User Guide - nxpdevhsm
This user’s guide describes how to interface with the MCU bootloader to provisioned chip using nxpdevhsm application.
The nxpdevhsm application is a command-line utility used on the host computer to use device HSM process to get provisioning SB3.
nxpdevhsm
Nxpdevhsm application is designed to create SB3 provisioning file for initial provisioning of device by OEM.
nxpdevhsm [OPTIONS] COMMAND [ARGS]...
Options
- -d, --debug <LEVEL>
Set the level of system logging output. Available options are: critical, fatal, error, warn, warning, info, debug, notset
- Options
critical | fatal | error | warn | warning | info | debug | notset
- --version
Show the version and exit.
nxpdevhsm - Communication
The nxpdevhsm application is using blhost application and all supported communication interfaces that blhost offers(UART, USB, LPCUSBSIO[IC, SPI])
nxpdevhsm - blhost - USB
blhost could be connected to MCU Bootloader over USB HID.
nxpdevhsm - blhost - UART
blhost could be connected to MCU bootloader over UART.
nxpdevhsm - blhost - LPCUSBSIO
LPCUSBSIO - LPC USB Serial I/O(LPCUSBSIO), a firmware built in LPC Link2. The LPCUSBSIO acts as a bus translator, and establishes connection with blhost over USB-HID, and the MCU bootloader device over I2C and SPI.
nxpdevhsm - blhost - Note
For more information about supported communication interface check the blhost application documentation.
nxpdevhsm - Sub-commands
nxpdevhsm consist of a set of sub-commands followed by options and arguments. The options and the sub-command are separated with a ‘–’.
nxpdevhsm [options] -- [sub-command]
The “help” guide of nxpdevhsm lists all of the options and sub-commands supported by the nxpdevhsm utility.
nxpdevhsm --help
nxpdevhsm generate
Generate provisioning SB3.1 file.
nxpdevhsm generate [OPTIONS] OUTPUT_PATH
Options
- -p, --port <COM[,speed>
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID,PID>
USB device identifier. Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name. <vid>: hex or dec string; e.g. 0x0AB12, 43794. <vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451. Use ‘nxpdevscan’ utility to list connected device names.
- -l, --lpcusbsio <spi|i2c>
USB-SIO bridge interface. Following interfaces are supported:
- spi[,port,pin,speed_kHz,polarity,phase]
port … bridge GPIO port used as SPI SSEL
- pin … bridge GPIO pin used as SPI SSEL
default SSEL is set to 0.15 which works for the LPCLink2 bridge. The MCULink OB bridge ignores the SSEL value anyway.
speed_kHz … SPI clock in kHz (default 1000)
polarity … SPI CPOL option (default=1)
phase … SPI CPHA option (default=1)
- i2c[,address,speed_kHz]
address … I2C device address (default 0x10)
speed_kHz … I2C clock in kHz (default 100)
- -k, --key <key>
Required User PCK secret file (32-bytes long binary file). PCK (provisioned by OEM, known by OEM) - Part Common Key. This is a 256-bit pre-shared AES key provisioned by OEM. PCK is used to derive FW image encryption keys.
- -o, --oem-share-input <oem_share_input>
OEM share input file to use as a seed to randomize the provisioning process (16-bytes long binary file).
- -w, --workspace <workspace>
Workspace folder to store temporary files, that could be used for future review.
- -j, --container-conf <container_conf>
json container configuration file to produce secure binary v3.x. In this configuration file is enough to provide just commands and description section.
- -t, --timeout <ms>
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
Arguments
- OUTPUT_PATH
Required argument