MBI-A-TZV-I-LA-FVHIV-AC-A-EATCA

Type: object

root family

The chip family name

Type: enum (of string)

NXP chip family identifier.

Must be one of:

  • "mcxa344"
  • "mcxa567"
  • "mcxa145"
  • "lpc5502"
  • "mcxa265"
  • "kw45b41z8"
  • "mcxa142"
  • "mcxc242"
  • "mcxn526"
  • "mcxn946"
  • "mcxw236"
  • "mcxa556"
  • "mcxa144"
  • "mcxa153"
  • "mcxa356"
  • "lpc5504"
  • "mcxa152"
  • "mimxrt555s"
  • "kw45z41082"
  • "mcxa133"
  • "mcxa536"
  • "mcxw727c"
  • "mcxa185"
  • "mcxc162"
  • "mc56f81768"
  • "mc56f81868"
  • "mcxc041"
  • "rw612"
  • "kw47b42zb3"
  • "mcxa146"
  • "mcxa457"
  • "lpc55s04"
  • "mcxa366"
  • "mcxa176"
  • "mcxa143"
  • "mcxa566"
  • "mcxa256"
  • "mcxc143"
  • "mcxa154"
  • "lpc55s36"
  • "mc56f81666"
  • "mcxa456"
  • "mcxe245"
  • "lpc5534"
  • "mcxa343"
  • "mcxl254"
  • "mcxn947"
  • "mcxa537"
  • "kw47z42082"
  • "mcxc144"
  • "mcxa186"
  • "kw47z420b2"
  • "mcxl255"
  • "mcxc244"
  • "mcxa156"
  • "mcxl253"
  • "kw47b42zb7"
  • "mcxa155"
  • "mcxa175"
  • "mcxc444"
  • "mc56f81646"
  • "lpc5528"
  • "mcxc142"
  • "mcxn546"
  • "mcxe246"
  • "kw47b42zb2"
  • "lpc55s14"
  • "kw47z42092"
  • "mcxn556s"
  • "mimxrt595s"
  • "mcxa174"
  • "mimxrt685s"
  • "mc56f81748"
  • "mimxrt533s"
  • "kw45b41z5"
  • "mcxe247"
  • "mcxe316"
  • "mcxn537"
  • "kw47z420b3"
  • "mcxa346"
  • "lpc5516"
  • "lpc55s28"
  • "mimxrt758s"
  • "mcxa287"
  • "mc56f81746"
  • "mcxc151"
  • "mcxc141"
  • "lpc5536"
  • "lpc55s16"
  • "mcxa577"
  • "lpc55s06"
  • "mcxa286"
  • "mcxw727a"
  • "lpc55s66"
  • "lpc5514"
  • "mcxn536"
  • "mcxn236"
  • "mcxe31b"
  • "mcxa266"
  • "mcxn547"
  • "mcxa132"
  • "mcxa173"
  • "kw45z41083"
  • "mimxrt798s"
  • "mcxe315"
  • "mcxc443"
  • "kw47b42z97"
  • "mimxrt735s"
  • "mcxa355"
  • "mwct20d2"
  • "mcxn557s"
  • "mwct2012"
  • "mc56f81668"
  • "mcxa255"
  • "mcxw235"
  • "lpc55s26"
  • "mcxc243"
  • "mcxw727d"
  • "lpc5506"
  • "mcxe317"
  • "mcxn247"
  • "mc56f81648"
  • "mcxn235"
  • "mc56f81866"
  • "mcxw716c"
  • "kw47b42z96"
  • "kw47b42zb6"
  • "lpc55s69"
  • "nhs52s04"
  • "mwct2012a"
  • "mcxn527"
  • "mcxa345"
  • "mcxw716a"
  • "mcxc161"
  • "kw45z41053"
  • "kw45z41052"
  • "k32w148"
  • "rw610"
  • "mcxa365"
  • "lpc5526"
  • "mwct20d2a"
  • "kw47b42z83"
  • "lpc5512"
  • "mc56f81766"
  • "kw45xx"
  • "mcxa1xx"
  • "mcxn9xx"
  • "mc56f817xx"
  • "mc56f818xx"
  • "rw61x"
  • "lpc55s3x"
  • "mcxe24x"
  • "mcxn94x"
  • "kw47xx"
  • "lpc552x"
  • "mcxn54x"
  • "rt5xx"
  • "rt6xx"
  • "lpc551x"
  • "lpc553x"
  • "lpc55s1x"
  • "lpc55s0x"
  • "mcxn23x"
  • "rt7xx"
  • "mwct2xd2"
  • "mwct2x12"
  • "mc56f816xx"
  • "lpc55s2x"
  • "lpc550x"
  • "mcxw71xx"
  • "lpc55s6x"
  • "nhs52sxx"
  • "k32w1xx"

root revision

MCU revision

Type: enum (of string)

Revision of silicon. The 'latest' name, means most current revision.

Must be one of:

  • "a0"
  • "latest"

root outputImageExecutionTarget

Application target

Type: enum (of string)

Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.

Must be one of:

  • "xip"
  • "load-to-ram"
  • "Internal flash (XIP)"
  • "External flash (XIP)"
  • "Internal Flash (XIP)"
  • "External Flash (XIP)"
  • "RAM"
  • "ram"

root outputImageAuthenticationType

Type of boot image authentication

Type: enum (of string)

Specification of final master boot image authentication.

Must be one of:

  • "plain"
  • "crc"
  • "signed"
  • "signed-encrypted"
  • "signed-nxp"
  • "nxp_signed"
  • "nbu-signed"
  • "Plain"
  • "CRC"
  • "Signed"
  • "Encrypted + Signed"
  • "NXP Signed"
  • "NXP signed"
  • "NBU Signed"
  • "encrypted"
  • "misr"
  • "smr"
  • "SMR"

root masterBootOutputFile

Output Image name

Type: stringFormat: file_name

The path for result binary file.

root inputImageFile

Plain application image

Type: stringFormat: file

The input application image to by modified to Master Boot Image.

root trustZonePresetFile

TrustZone Customization file in version 2

Type: stringFormat: optional_file

Specification of Trust Zone configuration file for advanced settings. It could be as YAML TrustZone configuration file as pre-prepared binary TrustZone configuration.

root outputImageExecutionAddress

Loading address of application

Type: number or string

Application loading address in RAM if not XiP, otherwise address of load in XiP.

root firmwareVersion

Firmware version.

Type: number or stringFormat: number

Value compared with SecureFWVersion monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).

root add_crc_check

The additional CRC images check

Type: boolean

If true, add additional CRC image that is computed from all data execution image and optionally TrustZone.

root srk_set

Super Root Key (SRK) set

Type: enum (of string)

Defines which set is used to authenticate the container.

Must be one of:

  • "oem"
  • "nxp"

root used_srk_id

Used SRK

Type: number or stringFormat: number

Which key from SRK set is being used.

root signer

AHAB container signer

Type: string

Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have been revoked.

root signer_#2

AHAB container signer for second signature (PQC only)

Type: string

Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced SRK must not have been revoked.

root srk_table

SRK Table

Type: object

SRK (Super Root key) table definition.

root srk_table flag_ca

CA Flag

Type: boolean

CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys

root srk_table srk_array

Super Root Key (SRK) table

Type: array of string

Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3256, sha3384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new type of AHAB container

Must contain a minimum of 4 items

Must contain a maximum of 4 items

No Additional Items

Each item of this array must be:

root srk_table srk_array SRK key

SRK key

Type: stringFormat: file

Path to SRK Key file.

root srk_table srk_table_#2

Second SRK Table

Type: object

root srk_table srk_table_#2 flag_ca

CA Flag

Type: boolean

CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys

root srk_table srk_table_#2 srk_array

Super Root Key (SRK) table

Type: array of string

Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3256, sha3384, sha3_512. Certificate may be of Certificate Authority.

Must contain a minimum of 4 items

Must contain a maximum of 4 items

No Additional Items

Each item of this array must be:

root srk_table srk_table_#2 srk_array SRK key

SRK key

Type: stringFormat: file

Path to SRK Key file.

root certificate

The AHAB certificate

Type: stringFormat: file

The file that contains AHAB certificate. It could be used already prepared binary form signed by SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export it itself.

root image_hash_type

Images HASH type

Type: enum (of string)

HASH type of image.

Must be one of:

  • "sha256"
  • "sha384"

root core_id

Target Core ID

Type: enum (of string)

Target core id to select kind of image.

Must be one of:

  • "cortex-m33"
  • "nbu"