User Guide - elftosb

This user guide describes how to use the elftosb application. elftosb is a tool for generating TrustZone, Master Boot Image and Secure Binary images.

Master Boot Image (MBI)

Master Boot Image can be used directly (e.g. by using the blhost write-memory command) or it can be used for further processing (e.g. as input to a Secure Binary image container). The image is created from a supplied configuration file; both JSON and YAML are supported.

Example of use: elftosb -J <path to config file>

Sample configuration for an LPC55S6x plain signed XIP image. Other sample configurations can be obtained with the -Y option.

# ===========  Master Boot Image Configuration template for lpc55s6x, Plain Signed XIP Image.  ===========
#
#  == Basic Settings ==
#
family: lpc55s6x  # MCU family., MCU family name.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
masterBootOutputFile: my_mbi.bin # Master Boot Image name., The file for Master Boot Image result file.
inputImageFile: my_application.bin # Plain application image., The input application image to be modified to Master Boot Image.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # Image Build Number, If omitted, 0 is used as the default value.
rootCertificate0File: my_certificate0.pem # Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # Root Certificate File 3, Root certificate file index 3.
mainCertChainId: 0 # Main Certificate Index, Index of certificate that is used as a main.
chainCertificate0File0: chain_certificate0_depth0.pem # Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3

Supported devices for MBI

elftosb supports devices from the LPC55xx family (LPC55S0x, LPC55S1x, LPC55S2x, LPC552x, LPC55S6x), RT5xx, RT6xx and LPC55S3x. Supported execution targets are Internal flash (XIP), External Flash (XIP) and RAM; supported image authentication types are Plain, CRC, Signed and Encrypted.

The following table shows the supported image types for each device. Each cell shows either the class that will be used for image creation, or “N/A” if the configuration is not available.

Target in the table represents outputImageExecutionTarget in the configuration file and authentication in the table represents outputImageAuthenticationType.

Supported devices

Target: Internal flash (XIP)

Family    Plain              CRC                 Signed                      Encrypted + Signed
--------  -----------------  ------------------  --------------------------  ------------------
lpc55xx   Mbi_PlainXip       Mbi_CrcXip          Mbi_SignedXip               N/A
lpc55s0x  Mbi_PlainXipRtxxx  Mbi_CrcXipRtxxx     Mbi_PlainSignedXipRtxxx     N/A
lpc55s1x  Mbi_PlainXipRtxxx  Mbi_CrcXipRtxxx     Mbi_PlainSignedXipRtxxx     N/A
lpc552x   Mbi_PlainXip       Mbi_CrcXip          Mbi_SignedXip               N/A
lpc55s2x  Mbi_PlainXip       Mbi_CrcXip          Mbi_SignedXip               N/A
lpc55s6x  Mbi_PlainXip       Mbi_CrcXip          Mbi_SignedXip               N/A
rt5xx     N/A                N/A                 N/A                         N/A
rt6xx     N/A                N/A                 N/A                         N/A
lpc55s3x  N/A                Mbi_CrcXipLpc55s3x  Mbi_PlainXipSignedLpc55s3x  N/A

Target: External flash (XIP)

Family    Plain              CRC                    Signed                         Encrypted + Signed
--------  -----------------  ---------------------  -----------------------------  ------------------
lpc55xx   N/A                N/A                    N/A                            N/A
lpc55s0x  N/A                N/A                    N/A                            N/A
lpc55s1x  N/A                N/A                    N/A                            N/A
lpc552x   N/A                N/A                    N/A                            N/A
lpc55s2x  N/A                N/A                    N/A                            N/A
lpc55s6x  N/A                N/A                    N/A                            N/A
rt5xx     Mbi_PlainXipRtxxx  Mbi_CrcXipRtxxx        Mbi_PlainSignedXipRtxxx        N/A
rt6xx     Mbi_PlainXipRtxxx  Mbi_CrcXipRtxxx        Mbi_PlainSignedXipRtxxx        N/A
lpc55s3x  N/A                Mbi_CrcExtXipLpc55s3x  Mbi_PlainExtXipSignedLpc55s3x  N/A

Target: RAM

Family    Plain                 CRC                 Signed                   Encrypted + Signed
--------  --------------------  ------------------  -----------------------  ---------------------
lpc55xx   N/A                   N/A                 N/A                      N/A
lpc55s0x  N/A                   N/A                 N/A                      N/A
lpc55s1x  N/A                   N/A                 N/A                      N/A
lpc552x   N/A                   N/A                 N/A                      N/A
lpc55s2x  N/A                   N/A                 N/A                      N/A
lpc55s6x  N/A                   N/A                 N/A                      N/A
rt5xx     Mbi_PlainRamRtxxx     Mbi_CrcRamRtxxx     Mbi_PlainSignedRamRtxxx  Mbi_EncryptedRamRtxxx
rt6xx     Mbi_PlainRamRtxxx     Mbi_CrcRamRtxxx     Mbi_PlainSignedRamRtxxx  Mbi_EncryptedRamRtxxx
lpc55s3x  Mbi_PlainRamLpc55s3x  Mbi_CrcRamLpc55s3x  N/A                      N/A

Supported configuration options

Refer to the documentation below for the supported configuration options for each image type. Note that outputImageExecutionTarget and outputImageAuthenticationType must also be set, in addition to the basic settings, according to the table of supported devices.

outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
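
A pre-flight check for a configuration before it is handed to elftosb, as an added example that is not part of elftosb or the original page. It looks up the family/target/authentication combination in the table of supported devices and applies the [Required] markers and the enableHwUserModeKeys description from the templates on this page. Assumptions: the function names are hypothetical, target and authentication strings are matched case-insensitively against the table labels, and a mainRootCertId, when set, is expected to point at a supplied root certificate.

```python
"""Pre-flight check of an elftosb MBI config against this page's tables (added example)."""

INT, EXT, RAM = "internal flash (xip)", "external flash (xip)", "ram"
_LPC_XIP = {"plain": "Mbi_PlainXip", "crc": "Mbi_CrcXip", "signed": "Mbi_SignedXip"}
_RT_XIP = {"plain": "Mbi_PlainXipRtxxx", "crc": "Mbi_CrcXipRtxxx",
           "signed": "Mbi_PlainSignedXipRtxxx"}
_RT_RAM = {"plain": "Mbi_PlainRamRtxxx", "crc": "Mbi_CrcRamRtxxx",
           "signed": "Mbi_PlainSignedRamRtxxx",
           "encrypted + signed": "Mbi_EncryptedRamRtxxx"}

# Transcribed from the supported-devices table; an absent entry means N/A.
SUPPORT = {
    "lpc55xx": {INT: _LPC_XIP}, "lpc552x": {INT: _LPC_XIP},
    "lpc55s2x": {INT: _LPC_XIP}, "lpc55s6x": {INT: _LPC_XIP},
    "lpc55s0x": {INT: _RT_XIP}, "lpc55s1x": {INT: _RT_XIP},
    "rt5xx": {EXT: _RT_XIP, RAM: _RT_RAM}, "rt6xx": {EXT: _RT_XIP, RAM: _RT_RAM},
    "lpc55s3x": {
        INT: {"crc": "Mbi_CrcXipLpc55s3x", "signed": "Mbi_PlainXipSignedLpc55s3x"},
        EXT: {"crc": "Mbi_CrcExtXipLpc55s3x", "signed": "Mbi_PlainExtXipSignedLpc55s3x"},
        RAM: {"plain": "Mbi_PlainRamLpc55s3x", "crc": "Mbi_CrcRamLpc55s3x"},
    },
}
# Signed classes whose certificate options are documented on this page.
SIGNED_CLASSES = {"Mbi_SignedXip", "Mbi_PlainSignedXipRtxxx", "Mbi_PlainSignedRamRtxxx"}
# Classes whose template on this page marks outputImageExecutionAddress [Required].
RAM_ADDR_CLASSES = {"Mbi_PlainRamRtxxx", "Mbi_CrcRamRtxxx"}


def parse_flat_config(text):
    """Parse the flat 'key: value  # comment' templates shown on this page.

    Not a YAML parser: nested keys such as app_table are out of scope here.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop a trailing comment
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def resolve_image_class(cfg):
    """Return the image class for (family, target, authentication) or raise ValueError."""
    family = cfg.get("family", "").lower()
    target = cfg.get("outputImageExecutionTarget", "").lower()
    auth = cfg.get("outputImageAuthenticationType", "").lower()
    if family not in SUPPORT:
        raise ValueError(f"unknown family {family!r}")
    cls = SUPPORT[family].get(target, {}).get(auth)
    if cls is None:
        raise ValueError(f"{family}: {target!r} + {auth!r} is N/A in the support table")
    return cls


def check_config(cfg):
    """Return (image_class, findings); findings are 'ERROR: ...' or 'WARN: ...' strings."""
    try:
        cls = resolve_image_class(cfg)
    except ValueError as exc:
        return None, [f"ERROR: {exc}"]
    findings = []
    if "inputImageFile" not in cfg:
        findings.append("ERROR: inputImageFile is required")
    if cls in SIGNED_CLASSES:
        if "rootCertificate0File" not in cfg:
            findings.append("ERROR: rootCertificate0File is required for signed images")
        root_id = cfg.get("mainRootCertId")
        if root_id is not None:  # assumption: the index must name a supplied root cert
            if str(root_id) not in ("0", "1", "2", "3"):
                findings.append(f"ERROR: mainRootCertId {root_id!r} is not in 0..3")
            elif f"rootCertificate{root_id}File" not in cfg:
                findings.append(
                    f"ERROR: mainRootCertId={root_id} but rootCertificate{root_id}File is not set")
    if cls.endswith("Rtxxx"):
        if "enableHwUserModeKeys" not in cfg:
            findings.append("ERROR: enableHwUserModeKeys is required for Rtxxx image classes")
        elif str(cfg["enableHwUserModeKeys"]).lower() in ("true", "1"):
            findings.append("WARN: enableHwUserModeKeys lets a non-secure application "
                            "access keys on the hardware secure bus")
    if cls in RAM_ADDR_CLASSES and "outputImageExecutionAddress" not in cfg:
        findings.append("ERROR: outputImageExecutionAddress is required for this class")
    return cls, findings


# Abridged from the lpc55s6x sample on this page.
SAMPLE_PAGE = """
family: lpc55s6x  # MCU family
outputImageExecutionTarget: Internal flash (XIP) # Application target
outputImageAuthenticationType: Signed # Type of boot image authentication
inputImageFile: my_application.bin
mainCertPrivateKeyFile: my_prv_key.pem
rootCertificate0File: my_certificate0.pem
mainRootCertId: 0
"""
# Constructed sample: root index without its certificate, key sharing enabled.
SAMPLE_CONSTRUCTED = SAMPLE_PAGE.replace("lpc55s6x", "rt6xx").replace(
    "Internal flash (XIP)", "RAM").replace("mainRootCertId: 0", "mainRootCertId: 2") + \
    "outputImageExecutionAddress: 0\nenableHwUserModeKeys: true\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PAGE, SAMPLE_CONSTRUCTED):
        print(check_config(parse_flat_config(sample)))
```
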

Mbi_PlainXip

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

# ===========  YAML template Mbi_PlainXip  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcXip

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

# ===========  YAML template Mbi_CrcXip  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_SignedXip

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

# ===========  YAML template Mbi_SignedXip  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.

Mbi_PlainXipRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_PlainXipRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcXipRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_CrcXipRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_PlainSignedXipRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_PlainSignedXipRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.

Mbi_PlainRamRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_PlainRamRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcRamRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • app_table (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’]): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • outputImageEncryptionKeyFile (string): The output image encryption key (file path).

  • useKeyStore (boolean): Enables using key store on device.

  • deviceKeySource (string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].

  • keyStoreFile (string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_CrcRamRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
app_table: # [Optional], The list of additional binaries., This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.
  - binary: my_additional_binary.bin # The binary file to be added to final application.
    destAddress: 536870912 # Destination address in RAM of additional binary.
    load: true # Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Signing Settings ==
#
outputImageEncryptionKeyFile: my_encryption_key.bin # [Optional], The output image encryption file used also for HMAC., The output image encryption key (file path).
#
#  == Encryption Settings ==
#
useKeyStore: false # [Optional], The Key store enabler., Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location., Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image).
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file., Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

Mbi_PlainSignedRamRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • app_table (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’]): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • outputImageEncryptionKeyFile (string): The output image encryption key (file path).

  • useKeyStore (boolean): Enables using key store on device.

  • deviceKeySource (string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].

  • keyStoreFile (string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===========  YAML template Mbi_PlainSignedRamRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
app_table: # [Optional], The list of additional binaries., This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.
  - binary: my_additional_binary.bin
    destAddress: 536870912
    load: true
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If it's omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.
#
#  == Signing Settings ==
#
outputImageEncryptionKeyFile: my_encryption_key.bin # [Optional], The output image encryption file used also for HMAC., The output image encryption key (file path).
#
#  == Encryption Settings ==
#
useKeyStore: false # [Optional], The Key store enabler., Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location., Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image).
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file., Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

Mbi_EncryptedRamRtxxx

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • app_table (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’]): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If it’s omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

  • useKeyStore (boolean): Enables using key store on device.

  • deviceKeySource (string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].

  • keyStoreFile (string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

  • outputImageEncryptionKeyFile (string): The output image encryption key (file path).

  • ctr_init_vector (string): The initial vector for encryption counter.

# ===========  YAML template Mbi_EncryptedRamRtxxx  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
app_table: # [Optional], The list of additional binaries., This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.
  - binary: my_additional_binary.bin
    destAddress: 536870912
    load: true
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
family: lpc55s6x # [Required], MCU family., MCU family name.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing., Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If it's omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.
#
#  == Encryption Settings ==
#
useKeyStore: false # [Optional], The Key store enabler., Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location., Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image).
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file., Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.
ctr_init_vector: '0xc3df2316fd40b15586cb5ae49483aee2' # [Optional], The output image encryption initial vector for encryption counter., The initial vector for encryption counter.
#
#  == Signing Settings ==
#
outputImageEncryptionKeyFile: my_encryption_key.bin # [Required], The output image encryption file used also for HMAC., The output image encryption key (file path).
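
A pre-build lint for the Mbi_EncryptedRamRtxxx settings listed above, as an added example (not SPSDK code). It checks a JSON configuration against the schema values on this page and flags security-relevant settings; the function names, the constructed sample input, the 32-hex-digit length check on ctr_init_vector and the case-insensitive match on deviceKeySource are assumptions of this example.

```python
import json
import secrets

# Allowed values copied from the schema listing on this page.
FAMILIES = {"lpc55xx", "lpc55s0x", "lpc55s1x", "lpc552x", "lpc55s2x",
            "lpc55s3x", "lpc55s6x", "rt5xx", "rt6xx"}
KEY_SOURCES = {"otp", "keystore"}  # matched case-insensitively (assumption)
# Keys marked [Required] in the Mbi_EncryptedRamRtxxx template.
REQUIRED = ("inputImageFile", "outputImageExecutionAddress", "family",
            "enableHwUserModeKeys", "rootCertificate0File",
            "outputImageEncryptionKeyFile")
APP_TABLE_KEYS = {"binary", "destAddress", "load"}
# Sample IV printed in the template; it is public, so it must not ship.
TEMPLATE_IV = "c3df2316fd40b15586cb5ae49483aee2"

# Constructed input: the template copied with only minimal edits.
WEAK_JSON = """{
  "inputImageFile": "my_application.bin",
  "app_table": ["my_additional_binary.bin", 536870912, true],
  "outputImageExecutionAddress": 0,
  "family": "rt5xx",
  "enableHwUserModeKeys": true,
  "rootCertificate0File": "my_certificate0.pem",
  "mainRootCertId": 2,
  "deviceKeySource": "OTP",
  "keyStoreFile": "my_key_store_data.bin",
  "ctr_init_vector": "0xc3df2316fd40b15586cb5ae49483aee2",
  "outputImageEncryptionKeyFile": "my_encryption_key.bin"
}"""


def _as_int(value):
    """The schema allows numbers or strings such as '0x2'."""
    if isinstance(value, bool):
        raise ValueError("boolean is not a number")
    return value if isinstance(value, int) else int(str(value), 0)


def _as_bool(value):
    """The schema allows a boolean or a string for enableHwUserModeKeys."""
    return value if isinstance(value, bool) else str(value).strip().lower() in ("1", "true")


def lint_encrypted_ram_config(cfg):
    """Return a list of (severity, key, message) for one parsed configuration."""
    out = []
    for key in REQUIRED:
        if key not in cfg:
            out.append(("error", key, "marked [Required] in the template but missing"))
    if "family" in cfg and cfg["family"] not in FAMILIES:
        out.append(("error", "family", f"{cfg['family']!r} is not in the schema list"))

    source = str(cfg.get("deviceKeySource", "")).lower()
    if "deviceKeySource" in cfg and source not in KEY_SOURCES:
        out.append(("error", "deviceKeySource", "must be OTP or Keystore"))
    if "keyStoreFile" in cfg and source != "keystore":
        out.append(("warning", "keyStoreFile",
                    "only applies to the KEYSTORE source, which is not selected"))

    if "mainRootCertId" in cfg:
        try:
            idx = _as_int(cfg["mainRootCertId"])
        except ValueError:
            idx = -1
        if not 0 <= idx <= 3:
            out.append(("error", "mainRootCertId", "must be an index from 0 to 3"))
        elif f"rootCertificate{idx}File" not in cfg:
            out.append(("error", "mainRootCertId",
                        f"selects root {idx}, but rootCertificate{idx}File is not set"))

    if "ctr_init_vector" in cfg:
        iv = str(cfg["ctr_init_vector"]).lower()
        iv = iv[2:] if iv.startswith("0x") else iv
        if len(iv) != 32 or any(c not in "0123456789abcdef" for c in iv):
            out.append(("error", "ctr_init_vector", "expected 32 hex digits (16 bytes)"))
        elif iv == TEMPLATE_IV:
            out.append(("error", "ctr_init_vector",
                        "is the template's sample value; a fixed counter IV "
                        "repeats the keystream whenever the key is reused"))

    if _as_bool(cfg.get("enableHwUserModeKeys", False)):
        out.append(("warning", "enableHwUserModeKeys",
                    "non-secure code can access keys on the hardware secure bus"))

    for n, item in enumerate(cfg.get("app_table", [])):
        missing = APP_TABLE_KEYS - set(item) if isinstance(item, dict) else APP_TABLE_KEYS
        if missing:
            out.append(("error", f"app_table[{n}]", "needs " + ", ".join(sorted(missing))))
    return out


def weak_config():
    return json.loads(WEAK_JSON)


def fixed_config():
    """The same configuration with every finding addressed."""
    cfg = weak_config()
    cfg["app_table"] = [{"binary": "my_additional_binary.bin",
                         "destAddress": 536870912, "load": True}]
    cfg["enableHwUserModeKeys"] = False
    cfg["mainRootCertId"] = 0
    del cfg["keyStoreFile"]
    cfg["ctr_init_vector"] = "0x" + secrets.token_hex(16)  # fresh per image
    return cfg


if __name__ == "__main__":
    for severity, key, message in lint_encrypted_ram_config(weak_config()):
        print(f"{severity:8}{key}: {message}")
    print("fixed config findings:", lint_encrypted_ram_config(fixed_config()))
```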

Mbi_CrcXipLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

# ===========  YAML template Mbi_CrcXipLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcExtXipLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

# ===========  YAML template Mbi_CrcExtXipLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_PlainXipSignedLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • useIsk (boolean): Enable ISK type of signature certification.

  • signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate.

  • mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key.

  • signingCertificateFile (string): Path to Signing Certificate.

  • signingCertificateConstraint ([‘string’, ‘number’]): Signing certificate constraint number.

  • signCertData (string): Path to Signing Certificate data.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

  • manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].

# ===========  YAML template Mbi_PlainXipSignedLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Certificate V3.1 Settings ==
#
useIsk: false # [Required], Use ISK for signature certification, Enable ISK type of signature certification
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Conditionally required], ISK Certificate private key, ISK Certificate private key used to sign certificate
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key, Path to Main root Certification Private Key
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate, Path to Signing Certificate
signingCertificateConstraint: 0 # [Optional], Signing certificate constraint, Signing certificate constraint number
signCertData: sign_cert.bin # [Optional], Signing Certificate data, Path to Signing Certificate data
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length., Optional Manifest signing hash length to create Certificate v3.1 Manifest.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Required], Main Certificate Index, Index of certificate that is used as a main.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_PlainExtXipSignedLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • useIsk (boolean): Enable ISK type of signature certification.

  • signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate.

  • mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key.

  • signingCertificateFile (string): Path to Signing Certificate.

  • signingCertificateConstraint ([‘string’, ‘number’]): Signing certificate constraint number.

  • signCertData (string): Path to Signing Certificate data.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

  • manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].

# ===========  YAML template Mbi_PlainExtXipSignedLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Certificate V3.1 Settings ==
#
useIsk: false # [Required], Use ISK for signature certification, Enable ISK type of signature certification
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Conditionally required], ISK Certificate private key, ISK Certificate private key used to sign certificate
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key, Path to Main root Certification Private Key
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate, Path to Signing Certificate
signingCertificateConstraint: 0 # [Optional], Signing certificate constraint, Signing certificate constraint number
signCertData: sign_cert.bin # [Optional], Signing Certificate data, Path to Signing Certificate data
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length., Optional Manifest signing hash length to create Certificate v3.1 Manifest.
#
#  == Certificate Settings ==
#
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Required], Main Certificate Index, Index of certificate that is used as a main.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_PlainRamLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

# ===========  YAML template Mbi_PlainRamLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcRamLpc55s3x

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • family (string): MCU family name. Must be one of: ['lpc55xx', 'lpc55s0x', 'lpc55s1x', 'lpc552x', 'lpc55s2x', 'lpc55s3x', 'lpc55s6x', 'rt5xx', 'rt6xx'].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address if not XiP.

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

# ===========  YAML template Mbi_CrcRamLpc55s3x  ===========
#
#  == Basic Settings ==
#
inputImageFile: my_application.bin  # [Required], Plain application image., The input application image to be modified to Master Boot Image.
family: lpc55s6x # [Required], MCU family., MCU family name.
outputImageExecutionAddress: 0 # [Required], Loading address of application., Application loading address if not XiP.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Secure binary

Secure binary is a binary output file that contains the user’s application image along with a series of bootloader commands. The output file is known as a “Secure Binary” or SB file for short. These files typically have a .sb extension.

This format has a long history; the latest version is 3.1 (2022). The SPSDK elftosb tool supports SB 2.1 (2.0) and SB 3.1.

Version 2.1 added support for digital signatures.

The SB 2.0 and 2.1 file formats also use AES encryption for confidentiality and HMAC for extending trust from the signed part of the SB file to the command and data part of the SB file. These two keys (the AES decryption key and the HMAC key) are wrapped in an RFC 3394 key blob, for which the key-wrapping key is the SBKEK key.

SB2 generation using BD file

The tool uses an input command file to control the sequence of bootloader commands present in the output file. This command file is called a “boot descriptor file” or BD file for short.

The image location is stated in the “sources” section of the .bd file. The SB key in the text file is used for encryption with the elftosb command line tool.

How to use the BD file is described in the chapter below.

For more information about secure boot setup for the LPC55Sxx family, see AN12283.

Example of SB2 generation for 4 root keys

elftosb -f lpc55xx -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" -s private_key_1_2048.pem -S certificate_1_2048.der.crt -R certificate_1_2048.der.crt -R certificate_2_2048.der.crt -R certificate_3_2048.der.crt -R certificate_4_2048.der.crt -h "RHKT.bin" "input.bin"

The created SB2 file can be loaded into the device using the blhost receive-sb-file command:

blhost -p COMxx receive-sb-file <path to the secured binary(.sb2)>

SB 3.1

SB 3.1 is an evolution of the SB 2 format. As with a master boot image, it is configured through a YAML or JSON configuration file. BD files are no longer used; commands are supplied in the configuration file.

Example of use: elftosb.exe -j "sb3_config.yaml"

Legacy elftosb documentation

It is possible to use NXP elftosb tool user guide located here.

Note

Please note that some functionality described in the UG may not be supported in SPSDK elftosb application.

Command line interface

elftosb

Tool for generating TrustZone, MasterBootImage and SecureBinary images.

elftosb [OPTIONS] [EXTERNAL]...

Options

-c, --command <command>

BD configuration file to produce secure binary v2.x

-J, --image-conf <image_conf>

YAML/JSON image configuration file to produce master boot image

-j, --container-conf <container_conf>

YAML/JSON container configuration file to produce secure binary v3.x

-T, --tzm-conf <tzm_conf>

YAML/JSON trust zone configuration file to produce trust zone binary

-Y, --config-template <config_template>

Path to store all configuration templates for selected family

-f, --chip-family <chip_family>

Select the chip family (default is lpc55s3x), this field is used with -Y/--config-template option only.

Options

lpc55xx | lpc55s0x | lpc55s1x | lpc55s2x | lpc55s6x | lpc55s3x | rt5xx | rt6xx

-o, --output <output>

Output file path.

-k, --key <key>

Add a key file and enable encryption.

-s, --pkey <pkey>

Path to private key for signing.

-S, --cert <cert>

Path to certificate files for signing. The first certificate will be the self signed root key certificate.

-R, --root-key-cert <root_key_cert>

Path to root key certificate file(s) for verifying other certificates. Only 4 root key certificates are allowed, others are ignored. One of the certificates must match the first certificate passed with -S/--cert arg.

-h, --hash-of-hashes <hash_of_hashes>

Path to output hash of hashes of root keys. If argument is not provided, then by default the tool creates hash.bin in the working directory.

-v, --version

Show the version and exit.

--help

Show this message and exit.

Arguments

EXTERNAL

Optional argument(s)
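
A pre-flight check for an SB2 command line against the -R, -S, -k and -h rules in the option reference above, as an added example (not part of elftosb or SPSDK). It reports root certificates that would be silently ignored and a signing certificate that matches none of the four roots in use; the function names and sample file contents are constructed, and treating "match" as byte-identical files is an assumption of this example.

```python
import hashlib
import shlex
from pathlib import Path

MAX_ROOT_CERTS = 4  # "Only 4 root key certificates are allowed, others are ignored."
# Long and short spellings taken from the option reference on this page.
ALIASES = {"--root-key-cert": "-R", "--cert": "-S", "--pkey": "-s", "--key": "-k",
           "--hash-of-hashes": "-h", "--command": "-c", "--output": "-o",
           "--chip-family": "-f"}
TAKES_VALUE = set(ALIASES.values())

# Command from this page, and a constructed variant with a fifth root certificate.
PAGE_COMMAND = ('elftosb -f lpc55xx -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" '
                '-s private_key_1_2048.pem -S certificate_1_2048.der.crt '
                '-R certificate_1_2048.der.crt -R certificate_2_2048.der.crt '
                '-R certificate_3_2048.der.crt -R certificate_4_2048.der.crt '
                '-h "RHKT.bin" "input.bin"')
FIVE_ROOTS_COMMAND = (PAGE_COMMAND
                      .replace("-S certificate_1", "-S certificate_5")
                      .replace('-h "RHKT.bin"', '-R certificate_5_2048.der.crt -h "RHKT.bin"'))
# Constructed stand-ins for the certificate files (not real DER data).
SAMPLE_FILES = {f"certificate_{n}_2048.der.crt": f"constructed cert {n}".encode()
                for n in range(1, 6)}


def sample_reader(path):
    return SAMPLE_FILES[path]


def parse_elftosb(command):
    """Split a command line into {short option: [values]} and positional arguments."""
    opts, positional = {}, []
    tokens = shlex.split(command)[1:]  # drop the program name
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            tok, value = tok.split("=", 1)
            step = 1
        else:
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            step = 2
        tok = ALIASES.get(tok, tok)
        if tok in TAKES_VALUE and value is not None:
            opts.setdefault(tok, []).append(value)
            i += step
        else:
            positional.append(tokens[i])
            i += 1
    return opts, positional


def preflight_sb2(command, read_bytes=None):
    """Return a list of findings; an empty list means the documented rules hold."""
    read_bytes = read_bytes or (lambda p: Path(p).read_bytes())
    opts, _ = parse_elftosb(command)
    findings = []

    def digest(path):
        try:
            return hashlib.sha256(read_bytes(path)).hexdigest()
        except (OSError, KeyError):
            findings.append(f"cannot read {path}")
            return None

    roots, certs = opts.get("-R", []), opts.get("-S", [])
    if len(roots) > MAX_ROOT_CERTS:
        findings.append(f"{len(roots) - MAX_ROOT_CERTS} root certificate(s) after the "
                        "fourth are ignored: " + ", ".join(roots[MAX_ROOT_CERTS:]))
    if certs:
        signer = digest(certs[0])
        used = {digest(r) for r in roots[:MAX_ROOT_CERTS]}
        if signer is not None and signer not in used:
            findings.append(f"first -S certificate {certs[0]} matches none of the "
                            "root certificates that are actually used")
        if "-s" not in opts:
            findings.append("certificates given with -S but no signing key (-s)")
    if "-k" not in opts:
        findings.append("no -k key file; -k is what enables encryption")
    if "-h" not in opts:
        findings.append("no -h path; hash of hashes goes to hash.bin in the working directory")
    return findings


if __name__ == "__main__":
    for name, cmd in (("page command", PAGE_COMMAND), ("five roots", FIVE_ROOTS_COMMAND)):
        print(name, "->", preflight_sb2(cmd, sample_reader) or "ok")
```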