User Guide - nxpdice

This user's guide describes how to use the nxpdice application.

nxpdice serves only as a demo application. It shows how DICE works and can be useful when creating a real-life DICE infrastructure. For the purposes of the nxpdice application, the target runs a special firmware which allows communication with a PC via the MBoot protocol. The app also supports running a model of a device. Please refer to the LPC55s3x DICE Notebook.

Command line interface

nxpdice

Application designed to cover DICE-related operations.

nxpdice [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose

Print more detailed information.

-vv, --debug

Display more debugging information.

--version

Show the version and exit.

--help

Show this message and exit.

add-device

Add virtual device to the models_dir.

nxpdice add-device [OPTIONS]

Options

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-n, --name <name>

Required. Name for the device.

create-models

Create models directory for debugging purposes.

nxpdice create-models [OPTIONS]

Options

-md, --models-dir <models_dir>

Path to the directory in which to create the models directory for debugging purposes.

-n, --number <number>

Required. Number of virtual devices to create for debugging purposes.

-p, --prefix <prefix>

Prefix for device model names. The device number will be appended to the prefix.

get-ca-puk

Get NXP_CUST_DICE_CA_PUK from the device.

nxpdice get-ca-puk [OPTIONS]

Options

-p, --port <COM[,speed]>

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>

Select the chip family.

Options:

lpc55s36 | mcxn546 | mcxn547 | mcxn946 | mcxn947

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-o, --output <output>

Required. Path where to store the NXP_CUST_DICE_CA_PUK.

-r, --rkth <rkth>

Required. HEX value of RKTH.

get-families

Shows the full family info for commands in this group.

nxpdice get-families [OPTIONS]

Options

-c, --cmd-name <cmd_name>

Choose the command name to get full information about NXP families support.

Options:

register-ca-puk | get-ca-puk | register-version | verify | get-response

get-response

Get DICE response from the device.

nxpdice get-response [OPTIONS]

Options

-p, --port <COM[,speed]>

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>

Select the chip family.

Options:

lpc55s36 | mcxn546 | mcxn547 | mcxn946 | mcxn947

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-r, --response <response>

Required. Path where to store the DICE response.

-c, --challenge <challenge>

Optional challenge. If not specified, a random challenge will be used.

register-ca-puk

Get NXP_CUST_DICE_CA_PUK from the device and register it in the verification service.

nxpdice register-ca-puk [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-p, --port <COM[,speed]>

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>

Select the chip family.

Options:

lpc55s36 | mcxn546 | mcxn547 | mcxn946 | mcxn947

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-r, --rkth <rkth>

Required. HEX value of RKTH.

-s, --store-artifact <store_artifact>

Path where to store artifact (data) generated by the command.

register-version

Register new FW version, RTF, and HAD based on DICE response.

nxpdice register-version [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-p, --port <COM[,speed]>

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>

Select the chip family.

Options:

lpc55s36 | mcxn546 | mcxn547 | mcxn946 | mcxn947

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-s, --store-artifact <store_artifact>

Path where to store artifact (data) generated by the command.

upload-ca-puk

Upload existing NXP_CUST_DICE_CA_PUK into the verification service.

nxpdice upload-ca-puk [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-c, --ca-puk <ca_puk>

Required. Path to binary file containing NXP_CUST_DICE_CA_PUK key.

upload-response

Upload existing DICE response for verification.

nxpdice upload-response [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-r, --response <response_file>

Required. Path to binary file containing the DICE response.

upload-version

Upload existing DICE response to register new FW version, RTF, and HAD.

nxpdice upload-version [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-r, --response <response_file>

Path to DICE response binary. Info in response will be used to register new version.

verify

Perform the DICE attestation verification.

nxpdice verify [OPTIONS]

Options

-su, --service-url <service_url>

DICE verification service URL. Example: http://localhost:8080

-db, --database <database>

Path to local database instead of service-url.

-p, --port <COM[,speed]>

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-t, --timeout <ms>

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-f, --family <family>

Select the chip family.

Options:

lpc55s36 | mcxn546 | mcxn547 | mcxn946 | mcxn947

-md, --models-dir <models_dir>

Path to folder with MCU model files. When using models, the --port option is used as the sub-folder name in models-dir.

-s, --store-artifact <store_artifact>

Path where to store artifact (data) generated by the command.
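
The register-ca-puk, register-version and verify commands above combine into an enrol-then-attest sequence. The script below is an added example, not part of the nxpdice documentation or code: the step order, the DB/PORT values, the DRY_RUN switch and the helper names valid_rkth, step and dice_enrol_and_verify are assumptions, and the even-length RKTH check is an added sanity check.

```shell
#!/bin/sh
# Added example: enrol a device in a local verification database, then attest
# it, using only options documented on this page.
# Assumed (not from the page): step order, sample values, helper names.

DB="${DB:-./dice_demo.db}"      # constructed path, passed to -db instead of -su
PORT="${PORT:-COM3}"            # constructed sample serial port
FAMILY="${FAMILY:-lpc55s36}"    # one of the families listed for -f
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands, 0 = execute them

# -r/--rkth takes a HEX value: reject empty or non-hex input before it is
# passed on. Requiring whole bytes (even digit count) is an added assumption.
valid_rkth() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Print the command in dry-run mode, otherwise run it and keep its status.
step() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

dice_enrol_and_verify() {
    rkth="$1"
    valid_rkth "$rkth" || { echo "RKTH is not a hex string" >&2; return 2; }
    # 1. Read NXP_CUST_DICE_CA_PUK from the device and register it.
    step nxpdice register-ca-puk -db "$DB" -p "$PORT" -f "$FAMILY" -r "$rkth" || return 1
    # 2. Register the FW version, RTF and HAD taken from a DICE response.
    step nxpdice register-version -db "$DB" -p "$PORT" -f "$FAMILY" || return 1
    # 3. Attest the device; the caller sees the exit status of this step.
    step nxpdice verify -db "$DB" -p "$PORT" -f "$FAMILY"
}
```

Source the file and call dice_enrol_and_verify with the RKTH hex string; with DRY_RUN=1 it only prints the three command lines so they can be reviewed before running against a device.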