User Guide - nxpdevhsm#
This user’s guide describes how to interface with the MCU bootloader to provision a chip using the nxpdevhsm application.
The nxpdevhsm application is a command-line utility that runs on the host computer and uses the device HSM process to obtain a provisioning SB3 file.
Communication#
The nxpdevhsm application uses the blhost application and supports all communication interfaces that blhost offers (UART, USB, LPCUSBSIO [I2C, SPI]).
blhost - USB#
blhost can connect to the MCU bootloader over USB HID.
blhost - UART#
blhost can connect to the MCU bootloader over UART.
blhost - LPCUSBSIO#
LPC USB Serial I/O (LPCUSBSIO) is firmware built into LPC Link2. LPCUSBSIO acts as a bus translator: it establishes a connection with blhost over USB-HID and with the MCU bootloader device over I2C and SPI.
Note
For more information about the supported communication interfaces, see the blhost application documentation.
Command line interface#
nxpdevhsm#
The nxpdevhsm application is designed to create the SB3 provisioning file for the initial provisioning of a device by the OEM.
nxpdevhsm [OPTIONS] COMMAND [ARGS]...
Options
- -v, --verbose#
Print more detailed information.
- -vv, --debug#
Display more debugging information.
- --version#
Show the version and exit.
- --help#
Show this message and exit.
generate#
Generate provisioning SB file.
nxpdevhsm generate [OPTIONS]
Options
- -p, --port <COM[,speed]>#
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID:PID|USB_PATH|DEV_NAME>#
USB device identifier.
Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name.
<vid>: hex or dec string; e.g. 0x0AB12, 43794.
<vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451.
Use ‘nxpdevscan’ utility to list connected device names.
- -sd, --sdio <SDIO_PATH|DEV_NAME>#
SDIO device identifier.
Following formats are supported: device/instance path, device name.
device/instance path: device string; e.g. /dev/mcu-sdio.
Use ‘nxpdevscan’ utility to list connected device names.
- -l, --lpcusbsio <[usb,VID:PID|USB_PATH|SER_NUM,]spi|i2c>#
USB-SIO bridge interface.
Optional USB device filtering formats: [usb,vid:pid|usb_path|serial_number]
Following serial interfaces are supported:
spi[index][,port,pin,speed_kHz,polarity,phase]
- index … optional index of SPI peripheral. Example: “spi1” (default=0)
- port … bridge GPIO port used as SPI SSEL (default=0)
- pin … bridge GPIO pin used as SPI SSEL; default SSEL is set to 0.15 which works for the LPCLink2 bridge. The MCULink OB bridge ignores the SSEL value anyway. (default=15)
- speed_kHz … SPI clock in kHz (default 1000)
- polarity … SPI CPOL option (default=1)
- phase … SPI CPHA option (default=1)
i2c[index][,address,speed_kHz]
- index … optional index of I2C peripheral. Example: “i2c1” (default=0)
- address … I2C device address (default 0x10)
- speed_kHz … I2C clock in kHz (default 100)
- -b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed]>#
Buspal settings.
- -t, --timeout <ms>#
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
- -f, --family <family>#
Required. Select the chip family.
- Options:
lpc55s3x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | rw61x
- -k, --key <key>#
Customer Master Key Symmetric Key (CUST_MK_SK) secret file (32-byte binary file). CUST_MK_SK is a 256-bit pre-shared AES key that is provisioned by the OEM and known by the OEM. It is used to derive FW image encryption keys.
- -i, --oem-share-input <oem_share_input>#
OEM share input file used as a seed to randomize the provisioning process (16-byte binary file).
- -w, --workspace <workspace>#
Workspace folder for storing temporary files that can be used for later review.
- -ir, --initial-reset, -IR, --no-init-reset#
Reset device BEFORE DevHSM operation. The DevHSM operation can run only once between resets. Do not enable this option on Linux/Mac when using USB. By default this reset is DISABLED.
- -fr, --final-reset, -FR, --no-final-reset#
Reset device AFTER DevHSM operation. This reset is required if you need to use the device after DevHSM operation for other security related operations (e.g. receive-sb-file). By default this reset is ENABLED.
- -ba, --buffer-address <buffer_address>#
Override the communication buffer base address. The default address is family-specific.
- -o, --output <output>#
Path to the file where the output is stored.
- -c, --config <config>#
Path to the YAML/JSON configuration file.
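The size requirements of `--key` (32 bytes) and `--oem-share-input` (16 bytes) can be verified on the host before the DevHSM operation is started. The script below is an added example, not part of the nxpdevhsm documentation: it creates both files with owner-only permissions, checks their size and mode, and prints the matching `nxpdevhsm generate` command. The helper function names, the file names, the `DEVHSM_PORT` variable, the `COM3` port and the use of `/dev/urandom` as the random source are assumptions.

```shell
#!/bin/sh
# Added example: prepare and check the secret inputs of `nxpdevhsm generate`.
# File names and the COM3 port are constructed placeholders.

# Create a file of exactly <nbytes> random bytes, accessible to the owner only.
make_secret() {  # usage: make_secret <path> <nbytes>
    ( umask 077 && head -c "$2" /dev/urandom > "$1" && chmod 600 "$1" )
}

# Succeed only if the file exists, has the expected size and grants
# no permissions to group or others.
check_secret() {  # usage: check_secret <path> <expected_bytes>
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$2" ] || { echo "$1: $size bytes, expected $2" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *) echo "$1: mode $mode is open to group/others" >&2; return 1 ;;
    esac
}

# Print the generate command only when both inputs pass the checks.
devhsm_command() {  # usage: devhsm_command <family> <key> <oem_share> <output>
    check_secret "$2" 32 || return 1   # -k: CUST_MK_SK, 32-byte binary file
    check_secret "$3" 16 || return 1   # -i: OEM share input, 16-byte binary file
    echo "nxpdevhsm generate -p ${DEVHSM_PORT:-COM3} -f $1 -k $2 -i $3 -o $4"
}

# Demo in a scratch directory; nothing is sent to a device.
demo_dir=$(mktemp -d)
make_secret "$demo_dir/cust_mk_sk.bin" 32
make_secret "$demo_dir/oem_share.bin" 16
devhsm_command mcxn9xx "$demo_dir/cust_mk_sk.bin" "$demo_dir/oem_share.bin" provisioning.sb3
rm -rf "$demo_dir"
```

Because CUST_MK_SK is used to derive the FW image encryption keys, the same check is worth running on a key file that was produced elsewhere and copied to the provisioning host.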
get-template#
Create a configuration template in YAML format.
The template file name is specified as an argument of this command.
nxpdevhsm get-template [OPTIONS]
Options
- -f, --family <family>#
Required. Select the chip family.
- Options:
lpc55s3x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | rw61x
- -o, --output <output>#
Required. Path to the file where the output is stored.
- --force#
Force overwriting of existing files.