Flash encryption engines
nxpimage currently supports generation of bootable images and keyblobs for NXP bus encryption engines – OTFAD (On-the-fly AES decryption engines), BEE (Bus encryption engine) and IEE (Inline encryption engine).
Note
For Prince algorithm based inline encryption & decryption engines (IPED, Prince & NPX) we don’t support offline image creation.
IEE
nxpimage supports generation of bootable image for MIMXRT117x. More details can be found in the security reference manual: https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1170SRM&appType=moderated or in the Secure Boot modes application note https://www.nxp.com/webapp/Download?colCode=AN13250
IEE engine provides means to perform inline encryption and decryption. Following algorithms are supported AES-128/256-CTR and AES-256/512-XTS. The IEE key blob containing keys and context structures is encrypted by a KEK according to the RFC3394 key-wrapping algorithm, because the key blob resides in the external memory along with the image and it must be protected
Generation of bootable image
First step is to get a template for configuration. The template might look like the file below.
nxpimage iee get-template -f rt1170 iee_template.yaml
IEE template for rt116x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x']
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:iee_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:iee_keyblob
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:True
.keyblob_address
([‘string’, ‘number’]): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.
ibkek1
([‘string’, ‘number’]): IBKEK1 AES-XTS key for keyblob encryption.ibkek2
([‘string’, ‘number’]): IBKEK2 AES-XTS key for keyblob encryption.key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
region_lock
(boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default:False
.aes_mode
(string): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
.key_size
(string): AES mode, AES-XTS or AES-CTR. Must be one of:['CTR256XTS512', 'CTR128XTS256']
.page_offset
(number): Page offset, IEE_REG0PO value. Default:0
.key1
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).
# =========== IEE template for rt116x ===========
# ----------------------------------------------------------------------------------------------------
# == IEE template for rt116x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key; IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key; IBKEK2 AES-XTS key for keyblob encryption
key_blobs: # [Required], The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false # [Optional], Keyblob lock attribute; Determines if the ROM will lock the IEE configuration to prevent later changes.
aes_mode: AesXTS # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
page_offset: 0 # [Optional], Page offset, IEE_REG0PO value
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size
start_address: '0x30001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
IEE template for rt117x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x']
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:iee_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:iee_keyblob
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:True
.keyblob_address
([‘string’, ‘number’]): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.
ibkek1
([‘string’, ‘number’]): IBKEK1 AES-XTS key for keyblob encryption.ibkek2
([‘string’, ‘number’]): IBKEK2 AES-XTS key for keyblob encryption.key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
region_lock
(boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default:False
.aes_mode
(string): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
.key_size
(string): AES mode, AES-XTS or AES-CTR. Must be one of:['CTR256XTS512', 'CTR128XTS256']
.page_offset
(number): Page offset, IEE_REG0PO value. Default:0
.key1
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).
# =========== IEE template for rt117x ===========
# ----------------------------------------------------------------------------------------------------
# == IEE template for rt117x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key; IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key; IBKEK2 AES-XTS key for keyblob encryption
key_blobs: # [Required], The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false # [Optional], Keyblob lock attribute; Determines if the ROM will lock the IEE configuration to prevent later changes.
aes_mode: AesXTS # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
page_offset: 0 # [Optional], Page offset, IEE_REG0PO value
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size
start_address: '0x30001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
IEE template for rt118x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x']
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:iee_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:iee_keyblob
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:True
.keyblob_address
([‘string’, ‘number’]): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.
master
(string): M33 or M7 core. Must be one of:['CM33', 'CM7']
.key_blob
(object): Keyblob configuration, keyblob won’t be generated.aes_mode
(string): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
.key_size
(string): AES mode, AES-XTS or AES-CTR. Must be one of:['CTR256XTS512', 'CTR128XTS256']
.key1
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’]): AES key for the key blob, size depends on key_size.
# =========== IEE template for rt118x ===========
# ----------------------------------------------------------------------------------------------------
# == IEE template for rt118x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
master: CM7 # [Optional], Master ID for RT118x; M33 or M7 core; Possible options:['CM33', 'CM7']
key_blob: # [Optional], Keyblob configuration, keyblob won't be generated.
aes_mode: AesXTS # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size
# =========== IEE: Inline Encryption Engine Configuration template for rt1170. ===========
# ----------------------------------------------------------------------------------------------------
# == Basic Settings ==
# ----------------------------------------------------------------------------------------------------
family: rt1170 # [Required], MCU family, MCU family name., Possible options:['rt1170']
output_folder: iee_output # [Required], IEE output directory, Path to directory where the IEE output will be generated
output_name: encrypted.bin # [Optional], Output binary image file name, File name of the output image containing keyblobs and encrypted data blobs
keyblob_name: iee_keyblob.bin # [Optional], Keyblob file name, File name of the keyblob, output_folder/keyblob_name
encrypted_name: encrypted_blob.bin # [Optional], Encrypted name, filename of the encrypted datablobs
# ----------------------------------------------------------------------------------------------------
# == IEE Settings ==
# ----------------------------------------------------------------------------------------------------
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key, IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key, IBKEK2 AES-XTS key for keyblob encryption
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob, Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list, List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob, Path to binary file with plain text data to be encrypted
address: '0x03001000' # [Optional], Data blob address, Data blob address, it doesn't have to be specified for S-REC
key_blobs: # [Required], List of Key Blobs used by IEE, The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false # [Optional], Keyblob lock attribute, Determines if the ROM will lock the IEE configuration to prevent later changes.
aes_mode: AesXTS # [Required], AES mode, AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only, Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS, AES mode, AES-XTS or AES-CTR, Possible options:['CTR256XTS512', 'CTR128XTS256']
page_offset: 0 # [Optional], Page offset, Page offset, IEE_REG0PO value
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key, AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2, AES key for the key blob, size depends on key_size
start_address: '0x30001000' # [Required], Start address of key blob data, Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000' # [Required], End address of key blob data, End address of key blob data, it should be aligned to 1 KB (1024 B)
Fill the configuration file and export the image.
nxpimage iee export iee_template.yaml
OTFAD
The On-The-Fly AES Decryption (OTFAD) module provides an advanced hardware implementation that minimizes any incremental cycles of latency introduced by the decryption in the overall external memory-access time. It implements a block cipher mode of operation supporting the counter mode (CTR). The CTR mode provides a confidentiality mode that features the application of the forward cipher to a set of input blocks (called counters) to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext and vice versa. The OTFAD engine includes complete hardware support for a standard AES key unwrap mechanism to decrypt a key BLOB data instruction containing the parameters needed for up to 4 unique AES contexts. Each context has a unique 128-bit key, a 64-bit counter, and a 64-bit memory region descriptor.
OTFAD template for rt116x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:otfad_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:OTFAD_Table
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’]): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
aes_key
([‘number’, ‘string’]): AES key for the key blob.aes_ctr
([‘number’, ‘string’]): AES counter value for the key blob.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:True
.valid
(boolean): This field signals if the context is valid or not. Default:True
.read_only
(boolean): This field signals if the context is Read only or not. Default:True
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’]): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’]): OTFAD Key scramble mask align (1 byte size).
# =========== OTFAD template for rt116x ===========
# ----------------------------------------------------------------------------------------------------
# == OTFAD template for rt116x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
- data: my_data.bin # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D' # [Required], AES key for the key blob
aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
valid: true # [Optional], Valid flag; This field signals if the context is valid or not
read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
key_scramble_mask: '0x12345678' # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)
OTFAD template for rt117x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:otfad_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:OTFAD_Table
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’]): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
aes_key
([‘number’, ‘string’]): AES key for the key blob.aes_ctr
([‘number’, ‘string’]): AES counter value for the key blob.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:True
.valid
(boolean): This field signals if the context is valid or not. Default:True
.read_only
(boolean): This field signals if the context is Read only or not. Default:True
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’]): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’]): OTFAD Key scramble mask align (1 byte size).
# =========== OTFAD template for rt117x ===========
# ----------------------------------------------------------------------------------------------------
# == OTFAD template for rt117x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
- data: my_data.bin # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D' # [Required], AES key for the key blob
aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
valid: true # [Optional], Valid flag; This field signals if the context is valid or not
read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
key_scramble_mask: '0x12345678' # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)
OTFAD template for rt118x
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:otfad_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:OTFAD_Table
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’]): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
aes_key
([‘number’, ‘string’]): AES key for the key blob.aes_ctr
([‘number’, ‘string’]): AES counter value for the key blob.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:True
.valid
(boolean): This field signals if the context is valid or not. Default:True
.read_only
(boolean): This field signals if the context is Read only or not. Default:True
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’]): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’]): OTFAD Key scramble mask align (1 byte size).
# =========== OTFAD template for rt118x ===========
# ----------------------------------------------------------------------------------------------------
# == OTFAD template for rt118x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
- data: my_data.bin # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D' # [Required], AES key for the key blob
aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
valid: true # [Optional], Valid flag; This field signals if the context is valid or not
read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
key_scramble_mask: '0x12345678' # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)
OTFAD template for rt5xx
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:otfad_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:OTFAD_Table
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’]): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
aes_key
([‘number’, ‘string’]): AES key for the key blob.aes_ctr
([‘number’, ‘string’]): AES counter value for the key blob.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:True
.valid
(boolean): This field signals if the context is valid or not. Default:True
.read_only
(boolean): This field signals if the context is Read only or not. Default:True
.
# =========== OTFAD template for rt5xx ===========
# ----------------------------------------------------------------------------------------------------
# == OTFAD template for rt5xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
- data: my_data.bin # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D' # [Required], AES key for the key blob
aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
valid: true # [Optional], Valid flag; This field signals if the context is valid or not
read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
OTFAD template for rt6xx
family
(string): MCU family name. Must be one of:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:otfad_whole_image
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:OTFAD_Table
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:encrypted_blob
.generate_readme
(boolean): Readme file contains information about image layout. Default:True
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’]): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows.Items (object)
aes_key
([‘number’, ‘string’]): AES key for the key blob.aes_ctr
([‘number’, ‘string’]): AES counter value for the key blob.start_address
([‘number’, ‘string’]): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’]): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:True
.valid
(boolean): This field signals if the context is valid or not. Default:True
.read_only
(boolean): This field signals if the context is Read only or not. Default:True
.
# =========== OTFAD template for rt6xx ===========
# ----------------------------------------------------------------------------------------------------
# == OTFAD template for rt6xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
- data: my_data.bin # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D' # [Required], AES key for the key blob
aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
valid: true # [Optional], Valid flag; This field signals if the context is valid or not
read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
BEE
i.MX RT10xx, except i.MX1010, provides an on-the-fly encryption engine called Bus Encryption Engine(BEE) Refer to this application note for more info: AN12852.
BeeNxp
output_folder
(string): Folder name to store generated BEE output.input_binary
(string): Path to input binary file.output_name
(string): File name of the encrypted file, output_folder/output_name.header_name
(string): output_folder/header_name + index will be prepended.engine_selection
(string): BEE Engine Selection, engine0, engine1 or both engines. Must be one of:['engine0', 'engine1', 'both']
.engine_key_selection
(string): Random Key or Zero key. Must be one of:['random', 'zero']
.base_address
([‘string’, ‘number’]): Base address of the image.bee_engine
(array): Configuration of BEE engines.Items
# =========== BEE template ===========
# ----------------------------------------------------------------------------------------------------
# == BeeNxp ==
# ----------------------------------------------------------------------------------------------------
output_folder: bee_output # [Required], BEE output folder; Folder name to store generated BEE output
input_binary: input_bin.bin # [Required], Input binary file; Path to input binary file
output_name: encrypted.bin # [Optional], Output binary file name; File name of the encrypted file, output_folder/output_name
header_name: bee_ehdr.bin # [Optional], File name of the exported BEE region headers; output_folder/header_name + index will be prepended
engine_selection: engine0 # [Required], Engine selection; BEE Engine Selection, engine0, engine1 or both engines; Possible options:['engine0', 'engine1', 'both']
engine_key_selection: random # [Required], Engine Key selection; Random Key or Zero key; Possible options:['random', 'zero']
base_address: '0x60001000' # [Required], Base address of the image
bee_engine: # [Required], Bee engines; Configuration of BEE engines
# ----------------------------------------------------------------------------------------------------
# == List of possible 2 options. Option types[object,object] ==
# ----------------------------------------------------------------------------------------------------
- # [Example of possible configuration #0]
user_key: '0x0123456789abcdeffedcba9876543210' # [Required], User AES-128 key; AES key for encryption
aes_mode: CTR # [Required], AES mode - counter or ECB; Possible options:['CTR', 'ECB']
protected_region: # [Optional], Protected region; List of protected regions, up to four regions
- start_address: '0x60001000' # [Required], Start address of protected region, it should be aligned to 1 KB (1024 B)
length: '0x4400' # [Required], Length of protected region, it should be aligned to 1 KB (1024 B)
protected_level: 0 # [Required], Protected level (0/1/2/3), 0 is default
- # [Example of possible configuration #1]
header_path: bee_ehdr0.bin # [Required], BEE header path; Path to the existing BEE header in binary form
user_key: '0x0123456789abcdeffedcba9876543210' # [Required], User AES-128 key; AES key that was used for header encryption