when checking run.do_uboot_assemble_fitimage:

imx6_imx7_sign_habv4() {
local soc="$1"
local type="$2"
local binary="$3"

if [ ! -e "/home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst" ]; then
    bbfatal "Could not find CST binary at /home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst."
fi

for f in "/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_table.bin" "/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" \
         "/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" "/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_fuse.bin"; do
    if [ ! -e "${f}" ]; then
        bbfatal "Could not find file '${f}' (required for HAB)."
    fi
done

bbdebug 1 "Generating CSF for U-Boot"
# Generate CSF file:
TDX_IMX_HAB_CST_SRK="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_table.bin" \
TDX_IMX_HAB_CST_CSF_CERT="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" \
TDX_IMX_HAB_CST_IMG_CERT="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" \
TDX_IMX_HAB_CST_BIN="/home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst" \
IMXBOOT="u-boot-ivt.img" \
HAB_LOG="u-boot-ivt.img.log" \
/home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/imx6_imx7_create_csf.sh -m "${soc}" -c "csf_uboot"

# Save unsigned image and generate signed version by concatenating with the CSF.
bbdebug 1 "Concatenating CSF binary to U-Boot"
if [ -n "${type}" ]; then
    cp  "u-boot-ivt.img" "u-boot-${type}.img-unsigned"
    cat "u-boot-ivt.img" "csf_uboot.bin" > "u-boot-${type}.img"
else
    mv  "u-boot-ivt.img" "u-boot.img-unsigned"
    cat "u-boot.img-unsigned" "csf_uboot.bin" > "u-boot.img"
fi

# Repeat the process for SPL if SPL was also built.
if [ -n "SPL" ]; then
    bbdebug 1 "Generating CSF for the U-Boot SPL"
    TDX_IMX_HAB_CST_SRK="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_table.bin" \
    TDX_IMX_HAB_CST_CSF_CERT="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" \
    TDX_IMX_HAB_CST_IMG_CERT="/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" \
    TDX_IMX_HAB_CST_BIN="/home/home/Yocto_Projects/oe-core/build/keys/cst/linux64/bin/cst" \
    IMXBOOT="SPL" \
    HAB_LOG="SPL.log" \
    /home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/imx6_imx7_create_csf.sh -m "${soc}" -c "csf_SPL"

    bbdebug 1 "Concatenating CSF binary to the U-Boot SPL"
    # Save unsigned SPL and replace original with signed one:
    mv "SPL" "SPL-unsigned"
    cat "SPL-unsigned" "csf_SPL.bin" > "SPL"

    # TODO: Regenerate u-boot-with-spl.imx
fi

# Create fuse commands
/home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/create_fuse_cmds.sh "${soc}" \
                               "/home/home/Yocto_Projects/oe-core/build/keys/cst/crts/SRK_1_2_3_4_fuse.bin" \
                               "/home/home/Yocto_Projects/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/2024.07/fuse-cmds.txt"

}

The next step, for csf_SPL, does not get executed.

I have uploaded the CST steps that I followed here.
Kindly review them.
CST_Steps.txt (26.5 KB)
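The run script above does three things per image: it reads the "HAB Blocks" values that mkimage -T imximage printed, hands them to cst through a CSF description, and then appends the resulting csf_*.bin to the image with cat. The weak spot, and the reason a cst failure can look silent, is that cat happily appends a zero-byte csf file and the task carries on as if signing had worked. The Python below is an added example (not Toradex's or NXP's code) that shows the same three steps with the missing checks: it parses the "HAB Blocks:" line from the thread's mkimage output, renders a HABv4 CSF description using the key paths from the thread (the [Header] values are the usual i.MX6/i.MX7 CAAM settings from the U-Boot HAB documentation and must match your device's HAB version), and refuses to concatenate a CSF binary that is empty or does not start with the HAB CSF header (tag 0xD4, big-endian length, version byte). The mkimage text and the CSF bytes are constructed samples.

```python
"""Checks around the HAB signing steps performed by run.do_uboot_assemble_fitimage.
Added example; not Toradex/NXP code.  Sample inputs are constructed for this example."""
import re
from typing import List, Tuple

HAB_TAG_CSF = 0xD4                  # first byte of every CSF binary that cst emits
HAB_VERSIONS = (0x40, 0x42, 0x43)   # HABv4 header version bytes

# Constructed sample: the relevant mkimage -T imximage lines from the thread's log.
SAMPLE_MKIMAGE_OUTPUT = """\
Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    61536 Bytes = 60.09 KiB = 0.06 MiB
Load Address: 00907420
Entry Point:  00908000
HAB Blocks:   0x00907400 0x00000000 0x0000cc00
DCD Blocks:   0x00910000 0x0000002c 0x00000004
"""

# Constructed sample CSF binary: HAB header (tag D4, length 0x000c, version 0x40),
# 8 bytes standing in for CSF commands, 16 bytes standing in for certificate/signature data.
GOOD_CSF = bytes.fromhex("d4000c40") + bytes(8) + b"\xaa" * 16


def parse_hab_blocks(mkimage_output: str) -> Tuple[int, int, int]:
    """Return (start_address, file_offset, length) from the 'HAB Blocks:' line.
    These three values are what the CSF [Authenticate Data] Blocks entry needs."""
    m = re.search(r"HAB Blocks:\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)",
                  mkimage_output)
    if m is None:
        raise ValueError("no 'HAB Blocks:' line: image was not built with HAB support")
    start, offset, length = (int(v, 16) for v in m.groups())
    return start, offset, length


def render_csf(image_file: str, blocks: Tuple[int, int, int],
               srk_table: str, csf_cert: str, img_cert: str, srk_index: int = 0) -> str:
    """Render a HABv4 CSF description for cst.  Header values assume the usual
    i.MX6/i.MX7 CAAM configuration; adjust them for other HAB versions."""
    start, offset, length = blocks
    return f"""\
[Header]
  Version = 4.2
  Hash Algorithm = sha256
  Engine = CAAM
  Engine Configuration = 0
  Certificate Format = X509
  Signature Format = CMS

[Install SRK]
  File = "{srk_table}"
  Source index = {srk_index}

[Install CSFK]
  File = "{csf_cert}"

[Authenticate CSF]

[Install Key]
  Verification index = 0
  Target index = 2
  File = "{img_cert}"

[Authenticate Data]
  Verification index = 2
  Blocks = {start:#010x} {offset:#010x} {length:#010x} "{image_file}"
"""


def check_csf_blob(csf: bytes) -> List[str]:
    """Sanity checks on the csf_*.bin written by cst.  Returns a list of problems
    (empty means it looks like a CSF).  The empty-file case is the one the run
    script cannot see: 'cat image csf.bin > signed' succeeds on an empty csf.bin."""
    problems: List[str] = []
    if len(csf) == 0:
        return ["CSF binary is empty: cst produced no output"]
    if len(csf) < 4:
        return ["CSF binary is shorter than the 4-byte HAB header"]
    tag, version = csf[0], csf[3]
    declared = int.from_bytes(csf[1:3], "big")   # length of the CSF command block
    if tag != HAB_TAG_CSF:
        problems.append(f"first byte {tag:#04x} is not the CSF tag {HAB_TAG_CSF:#04x}")
    if version not in HAB_VERSIONS:
        problems.append(f"unexpected HAB header version {version:#04x}")
    if declared > len(csf):
        problems.append(f"header declares {declared} bytes but file holds only {len(csf)}")
    return problems


def sign_image(unsigned: bytes, csf: bytes) -> bytes:
    """Equivalent of the run script's 'cat unsigned csf_uboot.bin > signed', but only
    after check_csf_blob() passes, so a silent cst failure fails loudly here."""
    problems = check_csf_blob(csf)
    if problems:
        raise ValueError("; ".join(problems))
    return unsigned + csf


if __name__ == "__main__":
    blocks = parse_hab_blocks(SAMPLE_MKIMAGE_OUTPUT)
    print(render_csf("SPL", blocks, "keys/cst/crts/SRK_1_2_3_4_table.bin",
                     "keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem",
                     "keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"))
    print("problems with empty CSF:", check_csf_blob(b""))
```

If you wire a check like check_csf_blob() into the task right after the imx6_imx7_create_csf.sh call (or simply test that csf_uboot.bin and csf_SPL.bin are non-empty before the cat), the build stops with a message at the step that actually failed instead of producing an image that HAB will reject once the device is closed.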

Hi Jeremias,

I forgot to upload the new log of do_uboot_assemble_fitimage.
do_uboot_assemble_fitimage-LOG.txt (65.7 KB)

My guess is that this step is where it exits:
Concatenating CSF binary to U-Boot

Hi Jeremias,

I have successfully solved that issue.
Thank you.

I have successfully solved that issue.

I’m glad to hear that. If you don’t mind could you share what you did to solve the issue?

Best Regards,
Jeremias