Release Notes

1.5.0 (07-August-2021)

New features

• nxpdevhsm - new application added:

  • The nxpdevhsm is a tool to create initial provisioning SB3 file for LPC55S36 to provision device with SB KEK needed to validate in device all standard SB3 files.

• LIBUSBSIO integration as a replacement for HID_API module:

  • blhost - extend blhost by LPCUSBSIO interface

• blhost - following trust-provisioning sub-commands added:

  • oem_get_cust_cert_dice_puk - creates the initial trust provisioning keys

  • oem_gen_master_share - creates shares for initial trust provisioning keys

  • oem_set_master_share - takes the entropy seed and the Encrypted OEM Master Share

  • hsm_gen_key - creates OEM common keys, including encryption keys and signing keys

  • hsm_store_key - stores known keys, and generate the corresponding key blob

  • hsm_enc_blk - encrypts the given SB3 data bloc

  • hsm_enc_sign - signs the given data

• elftosb:

  • support for SB 2.1 generation using BD file

  • LPC55S3x - add support for unsigned/plain images

  • SB2.1 - SHA256 digest of all sections included in signed SB2.1 header

  • add supported families listing into elftosb

  • implement chip family option as a click.Choice

  • allow loading certificates for MBI in PEM format

• nxpcertgen:

  • generate the template for yml configuration file containing the parameters for certificate

  • improve yml template description for nxpcertgen

  • add support for generating certificates in DER format

• nxpkeygen:

  • moved option -p from general space to gendc subcommand.

  • add new -k keygen subcommand option to specify key type to generate

• nxpdebugmbox:

  • refactor DebugCredential base class so that it will be possible to pass certificates in yml config file

  • check nxpdebugmbox on LPC55S3x

• pfr - update CMPA/CFPA registers XML data for LPC55S3x with CRR update

• SPSDK Applications:

  • spsdk applications show help message when no parameter on command line provided

  • improved help messages

  • support Ctrl+C in cmd applications

• replace functional asserts with raising a SPSDK-based exception

• replace all general exception with SPSDK-based exceptions

Bugfixes

• nxpkeygen - regenerates a key without –force

• elftosb - unclear error message: No such file or directory: ‘None’

• pfr - duplicated error message: The silicon revision is not specified

• nxpdebugmbox - fix Retry of AP register reads after Chip reset

• nxpdebugmbox - add timeout to never ending loops in spin_read/write methods in Debug mailbox

• blhost - flash-erase-region command doesn’t accept the memory_id argument in hex form

• elftosb - using kdkAccessRigths = 0 in SB31 is throwing an error in KeyDerivator

1.4.0 (25-June-2021)

New features

• version flag added for all command-line application

• support for Python 3.9 added

• blhost - following sub-commands added:

  • list-memory

  • flash-program-once

  • set-property

  • flash-erase-all-unsecure

  • flash-security-disable

  • flash-read-resource

  • reliable-update

  • fuse-program

  • flash-image

  • program-aeskey

• blhost - memoryId calmp-down for mapped external memories added

• elftosb - support for SB 2.1 added

• elftosb - basic support for BD configuration file added

• nxpdebugmbox - debug port enabled check added

• nxpkeygen - new sub-command added to nxpkeygen to create a template for configuration YML file for DC keys

• nxpkeygen - new sub-command added to create a template for configuration YML file for DC keys

• pfr - default JSON config file generation removed, but still accepted as an input. The preferred is the YML configuration format.

• docs - Read The Docs documentation improvements

Bugfixes

• wrong DCD size by BootImgRT.parse

• cmdKeyStoreBackupRestore wrong param description

• blhost - typo in McuBootConnectionError exception

• blhost - mcuBoot Uart doesn’t close the device after failed ping command

• blhost - assertion error when connection lost during fuses readout

• blhost - sub-command flash-read-resource fails when the length is not aligned

• pfr - incorrect keys hash computation for LPC55S3x

• pfr - wrong LPC55S69 silicon revision

• pfr - parse does not show PRINCE IV fields

• sdphost - running spdhost –help fails

• shadowregs - bad DEV_TEST_BIT in shadow registers

1.3.1 (29-March-2021)

• pfr - configuration template supports YAML with description, backward compatibility with JSON ensured

• pfr - API change: “keys” parameter has been moved from __init__ to export

• pfr - sub-commands renamed: * user-config -> get-cfg-template * parse -> parse-binary * generate -> generate-binary

• blhost - allow key names for key-provisioning commands

• blhost - support for RT1170, RT1160

• shadowregs - shadow registers tool is now top-level module

• blhost - fix baud rate parameter

• pfr - fix in data for LPC55S6x, LPC55S1x, LPC55S0x

• blhost - communication stack breaks down on RT1170 after unsuccessful key-prov enroll command

1.3.0 (5-March-2021)

• support creation of SB version 3.1

• elftosb application based on legacy elf2sb supporting SB 3.1 support

• nxpdevscan - application for connected USB, UART devices discovery

• shadowregs - application for shadow registers management using DebugProbe

• support USB path argument in blhost/sdphost (all supported OS)

• nxpcertgen CLI application (basicConstrains, self-signed)

• blhost - commands added:

  • flash-erase-all

  • call

  • load-image

  • execute

  • key-provisioning

  • receive-sb-file

• blhost - extend commands’ options:

  • configure-memory now allows usage of internal memory

  • extend error code in the output

  • add parameters lock/nolock into efuse-program-once command

  • add key selector option to the generate-key-blob command

  • add nolock/lock selector to efuse-program-once command

  • add hexdata option to the write-memory command

1.2.0 (11-December-2020)

• support for LPC55S3x devices

• extend support for LPC55S1x, LPC55S0x

• pfrc - console script for searching for brick conditions in pfr settings

• custom HSM support

• sdpshost CLI utility using sdpshost communication protocol

• remote signing for Debug Credential

• added command read-register into sdphost CLI

• dynamic plugin support

• MCU Link Debugger support

• pfr - added CMAC-based seal

• pfr - load Root of Trust from elf2sb configuration file

1.1.0 (4-September-2020)

• support for i.MX RT1170 device

• support for elliptic-curve cryptography (ECC)

• support for SDPS protocol

• included Debug Authentication functionality

• included support for debuggers

• nxpkeygen - utility for generating debug credential files and corresponding keys

1.0.0 (4-April-2020)

• support for LPC55S69 and LPC55S16 devices

• support for i.MX RT105x and RT106x devices

• support for i.MX RT595S and RT685S devices

• connectivity to the target via UART, USB-HID.

• support for generating, saving, loading RSA keys with different sizes

• generation and management of certificate

• blhost - CLI utility for communication with boot loader on a target

• sdphost - CLI utility for communication with ROM on a target

• pfr - CLI utility for generating and parsing Protected Flash Regions - CMPA and CFPA regions