How to create a Certificate Block v2.1

This notebook describes the procedure for creating a certificate block v2.1 using SPSDK (Secure Provisioning SDK). It provides a step-by-step guide on how to generate and structure the certificate block, which is crucial for secure boot processes and firmware signing in embedded systems. The notebook demonstrates the practical application of SPSDK tools to create a standardized and secure certificate block format.

For more detailed information about the certificate block format, you can refer to the following file:

Certificate blocks specification

This resource contains a comprehensive description of the certificate block format and its specifications.

Procedure for creating a certificate block v2.1 in SPSDK

  1. Optionally generate a configuration template file as a starting point

    nxpimage cert-block get-template -f lpc55s36 -o .\workspace\cert_block_lpc55s36.yaml --force

  2. Create a configuration file (modify the generated template or reuse one from another project)

  3. Export the certificate block binary

There are two main ways to export a certificate block, and an example is provided for each:

  • Without ISK certificate

  • With ISK certificate

1. Prerequisites

  • SPSDK with the examples extension is required: pip install spsdk[examples] (please refer to the installation documentation).

  • Keys for the project must already be generated as per the requirements (refer to the How to create keys in SPSDK NXPCRYPTO documentation). In our scenario we will use the prepared ECC256 keys from the example folder: ../_data/keys/ecc256

Let’s also prepare the workspace and variables.

# Initialization cell
from spsdk.utils.jupyter_utils import YamlDiffWidget

# This env variable sets colored logger output to STDOUT
%env JUPYTER_SPSDK=1
# Set a magic for command execution and echo
%alias execute echo %l && %l
%alias_magic ! execute
env: JUPYTER_SPSDK=1
Created `%!` as an alias for `%execute`.

2. Prepare the certificate block configuration file

As a starting point, the template file was generated and then modified to satisfy our requirements.

2.1 Without ISK

Example configuration without an ISK certificate.

# Get Explanation of our configuration file changes
YamlDiffWidget("./inputs/cert_block_v2_1.diffc").html
nxpimage cert-block get-template -f lpc55s36 -o ./workspace/cert_block_v2_1_template.yaml --force
Creating workspace/cert_block_v2_1_template.yaml template file.

Configuration Differences

2.2 With ISK

Example configuration with an ISK certificate.

# Get Explanation of our configuration file changes
YamlDiffWidget("./inputs/cert_block_v2_1_isk.diffc").html
nxpimage cert-block get-template -f lpc55s36 -o ./workspace/cert_block_v2_1_template.yaml --force
Creating workspace/cert_block_v2_1_template.yaml template file.

Configuration Differences

3. Export final certificate block binary

For more information about the export command, read its help: nxpimage cert-block export --help

3.1 Without ISK

Once we have the certificate block configuration file, we can export the certificate block binary using the following command:
%! nxpimage cert-block export -f lpc55s36 -c ./inputs/cert_block_v2_1_cfg.yaml
nxpimage cert-block export -f lpc55s36 -c ./inputs/cert_block_v2_1_cfg.yaml
RKTH: e2cca7cf09a45d2f1942969fda1c68ecaad78fad416d143292dad2f618291ddd
Success. (Certificate Block: workspace/cert_block_v2_1.bin created.)

3.2 With ISK

Once we have the certificate block configuration file, we can export the certificate block binary using the following command:
%! nxpimage cert-block export -f lpc55s36 -c ./inputs/cert_block_v2_1_isk_cfg.yaml
nxpimage cert-block export -f lpc55s36 -c ./inputs/cert_block_v2_1_isk_cfg.yaml
RKTH: e2cca7cf09a45d2f1942969fda1c68ecaad78fad416d143292dad2f618291ddd
Success. (Certificate Block: workspace/cert_block_v2_1.bin created.)
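
A check that a release pipeline can run on the export output shown in sections 3.1 and 3.2, as an added example that is not part of the original notebook or of SPSDK: it extracts the printed RKTH and compares it with a pinned value, so a changed set of root keys is caught before anything is provisioned. The function names, the pinned-value convention, the ANSI stripping and the 96-digit allowance are assumptions; the sample output is copied from this page.

```python
import hmac
import re

# Output format as printed on this page: "RKTH: <hex digest>" plus a "Success." line.
# 64 hex digits matches the page; 96 is allowed as an assumption for longer digests.
RKTH_LINE = re.compile(r"^RKTH:\s*([0-9a-fA-F]{64}(?:[0-9a-fA-F]{32})?)\s*$", re.MULTILINE)
# Assumption: colored output (JUPYTER_SPSDK=1) may wrap lines in ANSI escapes.
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")

# Sample input: the export output from section 3.1 of this page.
SAMPLE_OUTPUT = """\
nxpimage cert-block export -f lpc55s36 -c ./inputs/cert_block_v2_1_cfg.yaml
RKTH: e2cca7cf09a45d2f1942969fda1c68ecaad78fad416d143292dad2f618291ddd
Success. (Certificate Block: workspace/cert_block_v2_1.bin created.)
"""

# Assumption: the project keeps its expected RKTH under version control.
# Here it is simply the value printed on this page.
PINNED_RKTH = "e2cca7cf09a45d2f1942969fda1c68ecaad78fad416d143292dad2f618291ddd"


def extract_rkth(output: str) -> str:
    """Return the single RKTH printed by a successful export run, lower-cased."""
    clean = ANSI_ESCAPE.sub("", output)
    found = {value.lower() for value in RKTH_LINE.findall(clean)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one RKTH value, found {len(found)}")
    if "Success." not in clean:
        raise ValueError("export did not report success")
    return found.pop()


def rkth_matches(output: str, pinned: str = PINNED_RKTH) -> bool:
    """True only when the exported RKTH equals the pinned value."""
    return hmac.compare_digest(extract_rkth(output), pinned.strip().lower())


def all_exports_match(outputs: list[str], pinned: str = PINNED_RKTH) -> bool:
    """Check several export runs (e.g. without and with ISK) against one pin."""
    return all(rkth_matches(out, pinned) for out in outputs)


if __name__ == "__main__":
    print("RKTH matches pin:", rkth_matches(SAMPLE_OUTPUT))
```

Both exports on this page print the same RKTH, so one pinned value covers the configuration without ISK and the one with ISK.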