Supported binary images

Master Boot Image (MBI)

A Master Boot Image can be used directly (e.g. with the blhost write-memory command) or passed on for further processing (e.g. as input to a Secure Binary image container). The image is created from a supplied configuration file; both JSON and YAML are supported.

Example of use

nxpimage: nxpimage mbi export <path to config file>

elftosb: elftosb -J <path to config file>

Sample configuration for an LPC55S6x plain signed XIP image. Other sample configurations can be obtained with the get-templates sub-command.

# ===========  Master Boot Image Configuration template for lpc55s6x, Plain Signed XIP Image.  ===========
#
#  == Basic Settings ==
#
family: lpc55s6x  # MCU family., MCU family name.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
masterBootOutputFile: my_mbi.bin # Master Boot Image name., The file for Master Boot Image result file.
inputImageFile: my_application.bin # Plain application image., The input application image to be modified to Master Boot Image.
#
#  == Trust Zone Settings ==
#
enableTrustZone: false # TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
#  == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # Image Build Number, If omitted, 0 is used as the default value.
rootCertificate0File: my_certificate0.pem # Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # Root Certificate File 3, Root certificate file index 3.
mainCertChainId: 0 # Main Certificate Index, Index of certificate that is used as a main.
chainCertificate0File0: chain_certificate0_depth0.pem # Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3

Supported devices for MBI

NXPIMAGE supports devices from the LPC55xx family (LPC55S0x, LPC55S1x, LPC55S2x, LPC552x, LPC55S6x), RT5xx, RT6xx and LPC55S3x. Supported execution targets are Internal flash (XIP), External Flash (XIP) and RAM; supported image authentication types are Plain, CRC, Signed and Encrypted.

The following table shows the supported image types for each device. Each cell shows either “N/A”, if the configuration is not available, or the respective class that will be used for image creation.

Target in the table represents outputImageExecutionTarget in the configuration file and authentication in the table represents outputImageAuthenticationType.

Supported devices

Target: Internal flash (XIP)

| Device | Plain | CRC | Signed | Encrypted + Signed |
|---|---|---|---|---|
| lpc55xx | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| lpc55s0x | Mbi_PlainXipRtxxx | Mbi_CrcXipRtxxx | Mbi_PlainSignedXipRtxxx | N/A |
| lpc550x | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| lpc55s1x | Mbi_PlainXipRtxxx | Mbi_CrcXipRtxxx | Mbi_PlainSignedXipRtxxx | N/A |
| lpc551x | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| lpc55s2x | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| lpc552x | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| lpc55s6x | Mbi_PlainXip | Mbi_CrcXip | Mbi_SignedXip | N/A |
| rt5xx | N/A | N/A | N/A | N/A |
| rt6xx | N/A | N/A | N/A | N/A |
| lpc55s3x | Mbi_PlainRamLpc55s3x | Mbi_CrcXipLpc55s3x | Mbi_PlainXipSignedLpc55s3x | N/A |
| lpc553x | Mbi_PlainRamLpc55s3x | Mbi_CrcXipLpc55s3x | Mbi_PlainXipSignedLpc55s3x | N/A |

Target: External flash (XIP)

| Device | Plain | CRC | Signed | Encrypted + Signed |
|---|---|---|---|---|
| lpc55xx | N/A | N/A | N/A | N/A |
| lpc55s0x | N/A | N/A | N/A | N/A |
| lpc550x | N/A | N/A | N/A | N/A |
| lpc55s1x | N/A | N/A | N/A | N/A |
| lpc551x | N/A | N/A | N/A | N/A |
| lpc55s2x | N/A | N/A | N/A | N/A |
| lpc552x | N/A | N/A | N/A | N/A |
| lpc55s6x | N/A | N/A | N/A | N/A |
| rt5xx | Mbi_PlainXipRtxxx | Mbi_CrcXipRtxxx | Mbi_PlainSignedXipRtxxx | N/A |
| rt6xx | Mbi_PlainXipRtxxx | Mbi_CrcXipRtxxx | Mbi_PlainSignedXipRtxxx | N/A |
| lpc55s3x | Mbi_PlainRamLpc55s3x | Mbi_CrcExtXipLpc55s3x | Mbi_PlainExtXipSignedLpc55s3x | N/A |
| lpc553x | Mbi_PlainRamLpc55s3x | Mbi_CrcExtXipLpc55s3x | Mbi_PlainExtXipSignedLpc55s3x | N/A |

Target: RAM

| Device | Plain | CRC | Signed | Encrypted + Signed |
|---|---|---|---|---|
| lpc55xx | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc55s0x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc550x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc55s1x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc551x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc55s2x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc552x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| lpc55s6x | N/A | Mbi_CrcRam | Mbi_SignedRam | N/A |
| rt5xx | Mbi_PlainRamRtxxx | Mbi_CrcRamRtxxx | Mbi_PlainSignedRamRtxxx | Mbi_EncryptedRamRtxxx |
| rt6xx | Mbi_PlainRamRtxxx | Mbi_CrcRamRtxxx | Mbi_PlainSignedRamRtxxx | Mbi_EncryptedRamRtxxx |
| lpc55s3x | Mbi_PlainRamLpc55s3x | Mbi_CrcRamLpc55s3x | N/A | N/A |
| lpc553x | Mbi_PlainRamLpc55s3x | Mbi_CrcRamLpc55s3x | N/A | N/A |

Supported configuration options

Refer to the documentation below for the supported configuration options for each image type. Please note that the outputImageExecutionTarget and outputImageAuthenticationType must be filled in addition to the basic settings according to the table with supported devices.

outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
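
The table lookup described above, written out as a pre-build check: it resolves the image class for a configuration and flags combinations marked N/A, images that carry no signature, and enableHwUserModeKeys (an option documented for the Rtxxx image classes on this page). This is an added example, not SPSDK code; check_mbi_config, check_mbi_json and the sample configurations are constructed for illustration, and only case-insensitive matches of the table's spellings are resolved (the short aliases xip and encrypted are not).

```python
"""Pre-build check for an MBI configuration (added example, not SPSDK code)."""
import json

TARGETS = ("Internal flash (XIP)", "External flash (XIP)", "RAM")
AUTH_TYPES = ("Plain", "CRC", "Signed", "Encrypted + Signed")
NA = None  # an "N/A" cell

# Rows transcribed from the supported-devices table on this page.
# Each target maps to the image classes in AUTH_TYPES order.
_LPC55 = {
    TARGETS[0]: ("Mbi_PlainXip", "Mbi_CrcXip", "Mbi_SignedXip", NA),
    TARGETS[1]: (NA, NA, NA, NA),
    TARGETS[2]: (NA, "Mbi_CrcRam", "Mbi_SignedRam", NA),
}
_LPC55S0_S1 = {
    **_LPC55,
    TARGETS[0]: ("Mbi_PlainXipRtxxx", "Mbi_CrcXipRtxxx", "Mbi_PlainSignedXipRtxxx", NA),
}
_RT = {
    TARGETS[0]: (NA, NA, NA, NA),
    TARGETS[1]: ("Mbi_PlainXipRtxxx", "Mbi_CrcXipRtxxx", "Mbi_PlainSignedXipRtxxx", NA),
    TARGETS[2]: ("Mbi_PlainRamRtxxx", "Mbi_CrcRamRtxxx", "Mbi_PlainSignedRamRtxxx",
                 "Mbi_EncryptedRamRtxxx"),
}
_LPC55S3 = {
    TARGETS[0]: ("Mbi_PlainRamLpc55s3x", "Mbi_CrcXipLpc55s3x", "Mbi_PlainXipSignedLpc55s3x", NA),
    TARGETS[1]: ("Mbi_PlainRamLpc55s3x", "Mbi_CrcExtXipLpc55s3x",
                 "Mbi_PlainExtXipSignedLpc55s3x", NA),
    TARGETS[2]: ("Mbi_PlainRamLpc55s3x", "Mbi_CrcRamLpc55s3x", NA, NA),
}
SUPPORT = {}
for _families, _row in (
    (("lpc55xx", "lpc550x", "lpc551x", "lpc55s2x", "lpc552x", "lpc55s6x"), _LPC55),
    (("lpc55s0x", "lpc55s1x"), _LPC55S0_S1),
    (("rt5xx", "rt6xx"), _RT),
    (("lpc55s3x", "lpc553x"), _LPC55S3),
):
    for _family in _families:
        SUPPORT[_family] = _row


def _canonical(value, choices):
    """Case-insensitive match against the table's spellings; None if no match."""
    wanted = str(value).strip().lower()
    return next((c for c in choices if c.lower() == wanted), None)


def check_mbi_config(cfg):
    """Return (image class or None, findings) for a parsed MBI configuration."""
    findings = []
    family = cfg.get("family")
    target = _canonical(cfg.get("outputImageExecutionTarget", ""), TARGETS)
    auth = _canonical(cfg.get("outputImageAuthenticationType", ""), AUTH_TYPES)
    if family not in SUPPORT:
        findings.append(f"ERROR: family {family!r} is not a row of the table")
    if target is None:
        findings.append("ERROR: outputImageExecutionTarget matches no table target")
    if auth is None:
        findings.append("ERROR: outputImageAuthenticationType matches no table column")
    if findings:
        return None, findings
    image_class = SUPPORT[family][target][AUTH_TYPES.index(auth)]
    if image_class is NA:
        return None, [f"ERROR: {family} / {target} / {auth} is N/A in the table"]
    if auth in ("Plain", "CRC"):
        # A CRC detects accidental corruption only; neither type is a signature.
        findings.append(f"WARN: {auth} image is not cryptographically authenticated")
    # Assumption: the option accepts a boolean or the strings "1"/"true".
    if str(cfg.get("enableHwUserModeKeys", False)).strip().lower() in ("1", "true"):
        findings.append("WARN: enableHwUserModeKeys lets a non-secure application "
                        "access keys on the hardware secure bus")
    return image_class, findings


def check_mbi_json(text):
    """Same check for a JSON configuration given as text."""
    return check_mbi_config(json.loads(text))


# Constructed sample configurations (JSON is one of the two accepted formats).
SAMPLES = {
    "signed_xip": '{"family": "lpc55s6x", "outputImageExecutionTarget": '
                  '"Internal flash (XIP)", "outputImageAuthenticationType": "Signed"}',
    "crc_ram_rt": '{"family": "rt5xx", "outputImageExecutionTarget": "ram", '
                  '"outputImageAuthenticationType": "crc", "enableHwUserModeKeys": true}',
    "ext_signed_lpc": '{"family": "lpc55s6x", "outputImageExecutionTarget": '
                      '"External flash (XIP)", "outputImageAuthenticationType": "Signed"}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        image_class, findings = check_mbi_json(text)
        print(f"{name}: {image_class}")
        for finding in findings:
            print(f"    {finding}")
```
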

Mbi_CrcExtXipLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • firmwareVersion (['number', 'string']): Version of application image firmware.

# ===========  YAML template Mbi_CrcExtXipLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                     == Mbi_CrcExtXipLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.

Mbi_CrcRam

  • family (string): MCU family name. Must be one of: ['lpc552x', 'lpc550x', 'lpc55s1x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ===========  YAML template Mbi_CrcRam  ===========
# ----------------------------------------------------------------------------------------------------
#                                           == Mbi_CrcRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc552x', 'lpc550x', 'lpc55s1x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.

Mbi_CrcRamLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • firmwareVersion (['number', 'string']): Version of application image firmware.

# ===========  YAML template Mbi_CrcRamLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                       == Mbi_CrcRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.

Mbi_CrcRamRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress (['string', 'number']): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • enableHwUserModeKeys (['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise the non-secure application reads zeros.

# ===========  YAML template Mbi_CrcRamRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                        == Mbi_CrcRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries, This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.
  - binary: my_additional_binary.bin  # [Required], Binary file, The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address, Destination address in RAM of additional binary.
    load: true # [Required], Enable load, Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise the non-secure application reads zeros.

Mbi_CrcXip

  • family (string): MCU family name. Must be one of: ['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

# ===========  YAML template Mbi_CrcXip  ===========
# ----------------------------------------------------------------------------------------------------
#                                           == Mbi_CrcXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

Mbi_CrcXipLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • firmwareVersion (['number', 'string']): Version of application image firmware.

# ===========  YAML template Mbi_CrcXipLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                       == Mbi_CrcXipLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.

Mbi_CrcXipRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • enableHwUserModeKeys (['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise the non-secure application reads zeros.

# ===========  YAML template Mbi_CrcXipRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                        == Mbi_CrcXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise the non-secure application reads zeros.

Mbi_EncryptedRamRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The file for Master Boot Image result file.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress (['string', 'number']): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber (['number', 'string']): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId (['number', 'string']): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise the non-secure application reads zeros.

  • useKeyStore (boolean): Enables using key store on device.

  • deviceKeySource (string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].

  • keyStoreFile (string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

  • outputImageEncryptionKeyFile (string): The HMAC encryption key (file path).

  • ctr_init_vector (string): The initial vector for encryption counter.

# ===========  YAML template Mbi_EncryptedRamRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                     == Mbi_EncryptedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to by modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries, This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.
  - binary: my_additional_binary.bin  # [Required], Binary file, The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address, Destination address in RAM of additional binary.
    load: true # [Required], Enable load, Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
useKeyStore: false # [Optional], The Key store enabler, Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location, Determinate where the keystore is located. There is two options: OTP or KEYSTORE (included in Load to RAM image)., Possible options:['OTP', 'Keystore']
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file, Optional KeyStore data file for included keystore (KEYSTORE source)in LoadToRam images.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key, The HMAC encryption key (file path).
ctr_init_vector: '0xc3df2316fd40b15586cb5ae49483aee2' # [Optional], The output image encryption initial vector for encryption counter, The initial vector for encryption counter.
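
A filled-in template can be checked before it is passed to `nxpimage mbi export`. The following is an added example, not SPSDK code: it audits a configuration against the option lists documented on this page and flags the security-relevant settings. The function names, the minimal line parser (used instead of a YAML library), the case-sensitive option matching, and the rule that `mainRootCertId` N must have `rootCertificateNFile` set are assumptions; both sample configurations are constructed.

```python
import re

# Allowed values copied from the "Must be one of" / "Possible options" lists on this page.
ENUMS = {
    "outputImageAuthenticationType": {"Plain", "CRC", "Signed", "Encrypted + Signed",
                                      "encrypted", "signed", "crc"},
    "outputImageExecutionTarget": {"Internal flash (XIP)", "External flash (XIP)",
                                   "Internal Flash (XIP)", "External Flash (XIP)",
                                   "RAM", "ram", "xip"},
    "deviceKeySource": {"OTP", "Keystore"},
}
UNSIGNED = {"Plain", "CRC", "crc"}   # authentication types that carry no signature
PLACEHOLDER = "CHOOSE_FROM_TABLE"    # value the generated templates ship with


def parse_flat_yaml(text):
    """Read top-level 'key: value  # comment' lines; nested and comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)
        if not m:
            continue
        value = re.split(r"(?:^|\s+)#", m.group(2), maxsplit=1)[0].strip()
        cfg[m.group(1)] = value.strip("'\"")
    return cfg


def as_bool(value):
    return str(value).strip().lower() in {"true", "1", "yes"}


def audit(cfg):
    """Return a list of (severity, key, message) findings for one configuration."""
    findings = []
    for key, value in cfg.items():
        if value == PLACEHOLDER:
            findings.append(("error", key, "template placeholder was never replaced"))
        elif key in ENUMS and value not in ENUMS[key]:
            findings.append(("error", key, f"{value!r} is not a documented option"))

    # Assumption: index N selects rootCertificate<N>File, so that slot must be filled.
    if "mainRootCertId" in cfg:
        try:
            idx = int(cfg["mainRootCertId"], 0)
        except ValueError:
            idx = -1
        if not 0 <= idx <= 3:
            findings.append(("error", "mainRootCertId",
                             "index must select one of root certificates 0..3"))
        elif not cfg.get(f"rootCertificate{idx}File"):
            findings.append(("error", "mainRootCertId",
                             f"rootCertificate{idx}File is not set"))

    # Per the key description: when enabled, non-secure code can reach the key bus.
    if as_bool(cfg.get("enableHwUserModeKeys", "false")):
        findings.append(("warning", "enableHwUserModeKeys",
                         "non-secure application can access keys on the hardware secure bus"))

    # Heuristic: signing key supplied, but the chosen type is not a signed one.
    auth = cfg.get("outputImageAuthenticationType")
    if auth in UNSIGNED and cfg.get("mainCertPrivateKeyFile"):
        findings.append(("warning", "outputImageAuthenticationType",
                         f"{auth!r} is not a signed type although a signing key is configured"))
    return findings


# Constructed sample: placeholder left in, empty root slot, key sharing on, wrong spelling.
BAD_CONFIG = """\
family: rt6xx
outputImageExecutionTarget: RAM
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required]
masterBootOutputFile: my_mbi.bin
inputImageFile: my_application.bin
applicationTable: # [Optional]
  - binary: my_additional_binary.bin
    destAddress: 536870912
    load: true
mainCertPrivateKeyFile: my_prv_key.pem
rootCertificate0File: my_certificate0.pem
mainRootCertId: 2 # constructed: slot 2 has no certificate
enableHwUserModeKeys: true
deviceKeySource: KEYSTORE
"""

# Constructed sample that passes every check.
GOOD_CONFIG = """\
family: rt6xx
outputImageExecutionTarget: RAM
outputImageAuthenticationType: Encrypted + Signed
masterBootOutputFile: my_mbi.bin
inputImageFile: my_application.bin
mainCertPrivateKeyFile: my_prv_key.pem
rootCertificate0File: my_certificate0.pem
mainRootCertId: 0
enableHwUserModeKeys: false
deviceKeySource: OTP
"""

if __name__ == "__main__":
    for severity, key, message in audit(parse_flat_yaml(BAD_CONFIG)):
        print(f"{severity:7} {key}: {message}")
```

The `deviceKeySource` finding comes from the spelling mismatch visible in the key description: the prose names the option KEYSTORE, while the list of accepted values spells it `Keystore`.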

Mbi_PlainExtXipSignedLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): Output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • useIsk (boolean): Enable ISK type of signature certification.

  • signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate.

  • mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key.

  • signingCertificateFile (string): Path to Signing Certificate.

  • signingCertificateConstraint ([‘string’, ‘number’]): Signing certificate constraint number.

  • signCertData (string): Path to Signing Certificate data.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

  • manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].

# ===========  YAML template Mbi_PlainExtXipSignedLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                 == Mbi_PlainExtXipSignedLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to by modified to Master Boot Image.
useIsk: false # [Required], Use ISK for signature certification, Enable ISK type of signature certification
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Conditionally required], ISK Certificate private key, ISK Certificate private key used to sign certificate
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key, Path to Main root Certification Private Key
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate, Path to Signing Certificate
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain, Signing certificate constrain number
signCertData: sign_cert.bin # [Optional], Signing Certificate data, Path to Signing Certificate data
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Required], Main Certificate Index, Index of certificate that is used as a main.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length, Optional Manifest signing hash length to create Certificate v3.1 Manifest., Possible options:[0, 32, 48, 64]

Mbi_PlainRamLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): Output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • firmwareVersion ([‘number’, ‘string’]): Version of application image firmware.

# ===========  YAML template Mbi_PlainRamLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                      == Mbi_PlainRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.

Mbi_PlainRamRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): Output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise the non-secure application reads zeros.

# ===========  YAML template Mbi_PlainRamRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                       == Mbi_PlainRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

Mbi_PlainSignedRamRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): Output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: NXP SDK startup code (not ROM) can load additional images.

    • Items (object)

      • binary (string): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’]): Destination address in RAM of additional binary.

      • load (boolean): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • outputImageEncryptionKeyFile (string): The HMAC encryption key (file path).

  • useKeyStore (boolean): Enables using key store on device.

  • deviceKeySource (string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].

  • keyStoreFile (string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise the non-secure application reads zeros.

# ===========  YAML template Mbi_PlainSignedRamRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == Mbi_PlainSignedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to by modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries, This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.
  - binary: my_additional_binary.bin  # [Required], Binary file, The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address, Destination address in RAM of additional binary.
    load: true # [Required], Enable load, Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of chain certificate that is used as a main.
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of certificate that is used as a main.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key, The HMAC encryption key (file path).
useKeyStore: false # [Optional], The Key store enabler, Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location, Determinate where the keystore is located. There is two options: OTP or KEYSTORE (included in Load to RAM image)., Possible options:['OTP', 'Keystore']
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file, Optional KeyStore data file for included keystore (KEYSTORE source)in LoadToRam images.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

Mbi_PlainSignedXipRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): Output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber ([‘number’, ‘string’]): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId ([‘number’, ‘string’]): Index of chain certificate that is used as a main.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId (['number', 'string']): Index of the certificate that is used as the main one.

  • enableHwUserModeKeys (['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise a non-secure application reads zeros.

# ===========  YAML template Mbi_PlainSignedXipRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == Mbi_PlainSignedXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise the load address in XiP.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of the chain certificate that is used as the main one.
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of the certificate that is used as the main one.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise a non-secure application reads zeros.

Mbi_PlainXip

  • family (string): MCU family name. Must be one of: ['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string): TrustZone customization file. If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

# ===========  YAML template Mbi_PlainXip  ===========
# ----------------------------------------------------------------------------------------------------
#                                          == Mbi_PlainXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

Mbi_PlainXipRtxxx

  • family (string): MCU family name. Must be one of: ['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string): TrustZone customization file. If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • enableHwUserModeKeys (['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise a non-secure application reads zeros.

# ===========  YAML template Mbi_PlainXipRtxxx  ===========
# ----------------------------------------------------------------------------------------------------
#                                       == Mbi_PlainXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['rt6xx', 'lpc55s1x', 'lpc55s0x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing, Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed from a non-secure application; otherwise a non-secure application reads zeros.

Mbi_PlainXipSignedLpc55s3x

  • family (string): MCU family name. Must be one of: ['lpc55s3x', 'lpc553x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • useIsk (boolean): Enable ISK type of signature certification.

  • signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate.

  • mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key.

  • signingCertificateFile (string): Path to Signing Certificate.

  • signingCertificateConstraint (['string', 'number']): Signing certificate constraint number.

  • signCertData (string): Path to Signing Certificate data.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId (['number', 'string']): Index of the certificate that is used as the main one.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string): TrustZone customization file. If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • firmwareVersion (['number', 'string']): Version of application image firmware.

  • manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].

# ===========  YAML template Mbi_PlainXipSignedLpc55s3x  ===========
# ----------------------------------------------------------------------------------------------------
#                                   == Mbi_PlainXipSignedLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
useIsk: false # [Required], Use ISK for signature certification, Enable ISK type of signature certification
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Conditionally required], ISK Certificate private key, ISK Certificate private key used to sign certificate
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key, Path to Main root Certification Private Key
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate, Path to Signing Certificate
signingCertificateConstraint: 0 # [Optional], Signing certificate constraint, Signing certificate constraint number
signCertData: sign_cert.bin # [Optional], Signing Certificate data, Path to Signing Certificate data
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Required], Main Certificate Index, Index of the certificate that is used as the main one.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
firmwareVersion: 0 # [Optional], Firmware version., Version of application image firmware.
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length, Optional Manifest signing hash length to create Certificate v3.1 Manifest., Possible options:[0, 32, 48, 64]

Mbi_SignedRam

  • family (string): MCU family name. Must be one of: ['lpc552x', 'lpc550x', 'lpc55s1x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string): TrustZone customization file. If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber (['number', 'string']): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId (['number', 'string']): Index of the chain certificate that is used as the main one.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId (['number', 'string']): Index of the certificate that is used as the main one.

# ===========  YAML template Mbi_SignedRam  ===========
# ----------------------------------------------------------------------------------------------------
#                                         == Mbi_SignedRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc552x', 'lpc550x', 'lpc55s1x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application, Application loading address in RAM if not XiP, otherwise the load address in XiP.
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of the chain certificate that is used as the main one.
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of the certificate that is used as the main one.

Mbi_SignedXip

  • family (string): MCU family name. Must be one of: ['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x'].

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].

  • masterBootOutputFile (string): The output file for the resulting Master Boot Image.

  • inputImageFile (string): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string): TrustZone customization file. If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate.

  • imageBuildNumber (['number', 'string']): If omitted, 0 is used as the default value.

  • chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.

  • chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.

  • chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.

  • chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.

  • chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.

  • chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.

  • chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.

  • chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.

  • chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.

  • chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.

  • chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.

  • chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.

  • chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.

  • chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.

  • chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.

  • chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.

  • mainCertChainId (['number', 'string']): Index of the chain certificate that is used as the main one.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId (['number', 'string']): Index of the certificate that is used as the main one.

# ===========  YAML template Mbi_SignedXip  ===========
# ----------------------------------------------------------------------------------------------------
#                                         == Mbi_SignedXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family, MCU family name., Possible options:['lpc552x', 'lpc550x', 'lpc551x', 'lpc55s6x', 'lpc55xx', 'lpc55s2x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target, Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence., Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication, Specification of final master boot image authentication., Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name, The output file for the resulting Master Boot Image.
inputImageFile: my_application.bin # [Required], Plain application image, The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option, If not specified, TrustZone is disabled.
trustZonePresetFile: my_tz_custom.yml # [Optional], TrustZone Customization file, If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Optional], Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # [Optional], Image Build Number, If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
mainCertChainId: 0 # [Optional], Main Certificate Chain Index, Index of the chain certificate that is used as the main one.
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Optional], Main Certificate Index, Index of the certificate that is used as the main one.
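
A pre-flight check for the Mbi_SignedXip and Mbi_PlainSignedXipRtxxx configurations listed above, written for this page as an added example; it is not part of SPSDK, and the function names are hypothetical. It assumes the configuration is supplied as JSON, that an omitted mainRootCertId means 0 (the template value), and that the release policy accepts only the authentication types that name signing.

```python
import json

# Allowed values copied from the option lists on this page.
FAMILIES = {
    "Mbi_SignedXip": ("lpc552x", "lpc550x", "lpc551x", "lpc55s6x", "lpc55xx", "lpc55s2x"),
    "Mbi_PlainSignedXipRtxxx": ("rt6xx", "lpc55s1x", "lpc55s0x", "rt5xx"),
}
EXEC_TARGETS = ("Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)",
                "External Flash (XIP)", "RAM", "ram", "xip")
AUTH_TYPES = ("Plain", "CRC", "Signed", "Encrypted + Signed", "encrypted", "signed", "crc")
# Assumption (release policy of this example): only values that name signing pass.
SIGNED_TYPES = ("Signed", "signed", "Encrypted + Signed")
# Options marked [Required] in both templates.
REQUIRED = ("family", "outputImageExecutionTarget", "outputImageAuthenticationType",
            "masterBootOutputFile", "inputImageFile", "rootCertificate0File")
SLOTS = range(4)  # root certificates 0..3, chain certificates 0..3 per root


def as_index(value):
    """Index options are typed as number or string on the page; accept both."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"not an index: {value!r}")
    return int(value, 0) if isinstance(value, str) else value


def lint_mbi_config(cfg, template="Mbi_SignedXip"):
    """Return a list of findings for one MBI configuration dict."""
    findings = []
    for key in REQUIRED:
        if cfg.get(key) in (None, ""):
            findings.append(f"missing required option: {key}")

    for key, allowed in (("family", FAMILIES[template]),
                         ("outputImageExecutionTarget", EXEC_TARGETS),
                         ("outputImageAuthenticationType", AUTH_TYPES)):
        if key in cfg and cfg[key] not in allowed:
            findings.append(f"{key}: {cfg[key]!r} is not allowed for {template}")

    # Policy check: a config built from a signed template should stay signed.
    auth = cfg.get("outputImageAuthenticationType")
    if auth in AUTH_TYPES and auth not in SIGNED_TYPES:
        findings.append(f"outputImageAuthenticationType: {auth!r} is not a signed type")

    # mainRootCertId must select a root certificate slot that is actually filled.
    try:
        root_id = as_index(cfg.get("mainRootCertId", 0))  # assumption: omitted means 0
    except ValueError:
        findings.append("mainRootCertId is not a number")
    else:
        if root_id not in SLOTS:
            findings.append(f"mainRootCertId: {root_id} is outside 0..3")
        elif not cfg.get(f"rootCertificate{root_id}File"):
            findings.append(
                f"mainRootCertId: {root_id} selects an empty rootCertificate{root_id}File")

    # A chain certificate belongs to a root certificate; flag chains without one.
    for root in SLOTS:
        has_chain = any(cfg.get(f"chainCertificate{root}File{n}") for n in SLOTS)
        if has_chain and not cfg.get(f"rootCertificate{root}File"):
            findings.append(
                f"chain certificates set for root {root} but rootCertificate{root}File is not set")

    # The page types this option as boolean or string; "true"/"1" parsing is an assumption.
    if str(cfg.get("enableHwUserModeKeys", False)).strip().lower() in ("true", "1"):
        findings.append("enableHwUserModeKeys is enabled: a non-secure application "
                        "can access keys on the hardware secure bus")
    return findings


def load_and_lint(text, template="Mbi_SignedXip"):
    """Parse a JSON configuration and lint it."""
    return lint_mbi_config(json.loads(text), template)


# Constructed sample configurations (file names follow the templates on this page).
GOOD_JSON = """{
  "family": "lpc55s6x",
  "outputImageExecutionTarget": "Internal flash (XIP)",
  "outputImageAuthenticationType": "Signed",
  "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin",
  "mainCertPrivateKeyFile": "my_prv_key.pem",
  "rootCertificate0File": "my_certificate0.pem",
  "mainRootCertId": 0
}"""
BAD_JSON = """{
  "family": "lpc55s1x",
  "outputImageExecutionTarget": "Internal flash (XIP)",
  "outputImageAuthenticationType": "CRC",
  "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin",
  "rootCertificate0File": "my_certificate0.pem",
  "chainCertificate1File0": "chain_certificate1_depth0.pem",
  "mainRootCertId": "2"
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_JSON), ("bad", BAD_JSON)):
        print(name, load_and_lint(text) or "no findings")
```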

SecureBinary31

  • firmwareVersion (['number', 'string']): Version of application image firmware.

  • useIsk (boolean): Enable ISK type of signature certification.

  • signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate.

  • mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key.

  • rootCertificateEllipticCurve (string): Elliptic curve type used for root key. Must be one of: ['secp256r1', 'secp384r1'].

  • iskCertificateEllipticCurve (string): Elliptic curve type used for ISK key. Must be one of: ['secp256r1', 'secp384r1'].

  • signingCertificateFile (string): Path to Signing Certificate.

  • signingCertificateConstraint ([‘string’, ‘number’]): Signing certificate constraint number.

  • signCertData (string): Path to Signing Certificate data.

  • rootCertificate0File (string): Root certificate file index 0.

  • rootCertificate1File (string): Root certificate file index 1.

  • rootCertificate2File (string): Root certificate file index 2.

  • rootCertificate3File (string): Root certificate file index 3.

  • mainRootCertId ([‘number’, ‘string’]): Index of certificate that is used as a main.

  • family (string): MCU family name. Must be one of: ['lpc55s3x'].

  • containerKeyBlobEncryptionKey (string): Path to PCK/NPK key in plain hex string format.

  • isNxpContainer (boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, sentinel firmware…

  • kdkAccessRights (number): Accepted values are 0, 1, 2 and 3. Value used as key properties for the key derivation process; more details can be found in the CSSv2 manual. Once development is finished, one fixed value will be used and this will probably not be required as user input. Must be one of: [0, 1, 2, 3].

  • containerConfigurationWord ([‘string’, ‘number’]): Flag value in the SB3.1 manifest, not used by silicon with LPC55S3x ROM. The value can be kept at 0, or the item can be removed from the JSON file.

  • description (string): Description of up to 16 characters, stored in the SB3.1 manifest; longer text is truncated by elftosb. If not provided, the elftosb version is inserted automatically.

  • commands (array): Secure Binary v3.1 commands block. Take this list as a full example of what is possible and modify it for your application.

    • Items

# ===========  YAML template SecureBinary31  ===========
# ----------------------------------------------------------------------------------------------------
#                                         == SecureBinary31 ==
# ----------------------------------------------------------------------------------------------------
firmwareVersion: 0  # [Optional], Firmware version., Version of application image firmware.
useIsk: false # [Required], Use ISK for signature certification, Enable ISK type of signature certification
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Conditionally required], ISK Certificate private key, ISK Certificate private key used to sign certificate
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key, Path to Main root Certification Private Key
rootCertificateEllipticCurve: secp256r1 # [Optional], Type of elliptic curve of root key, Elliptic curve type used for root key., Possible options:['secp256r1', 'secp384r1']
iskCertificateEllipticCurve: secp256r1 # [Optional], Type of elliptic curve of ISK key, Elliptic curve type used for ISK key., Possible options:['secp256r1', 'secp384r1']
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate, Path to Signing Certificate
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain, Signing certificate constrain number
signCertData: sign_cert.bin # [Optional], Signing Certificate data, Path to Signing Certificate data
rootCertificate0File: my_certificate0.pem # [Required], Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # [Optional], Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # [Optional], Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # [Optional], Root Certificate File 3, Root certificate file index 3.
mainRootCertId: 0 # [Required], Main Certificate Index, Index of certificate that is used as a main.
family: CHOOSE_FROM_TABLE # [Required], MCU family, MCU family name., Possible options:['lpc55s3x']
containerKeyBlobEncryptionKey: my_pck.txt # [Optional], Part Common Key, Path to PCK/NPK key in plain hex string format.
isNxpContainer: false # [Optional], Enable NXP Container format, Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, sentinel firmware...
kdkAccessRights: 0 # [Optional], KDK access rights, Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be in CSSv2 manual.  Once will be development finished, one fixed value will be used and probably not required as user input., Possible options:[0, 1, 2, 3]
containerConfigurationWord: 0 # [Optional], Container configuration word, Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be keep 0, or item removed from json file.
description: This is description of my generated SB file. # [Optional], Description, Description up to 16 characters, longer will be truncated by elftosb, stored in SB3.1 manifest. If not provided, inserted elftosb version automatically.
commands: # [Required], SB3.1 Commands, Secure Binary v3.1 commands block, take this list as a full possible example - Modify it regarding your application
    # ----------------------------------------------------------------------------------------------------
    #  == List of possible 13 options. Option types[object,object,object,object,object,object,object,object,object,object,object,object,object] ==
    # ----------------------------------------------------------------------------------------------------
  -  # [Example of possible configuration #0]
    erase:  # [Required], Erase, Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
      address: 0  # [Required], Address, Address of memory block to be erased.
      size: 4096 # [Required], Size, Size of memory block to be erased.
      memoryId: 0 # [Optional], Memory ID, ID of memory block to be erased.
  - # [Example of possible configuration #1]
    load:  # [Required], Load, If set, then the data to write immediately follows the range header. The length field contains the actual data length
      address: 0  # [Required], Address, Address of memory block to be loaded.
      memoryId: 0 # [Optional], Memory ID, ID of memory block to be loaded.
      file: my_binary.bin # [Optional], Binary file., Binary file to be loaded.
      values: 0x1234, 0x5678, 0, 12345678 # [Optional], Binary values., Binary values delimited by comma to be loaded.
      authentication: cmac # [Optional], Authentication, Type of Image authentication [None, cmac, hashlocking]. If authentication is not used, just omit this option.
  - # [Example of possible configuration #2]
    execute:  # [Required], Execute, The startAddress will be the jump-to address. No further processing of SB after jump, ROM do not expect to return.
      address: 0  # [Required], Address, Jump-to address to start execute code.
  - # [Example of possible configuration #3]
    call:  # [Required], Call, The startAddress will be the address to jump, however, the state machine should expect a return to the next statement to continue processing the sb file
      address: 0  # [Required], Address, Jump-to address to start execute code.
  - # [Example of possible configuration #4]
    programFuses:  # [Required], Program Fuses, The startAddress will be the address of fuse register, length will be number of fuse words to program. The data to write to the fuse registers will immediately follow the header.
      address: 0  # [Required], Address, Address of fuses to be burned.
      values: 0x1234, 0x5678, 0, 12345678 # [Required], Binary values, Binary values delimited by comma to be burned.
  - # [Example of possible configuration #5]
    programIFR:  # [Required], Program IFR, The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header
      address: 0  # [Required], Address, Address of IFR region to be programmed.
      file: my_binary.bin # [Required], Binary file, Binary file to be programmed.
  - # [Example of possible configuration #6]
    loadCMAC:  # [Required], Load CMAC, If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.
      address: 0  # [Required], Address, Address of memory block to be CMAC loaded.
      memoryId: 0 # [Optional], Memory ID, ID of memory block to be CMAC loaded.
      file: my_cmac_binary.bin # [Required], Binary file, Binary file to be loaded.
  - # [Example of possible configuration #7]
    copy:  # [Required], Copy, Used for copying data from one place to another. 32 bytes fixed size.
      addressFrom: 0  # [Required], Address From, Address of memory block to be copied.
      memoryIdFrom: 0 # [Optional], Memory ID From, ID of memory block to be copied.
      size: 4096 # [Required], Size, Size of memory block to be copied.
      addressTo: 536870912 # [Required], Address To, Address of memory where block to be copied.
      memoryIdTo: 0 # [Optional], Memory ID To, ID of memory block where to be copied.
  - # [Example of possible configuration #8]
    loadHashLocking:  # [Required], Load with HASH locking, If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.
      address: 0  # [Required], Address, Address of memory block to be loaded.
      memoryId: 0 # [Optional], Memory ID, ID of memory block to be loaded.
      file: my_hashlocking_binary.bin # [Required], Binary file, Binary file to be loaded.
  - # [Example of possible configuration #9]
    loadKeyBlob:  # [Required], Load Key Blob, Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length.
      offset: 0  # [Required], Offset, Offset of the key blob.
      wrappingKeyId: 0 # [Required], Wrapping key ID, Wrapping ID of key blob., Possible options:['NXP_CUST_KEK_INT_SK', 'NXP_CUST_KEK_EXT_SK']
      file: my_keyblob.bin # [Required], Binary file, Binary file to be loaded.
  - # [Example of possible configuration #10]
    configureMemory:  # [Required], Configure memory, Configure memory.
      configAddress: 0  # [Required], Address, Configuration address.
      memoryId: 0 # [Optional], Memory ID, ID of memory block to be configured.
  - # [Example of possible configuration #11]
    fillMemory:  # [Required], Fill memory, Used for filling of the memory range by same repeated int32 pattern.
      address: 0  # [Required], Address, Address of memory block to be filled.
      size: 4096 # [Required], Size, Size of memory block to be filled.
      pattern: 2779096485 # [Required], Pattern, Pattern which will be used to fill memory.
  - # [Example of possible configuration #12]
    checkFwVersion:  # [Required], Check firmware version, Used to execute check of provided counter value with value stored in specified monotonous counter in device. If values are not same, SB file is rejected.
      value: 1  # [Required], Value - Firmware version, Firmware version to be compared.
      counterId: secure # [Required], Counter ID, ID of FW counter to be checked., Possible options:['none', 'nonsecure', 'secure', 'radio', 'snt', 'bootloader']

Secure binary

Secure binary is a binary output file that contains the user’s application image along with a series of bootloader commands. The output file is known as a “Secure Binary” or SB file for short. These files typically have a .sb extension.

This format has a long history; the latest version is 3.1 (2022). The SPSDK elftosb tool supports SB 2.1 (2.0) and SB 3.1.

Version 2.1 added support for digital signatures.

The SB 2.0 and 2.1 file format also uses AES encryption for confidentiality and HMAC for extending trust from the signed part of the SB file to the command and data part of the SB file. These two keys (AES decrypt key and HMAC key) are wrapped in an RFC 3394 key blob, for which the key wrapping key is the SBKEK key.

SB2 generation using BD file

The tool uses an input command file to control the sequence of bootloader commands present in the output file. This command file is called a “boot descriptor file” or BD file for short.

The image location is stated in the “sources” section of the .bd file. The SB key in the text file is used for encryption with the nxpimage command line tool.

A description of how to use the BD file is in the chapter below.

For more information about the Secure boot setup for the LPC55Sxx family, see AN12283.

Example of SB2 generation for 4 root keys

nxpimage: nxpimage sb21 export -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" -s private_key_1_2048.pem -S certificate_1_2048.der.crt -R certificate_1_2048.der.crt -R certificate_2_2048.der.crt -R certificate_3_2048.der.crt -R certificate_4_2048.der.crt -h "RHKT.bin" "input.bin"

elftosb: elftosb -f lpc55xx -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" -s private_key_1_2048.pem -S certificate_1_2048.der.crt -R certificate_1_2048.der.crt -R certificate_2_2048.der.crt -R certificate_3_2048.der.crt -R certificate_4_2048.der.crt -h "RHKT.bin" "input.bin"

The created SB2 file can be loaded into the device using the blhost receive-sb-file command:

blhost -p COMxx receive-sb-file <path to the secured binary(.sb2)>

SB 3.1

SB 3.1 is an evolution of the SB 2 format. The configuration is done in a similar way as a master boot image by configuration file in YAML or JSON. BD files are no longer used, commands are supplied in the configuration file.

Example of use

nxpimage: nxpimage sb31 export "sb3_config.yaml"

elftosb: elftosb -j "sb3_config.yaml"
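A pre-export lint for the SB 3.1 configuration described above, as an added example that is not part of SPSDK: it checks the enumerated values and the [Required] keys of each command from the template, and lists the commands worth a second look before the file is signed. The names `lint_sb31` and `SAMPLE`, the rule that `useIsk: true` needs the ISK key and certificate, and the sample configuration are assumptions made for the example.

```python
# Added example (not SPSDK code): lint an SB 3.1 config parsed from YAML/JSON
# into a dict, using the enumerations and [Required] marks from the template.
CURVES = {"secp256r1", "secp384r1"}
COUNTER_IDS = {"none", "nonsecure", "secure", "radio", "snt", "bootloader"}
REQUIRED = {  # keys marked [Required] for each of the 13 commands
    "erase": {"address", "size"}, "load": {"address"}, "execute": {"address"},
    "call": {"address"}, "fillMemory": {"address", "size", "pattern"},
    "programFuses": {"address", "values"}, "programIFR": {"address", "file"},
    "loadCMAC": {"address", "file"}, "loadHashLocking": {"address", "file"},
    "copy": {"addressFrom", "size", "addressTo"},
    "loadKeyBlob": {"offset", "wrappingKeyId", "file"},
    "configureMemory": {"configAddress"}, "checkFwVersion": {"value", "counterId"},
}
# Commands that transfer control, write fuses or IFR, or install keys.
REVIEW = {"execute", "call", "programFuses", "programIFR", "loadKeyBlob"}


def lint_sb31(cfg):
    """Return (errors, warnings) for one SB 3.1 configuration dict."""
    errors, warnings = [], []
    for key in ("useIsk", "rootCertificate0File", "mainRootCertId", "family", "commands"):
        if key not in cfg:
            errors.append(f"missing required key: {key}")
    for key in ("rootCertificateEllipticCurve", "iskCertificateEllipticCurve"):
        if key in cfg and cfg[key] not in CURVES:
            errors.append(f"{key}: unsupported curve {cfg[key]!r}")
    if cfg.get("kdkAccessRights", 0) not in (0, 1, 2, 3):
        errors.append("kdkAccessRights must be one of 0, 1, 2, 3")
    # Assumption: with ISK enabled the ISK key and certificate are needed,
    # otherwise the main root private key signs the container.
    isk = bool(cfg.get("useIsk"))
    needed = (("signingCertificatePrivateKeyFile", "signingCertificateFile")
              if isk else ("mainRootCertPrivateKeyFile",))
    errors += [f"useIsk={isk} requires {k}" for k in needed if k not in cfg]
    root_id = str(cfg.get("mainRootCertId", 0))  # number or string per schema
    if f"rootCertificate{root_id}File" not in cfg:
        errors.append(f"mainRootCertId {root_id} has no rootCertificate{root_id}File")
    if len(cfg.get("description", "")) > 16:
        warnings.append("description exceeds 16 characters and will be truncated")
    names = []
    for i, entry in enumerate(cfg.get("commands", [])):
        if not isinstance(entry, dict) or len(entry) != 1 or next(iter(entry)) not in REQUIRED:
            errors.append(f"commands[{i}]: expected exactly one known command")
            continue
        name, args = next(iter(entry.items()))
        args = args or {}
        names.append(name)
        missing = REQUIRED[name] - set(args)
        if missing:
            errors.append(f"commands[{i}] {name}: missing {sorted(missing)}")
        if name == "checkFwVersion" and args.get("counterId") not in COUNTER_IDS:
            errors.append(f"commands[{i}] checkFwVersion: unknown counterId")
        if name in REVIEW:
            warnings.append(f"commands[{i}] {name}: review before signing")
    if "checkFwVersion" not in names:
        warnings.append("no checkFwVersion command: firmware counter is not checked")
    return errors, warnings


# Constructed sample: ISK enabled without its certificate, erase without
# 'size', an over-long description and a fuse-programming command.
SAMPLE = {
    "useIsk": True, "family": "lpc55s3x", "mainRootCertId": 0,
    "rootCertificate0File": "my_certificate0.pem",
    "signingCertificatePrivateKeyFile": "isk_prv_key.pem",
    "description": "This is description of my generated SB file.",
    "commands": [
        {"erase": {"address": 0}},
        {"programFuses": {"address": 0, "values": "0x1234, 0x5678"}},
    ],
}

if __name__ == "__main__":
    print(*lint_sb31(SAMPLE), sep="\n")
```

Load the YAML or JSON file with the parser of your choice and pass the resulting dict to `lint_sb31`.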

AHAB

AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage what the output should look like.

AHAB container is not supported by elftosb tool.

Example of use for export

nxpimage ahab export "path\to\config\file.yaml"

Example of use for parsing a binary AHAB container

nxpimage ahab parse -b "my_ahab_container.bin" "path\to_parsed_data"

# ===========  Advanced High-Assurance Boot Configuration template for rt1180.  ===========
# ----------------------------------------------------------------------------------------------------
#                                        == General Options ==
# ----------------------------------------------------------------------------------------------------
family: rt1180  # [Required], MCU family, Family identifier including the chip revision. If revision is not present, latest revision is used as default., Possible options:['rt1180']
revision: a0 # [Optional], MCU revision, Revision of silicon, Possible options:['a0']
output: generated_ahab.bin # [Required], Output AHAB file name, Revision of silicon
containers: # [Required], List of containers present in AHAB., The order of containers in the list defines the order in AHAB.
-
    # ----------------------------------------------------------------------------------------------------
    #                     == Optional Binary Container format to add to AHAB image ==
    # ----------------------------------------------------------------------------------------------------
    binary_container:  # [Required], Binary AHAB container
        path: my_ahab_container.bin  # [Required], The AHAB container binary file, The binary file that contains AHAB "my_binary_container.bin"
-
    # ----------------------------------------------------------------------------------------------------
    #                  == Optional Configuration Container format to add to AHAB image ==
    # ----------------------------------------------------------------------------------------------------
    container:  # [Required], AHAB Container
        srk_set: oem  # [Required], Super Root Key (SRK) set, Defines which set is used to authenticate the container., Possible options:['none', 'oem', 'nxp']
        used_srk_id: 0 # [Conditionally required], Used SRK, Which key from SRK set is being used.
        srk_revoke_mask: 0 # [Optional], SRK revoke mask, Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit 1 = revoke SRK_1 etc.
        fuse_version: 0 # [Required], Fuse version, The value must be equal or greater than the version stored in fuses to allow loading this container.
        sw_version: 0 # [Required], Software version, Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same Fuse version field.
        signing_key: my_signing_key.pem # [Conditionally required], AHAB container signing key, Private key used for sign the container header. Header can be signed by SRK or by image key that was signed by SRK. If an image key is used, it must be the same algorithm and key size as the SRK. In both cases, the referenced SRK must not have been revoked.
        # ----------------------------------------------------------------------------------------------------
        #               == Configuration of AHAB Container images (array of multiple images) ==
        # ----------------------------------------------------------------------------------------------------
        images: # [Required], Image array, Array of image entries.
            - image_path: my_image.bin  # [Required], Image path, Path to image binary (absolute/relative).
              image_offset: '0x4000' # [Required], Image offset in AHAB container, Relative address for start of AHAB image (can contain multiple AHAB containers). In case of XiP type of AHAB image, the load_address and entry_point must correspond to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS
              load_address: '0x5000' # [Required], Image destination address, Address the image is written to in memory (absolute address in system memory).
              entry_point: '0x5000' # [Required], Image entry point, Image entry point (absolute address). Valid only for executable image types.
              image_type: executable # [Required], Image type, Kind of image., Possible options:['executable', 'data', 'dcd_image', 'seco', 'provisioning_image', 'provisioning_data']
              core_id: cortex-m33 # [Required], Core ID, Defines the core the image is dedicated for., Possible options:['cortex-m33', 'cortex-m7']
              is_encrypted: false # [Required], Image encryption, Determines, whether image is encrypted or not.
              boot_flags: 0 # [Optional], Boot flags, Boot flags controlling SCFW boot.
              meta_data_start_cpu_id: 0 # [Optional], Start CPU ID, Resource ID of CPU to be started
              meta_data_mu_cpu_id: 0 # [Optional], CPU memory unit start ID, Resource ID of the MU associated with the CPU
              meta_data_start_partition_id: 0 # [Optional], Start partition ID, Partition ID of the partition to start
              hash_type: sha256 # [Optional], Images HASH type, HASH type of image. All images in the container must have the same HASH type., Possible options:['sha256', 'sha384', 'sha512']
              iv_path: my_IV.bin # [Optional], IV file path, Used only for encrypted images (zero otherwise); SHA256 of the plain text image. Fixed size at 256 bits. The lower 128-bit part of the SHA256 value will be retained as IV in the encryption/decryption process.
        # ----------------------------------------------------------------------------------------------------
        #                                == Configuration of AHAB SRK table ==
        # ----------------------------------------------------------------------------------------------------
        srk_table: # [Conditionally required], SRK Table, SRK (Super Root key) table definition.
            hash_type: sha256  # [Required], SRK HASH type, HASH type of image. All images in the container must have the same HASH type., Possible options:['sha256', 'sha384', 'sha512']
            srk_array: # [Required], Super Root Key (SRK) table, Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms are; RSASSA-PSS or ECDSA. Supported hash algorithms; sha256, sha384, sha512. Supported key sizes/curves; prime256v1, sec384r1, sec512r1, rsa2048, rsa4096. Certificate may be of Certificate Authority.
                - my_srk_public_key0.pem
                - my_srk_public_key1.pem
                - my_srk_public_key2.pem
                - my_srk_public_key3.pem
        # ----------------------------------------------------------------------------------------------------
        #     == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
        # ----------------------------------------------------------------------------------------------------
        certificate: # [Optional], Certificate container, Optional certificate container definition.
            permissions:  # [Optional], Certificate permissions, Permissions used to indicate what a certificate can be used for
                - container
                - secure_enclave_debug
                - phbc_debug
                - hdmi_debug
                - soc_debug_domain_1
                - soc_debug_domain_2
                - life_cycle
                - hdcp_fuses
                - monotonic_counter
            uuid: 00001111aaaabbbb22223333ccccdddd # [Optional], UUID, (Optional) 128-bit unique identifier
            public_key: my_cert_public_key.pem # [Required], Certificate public key, Path to Public key file (RSA and ECDSA).
            hash_type: sha256 # [Required], Certificate HASH type, HASH type of public key. The hash type should correspond to SRK keys., Possible options:['sha256', 'sha384', 'sha512']
            signing_key: my_cert_signing_key.pem # [Required], Certificate container signing key, Private key used for sign the certificate container.
        # ----------------------------------------------------------------------------------------------------
        #   == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
        # ----------------------------------------------------------------------------------------------------
        blob: # [Optional], Encryption blob, Encryption blob container definition
            wrapped_key_path: my_wrapped_key.pem  # [Required], KEK blob wrapped key, Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size).

The full AHAB configuration template can be generated with the nxpimage “get-template” sub-command for a family that supports AHAB, for example:

nxpimage ahab get-template -f rt1180 ./my_config_templates
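The constraints spelled out in the AHAB template comments (SRK revoke mask bits, fuse version, XiP load address, matching hash types, certificate permissions) can be checked before export. The following is an added example, not SPSDK code; `lint_ahab_container`, its `xip_base` and `fused_version` parameters, the rule that an encrypted image needs both `iv_path` and `blob`, and the sample values are assumptions made for the example.

```python
# Added example (not SPSDK code): consistency checks for one `container`
# entry of an AHAB config, following the rules in the template comments.
DEBUG_PERMS = {"secure_enclave_debug", "phbc_debug", "hdmi_debug",
               "soc_debug_domain_1", "soc_debug_domain_2"}


def num(value):
    """Template numbers appear as ints or as strings such as '0x4000'."""
    return value if isinstance(value, int) else int(str(value), 0)


def lint_ahab_container(c, xip_base=None, fused_version=None):
    """Return a list of findings for one container dict.

    xip_base (address where the AHAB image starts, XiP only) and
    fused_version (fuse version read from the target) are caller-supplied
    assumptions; neither is a field of the configuration file.
    """
    findings = []
    srk_table = c.get("srk_table", {})
    if c.get("srk_set", "none") != "none":
        srk_id = num(c.get("used_srk_id", 0))
        count = len(srk_table.get("srk_array", []))
        if not 0 <= srk_id < count:
            findings.append(f"used_srk_id {srk_id} is outside srk_array ({count} keys)")
        elif num(c.get("srk_revoke_mask", 0)) >> srk_id & 1:
            findings.append(f"srk_revoke_mask revokes SRK_{srk_id}, the key in use")
        if "signing_key" not in c:
            findings.append("signed container has no signing_key")
    if fused_version is not None and num(c["fuse_version"]) < fused_version:
        findings.append(f"fuse_version {num(c['fuse_version'])} is below fused value {fused_version}")

    images = c.get("images", [])
    hashes = {img["hash_type"] for img in images if "hash_type" in img}
    if len(hashes) > 1:
        findings.append(f"images mix hash types {sorted(hashes)}")
    for i, img in enumerate(images):
        expected = None if xip_base is None else xip_base + num(img["image_offset"])
        if expected is not None and num(img["load_address"]) != expected:
            findings.append(f"images[{i}]: load_address is not base+offset ({expected:#x})")
        # Assumption: an encrypted image needs its IV and the wrapped key blob.
        if img.get("is_encrypted") and ("iv_path" not in img or "blob" not in c):
            findings.append(f"images[{i}]: encrypted image without iv_path or blob")

    cert = c.get("certificate")
    if cert:
        if cert.get("hash_type") != srk_table.get("hash_type"):
            findings.append("certificate hash_type differs from srk_table hash_type")
        debug = sorted(DEBUG_PERMS & set(cert.get("permissions", [])))
        if debug:
            findings.append(f"certificate grants debug permissions {debug}")
    return findings


# Constructed sample based on the rt1180 template, with faults introduced.
SAMPLE = {
    "srk_set": "oem", "used_srk_id": 0, "srk_revoke_mask": 1,
    "fuse_version": 0, "sw_version": 0, "signing_key": "my_signing_key.pem",
    "images": [{"image_path": "my_image.bin", "image_offset": "0x4000",
                "load_address": "0x5000", "entry_point": "0x5000",
                "image_type": "executable", "is_encrypted": False,
                "hash_type": "sha256"}],
    "srk_table": {"hash_type": "sha256", "srk_array": [
        f"my_srk_public_key{i}.pem" for i in range(4)]},
    "certificate": {"permissions": ["container", "soc_debug_domain_1"],
                    "hash_type": "sha384",
                    "public_key": "my_cert_public_key.pem"},
}

if __name__ == "__main__":
    print(*lint_ahab_container(SAMPLE, xip_base=0x1000, fused_version=1), sep="\n")
```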