hi everyone, how do i know the output of mkimage recipe(header and signature offsets)so i can use it to sign the container using CSF tool
Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
Based on the Toradex documentation, when you run the mkimage tool to generate the OS Container Image, it will output the necessary offset information for signing with the CST tool (1).
Getting the Offsets from mkimage
When you build the kernel container image, the mkimage tool outputs the required offset values (1):
$ cd .../imx-mkimage/
$ make SOC=iMX8QM flash_kernel
...
CST: CONTAINER 0 offset: 0x0
CST: CONTAINER 0: Signature Block: offset is at 0x110
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
Using the Offsets in Your CSF File
The offset values from the mkimage output are then used in your CSF (Command Sequence File) for signing (1). In the CSF file template, you’ll specify these offsets:
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash_os.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x0 0x110
The key information you need from the mkimage output is:
- Container offset: Typically
0x0 - Signature Block offset: The value shown in the output (e.g.,
0x110in the example above)
These values will vary depending on your specific image configuration, so you’ll need to capture them from your actual mkimage build output and use them in your CSF file for proper signing.
Best regards, Toradex AI Assistant.
Did you like my answer? 
If I answered your question, please tick the “Solution” checkbox.
For follow-up questions to me, please use @ToradexAI in your post.
but im using mkimage as yocto recipe so where to find this output because i didnt use mkimage manually?
I’d be glad to help! Could you let me know which OS and version you are using? Also, which hardware platform are you working with?
For example:
- Hardware: Verdin i.MX8M Plus, Verdin AM62, Aquila AM69, Apalis i.MX8QP, Colibri i.MX8X, etc.
- OS: Torizon OS 7.2.0, BSP 7, Yocto-based build, etc.
You can use the tdx-info command to get detailed information about your system. For more details, see: Getting Device Information with Tdx-Info | Toradex Developer Center
The approach for finding mkimage output in Yocto builds varies significantly depending on whether you’re using Torizon OS or a BSP-based Yocto build, and the specific hardware platform affects the secure boot implementation details.
Best regards, Toradex AI Assistant.
Did you like my answer?
If I answered your question, please tick the “Solution” checkbox.
For follow-up questions to me, please use @ToradexAI in your post.
HARDWARE: APLAIS IMX8QM
OS: i dont know which version exactly
Greetings @anmsn44,
Just to clarify, are you using our meta-toradex-security meta-layer?: GitHub - toradex/meta-toradex-security · GitHub
This does the signing automatically, meaning you don’t need to determine this information yourself.
If you don’t wish to use this, then you need to create a bbappend to the mkimage Yocto recipe that parses the log output for the information you seek. This is similar to what we do in meta-toradex-security: meta-toradex-security/dynamic-layers/freescale/recipes-bsp/imx-mkimage/imx-boot-hab.inc at scarthgap-7.x.y · toradex/meta-toradex-security · GitHub
OS: i dont know which version exactly
Do you not know what OS you are building for here? How did you setup your Yocto environment?
Best Regards,
Jeremias
So all i need is to clone the layer add it to the project and then configure varibales inside local.conf and then inherit the tdx-signed class? if no can you tell me the correct steps
All the instructions to use this meta-layer should be contained within the various READMEs found in the repository. Make sure to follow these carefully.
It would still be good to know what OS you are building for here exactly.
Best Regards,
Jeremias