-
NXP
-
Download and deploy
Code Signing Tool
mkdir -p /path/to/CST tar -C /path/to/CST -xf /path/to/cst-3.2.0.tgz
-
-
Generating 2048-bit PKI tree on CST v3.2.0:
cd /path/to/CST/release/keys cat << eof | ./hab4_pki_tree.sh n n 2048 5 4 y eof
-
Generating SRK Table and SRK Hash in Linux 64-bit machines:
cd /path/to/CST/release/crts ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e \ SRK_1_2_3_4_fuse.bin -d sha256 -c \ SRK1_sha256_2048_65537_v3_ca_crt.pem,\ SRK2_sha256_2048_65537_v3_ca_crt.pem,\ SRK3_sha256_2048_65537_v3_ca_crt.pem,\ SRK4_sha256_2048_65537_v3_ca_crt.pem
-
-
Refer to this
mx8mm secure boot manual
for details about the NXP CST.
-
-
Clone CompuLab HABV4 tools
cd /path/to/CST/release/linux64 git clone https://github.com/compulab-yokneam/habv4.git
Set a desire machine firts:
export MACHINE=ucm_imx8m_mini
-
imx-boot image signing
export FLASH_BD=${BUILDDIR}/tmp/work/${MACHINE}-poky-linux/imx-boot/*/git /path/to/CST/release/linux64/habv4/tools/u_signing # Output will be stored at: ls ${FLASH_BD}/iMX8M/flash.bin_signed
-
kernel image signing
export IMAGE=${BUILDDIR}/tmp/work/${MACHINE}-poky-linux/linux-imx/*/build/arch/arm64/boot/Image /path/to/CST/release/linux64/habv4/tools/k_signing ${IMAGE} # Output will be stored at: ls ${IMAGE}_signed
-
fuse script generator
/path/to/CST/release/linux64/habv4/tools/fusing