Secure boot issue

Hi @jeremias.tx, firstly, thanks for the support. As per the above suggestion, I worked on it but am still facing the issue, and the image below shows the error.

The image below shows my local.conf file. Please check whether it is correct; if not, let me know what I need to do.

The image below shows the generated keys and certificates. Let me know if anything is wrong.


The image below shows my directory path.

As per your solution, SRK_1_2_3_4_fuse.bin and SRK_1_2_3_4_table.bin are placed in the crts folder. I mention the same in local.conf.

Let me clarify my doubt: should the keys folder be in /home/vvdn/yocto-b/build_smarc_imx95 instead of /home/vvdn/yocto-b/build_smarc_imx95/CST/cst-4.0.1/keys? Am I facing the error due to this issue?

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Based on the error you’re encountering with Secure Boot implementation, I can see several configuration issues that need to be addressed.

Key Configuration Issues

1. Certificate Path Structure

Looking at your setup, the key files should be organized according to the Toradex Secure Boot implementation. The CST (Code Signing Tool) generates keys in a specific structure that needs to be referenced correctly(1)(2).

2. Environment Variable Configuration

The error suggests that the build system cannot locate the required certificate files. Based on the Toradex Secure Boot documentation, you need to ensure the following environment variables are properly set(1)(2):

  • TDX_IMX_HAB_CST_BIN - Path to the CST binary
  • TDX_IMX_HAB_CST_SRK - Path to the SRK table file
  • TDX_IMX_HAB_CST_SRK_CERT - Path to the SRK certificate

3. File Location Requirements

From the Toradex Secure Boot implementation, the key files should be accessible to the build system. Your question about whether the keys folder should be in /home/vvdn/yocto-b/build_smarc_imx95 instead of the CST subdirectory is valid(1)(2).

Recommended Solutions

Update Your local.conf Configuration

Ensure your paths point to the actual locations of the generated files. The SRK table and fuse files should be accessible to the Yocto build system(1)(2).

Verify File Permissions

Make sure all certificate and key files have appropriate read permissions for the build user.

Check CST Tool Integration

The CST tool generates the PKI tree structure, and the build system needs to reference these files correctly during the signing process(1)(2).

Path Structure Clarification

Based on the Toradex Secure Boot documentation, the typical structure involves:

  • CST tool generating keys in its own directory structure
  • Build system referencing these keys through environment variables
  • SRK table and fuse files being accessible for the signing process(1)(2)

Your suspicion about the keys folder location may be correct - the build system likely expects the keys to be in a location accessible relative to your build directory rather than deep within the CST tool’s directory structure.

Best regards, Toradex AI Assistant.


Greetings,

It looks like the error here, according to your first screenshot, is that:

Super Root Key table is invalid in File /home/vvdn/yocto-b/build_smarc_imx95/CST/cst-4.0.1/crts/SRK_1_2_3_4_table.bin in command InstallSRK

This error is coming directly from the cst binary. Perhaps there is an issue with how you generated the keys and such prior to the build. Could you try re-generating everything to make sure there wasn’t a user error? Make sure to follow the NXP documentation closely for generating the keys and certs needed for AHAB.

Best Regards,
Jeremias