| SRKTOOL(1) | i.MX CST Documentation | SRKTOOL(1) |
NAME
srktool - generate SRK Table and eFuse hash for secure boot on NXP i.MX processors (HAB4 and AHAB)
SYNOPSIS
srktool --ahab_ver [version] --table file --efuses file --digest algo --sign_digest algo --certs certs,... [--fuse_format format] [--license] [--version] [--verbose]
srktool --hab_ver 4 --table file --efuses file --digest sha256 --certs certs,... [--fuse_format format] [--license] [--version] [--verbose]
NOTE
This manpage is a short description of NXP srktool. For a detailed discussion refer to the Code Signing Tool User Guide UG10106, sections 4 and 5.2. The user guide can be obtained from www.nxp.com and is excluded from Debian for copyright reasons.
DESCRIPTION
srktool is a utility for generating Super Root Key (SRK) tables and eFuse hash binaries required for enabling secure boot on NXP i.MX SoCs using either HAB4 or AHAB mechanisms.
It processes up to four X.509 certificates (PEM or DER encoded) and produces a binary SRK table and a corresponding hash file suitable for programming into fuses.
OPTIONS
- -a, --ahab_ver [version]
- Target platform uses AHAB (Advanced High Assurance Boot), e.g., i.MX 8/8X/8ULP series.
Takes an optional version argument which can be one of
- 1: legacy (default)
- 2: hybrid
- -h, --hab_ver version
- Target platform uses HAB (High Assurance Boot), e.g. i.MX 6. The version must be set to 4.
- -t, --table file
- Output file path for the generated SRK table.
- -e, --efuses file
- Output file path for the generated eFuse binary containing the SRK table hash.
- -d, --digest digestalg
- Digest algorithm used to compute the SRK table hash. This is required for both AHAB and HAB4.
For AHAB 1 (legacy), one of:
- sha512: supported in i.MX 8/8X and is the default.
- sha256: supported in i.MX 8ULP.
For AHAB 2 (hybrid), only sha512 is supported.
For HAB4, only sha256 is supported.
- -s, --sign_digest digestalg
- Signature digest algorithm used to sign the SRK certificates. One of:
sha256, sha384, sha512
This option is only valid for AHAB.
- -c, --certs cert1[,cert2,...,cert4]
- Comma-separated list of up to 4 X.509 certificate files (PEM or DER).
- PEM or DER format supported
- No whitespace allowed between filenames
- For HAB4: Prefix a cert with "%" to include only its public key hash instead of the full key
- -f, --fuse_format format
- Optional fuse data output format:
- 0: 8 fuses per word (e.g., "00 00 00 0a 00 00 00 01 ...")
- 1: 32 fuses per word (default; e.g., "0a 01 ff 8e")
- -l, --license
- Print license information and exit.
- -v, --version
- Print the tool version and exit.
- -b, --verbose
- Enable verbose output.
EXAMPLES
AHAB Example
Generate an AHAB-compatible SRK table and eFuse file with SHA-512 digest and certificate signatures using SHA-384:
srktool --ahab_ver \
--digest sha512 --sign_digest sha384 \
--table srk_table.bin --efuses srk_fuse.bin \
--certs srk1.pem,srk2.pem,srk3.pem
HAB4 Example
Generate a HAB4-compatible SRK table using SHA-256 and a mix of full and digest-style certificates:
srktool --hab_ver 4 --digest sha256 \
--table srk_table.bin --efuses srk_fuse.bin \
--certs srk1.pem,srk2.pem,%srk3.pem
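A check to run on the --efuses output before the values are programmed, since fuse programming cannot be undone. This is an added example, not part of srktool or the NXP documentation: it confirms the file size matches the chosen --digest and lists the hash as 32-bit words for review. It assumes the default --fuse_format 1 stores the raw digest bytes and that each word is read least significant byte first; the function names and the sample bytes are constructed for illustration.

```shell
# Added example: review an srktool --efuses file before programming fuses.
# Assumption: default --fuse_format 1, file holds the raw digest bytes.

# Expected file size in bytes for the --digest value given to srktool.
digest_len() {
    case "$1" in
        sha256) echo 32 ;;
        sha512) echo 64 ;;
        *) return 1 ;;
    esac
}

# Print the fuse file as 32-bit words, one per line. Each word is built from
# four consecutive bytes, first byte least significant (assumption: the same
# view a little-endian hexdump of the file gives).
# Returns non-zero if the file size does not match the digest length.
fuse_words() {
    file=$1 digest=$2
    want=$(digest_len "$digest") || { echo "unknown digest: $digest" >&2; return 2; }
    have=$(wc -c < "$file" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "$file: $have bytes, expected $want for $digest" >&2
        return 1
    fi
    od -An -v -tx1 "$file" | tr -s ' \n' '\n\n' | grep . | paste -d' ' - - - - |
    while read -r b0 b1 b2 b3; do
        echo "0x$b3$b2$b1$b0"
    done
}

# Constructed 32-byte sample (not a real SRK hash) to exercise the check offline.
sample_fuse() {
    printf '\012\001\377\216' > "$1"
    i=0
    while [ "$i" -lt 7 ]; do printf '\021\042\063\104' >> "$1"; i=$((i + 1)); done
}
```

For the HAB4 example above, the call would be fuse_words srk_fuse.bin sha256; a size mismatch usually means a different --digest or --fuse_format was used when the file was generated.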
SEE ALSO
cst(1), ahab_pki_tree, hab4_pki_tree
| 2026-01-30 |