User Guide - nxpdevhsm

This user’s guide describes how to use the nxpdevhsm application to communicate with the MCU bootloader and provision a chip.

The nxpdevhsm application is a command-line utility that runs on the host computer and uses the device HSM process to produce a provisioning SB3 file.

nxpdevhsm

The nxpdevhsm application is designed to create the SB3 provisioning file used by the OEM for initial provisioning of a device.

nxpdevhsm [OPTIONS] COMMAND [ARGS]...

Options

-d, --debug <LEVEL>

Set the level of system logging output. Available options are: critical, fatal, error, warn, warning, info, debug, notset

--version

Show the version and exit.

nxpdevhsm - Communication

The nxpdevhsm application uses the blhost application and supports all communication interfaces that blhost offers (UART, USB, LPCUSBSIO [I2C, SPI]).

nxpdevhsm - blhost - USB

blhost can be connected to the MCU bootloader over USB HID.

USB device identification in SPSDK

nxpdevhsm - blhost - UART

blhost can be connected to the MCU bootloader over UART.

UART device identification in SPSDK

nxpdevhsm - blhost - LPCUSBSIO

LPCUSBSIO - LPC USB Serial I/O (LPCUSBSIO), a firmware built into LPC Link2. The LPCUSBSIO acts as a bus translator: it establishes a connection with blhost over USB-HID and with the MCU bootloader device over I2C and SPI.

nxpdevhsm - blhost - Note

For more information about the supported communication interfaces, check the blhost application documentation.

nxpdevhsm - Sub-commands

nxpdevhsm consists of a set of sub-commands followed by options and arguments. The options and the sub-command are separated with a ‘--’.

nxpdevhsm [options] -- [sub-command]

The “help” guide of nxpdevhsm lists all of the options and sub-commands supported by the nxpdevhsm utility.

nxpdevhsm --help

nxpdevhsm generate

Generate provisioned SB file.

PATH - output file path, where the final provisioned SB file will be stored.

nxpdevhsm generate [OPTIONS] OUTPUT_PATH

Options

-p, --port <COM[,speed]>

Serial port configuration. Use ‘nxpdevscan’ utility to list devices on serial port.

-u, --usb <VID,PID>

USB device identifier. Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name. <vid>: hex or dec string; e.g. 0x0AB12, 43794. <vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451. Use ‘nxpdevscan’ utility to list connected device names.

-l, --lpcusbsio <spi|i2c>

USB-SIO bridge interface. Following interfaces are supported:

spi[,port,pin,speed_kHz,polarity,phase]
  • port … bridge GPIO port used as SPI SSEL

  • pin … bridge GPIO pin used as SPI SSEL

    default SSEL is set to 0.15 which works for the LPCLink2 bridge. The MCULink OB bridge ignores the SSEL value anyway.

  • speed_kHz … SPI clock in kHz (default 1000)

  • polarity … SPI CPOL option (default=1)

  • phase … SPI CPHA option (default=1)

i2c[,address,speed_kHz]
  • address … I2C device address (default 0x10)

  • speed_kHz … I2C clock in kHz (default 100)

-k, --key <key>

Required User PCK secret file (32-bytes long binary file). PCK (provisioned by OEM, known by OEM) - Part Common Key. This is a 256-bit pre-shared AES key provisioned by OEM. PCK is used to derive FW image encryption keys.

-o, --oem-share-input <oem_share_input>

OEM share input file to use as a seed to randomize the provisioning process (16-bytes long binary file).

-w, --workspace <workspace>

Workspace folder to store temporary files, that could be used for future review.

-j, --container-conf <container_conf>

JSON container configuration file used to produce secure binary v3.x. In this configuration file it is enough to provide just the commands and description sections.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

Arguments

OUTPUT_PATH

Required argument
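
The following pre-flight check is an added example, not part of SPSDK or the original guide. It verifies that the files passed to -k and -o have the sizes stated above (32 and 16 bytes) and are not accessible to group or others before it assembles the `nxpdevhsm generate` command line. The helper names, the file names and the port string `COM3,115200` are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

PCK_LEN = 32        # -k/--key: 32-byte binary file, per the guide
OEM_SHARE_LEN = 16  # -o/--oem-share-input: 16-byte binary file, per the guide


def write_random(path, length):
    """Hypothetical helper: new owner-only file filled with CSPRNG bytes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secrets.token_bytes(length))
    return Path(path)


def check_secret(path, length):
    """Return the problems found with a secret input file (empty list = OK)."""
    st = Path(path).stat()
    problems = []
    if st.st_size != length:
        problems.append(f"{Path(path).name}: {st.st_size} bytes, expected {length}")
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{Path(path).name}: accessible by group or others")
    return problems


def build_generate_argv(port, key, oem_share, workspace, conf, output, timeout_ms=5000):
    """Validate the secret inputs, then return argv for `nxpdevhsm generate`."""
    problems = check_secret(key, PCK_LEN) + check_secret(oem_share, OEM_SHARE_LEN)
    if problems:
        raise ValueError("; ".join(problems))
    return ["nxpdevhsm", "generate", "-p", port, "-k", str(key),
            "-o", str(oem_share), "-w", str(workspace), "-j", str(conf),
            "-t", str(timeout_ms), str(output)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample inputs
        tmp = Path(tmp)
        key = write_random(tmp / "pck.bin", PCK_LEN)
        share = write_random(tmp / "oem_share.bin", OEM_SHARE_LEN)
        argv = build_generate_argv("COM3,115200", key, share, tmp / "ws",
                                   tmp / "sb3_conf.json", tmp / "provisioning.sb3")
        print(" ".join(argv))  # pass argv to subprocess.run() to execute it
```

In production the PCK is the OEM's existing pre-shared key rather than a freshly generated file, so only `check_secret` applies to it.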