User Guide - nxpdevhsm

This user’s guide describes how to interface with the MCU bootloader to provisioned chip using nxpdevhsm application.

The nxpdevhsm application is a command-line utility used on the host computer to use device HSM process to get provisioning SB3.

Communication

The nxpdevhsm application is using blhost application and all supported communication interfaces that blhost offers(UART, USB, LPCUSBSIO[IC, SPI])

blhost - USB

blhost could be connected to MCU Bootloader over USB HID.

USB device identification in SPSDK

blhost - UART

blhost could be connected to MCU bootloader over UART.

UART device identification in SPSDK

blhost - LPCUSBSIO

LPCUSBSIO - LPC USB Serial I/O(LPCUSBSIO), a firmware built in LPC Link2. The LPCUSBSIO acts as a bus translator, and establishes connection with blhost over USB-HID, and the MCU bootloader device over I2C and SPI.

Note

For more information about supported communication interface check the blhost application documentation.

Command line interface

nxpdevhsm

Nxpdevhsm application is designed to create SB3 provisioning file for initial provisioning of device by OEM.

nxpdevhsm [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose: Print more detailed information

-vv, --debug: Display more debugging information.

--version: Show the version and exit.

--help: Show this message and exit.

generate

Generate provisioning SB3.1 file.

PATH - output file path, where the final provisioned SB file will be stored.

nxpdevhsm generate [OPTIONS] OUTPUT_PATH

Options

-p, --port <COM[,speed>: Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-u, --usb <VID:PID|USB_PATH|DEV_NAME>: USB device identifier.

Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name.

<vid>: hex or dec string; e.g. 0x0AB12, 43794.

<vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451.

Use ‘nxpdevscan’ utility to list connected device names.

-sd, --sdio <SDIO_PATH|DEV_NAME>: SDIO device identifier.

Following formats are supported: device/instance path, device name.

device/instance path: device string; e.g. /dev/mcu-sdio.

Use ‘nxpdevscan’ utility to list connected device names.

-l, --lpcusbsio <usb,VID:PID|USB_PATH|SER_NUM,]spi|i2c>

USB-SIO bridge interface.

Optional USB device filtering formats: [usb,vid:pid|usb_path|serial_number]

Following serial interfaces are supported:

spi[index][,port,pin,speed_kHz,polarity,phase]

- index … optional index of SPI peripheral. Example: “spi1” (default=0)
- port … bridge GPIO port used as SPI SSEL(default=0)
- pin  … bridge GPIO pin used as SPI SSEL
default SSEL is set to 0.15 which works
for the LPCLink2 bridge. The MCULink OB
bridge ignores the SSEL value anyway.(default=15)
- speed_kHz … SPI clock in kHz (default 1000)
- polarity … SPI CPOL option (default=1)
- phase … SPI CPHA option (default=1)

i2c[index][,address,speed_kHz]

- index … optional index of I2C peripheral. Example: “i2c1” (default=0)
- address … I2C device address (default 0x10)
- speed_kHz … I2C clock in kHz (default 100)

-b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed>: buspal settings

-t, --timeout <ms>: Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-k, --key <key>: Required Customer Master Key Symmetric Key secret file (32-bytes long binary file). CUST_MK_SK (provisioned by OEM, known by OEM). This is a 256-bit pre-shared AES key provisioned by OEM. CUST_MK_SK is used to derive FW image encryption keys.

-o, --oem-share-input <oem_share_input>: OEM share input file to use as a seed to randomize the provisioning process (16-bytes long binary file).

-w, --workspace <workspace>: Workspace folder to store temporary files, that could be used for future review.

-j, --container-conf <container_conf>: JSON/YAML container configuration file to produce secure binary v3.x. This configuration file must contain family, list of commands and description

-f, --family <family>

Required Select the chip family.

Options: lpc55s3x | mcxn9xx | rw61x

-ir, --initial-reset, -IR, --no-init-reset: Reset device BEFORE DevHSM operation. The DevHSM operation can run only once between resets. Do not enable this option on Linux/Mac when using USB. By default this reset is DISABLED.

-fr, --final-reset, -FR, --no-final-reset: Reset device AFTER DevHSM operation. This reset is required if you need to use the device after DevHSM operation for other security related operations (e.g. receive-sb-file). By default this reset is ENABLED.

Arguments

OUTPUT_PATH: Required argument

get-template

Create template of configuration in YAML format.

The template file name is specified as argument of this command.

nxpdevhsm get-template [OPTIONS] OUTPUT

Options

-f, --family <family>

Required Select the chip family.

Options: lpc55s3x | mcxn9xx | rw61x

-o, --overwrite: Allow overwriting existing template file.

Arguments

OUTPUT: Required argument