| CST(1) | i.MX CST Documentation | CST(1) |
NAME¶
cst - Code Signing Tool for generating binary CSF files for NXP secure boot
SYNOPSIS¶
cst --output file --input file [--cert cert.pem] [--backend ssl|pkcs11] [--verbose]
cst --license|--version|--help
NOTE¶
This manpage is a short description of NXP cst. For a detailed discussion refer to the Code Signing Tool User Guide UG10106, section 5. The user guide can be obtained from www.nxp.com and is excluded from Debian for copyright reasons.
DESCRIPTION¶
cst (Code Signing Tool) is used to generate a binary Command Sequence File (CSF) required by the HAB or AHAB secure boot mechanisms on NXP i.MX processors. The CSF contains the authentication commands and signature data used to verify signed boot images during the secure boot process.
The tool processes a plain-text CSF description file and produces a binary CSF that can be appended to or embedded in a boot image. Optionally, a certificate can be provided to encrypt the Data Encryption Key (DEK).
The tool will load general settings and those related to discover PKCS#11 module from the system wide OpenSSL configuration file.
OPTIONS¶
- -o, --output file
- The output binary CSF file to generate.
- -i, --input file
- The input CSF description text file.
- -c, --cert cert.pem
- Public key certificate to encrypt the DEK (optional).
- -b, --backend backend
- Optional. Backend for key handling. Default is ssl (local filesystem). pkcs11 uses a PKCS#11-compatible keystore.
- -g, --verbose
- Enable verbose output.
- -l, --license
- Print license information and exit.
- -v, --version
- Print the tool version and exit.
- -h, --help
- Display a brief help message.
EXAMPLES¶
- Generate binary CSF from a text CSF file:
-
cst -o out_csf.bin -i hab4.csf - Encrypt DEK with a certificate:
-
cst -o out_csf.bin -c cert.pem -i hab4.csf
SEE ALSO¶
srktool(1), hab_csf_parser(1), config(5ssl)
| 2026-01-30 |