How to create a Certificate Block v1

This notebook describes the procedure for creating a certificate block v1 using SPSDK (Secure Provisioning SDK). It provides a step-by-step guide on how to generate and structure the certificate block, which is crucial for secure boot processes and firmware signing in embedded systems. The notebook demonstrates the practical application of SPSDK tools to create a standardized and secure certificate block format.

For more detailed information about the certificate block format, you can refer to the following file:

Certificate blocks specification

This resource contains a comprehensive description of the certificate block format and its specifications.

Procedure of creating a certificate block v1 in SPSDK

  1. Optionally generate a configuration template file as a starting point

    nxpimage cert-block get-template -f mimxrt595s -o .\workspace\cert_block_rt5xx.yaml --force

  2. Create a configuration file (modify the already created template or use one from another project)

  3. Export the certificate block binary

1. Prerequisites

  • SPSDK with the examples extension is required: pip install spsdk[examples] (please refer to the installation documentation).

  • X.509 certificates for the project must already be generated as per the requirements (refer to the Certificates in SPSDK documentation). In our scenario we will use the already prepared X.509 certificates from the example folder: ../_data/keys/rsa2048

Let’s also prepare the workspace and variables.

# Initialization cell
from spsdk.utils.jupyter_utils import YamlDiffWidget

# This env variable sets colored logger output to STDOUT
%env JUPYTER_SPSDK=1
# Set a magic for command execution and echo
%alias execute echo %l && %l
%alias_magic ! execute

env: JUPYTER_SPSDK=1
Created `%!` as an alias for `%execute`.

2. Prepare the certificate block configuration file

As a starting point, the template file was generated and then modified to satisfy our requirements.

# Get Explanation of our configuration file changes
YamlDiffWidget("./inputs/cert_block_v1.diffc").html

nxpimage cert-block get-template -f mimxrt595s -o ./workspace/cert_block_v1_template.yaml --force
Creating workspace/cert_block_v1_template.yaml template file.

Configuration Differences

3. Export final certificate block binary

To get more information about the export command, read its help: nxpimage cert-block export --help

Once we have the certificate block configuration file, we can export the certificate block binary using the following command:

%! nxpimage cert-block export -f mimxrt595s -c ./inputs/cert_block_v1_cfg.yaml

nxpimage cert-block export -f mimxrt595s -c ./inputs/cert_block_v1_cfg.yaml
RKTH: 44b45886d6ec1194a87ccc7d767e74c9191049ad2f2b26bd1578e011a4fdd038
Success. (Certificate Block: workspace/cert_block_v1.bin created.)
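
The RKTH printed by the export step can be cross-checked against the exported binary before release. The following is an added example, not part of the original notebook and not SPSDK code. It assumes the certificate block v1 layout from the specification referenced above (a 32-byte header starting with "cert", a length-prefixed certificate table, then four SHA-256 root key hashes) and that the RKTH is the SHA-256 of that table. The sample block is constructed, and all function names and the pinned value are hypothetical.

```python
import hashlib
import re
import struct

# Assumed v1 header (32 bytes, little-endian): signature, version major/minor,
# header length, flags, build number, image length, cert count, cert table length.
HEADER_FMT = "<4s2H6I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
RKH_TABLE_SIZE = 4 * 32  # assumed: four SHA-256 root key hashes after the cert table

def rkth_from_tool_output(output: str) -> str:
    """Extract the RKTH from nxpimage output (line format as shown on this page)."""
    match = re.search(r"^RKTH:\s*([0-9a-fA-F]{64})\s*$", output, re.MULTILINE)
    if match is None:
        raise ValueError("no 64-hex-digit RKTH line in tool output")
    return match.group(1).lower()

def rkth_from_cert_block(blob: bytes) -> str:
    """Recompute the RKTH as SHA-256 over the root key hash table in the block."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated certificate block header")
    fields = struct.unpack_from(HEADER_FMT, blob)
    signature, major, header_len, cert_table_len = fields[0], fields[1], fields[3], fields[8]
    if signature != b"cert" or major != 1 or header_len < HEADER_SIZE:
        raise ValueError("not a certificate block v1 header")
    start = header_len + cert_table_len
    table = blob[start:start + RKH_TABLE_SIZE]
    if len(table) != RKH_TABLE_SIZE:
        raise ValueError("truncated root key hash table")
    return hashlib.sha256(table).hexdigest()

def constructed_block() -> bytes:
    """Constructed sample: placeholder certificate entry and made-up root key hashes."""
    cert_table = struct.pack("<I", 8) + b"FAKECERT"  # length-prefixed, not real DER
    rkhs = b"".join(hashlib.sha256(b"root-key-%d" % i).digest() for i in range(4))
    header = struct.pack(HEADER_FMT, b"cert", 1, 0, HEADER_SIZE, 0, 0, 0, 1, len(cert_table))
    return header + cert_table + rkhs

def release_check(blob: bytes, tool_output: str, pinned_rkth: str) -> bool:
    """True only if the binary, the tool output and the pinned value agree."""
    from_binary = rkth_from_cert_block(blob)
    return from_binary == rkth_from_tool_output(tool_output) == pinned_rkth.lower()

if __name__ == "__main__":
    blob = constructed_block()
    rkth = rkth_from_cert_block(blob)
    print("recomputed RKTH:", rkth)
    print("release ok:", release_check(blob, f"RKTH: {rkth}\nSuccess.", rkth))
```

A mismatch between the three values means the root certificates or their order changed since the RKTH was pinned, and should stop the release.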