NOTE: The NXP-CST-SIGNER tool will be renamed to NXP-IMX-SIGNER in an upcoming release. The NXP-IMX-SIGNER tool will support multiple signing tools, i.e. CST and SPSDK.
NOTE: The CST signing support for AHAB images (i.MX 8/8x, 8ULP and 9 family) is not being maintained going forward and will be deprecated. It will be replaced with SPSDK signing support. Eventually, HAB images (i.MX 6/7/8M) will be supported by CST and AHAB images will be supported by SPSDK.
The IMX signer tool works in conjunction with the Code Signing Tool (CST) and Secure Provisioning SDK (SPSDK) provided by NXP. It automates the signing process using a configuration file populated with the necessary inputs. In addition, the tool parses the "to be signed" image and extracts the offset and length information needed to sign it, reducing the chance of human error during signing.
This tool requires the CST/SPSDK to be present at a preset location. Provide the path to CST/SPSDK using the environment variable SIG_TOOL_PATH.
Optionally, the location of the keys and certificates can be provided using the environment variable SIG_DATA_PATH.
By default, private keys and certificates are expected in the keys and crts folders, respectively.
CST file structure:
<cst folder>
|--crts
|--keys
SPSDK file structure:
<spsdk folder>
|--crts
|--keys
NOTE: If SIG_DATA_PATH is not provided, the tool uses the path given in SIG_TOOL_PATH.
Build this tool using the make command.
To run this tool, in addition to CST/SPSDK, you also need a CSF/YAML config file filled in with values appropriate to your setup.
To help start the signing process, sample CSF/YAML configuration files have been provided as part of this package.
CFG file supporting HAB images: csf_hab4.cfg.sample
CFG file supporting AHAB images: csf_ahab.cfg.sample, spsdk_ahab.cfg.sample
Invoke the imx_signer executable as follows (example):
CST Example: SIG_TOOL_PATH=<cst> SIG_DATA_PATH=<keys/crts folder> ./imx_signer -i flash.bin -c csf.cfg
SPSDK Example: SIG_TOOL_PATH=<spsdk> SIG_DATA_PATH=<keys/crts folder> ./imx_signer -i flash.bin -c spsdk.cfg
The tool generates the final signed binary as "signed-<input_filename>". With CST, CSF files are created; with SPSDK, a YAML config file is created. These generated files are used to produce the final signed binary.
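The following pre-flight wrapper is an added example, not part of the NXP package: it resolves the keys/crts location the way the SIG_DATA_PATH fallback is described above and checks the folder layout before invoking imx_signer. The permission check on keys/, the function names and the IMX_SIGNER variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the NXP package: pre-flight checks for imx_signer.

# Directory expected to hold keys/ and crts/: SIG_DATA_PATH when set,
# otherwise SIG_TOOL_PATH (the fallback the README describes).
sig_data_dir() {
    if [ -n "${SIG_DATA_PATH:-}" ]; then
        printf '%s\n' "$SIG_DATA_PATH"
    else
        printf '%s\n' "${SIG_TOOL_PATH:-}"
    fi
}

# Returns 0 when the layout is usable, otherwise 1 (tool path), 2 (missing
# keys/ or crts/) or 3 (loose key permissions), with a message on stderr.
imx_signer_preflight() {
    if [ -z "${SIG_TOOL_PATH:-}" ] || [ ! -d "$SIG_TOOL_PATH" ]; then
        echo "SIG_TOOL_PATH is unset or not a directory" >&2
        return 1
    fi
    pf_data=$(sig_data_dir)
    for pf_sub in keys crts; do
        if [ ! -d "$pf_data/$pf_sub" ]; then
            echo "missing folder: $pf_data/$pf_sub" >&2
            return 2
        fi
    done
    # Extra hardening chosen for this example (not a requirement of the tool):
    # refuse to sign if any file under keys/ is readable by group (040)
    # or by others (004).
    pf_loose=$(find "$pf_data/keys" -type f \( -perm -040 -o -perm -004 \) | head -n 1)
    if [ -n "$pf_loose" ]; then
        echo "private key readable by group/others: $pf_loose" >&2
        return 3
    fi
    return 0
}

# Run the signer only after the checks pass. $1 = image, $2 = config file.
# IMX_SIGNER is a hypothetical override for the executable's location.
sign_image() {
    imx_signer_preflight || return $?
    "${IMX_SIGNER:-./imx_signer}" -i "$1" -c "$2"
}
```

After sourcing the file, sign_image flash.bin csf.cfg takes the place of the direct ./imx_signer call, with SIG_TOOL_PATH and SIG_DATA_PATH set as in the invocations above.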