AHAB#
AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage how the output should look like.
Example of use for export
nxpimage ahab export -c "path\to\config\file.yaml"
Example of use for parse binary AHAB container
nxpimage ahab parse -b "my_ahab_container.bin" -o "path\to_parsed_data"
The full AHAB configuration template could be generated by nxpimage tool “get_template” sub-command for family that supports AHAB, example:
nxpimage ahab get-template -f rt118x -o ahab_template_rt118x.yaml
AHAB Extensions#
Since SPSDK version 2.2.0, support for AHAB extensions have been added. This allows the user to create the standard images like U-Boot for example in the similar manner as with the imx-mkimage tool, without knowing the details of the AHAB format.
AHAB Sign#
Since SPSDK version 2.3.0 it is possible to sign and encrypt existing image or image container set, without parsing.
It parses the input image, loads the configuration file and iterates over the segments in the image. If the segment is AHAB image, it iterates over all the containers and if the container is not NXP signed, it signs them with the key (signature provider) provided in the configuration.
If the blob is specified, it also iterates over all images in the container and encrypt them.
Then signed (encrypted) image is saved to the path provided.
Template for signing might be generated using the get-template command with –sign/-s flag:
nxpimage ahab get-template -f <family> -o sign_template.yaml --sign
Example of use for sign and encrypt AHAB container
nxpimage -v ahab sign -c "path\to\config\file.yaml" -c "ahab_image_to_be_signed.bin" -o "path\to_signed_image"
Supported configuration options#
AHABImage for mimx8ulp#
AHABImage for mimx8ulp JSON schema
AHABImage for mimx8ulp YAML configuration template
# ======================================= AHAB template AHABImage for mimx8ulp =======================================
# ======================================================================================================================
# == AHABImage for mimx8ulp ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, a2, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [uPower, SPL, Uboot ATF, Uboot, TEE Trusted Execution Environment, MCU Image, General Image Entry]
# ==============================================================================================================
# ===================== [Example of possible configuration: #0 uPower, erase if not used] ======================
# uPower firmware
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000028300200
# image_type: executable
# core_id: cortex-a53
# hash_type: SHA384
# ---------------------------------------===== uPower [Required] =====----------------------------------------
# Description: uPower firmware
upower: upower.bin
# ======================= [Example of possible configuration: #1 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000022020000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #2 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020040000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #3 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #4 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000A6000000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# ==================== [Example of possible configuration: #5 MCU Image, erase if not used] ====================
# MCU Image
# --------------------------------------===== MCU Image [Required] =====--------------------------------------
# Description: MCU Image
mcu: m33_image.bin
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, dek_validation_fcb_chk, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, cortex-a53, ele, hdmi-tx, hdmi-rx>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9131#
AHABImage for mimx9131 JSON schema
AHABImage for mimx9131 YAML configuration template
# ======================================= AHAB template AHABImage for mimx9131 =======================================
# ======================================================================================================================
# == AHABImage for mimx9131 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204A0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204C0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <reserved, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9352#
AHABImage for mimx9352 JSON schema
AHABImage for mimx9352 YAML configuration template
# ======================================= AHAB template AHABImage for mimx9352 =======================================
# ======================================================================================================================
# == AHABImage for mimx9352 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx943#
AHABImage for mimx943 JSON schema
AHABImage for mimx943 YAML configuration template
# ======================================= AHAB template AHABImage for mimx943 ========================================
# ======================================================================================================================
# == AHABImage for mimx943 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# - enabled: Fast boot enabled.
# - slice_hash: Slice and hash mode.
# - on_fly: On the fly hash.
# Possible options: <enabled, slice_hash, on_fly>
fast_boot: enabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ---------------===== AHAB container signing key for second signature (PQC only) [Optional] =====----------------
# Description: Private key used for second sign (PQC only) of the container header. Header can be signed by SRK.
# The referenced SRK must not have been revoked.
signing_key_#2: my_signing_key.pem
# ----------------------===== Signature Provider for second signature (PQC) [Optional] =====----------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 11 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, Boot system manager, Cortex M7
# additional application, Cortex M7 second core additional application, Cortex M33 second core additional
# application, SPL, Uboot ATF, Uboot, TEE Trusted Execution Environment, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behing DDR
# FW entry
qb_data: qb_data.bin
# =============== [Example of possible configuration: #2 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #3 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# == [Example of possible configuration: #4 Cortex M7 second core additional application, erase if not used] ===
# Cortex M7 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000302C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-2
# meta_data_start_cpu_id: 7
# hash_type: SHA384
# --------------------===== Cortex M7 second core additional application [Required] =====---------------------
# Description: Cortex M7 second core additional application
cortex_m7_2_app: cortex_m7_2_app.bin
# == [Example of possible configuration: #5 Cortex M33 second core additional application, erase if not used] ==
# Cortex M33 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000309C0000
# entry_point: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33-2
# meta_data_start_cpu_id: 8
# hash_type: SHA384
# --------------------===== Cortex M33 second core additional application [Required] =====--------------------
# Description: Cortex M33 second core additional application
cortex_m33_2_app: cortex_m33_2_app.bin
# ======================= [Example of possible configuration: #6 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# ============== [Example of possible configuration: #10 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, cortex-m7-2, cortex-m33-2,
# ddr>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_output_256,
# shake_256_output_512>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9596#
AHABImage for mimx9596 JSON schema
AHABImage for mimx9596 YAML configuration template
# ======================================= AHAB template AHABImage for mimx9596 =======================================
# ======================================================================================================================
# == AHABImage for mimx9596 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# - enabled: Fast boot enabled.
# - slice_hash: Slice and hash mode.
# - on_fly: On the fly hash.
# Possible options: <enabled, slice_hash, on_fly>
fast_boot: enabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ---------------===== AHAB container signing key for second signature (PQC only) [Optional] =====----------------
# Description: Private key used for second sign (PQC only) of the container header. Header can be signed by SRK.
# The referenced SRK must not have been revoked.
signing_key_#2: my_signing_key.pem
# ----------------------===== Signature Provider for second signature (PQC) [Optional] =====----------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 11 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behing DDR
# FW entry
qb_data: qb_data.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# ============== [Example of possible configuration: #10 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_output_256,
# shake_256_output_512>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1181#
AHABImage for mimxrt1181 JSON schema
AHABImage for mimxrt1181 YAML configuration template
# ====================================== AHAB template AHABImage for mimxrt1181 ======================================
# ======================================================================================================================
# == AHABImage for mimxrt1181 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1182#
AHABImage for mimxrt1182 JSON schema
AHABImage for mimxrt1182 YAML configuration template
# ====================================== AHAB template AHABImage for mimxrt1182 ======================================
# ======================================================================================================================
# == AHABImage for mimxrt1182 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1187#
AHABImage for mimxrt1187 JSON schema
AHABImage for mimxrt1187 YAML configuration template
# ====================================== AHAB template AHABImage for mimxrt1187 ======================================
# ======================================================================================================================
# == AHABImage for mimxrt1187 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1189#
AHABImage for mimxrt1189 JSON schema
AHABImage for mimxrt1189 YAML configuration template
# ====================================== AHAB template AHABImage for mimxrt1189 ======================================
# ======================================================================================================================
# == AHABImage for mimxrt1189 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx8ulp, mimx9131, mimx9352, mimx943, mimx9596, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
# Description: Private key used for sign the container header. Header can be signed by SRK. The referenced SRK
# must not have been revoked.
signing_key: my_signing_key.pem
# -----------------------------------===== Signature Provider [Optional] =====------------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>'. The
# signature provider could be used instead of definition of 'signing_key'.
signature_provider: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Required] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
flag_ca: false
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt