User Guide - nxpdevhsm
This user’s guide describes how to interface with the MCU bootloader to provisioned chip using nxpdevhsm application.
The nxpdevhsm application is a command-line utility used on the host computer to use device HSM process to get provisioning SB3.
Communication
The nxpdevhsm application is using blhost application and all supported communication interfaces that blhost offers(UART, USB, LPCUSBSIO[IC, SPI])
blhost - USB
blhost could be connected to MCU Bootloader over USB HID.
blhost - UART
blhost could be connected to MCU bootloader over UART.
blhost - LPCUSBSIO
LPCUSBSIO - LPC USB Serial I/O(LPCUSBSIO), a firmware built in LPC Link2. The LPCUSBSIO acts as a bus translator, and establishes connection with blhost over USB-HID, and the MCU bootloader device over I2C and SPI.
Note
For more information about supported communication interface check the blhost application documentation.
Command line interface
nxpdevhsm
Nxpdevhsm application is designed to create SB3 provisioning file for initial provisioning of device by OEM.
nxpdevhsm [OPTIONS] COMMAND [ARGS]...
Options
- -v, --verbose
Print more detailed information
- -vv, --debug
Display more debugging information.
- --version
Show the version and exit.
- --help
Show this message and exit.
generate
Generate provisioning SB3.1 file.
nxpdevhsm generate [OPTIONS] OUTPUT_PATH
Options
- -p, --port <COM[,speed>
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID:PID|USB_PATH|DEV_NAME>
USB device identifier.
Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name.<vid>: hex or dec string; e.g. 0x0AB12, 43794.<vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451.Use ‘nxpdevscan’ utility to list connected device names.
- -l, --lpcusbsio <usb,VID:PID|USB_PATH|SER_NUM,]spi|i2c>
USB-SIO bridge interface.
Optional USB device filtering formats: [usb,vid:pid|usb_path|serial_number]
Following serial interfaces are supported:
spi[index][,port,pin,speed_kHz,polarity,phase]- index … optional index of SPI peripheral. Example: “spi1” (default=0)- port … bridge GPIO port used as SPI SSEL(default=0)- pin … bridge GPIO pin used as SPI SSELdefault SSEL is set to 0.15 which worksfor the LPCLink2 bridge. The MCULink OBbridge ignores the SSEL value anyway.(default=15)- speed_kHz … SPI clock in kHz (default 1000)- polarity … SPI CPOL option (default=1)- phase … SPI CPHA option (default=1)i2c[index][,address,speed_kHz]- index … optional index of I2C peripheral. Example: “i2c1” (default=0)- address … I2C device address (default 0x10)- speed_kHz … I2C clock in kHz (default 100)
- -b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed>
buspal settings
- -t, --timeout <ms>
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
- -k, --key <key>
Required User PCK secret file (32-bytes long binary file). PCK (provisioned by OEM, known by OEM) - Part Common Key. This is a 256-bit pre-shared AES key provisioned by OEM. PCK is used to derive FW image encryption keys.
- -o, --oem-share-input <oem_share_input>
OEM share input file to use as a seed to randomize the provisioning process (16-bytes long binary file).
- -w, --workspace <workspace>
Workspace folder to store temporary files, that could be used for future review.
- -j, --container-conf <container_conf>
json container configuration file to produce secure binary v3.x. In this configuration file is enough to provide just commands and description section.
Arguments
- OUTPUT_PATH
Required argument