User Guide - nxpkeygen

This user’s guide describes how to use the nxpkeygen application.

nxpkeygen

NXP Key Generator Tool.

nxpkeygen [OPTIONS] COMMAND [ARGS]...

Options

-d, --debug <LEVEL>

Set the level of system logging output. Available options are: critical, fatal, error, warn, warning, info, debug, notset

Options

critical | fatal | error | warn | warning | info | debug | notset

--version

Show the version and exit.

nxpkeygen - Sub-commands

nxpkeygen consists of a set of sub-commands followed by options and arguments. The options and the sub-command are separated with a ‘--’.

nxpkeygen [options] -- [sub-command]

The “help” guide of nxpkeygen lists all of the options and sub-commands supported by the nxpkeygen utility.

nxpkeygen --help

nxpkeygen gendc

Generate debug certificate (DC).

PATH - path to dc file
nxpkeygen gendc [OPTIONS] PATH

Options

-p, --protocol <VERSION>

Set the protocol version. Default is 1.0 (RSA).

NXP Protocol Version    Encryption Type
1.0                     RSA 2048
1.1                     RSA 4096
2.0                     NIST P-256 SECP256R1
2.1                     NIST P-384 SECP384R1
2.2                     NIST P-521 SECP521R1

-c, --config <config>

Required. Specify the YAML credential config file.

-e, --elf2sb-config <elf2sb_config>

Specify the Root of Trust from the configuration file used by the elf2sb tool.

--force

Force overwriting of an existing file. Create the destination folder if it doesn’t already exist.

--plugin <plugin>

External Python file containing a custom SignatureProvider implementation.

Arguments

PATH

Required argument

nxpkeygen genkey

Generate key pair for RoT or DCK.

PATH - output file path, where the key pair (private and public key) will be stored.
Each key will be stored in a separate file (.pub and .pem).
nxpkeygen genkey [OPTIONS] PATH

Options

-k, --key-type <KEY-TYPE>

Select one of the supported key types. Default is RSA2048.

Note: The NXP DAT protocol uses keys according to this table:

NXP Protocol Version    Encryption Type
1.0                     RSA 2048
1.1                     RSA 4096
2.0                     SECP256R1
2.1                     SECP384R1
2.2                     SECP521R1

All possible options: rsa2048, rsa3072, rsa4096, prime192v1, prime256v1, secp192r1, secp224r1, secp256r1, secp384r1, secp521r1, secp256k1, sect163k1, sect233k1, sect283k1, sect409k1, sect571k1, sect163r2, sect233r1, sect283r1, sect409r1, sect571r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1.

Options

rsa2048 | rsa3072 | rsa4096 | prime192v1 | prime256v1 | secp192r1 | secp224r1 | secp256r1 | secp384r1 | secp521r1 | secp256k1 | sect163k1 | sect233k1 | sect283k1 | sect409k1 | sect571k1 | sect163r2 | sect233r1 | sect283r1 | sect409r1 | sect571r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1

--password <PASSWORD>

Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

--force

Force overwriting of an existing file.

Arguments

PATH

Required argument

nxpkeygen get-cfg-template

Generate the template of Debug Credentials YML configuration file.

PATH - file name path to write template config file
nxpkeygen get-cfg-template [OPTIONS] PATH

Options

-f, --force

Force overwriting of an existing file. Create the destination folder if it doesn’t already exist.

Arguments

PATH

Required argument
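
The protocol tables under gendc and genkey tie each protocol version to one key type, so the keys made with genkey have to match the version later given to gendc. The wrapper below is an added example, not part of the original guide or NXP's code, that enforces that pairing and refuses to write unencrypted private keys. Assumptions: the KEY_PASSWORD and NXPKEYGEN variable names, the file names under the output directory, and that PATH for genkey names the private key (.pem) file.

```shell
#!/bin/sh
# Added example, not NXP code. Keeps genkey's --key-type aligned with the
# protocol version later passed to gendc, using the table in this guide.
NXPKEYGEN=${NXPKEYGEN:-nxpkeygen}   # assumption: set to "echo" for a dry run

key_type_for_protocol() {
    case "$1" in
        1.0) echo rsa2048 ;;
        1.1) echo rsa4096 ;;
        2.0) echo secp256r1 ;;
        2.1) echo secp384r1 ;;
        2.2) echo secp521r1 ;;
        *) echo "unsupported protocol version: $1" >&2; return 1 ;;
    esac
}

# make_dc_inputs PROTOCOL DIR
# Generates RoT and DCK key pairs of the type the protocol requires, plus a
# config template. File names under DIR are hypothetical.
make_dc_inputs() {
    proto=$1; dir=$2
    kt=$(key_type_for_protocol "$proto") || return 1
    # Without --password, genkey writes the private key unencrypted, so
    # insist on one. KEY_PASSWORD is a hypothetical variable name.
    if [ -z "${KEY_PASSWORD:-}" ]; then
        echo "KEY_PASSWORD is not set; refusing to write unencrypted keys" >&2
        return 2
    fi
    mkdir -p "$dir" || return 3
    for name in rot0 dck; do
        # No --force here: an existing key is never silently overwritten.
        # --password is visible in local process listings while genkey runs.
        "$NXPKEYGEN" genkey -k "$kt" --password "$KEY_PASSWORD" \
            "$dir/$name.pem" || return 3
    done
    "$NXPKEYGEN" get-cfg-template "$dir/dc_config.yml" || return 3
    # After editing the template, build the certificate with the same version.
    echo "next: $NXPKEYGEN gendc -p $proto -c $dir/dc_config.yml $dir/debug.dc"
}

# Runs only when called with two arguments, e.g.: sh make_dc_inputs.sh 2.0 ./dc
if [ "$#" -eq 2 ]; then make_dc_inputs "$1" "$2"; fi
```

The final line printed is a reminder rather than an executed step, because the generated template has to be edited before gendc can use it.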