NAME

cst - Code Signing Tool for generating binary CSF files for NXP secure boot

SYNOPSIS

cst --output file --input file [--cert cert.pem] [--backend ssl|pkcs11] [--verbose]

cst --license|--version|--help

DESCRIPTION

cst (Code Signing Tool) is used to generate a binary Command Sequence File (CSF) required by the HAB or AHAB secure boot mechanisms on NXP i.MX processors. The CSF contains the authentication commands and signature data used to verify signed boot images during the secure boot process.

The tool processes a plain-text CSF description file and produces a binary CSF that can be appended to or embedded in a boot image. Optionally, a certificate can be provided to encrypt the Data Encryption Key (DEK).

OPTIONS

-o, --output file

The output binary CSF file to generate.

-i, --input file

The input CSF description text file.

-c, --cert cert.pem

Public key certificate to encrypt the DEK (optional).

-b, --backend ssl|pkcs11

Optional. Backend for key handling. Default is 'ssl' (local filesystem). 'pkcs11' uses a PKCS#11-compatible keystore.

-g, --verbose

Enable verbose output.

-l, --license

Print license information and exit.

-v, --version

Print the tool version and exit.

-h, --help

Display a brief help message.

EXAMPLES

Generate binary CSF from a text CSF file:

  cst -o out_csf.bin -i hab4.csf
    

Encrypt DEK with a certificate:

  cst -o out_csf.bin -c cert.pem -i hab4.csf
    

SEE ALSO

srktool(1), csf_parser(1)