This notebook describes the procedure for creating a certificate block v2.1 using SPSDK (Secure Provisioning SDK). It provides a step-by-step guide on how to generate and structure the certificate block, which is crucial for secure boot processes and firmware signing in embedded systems. The notebook demonstrates the practical application of SPSDK tools to create a standardized and secure certificate block format.
For more detailed information about the certificate block format, you can refer to the following file:
SPSDK is needed with examples extension. pipinstallspsdk[examples] (Please refer to the installation documentation.)
Have already generated keys for the project as per the requirements. (Refer to the How to create keys in SPSDK NXPCRYPTO documentation.)
In our scenario we will use already prepared keys from example folder ECC256 prepared keys: ../_data/keys/ecc256
Let’s prepare also workspace and variables.
# Initialization cellfromspsdk.utils.jupyter_utilsimportYamlDiffWidget# This env variable sets colored logger output to STDOUT%env JUPYTER_SPSDK=1
# Set a magic for command execution and echo%alias execute echo %l && %l
%alias_magic ! execute
env: JUPYTER_SPSDK=1
Created `%!` as an alias for `%execute`.
2. Prepare the certificate block configuration file#
As a staring point the template file has been got and modify to satisfy our requirements.
# ====================================================================================================================== # == ISK (Image signing key) Certificate Settings == # ====================================================================================================================== # ---------------------------------------===== MCU family name. [Required] =====---------------------------------------- # Description: MCU family name. family: lpc55s36 # ------------------------------===== Use ISK for signature certification [Required] =====------------------------------ # Description: Enable ISK type of signature certification. useIsk: falseIs set to false because ISK is not used in this example # ---------------------------------===== ISK public key [Conditionally required] =====---------------------------------- # Description: Path to ISK public key. iskPublicKey: sign_cert.pubIs removed because ISK is not used in this certificates # ----------------------------------===== ISK certificate constraint [Optional] =====----------------------------------- # Description: Constraint is certificate version, compared with monotonic counter in fuses. iskCertificateConstraint: 0Is removed because ISK is not used in this certificates # -----------------------------------===== ISK certificate user data [Optional] =====----------------------------------- # Description: Path to user data. iskCertData: user_cert_data.binIs removed because ISK is not used in this certificates # -----------------------===== Main root Certification Private Key [Conditionally required] =====----------------------- # Description: Path to Main root Certification Private Key. signPrivateKey: ../../_data/keys/ecc256/srk0_ecc256.pem signPrivateKey: main_cert_prv_key.pemPath to private key file for signing the certificate block # -------------------------------===== Signature Provider [Conditionally required] =====-------------------------------- # Description: Signature provider configuration in format 'type=;=;='. signProvider: type=file;file_path=root_prv_key.pemIs removed because we are using the private key directly # ====================================================================================================================== # == Root Keys Settings == # ====================================================================================================================== # -----------------------------===== Root Certificate File 0 [Conditionally required] =====----------------------------- # Description: Root certificate file index 0. rootCertificate0File: my_certificate0.pubChange to existing path of Root of Trust key rootCertificate0File: ../../_data/keys/ecc256/srk0_ecc256.pub # ------------------------------------===== Root Certificate File 1 [Optional] =====------------------------------------ # Description: Root certificate file index 1. rootCertificate1File: my_certificate1.pubChange to existing path of Root of Trust key rootCertificate1File: ../../_data/keys/ecc256/srk1_ecc256.pub # ------------------------------------===== Root Certificate File 2 [Optional] =====------------------------------------ # Description: Root certificate file index 2. rootCertificate2File: my_certificate2.pubChange to existing path of Root of Trust key rootCertificate2File: ../../_data/keys/ecc256/srk2_ecc256.pub # ------------------------------------===== Root Certificate File 3 [Optional] =====------------------------------------ # Description: Root certificate file index 3. rootCertificate3File: my_certificate3.pubChange to existing path of Root of Trust key rootCertificate3File: ../../_data/keys/ecc256/srk3_ecc256.pub # -----------------------------===== Main Certificate Index [Conditionally required] =====------------------------------ # Description: Index of certificate that is used as a main. If not defined, the certificate matching private key will be # selected. mainRootCertId: 0As good example we set the main root index of RoT to 0 # ====================================================================================================================== # == Basic Settings == # ====================================================================================================================== # --------------------------------------===== cert block filename [Required] =====-------------------------------------- # Description: Generated cert block filename. containerOutputFile: cert_block.binModify the output path to our example needs. For output files in SPSDK workspace relative paths are
always relative to configuration file location. containerOutputFile: ../workspace/cert_block_v2_1.bin
# ====================================================================================================================== # == ISK (Image signing key) Certificate Settings == # ====================================================================================================================== # ---------------------------------------===== MCU family name. [Required] =====---------------------------------------- # Description: MCU family name. family: lpc55s36 # ------------------------------===== Use ISK for signature certification [Required] =====------------------------------ # Description: Enable ISK type of signature certification. useIsk: falseIs set to false because ISK is not used in this example # -----------------------===== Main root Certification Private Key [Conditionally required] =====----------------------- # Description: Path to Main root Certification Private Key. signPrivateKey: ../../_data/keys/ecc256/srk0_ecc256.pemPath to private key file for signing the certificate block # ====================================================================================================================== # == Root Keys Settings == # ====================================================================================================================== # -----------------------------===== Root Certificate File 0 [Conditionally required] =====----------------------------- # Description: Root certificate file index 0. rootCertificate0File: ../../_data/keys/ecc256/srk0_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 1 [Optional] =====------------------------------------ # Description: Root certificate file index 1. rootCertificate1File: ../../_data/keys/ecc256/srk1_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 2 [Optional] =====------------------------------------ # Description: Root certificate file index 2. rootCertificate2File: ../../_data/keys/ecc256/srk2_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 3 [Optional] =====------------------------------------ # Description: Root certificate file index 3. rootCertificate3File: ../../_data/keys/ecc256/srk3_ecc256.pubChange to existing path of Root of Trust key # -----------------------------===== Main Certificate Index [Conditionally required] =====------------------------------ # Description: Index of certificate that is used as a main. If not defined, the certificate matching private key will be # selected. mainRootCertId: 0As good example we set the main root index of RoT to 0 # ====================================================================================================================== # == Basic Settings == # ====================================================================================================================== # --------------------------------------===== cert block filename [Required] =====-------------------------------------- # Description: Generated cert block filename. containerOutputFile: ../workspace/cert_block_v2_1.binModify the output path to our example needs. For output files in SPSDK workspace
relative paths are always relative to configuration file location.
# ====================================================================================================================== # == ISK (Image signing key) Certificate Settings == # ====================================================================================================================== # ---------------------------------------===== MCU family name. [Required] =====---------------------------------------- # Description: MCU family name. family: lpc55s36 # ------------------------------===== Use ISK for signature certification [Required] =====------------------------------ # Description: Enable ISK type of signature certification. useIsk: falseIs set to false because ISK is not used in this example # ---------------------------------===== ISK public key [Conditionally required] =====---------------------------------- # Description: Path to ISK public key. iskPublicKey: sign_cert.pubIs removed because ISK is not used in this certificates # ----------------------------------===== ISK certificate constraint [Optional] =====----------------------------------- # Description: Constraint is certificate version, compared with monotonic counter in fuses. iskCertificateConstraint: 0Is removed because ISK is not used in this certificates # -----------------------------------===== ISK certificate user data [Optional] =====----------------------------------- # Description: Path to user data. iskCertData: user_cert_data.binIs removed because ISK is not used in this certificates # -----------------------===== Main root Certification Private Key [Conditionally required] =====----------------------- # Description: Path to Main root Certification Private Key. signPrivateKey: ../../_data/keys/ecc256/srk0_ecc256.pem signPrivateKey: main_cert_prv_key.pemPath to private key file for signing the certificate block # -------------------------------===== Signature Provider [Conditionally required] =====-------------------------------- # Description: Signature provider configuration in format 'type=;=;='. signProvider: type=file;file_path=root_prv_key.pemIs removed because we are using the private key directly # ====================================================================================================================== # == Root Keys Settings == # ====================================================================================================================== # -----------------------------===== Root Certificate File 0 [Conditionally required] =====----------------------------- # Description: Root certificate file index 0. rootCertificate0File: my_certificate0.pubChange to existing path of Root of Trust key rootCertificate0File: ../../_data/keys/ecc256/srk0_ecc256.pub # ------------------------------------===== Root Certificate File 1 [Optional] =====------------------------------------ # Description: Root certificate file index 1. rootCertificate1File: my_certificate1.pubChange to existing path of Root of Trust key rootCertificate1File: ../../_data/keys/ecc256/srk1_ecc256.pub # ------------------------------------===== Root Certificate File 2 [Optional] =====------------------------------------ # Description: Root certificate file index 2. rootCertificate2File: my_certificate2.pubChange to existing path of Root of Trust key rootCertificate2File: ../../_data/keys/ecc256/srk2_ecc256.pub # ------------------------------------===== Root Certificate File 3 [Optional] =====------------------------------------ # Description: Root certificate file index 3. rootCertificate3File: my_certificate3.pubChange to existing path of Root of Trust key rootCertificate3File: ../../_data/keys/ecc256/srk3_ecc256.pub # -----------------------------===== Main Certificate Index [Conditionally required] =====------------------------------ # Description: Index of certificate that is used as a main. If not defined, the certificate matching private key will be # selected. mainRootCertId: 0As good example we set the main root index of RoT to 0 # ====================================================================================================================== # == Basic Settings == # ====================================================================================================================== # --------------------------------------===== cert block filename [Required] =====-------------------------------------- # Description: Generated cert block filename. containerOutputFile: cert_block.binModify the output path to our example needs. For output files in SPSDK workspace relative paths are
always relative to configuration file location. containerOutputFile: ../workspace/cert_block_v2_1.bin
# ====================================================================================================================== # == ISK (Image signing key) Certificate Settings == # ====================================================================================================================== # ---------------------------------------===== MCU family name. [Required] =====---------------------------------------- # Description: MCU family name. family: lpc55s36 # ------------------------------===== Use ISK for signature certification [Required] =====------------------------------ # Description: Enable ISK type of signature certification. useIsk: falseIs set to false because ISK is not used in this example # -----------------------===== Main root Certification Private Key [Conditionally required] =====----------------------- # Description: Path to Main root Certification Private Key. signPrivateKey: ../../_data/keys/ecc256/srk0_ecc256.pemPath to private key file for signing the certificate block # ====================================================================================================================== # == Root Keys Settings == # ====================================================================================================================== # -----------------------------===== Root Certificate File 0 [Conditionally required] =====----------------------------- # Description: Root certificate file index 0. rootCertificate0File: ../../_data/keys/ecc256/srk0_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 1 [Optional] =====------------------------------------ # Description: Root certificate file index 1. rootCertificate1File: ../../_data/keys/ecc256/srk1_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 2 [Optional] =====------------------------------------ # Description: Root certificate file index 2. rootCertificate2File: ../../_data/keys/ecc256/srk2_ecc256.pubChange to existing path of Root of Trust key # ------------------------------------===== Root Certificate File 3 [Optional] =====------------------------------------ # Description: Root certificate file index 3. rootCertificate3File: ../../_data/keys/ecc256/srk3_ecc256.pubChange to existing path of Root of Trust key # -----------------------------===== Main Certificate Index [Conditionally required] =====------------------------------ # Description: Index of certificate that is used as a main. If not defined, the certificate matching private key will be # selected. mainRootCertId: 0As good example we set the main root index of RoT to 0 # ====================================================================================================================== # == Basic Settings == # ====================================================================================================================== # --------------------------------------===== cert block filename [Required] =====-------------------------------------- # Description: Generated cert block filename. containerOutputFile: ../workspace/cert_block_v2_1.binModify the output path to our example needs. For output files in SPSDK workspace
relative paths are always relative to configuration file location.