Yocto build imx-boot with ahab enable for colibri imx8x

hello,

I need to build the imx-boot image to flash onto the board with AHAB enabled and signed.

I have these files with the keys:

CSF_crt.pem
CSF_key.pem
IMG_crt.pem
IMG_key.pem
SRK_fuse.bin
SRK_fuse_words.txt
SRK_table.bin

I am working with the yocto scarthgap_7.4.0.

Now I need a detailed list of commands and configuration to get it.

I followed some procedures, but after the flash the command:

Colibri iMX8X # ahab_status
Unknown command ‘ahab_status’ - try ‘help’

always gives me the same result.

Thank you

best regards

Flavio

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


I’d be glad to help you enable secure boot with AHAB for your Colibri iMX8X! To provide the most accurate guidance, could you confirm which specific version of the OS you’re running? You can use the tdx-info command to get detailed information about your setup - check out this guide.

However, I notice you mentioned working with Yocto Scarthgap 7.4.0, so I can provide guidance based on that platform.

Prerequisites and Setup

First, you’ll need to set up the meta-toradex-security layer in your Yocto build environment (1). This layer provides the necessary classes and configurations for secure boot.

Configuration Steps

1. Enable Secure Boot Classes

Add the following to your conf/local.conf file to enable secure boot features (1):

INHERIT += "tdx-signed"

2. Configure HAB/AHAB Variables

Based on your key files, you’ll need to configure these variables in your local.conf. The meta-toradex-security layer uses specific variable names for the CST tool configuration:

TDX_IMX_HAB_ENABLE = "1"
TDX_IMX_HAB_CST_DIR = "${TOPDIR}/keys/cst"
TDX_IMX_HAB_CST_BIN = "${TDX_IMX_HAB_CST_DIR}/linux64/bin/cst"
TDX_IMX_HAB_CST_CERTS_DIR = "${TDX_IMX_HAB_CST_DIR}/crts"

3. Key File Organization

Organize your key files in the expected directory structure. Based on the CST tool requirements, place your files as follows:

${TOPDIR}/keys/cst/
├── crts/
│   ├── CSF_crt.pem (your SRK certificate)
│   └── IMG_crt.pem (your SGK certificate if using CA flag)
├── keys/
│   ├── CSF_key.pem
│   └── IMG_key.pem
└── SRK_table.bin

4. Build Configuration

The signing process will automatically generate signed boot container images when you build (2). The build system uses the CST tool to sign the boot container with your certificates.

Build Process

  1. Set up your build environment:
     source setup-environment build
  2. Build your image:
     bitbake <your-image-name>

Regarding the ahab_status Command Issue

The fact that ahab_status command is not available suggests that AHAB support wasn’t properly enabled in your U-Boot build (2). This typically happens when:

  1. The U-Boot configuration doesn’t include AHAB support
  2. The secure boot features weren’t properly enabled during the build

Make sure that when you rebuild with the tdx-signed class, the U-Boot configuration includes the necessary AHAB features.

Fusing Process

After successful build and flashing, you’ll need to program the SRK fuses using the generated fuse-cmds.txt file. The build process will create this file with the specific fuse commands for your keys.

Important: Fuse programming is irreversible, so ensure you test thoroughly before closing the device.

Could you also confirm which carrier board you’re using with your Colibri iMX8X? This will help me provide more specific guidance for your setup.

Best regards,
Toradex AI Assistant.


Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.
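The two pre-build checks below are an added example; they are not code from this thread, from Toradex or from the meta-toradex-security layer. They assume the CST key layout listed in the answer above, and that AHAB support in U-Boot is governed by the NXP i.MX8 Kconfig option CONFIG_AHAB_BOOT (the U-Boot ahab_status command is only compiled in when that option is set, which is the usual cause of "Unknown command 'ahab_status'"). All paths and file contents used at the bottom are constructed fixtures so the script runs offline.

```sh
#!/bin/sh
# Added example: pre-build checks for an AHAB-signed imx-boot build.
# Not from the thread or from meta-toradex-security; fixture paths are constructed.

# Verify that the CST key directory has the layout the answer above expects:
#   <cst_dir>/crts/CSF_crt.pem, crts/IMG_crt.pem, keys/CSF_key.pem,
#   keys/IMG_key.pem, SRK_table.bin
# Prints each missing or empty file on stderr; returns 1 if any are missing.
check_cst_layout() {
    cst_dir="$1"
    missing=0
    for rel in crts/CSF_crt.pem crts/IMG_crt.pem \
               keys/CSF_key.pem keys/IMG_key.pem \
               SRK_table.bin; do
        if [ ! -s "$cst_dir/$rel" ]; then
            echo "missing or empty: $cst_dir/$rel" >&2
            missing=1
        fi
    done
    return $missing
}

# Check a U-Boot .config (e.g. from the tmp/work/.../u-boot-toradex build dir;
# exact path is an assumption) for AHAB support. Returns 0 when
# CONFIG_AHAB_BOOT=y, 1 when it is unset, 2 when the file does not exist.
check_uboot_ahab() {
    config="$1"
    [ -f "$config" ] || { echo "no .config at $config" >&2; return 2; }
    if grep -q '^CONFIG_AHAB_BOOT=y$' "$config"; then
        return 0
    fi
    echo "CONFIG_AHAB_BOOT not enabled in $config (ahab_status will be absent)" >&2
    return 1
}

# Constructed fixture: a key tree in the expected layout plus two fake
# U-Boot .config files, one with AHAB enabled and one without.
make_fixture() {
    root="$1"
    mkdir -p "$root/keys/cst/crts" "$root/keys/cst/keys" "$root/uboot"
    for f in crts/CSF_crt.pem crts/IMG_crt.pem \
             keys/CSF_key.pem keys/IMG_key.pem SRK_table.bin; do
        printf 'placeholder (constructed)\n' > "$root/keys/cst/$f"
    done
    printf 'CONFIG_AHAB_BOOT=y\n' > "$root/uboot/config-ahab"
    printf '# CONFIG_AHAB_BOOT is not set\n' > "$root/uboot/config-noahab"
}

# Demo run against the constructed fixture.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
if check_cst_layout "$demo_root/keys/cst"; then
    echo "key layout: OK"
fi
if check_uboot_ahab "$demo_root/uboot/config-ahab"; then
    echo "config-ahab: AHAB enabled"
fi
if ! check_uboot_ahab "$demo_root/uboot/config-noahab"; then
    echo "config-noahab: AHAB disabled, rebuild before expecting ahab_status"
fi
rm -rf "$demo_root"
```

Run the layout check against your `${TOPDIR}/keys/cst` before starting bitbake, and the .config check against the U-Boot build directory after the build; if the second check fails, the image was built without AHAB regardless of how the keys are arranged.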

Hi @flavio!

I saw you opened a more recent thread. Were you able to solve this issue?

Best regards.