Verdin-IMX8MM secure boot missing certificate files

Hi,

I am trying to create my secure boot image for the Verdin-IMX8MM module (which I believe should have the AHAB instead of the HABv4, correct me if I am wrong here), but during the build it gives an error about a missing certificate file, see below:
“ERROR: u-boot-toradex-1_2024.07-r0 do_uboot_assemble_fitimage: Could not find file ‘/workdir/torizon/layers/cst/cst-3.4.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem’ (required for HAB).”

According to the NXP documentation, the CST tooling should not generate the CSF files, since I use the AHAB and not the HABv4.

I generated the keys, the certificates, the SRK table and the e-fuse hash, which should be all the steps according to the documentation.

My local.conf settings regarding the secure boot are the following:

And I placed the CST tooling at the given location. For reference, I am running the Yocto build environment in the Docker CROPS container, and this builds correctly for the IMX8MM without the added secure boot configs.

Any help would be appreciated.

Kind regards,
Richard

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!


Hello Richard,

Thank you for reaching out with your question. You’re correct that the Verdin iMX8MM module uses AHAB (Advanced High Assurance Boot) rather than HABv4. The error you’re encountering suggests that the build process is mistakenly looking for a certificate file associated with HABv4, which is not applicable for AHAB.

To address this issue, please consider the following steps:

  1. Verify CST Tool Configuration: Ensure that your Code Signing Tool (CST) is set up specifically for AHAB. It should not generate or expect HABv4-related files like CSF1_1_sha256_2048_65537_v3_usr_crt.pem. Double-check the version and configuration of your CST to confirm it aligns with AHAB requirements.

  2. Check Certificate Files: Make sure the certificates and keys you generated are intended for AHAB. The AHAB process involves different certificate handling compared to HABv4. Verify that the paths and filenames in your build configuration match those of the AHAB-specific certificates.

  3. Review Yocto Configuration: In your local.conf, ensure that the secure boot settings are correctly specified for AHAB. This includes any references to certificate files and paths. If your configuration mistakenly includes HABv4 settings, adjust them to reflect AHAB requirements.

  4. Consult NXP Documentation: Reviewing the NXP documentation for AHAB on the i.MX 8M Mini can provide additional insights into the correct setup and any nuances that might affect your build process.

  5. Rebuild with Correct Settings: After verifying and correcting your setup, attempt to rebuild the image. Ensure that all paths and configurations are updated to reflect the AHAB process.

By ensuring that your build environment and configurations are tailored for AHAB, you should be able to resolve the missing certificate file error and successfully create a secure boot image for your Verdin iMX8MM module.

I hope this helps! If you have any further questions, feel free to ask.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

https://community.nxp.com/t5/-/-/m-p/489919

Update:

I was wrong in thinking it was the AHAB; the IMX8MM uses the HABv4. I just completely read over that line in the NXP documentation:

On iMX6, iMX7 and iMX8M, this feature is available and it is called HAB (High Assurance Boot).

On iMX8 and iMX8X, this feature is available and it is called AHAB (Advanced High Assurance Boot).

My bad.
Richard