AHAB#
AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage how the output should look like.
Example of use for export
nxpimage ahab export -c "path\to\config\file.yaml"
Example of use for parse binary AHAB container
nxpimage ahab parse -b "my_ahab_container.bin" -o "path\to_parsed_data"
The full AHAB configuration template could be generated by nxpimage tool “get_template” sub-command for family that supports AHAB, example:
nxpimage ahab get-template -f rt118x -o ahab_template_rt118x.yaml
AHAB Extensions#
Since SPSDK version 2.2.0, support for AHAB extensions have been added. This allows the user to create the standard images like U-Boot for example in the similar manner as with the imx-mkimage tool, without knowing the details of the AHAB format.
Supported configuration options#
AHABImage for mx8ulp#
AHABImage for mx8ulp JSON schema
AHABImage for mx8ulp YAML configuration template
# ======================================== AHAB template AHABImage for mx8ulp ========================================
# ======================================================================================================================
# == AHABImage for mx8ulp ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, ele, provisioning_image, dek_validation_fcb_chk>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, cortex-a53, ele, hdmi-tx, hdmi-rx, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image. All images in the container must have the same HASH type.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
# key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, sm2. Certificate may be of Certificate
# Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mx93#
AHABImage for mx93 JSON schema
AHABImage for mx93 YAML configuration template
# ========================================= AHAB template AHABImage for mx93 =========================================
# ======================================================================================================================
# == AHABImage for mx93 ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 4 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# =============== [Example of possible configuration: #3 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, ele, provisioning_image, provisioning_data, v2x_primary, v2x_secondary,
# v2x_rom_patch, v2x_dummy>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image. All images in the container must have the same HASH type.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
# key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, sm2. Certificate may be of Certificate
# Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for rt118x#
AHABImage for rt118x JSON schema
AHABImage for rt118x YAML configuration template
# ======================================== AHAB template AHABImage for rt118x ========================================
# ======================================================================================================================
# == AHABImage for rt118x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, ele, provisioning_image, provisioning_data>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image. All images in the container must have the same HASH type.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
# key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, sm2. Certificate may be of Certificate
# Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt