Ctrl+K

User Guide - nxpdevhsm

User Guide - nxpdevhsm#

This user’s guide describes how to interface with the MCU bootloader to provisioned chip using nxpdevhsm application.

The nxpdevhsm application is a command-line utility used on the host computer to use device HSM process to get provisioning SB3.

Communication#

The nxpdevhsm application is using blhost application and all supported communication interfaces that blhost offers(UART, USB, LPCUSBSIO[IC, SPI])

blhost - USB#

blhost could be connected to MCU Bootloader over USB HID.

USB device identification in SPSDK

blhost - UART#

blhost could be connected to MCU bootloader over UART.

UART device identification in SPSDK

blhost - LPCUSBSIO#

LPCUSBSIO - LPC USB Serial I/O(LPCUSBSIO), a firmware built in LPC Link2. The LPCUSBSIO acts as a bus translator, and establishes connection with blhost over USB-HID, and the MCU bootloader device over I2C and SPI.

Note

For more information about supported communication interface check the blhost application documentation.

Command line interface#

nxpdevhsm#

Nxpdevhsm application is designed to create SB3 provisioning file for initial provisioning of device by OEM.

nxpdevhsm [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose#

Print more detailed information

-vv, --debug#

Display more debugging information.

--version#

Show the version and exit.

--help#

Show this message and exit.

generate#

Generate provisioning SB file.

nxpdevhsm generate [OPTIONS]

Options

-p, --port <COM[,speed>#

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-u, --usb <VID:PID|USB_PATH|DEV_NAME>#

USB device identifier.

Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name.
<vid>: hex or dec string; e.g. 0x0AB12, 43794.
<vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451.
Use ‘nxpdevscan’ utility to list connected device names.
-sd, --sdio <SDIO_PATH|DEV_NAME>#

SDIO device identifier.

Following formats are supported: device/instance path, device name.
device/instance path: device string; e.g. /dev/mcu-sdio.
Use ‘nxpdevscan’ utility to list connected device names.
-l, --lpcusbsio <usb,VID:PID|USB_PATH|SER_NUM,]spi|i2c>#

USB-SIO bridge interface.

Optional USB device filtering formats: [usb,vid:pid|usb_path|serial_number]

Following serial interfaces are supported:

spi[index][,port,pin,speed_kHz,polarity,phase]
- index … optional index of SPI peripheral. Example: “spi1” (default=0)
- port … bridge GPIO port used as SPI SSEL(default=0)
- pin … bridge GPIO pin used as SPI SSEL
default SSEL is set to 0.15 which works
for the LPCLink2 bridge. The MCULink OB
bridge ignores the SSEL value anyway.(default=15)
- speed_kHz … SPI clock in kHz (default 1000)
- polarity … SPI CPOL option (default=1)
- phase … SPI CPHA option (default=1)
i2c[index][,address,speed_kHz]
- index … optional index of I2C peripheral. Example: “i2c1” (default=0)
- address … I2C device address (default 0x10)
- speed_kHz … I2C clock in kHz (default 100)
-b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed>#

Buspal settings

-t, --timeout <ms>#

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>#

Required Select the chip family.

Options:

lpc55s3x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | rw61x

-k, --key <key>#

Customer Master Key Symmetric Key secret file (32-bytes long binary file). CUST_MK_SK (provisioned by OEM, known by OEM). This is a 256-bit pre-shared AES key provisioned by OEM. CUST_MK_SK is used to derive FW image encryption keys.

-i, --oem-share-input <oem_share_input>#

OEM share input file to use as a seed to randomize the provisioning process (16-bytes long binary file).

-w, --workspace <workspace>#

Workspace folder to store temporary files, that could be used for future review.

-ir, --initial-reset, -IR, --no-init-reset#

Reset device BEFORE DevHSM operation. The DevHSM operation can run only once between resets. Do not enable this option on Linux/Mac when using USB. By default this reset is DISABLED.

-fr, --final-reset, -FR, --no-final-reset#

Reset device AFTER DevHSM operation. This reset is required if you need to use the device after DevHSM operation for other security related operations (e.g. receive-sb-file). By default this reset is ENABLED.

-ba, --buffer-address <buffer_address>#

Override the communication buffer base address. The default address is family-specific.

-o, --output <output>#

Path to a file, where to store the output.

-c, --config <config>#

Path to the YAML/JSON configuration file.

get-template#

Create template of configuration in YAML format.

The template file name is specified as argument of this command.

nxpdevhsm get-template [OPTIONS]

Options

-f, --family <family>#

Required Select the chip family.

Options:

lpc55s3x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | rw61x

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

Contents