File: srktool.pod

imx-code-signing-tool 3.4.1+dfsg-6
=pod

=head1 NAME

srktool - Generate SRK Table and eFuse hash for secure boot on NXP i.MX processors (HAB4 and AHAB)

=head1 SYNOPSIS

B<srktool> B<--ahab_ver> B<--table> I<file> B<--efuses> I<file> 
B<--digest> I<algo> B<--sign_digest> I<algo> B<--certs> I<certs,...> 
[B<--fuse_format> I<format>] [B<--license>] [B<--version>] [B<--verbose>]

B<srktool> B<--hab_ver> 4 B<--table> I<file> B<--efuses> I<file> 
B<--digest> I<sha256> B<--certs> I<certs,...> 
[B<--fuse_format> I<format>] [B<--license>] [B<--version>] [B<--verbose>]

=head1 DESCRIPTION

B<srktool> is a utility for generating Super Root Key (SRK) tables and eFuse hash binaries required for enabling secure boot on NXP i.MX SoCs using either HAB4 or AHAB mechanisms.

It processes up to four X.509 certificates (PEM or DER format), and produces a binary SRK table and a corresponding hash file suitable for programming into fuses.

=head1 OPTIONS

=over 4

=item B<-a>, B<--ahab_ver>

Target platform uses AHAB (Advanced High Assurance Boot), e.g., i.MX 8/8X/8ULP series.

=item B<-h>, B<--hab_ver> I<version>

Target platform uses HAB (High Assurance Boot), e.g., i.MX 6. The version must be set to C<4>.

=item B<-t>, B<--table> I<file>

Output file path for the generated SRK table.

=item B<-e>, B<--efuses> I<file>

Output file path for the generated eFuse binary containing the SRK table hash.

=item B<-d>, B<--digest> I<digestalg>

Digest algorithm used to compute the SRK table hash. This is required for both AHAB and HAB4.

For AHAB, one of:

=over 8

=item * C<sha512>: supported on i.MX 8/8X; this is the default.

=item * C<sha256>: supported on i.MX 8ULP.

=back

For HAB4, only C<sha256> is supported.

=item B<-s>, B<--sign_digest> I<digestalg>

Signature digest algorithm used to sign the SRK certificates.
One of: C<sha256>, C<sha384>, C<sha512>.

This option is only valid for AHAB.

=item B<-c>, B<--certs> I<cert1>[,I<cert2>,...,I<cert4>]

Comma-separated list of up to 4 X.509 certificate files (PEM or DER).

=over 8

=item * PEM or DER format supported

=item * No whitespace allowed between filenames

=item * For HAB4: Prefix a cert with C<%> to include only its public key hash instead of the full key

=back

=item B<-f>, B<--fuse_format> I<format>

Optional fuse data output format:

=over 8

=item * C<0>: 8 fuses per word (e.g., C<00 00 00 0a 00 00 00 01 ...>)

=item * C<1>: 32 fuses per word (default; e.g., C<0a 01 ff 8e>)

=back

=item B<-l>, B<--license>

Print license information and exit.

=item B<-v>, B<--version>

Print the tool version and exit.

=item B<-b>, B<--verbose>

Enable verbose output.

=back

=head1 EXAMPLES

=head2 AHAB Example

Generate an AHAB-compatible SRK table and eFuse file with a SHA-512 digest and certificate signatures using SHA-384:

  srktool --ahab_ver \
          --digest sha512 --sign_digest sha384 \
          --table srk_table.bin --efuses srk_fuse.bin \
          --certs srk1.pem,srk2.pem,srk3.pem

=head2 HAB4 Example

Generate a HAB4-compatible SRK table using SHA-256 and a mix of full and digest-style certificates:

  srktool --hab_ver 4 --digest sha256 \
          --table srk_table.bin --efuses srk_fuse.bin \
          --certs srk1.pem,srk2.pem,%srk3.pem

=head1 FILE FORMATS

=over 4

=item * Certificates may be DER or PEM format.

=item * Output files (SRK table and efuse) are binary.

=back
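
The two C<--fuse_format> layouts carry the same hash, so an eFuse file written in one layout can be checked against a file written in the other before anything is programmed. The Python below is an added example, not part of srktool or the CST package: the function names are hypothetical, the format 0 layout is inferred from the byte examples in the option description, and it assumes the eFuse file contains the hash and nothing else.

```python
import hashlib

# Constructed sample: the first four bytes are the ones shown in the
# --fuse_format examples; the remaining 28 are made up to reach SHA-256 length.
SAMPLE_PACKED = bytes.fromhex("0a01ff8e") + bytes(range(28))


def expand_to_format0(packed: bytes) -> bytes:
    """Format 1 -> format 0: one hash byte per 4-byte word (00 00 00 xx).

    Layout is an assumption inferred from the byte examples in the option text.
    """
    return b"".join(b"\x00\x00\x00" + bytes([b]) for b in packed)


def collapse_format0(data: bytes) -> bytes:
    """Format 0 -> format 1, rejecting words whose padding bytes are not zero."""
    if len(data) % 4:
        raise ValueError("format 0 data must be a whole number of 4-byte words")
    out = bytearray()
    for off in range(0, len(data), 4):
        if data[off:off + 3] != b"\x00\x00\x00":
            raise ValueError(f"non-zero padding in word at offset {off}")
        out.append(data[off + 3])
    return bytes(out)


def normalise(data: bytes, fuse_format: int, digest: str) -> bytes:
    """Return the packed hash bytes, checking the length against --digest.

    Assumes the eFuse file holds the hash and nothing else.
    """
    if fuse_format not in (0, 1):
        raise ValueError("fuse_format must be 0 or 1")
    if digest not in ("sha256", "sha512"):
        raise ValueError("digest must be sha256 or sha512")
    packed = collapse_format0(data) if fuse_format == 0 else bytes(data)
    expected = hashlib.new(digest).digest_size
    if len(packed) != expected:
        raise ValueError(f"{len(packed)} hash bytes, expected {expected} for {digest}")
    return packed


def same_hash(file0: bytes, file1: bytes, digest: str) -> bool:
    """True when a format 0 file and a format 1 file encode the same hash."""
    return normalise(file0, 0, digest) == normalise(file1, 1, digest)


if __name__ == "__main__":
    print(same_hash(expand_to_format0(SAMPLE_PACKED), SAMPLE_PACKED, "sha256"))
```

Reading a format 1 file as format 0, or passing the wrong C<--digest> name, raises C<ValueError> rather than returning a truncated hash.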

=head1 SEE ALSO

L<cst(1)>, L<csf_parser(1)>

=cut