Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
Secure Boot Configuration for SMARC iMX95 EVK
1. Secure Boot Technology for iMX95
For iMX95 platforms, AHAB (Advanced High Assurance Boot) is the correct secure boot technology to use. AHAB is used on iMX8, iMX8X, and iMX95 platforms, while HABv4 is used on iMX6, iMX7, and iMX8M platforms.
2. Key Type Selection for iMX95
For iMX95, you can use RSA-PSS keys as you selected. The key generation process should produce the SRK table and fuse files as you mentioned:
SRK_1_2_3_4_table.bin - used for signing container imagesSRK_1_2_3_4_fuse.bin - used for fusing to the device eFuses
3. Build Configuration Issues
Based on your local.conf configuration, you need to make several corrections:
Required Configuration Variables
# Enable secure boot support
INHERIT += "tdx-signed"
TDX_IMX_HAB_ENABLE = "1"
# CST Tool Configuration
TDX_IMX_HAB_CST_DIR = "/path/to/your/cst-tool"
TDX_IMX_HAB_CST_BIN = "${TDX_IMX_HAB_CST_DIR}/linux64/bin/cst"
TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/crts"
# Key Configuration for RSA-PSS
TDX_IMX_HAB_CST_CRYPTO = "rsa"
TDX_IMX_HAB_CST_KEY_SIZE = "2048" # or your chosen key size
TDX_IMX_HAB_CST_KEY_EXP = "65537"
TDX_IMX_HAB_CST_DIG_ALGO = "sha256"
TDX_IMX_HAB_CST_SRK_CA = "1"
TDX_IMX_HAB_CST_SRK_INDEX = "1"
4. Building Signed Boot Image
To build a signed boot image:
- Configure your environment with the correct variables in
local.conf
- Build the image:
bitbake imx-boot
- Deploy the signed image - the build system will automatically generate signed boot containers
5. CSF File Requirements
For AHAB (used on iMX95), CSF files are automatically generated by the build system when secure boot is enabled. You don’t need to manually create CSF files. The build process will:
- Generate appropriate CSF templates based on your configuration
- Sign the boot container using your certificates and keys
- Produce the final signed boot image
The CSF file format for AHAB follows this structure (1):
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
File = "./cst-tool/crts/SRK_1_2_3_4_table.bin"
Source = "./cst-tool/crts/SRK1_[parameters]_crt.pem"
Source index = 0
Source set = OEM
Revocations = 0x0
[Authenticate Data]
File = "flash.bin"
Offsets = [container_offsets]
6. Local.conf Corrections
Your current configuration needs these modifications:
# Remove or correct these lines:
# UBOOT_CONFIG = "fspi" # This may not be needed
# IMAGE_BOOT_FILES = "imx-boot" # This is automatically handled
# Add these essential secure boot configurations:
INHERIT += "tdx-signed"
TDX_IMX_HAB_ENABLE = "1"
TDX_IMX_HAB_CST_DIR = "/path/to/your/cst-tool-directory"
TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/crts"
TDX_IMX_HAB_CST_CRYPTO = "rsa"
TDX_IMX_HAB_CST_SRK_INDEX = "1"
Important Notes
- Ensure your CST tool path is correctly specified
- Verify that your certificates and keys are in the expected locations
- The build system will generate a
fuse-cmds.txt file with commands to program the eFuses
- Warning: eFuse programming is irreversible - test thoroughly before closing the device
The build error you’re experiencing is likely due to missing or incorrectly configured CST tool paths and secure boot variables in your local.conf.
Best regards, Toradex AI Assistant.
Did you like my answer? 
If I answered your question, please tick the “Solution” checkbox.
For follow-up questions to me, please use @ToradexAI in your post.
