AHAB

AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON tells nxpimage what the output should look like.

Example of exporting an AHAB image:
nxpimage ahab export -c "path\to\config\file.yaml"

Example of parsing a binary AHAB container:
nxpimage ahab parse -b "my_ahab_container.bin" -o "path\to_parsed_data"

The full AHAB configuration template can be generated with the nxpimage "get-template" sub-command for any family that supports AHAB, for example:
nxpimage ahab get-template -f rt118x -o ahab_template_rt118x.yaml

AHAB Extensions

Since SPSDK version 2.2.0, support for AHAB extensions has been added. This allows the user to create standard images, such as U-Boot, in a manner similar to the imx-mkimage tool, without knowing the details of the AHAB format.

Supported configuration options

AHABImage for mx8ulp

AHABImage for mx8ulp YAML configuration template
# ========================================  AHAB template AHABImage for mx8ulp  ========================================

# ======================================================================================================================
#                                               == AHABImage for mx8ulp ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
  -
  # ====================================================================================================================
  #                                          == List of possible 2 options. ==
  #                                        Options [binary_container, container]
  # ====================================================================================================================

  #  =========================== [Example of possible configuration: #0 , erase if not used] ============================
    # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
    # Description: Binary container format to add to the AHAB image. Typically used to add ELE firmware.
    binary_container:
      # -----------------------------===== The AHAB container binary file [Required] =====------------------------------
      # Description: The binary file that contains the AHAB container, e.g. "my_binary_container.bin".
      path: my_ahab_container.bin

  #  =========================== [Example of possible configuration: #1 , erase if not used] ============================
    # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
    # Description: Configurable container format to add to the AHAB image. This allows configuring all aspects of the
    # AHAB container.
    container:
      # --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
      # Description: Defines which set is used to authenticate the container.
      # Possible options: <none, oem, nxp>
      srk_set: none
      # ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
      # Description: Which key from SRK set is being used.
      used_srk_id: 0
      # -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
      # Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
      # 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
      srk_revoke_mask: '0x00'
      # ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
      # Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
      # firmware.
      #  - disabled:       GDET is disabled after the first OEM container has been authenticated (default behavior)
      #  - enabled_eleapi: Automatically enable GDET during all ELE API calls
      #  - enabled:        Leave GDET enabled
      # Possible options: <disabled, enabled_eleapi, enabled>
      gdet_runtime_behavior: disabled
      # --------------------------------------===== Fuse version [Optional] =====---------------------------------------
      # Description: The value must be equal or greater than the version stored in fuses to allow loading this
      # container.
      fuse_version: 0
      # ------------------------------------===== Software version [Optional] =====-------------------------------------
      # Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
      # Fuse version field.
      sw_version: 0
      # -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
      # Description: Private key used to sign the container header. The header can be signed by an SRK. The referenced
      # SRK must not have been revoked.
      signing_key: my_signing_key.pem
      # -----------------------------------===== Signature Provider [Optional] =====------------------------------------
      # Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
      # signature provider can be used instead of defining 'signing_key'.
      signature_provider: type=file;file_path=my_prv_key.pem

      # ================================================================================================================
      #                     == Configuration of AHAB Container images (array of multiple images) ==
      # ================================================================================================================
      # ---------------------------------------===== Image array [Required] =====---------------------------------------
      # Description: Array of image entries.
      images:
        -
          # -------------------------------------===== Image path [Optional] =====--------------------------------------
          # Description: Path to image binary (absolute/relative). If only an Image Array entry without any image data
          # is needed, omit the image path.
          image_path: my_image.bin
          # ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
          # Description: Offset in bytes from start of container header to beginning of the image. Zero value means
          # automatic placement of the image with proper alignment after the previous one; this is recommended for
          # serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
          # to these values. Example of setting load_address: AHAB_IMAGE_ADDRESS + IMAGE_OFFSET = LOAD_ADDRESS. The
          # booting core images must be located after the other ones.
          image_offset: 0
          # ------------------------------===== Image destination address [Required] =====------------------------------
          # Description: Address the image is written to in memory (absolute address in system memory).
          load_address: '0x1FFC_0000'
          # ----------------------------------===== Image entry point [Required] =====----------------------------------
          # Description: Image entry point (absolute address). Valid only for executable image types.
          entry_point: '0x1FFC_0000'
          # -------------------------------------===== Image type [Required] =====--------------------------------------
          # Description: Kind of image.
          # Possible options: <executable, data, ele, provisioning_image, dek_validation_fcb_chk>
          image_type: executable
          # ---------------------------------------===== Core ID [Required] =====---------------------------------------
          # Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
          # Possible options: <cortex-m33, cortex-a55, cortex-a53, ele, hdmi-tx, hdmi-rx, v2x-1, v2x-2>
          core_id: cortex-m33
          # ----------------------------------===== Image encryption [Required] =====-----------------------------------
          # Description: Determines whether the image is encrypted.
          is_encrypted: false
          # -------------------------------------===== Boot flags [Optional] =====--------------------------------------
          # Description: Boot flags controlling SCFW boot.
          boot_flags: 0
          # ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
          # Description: Resource ID of CPU to be started
          meta_data_start_cpu_id: 0
          # ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
          # Description: Resource ID of the MU associated with the CPU
          meta_data_mu_cpu_id: 0
          # ---------------------------------===== Start partition ID [Optional] =====----------------------------------
          # Description: Partition ID of the partition to start
          meta_data_start_partition_id: 0
          # ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
          # Description: HASH type of image. All images in the container must have the same HASH type.
          # Possible options: <sha256, sha384, sha512, sm3>
          hash_type: sha512

      # ================================================================================================================
      #                                      == Configuration of AHAB SRK table ==
      # ================================================================================================================
      # ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
      # Description: SRK (Super Root key) table definition.
      srk_table:
        # ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
        # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
        flag_ca: false
        # ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
        # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
        # algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
        # key sizes/curves: prime256v1, secp384r1, secp521r1, rsa2048, rsa4096, sm2. The certificate may be a
        # Certificate Authority certificate.
        srk_array:
          - my_srk_public_key0.pub
          - my_srk_public_key1.pub
          - my_srk_public_key2.pub
          - my_srk_public_key3.pub

      # ================================================================================================================
      #           == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
      # ================================================================================================================
      # ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
      # Description: The file that contains the AHAB certificate. It can be an already prepared binary signed by the
      # SRK, or a certificate configuration YAML file, in which case the AHAB export process exports the certificate
      # itself.
      certificate: my_ahab_certificate.bin

      # ================================================================================================================
      #         == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
      # ================================================================================================================
      # -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
      # Description: Encryption blob container definition
      blob:
        # ------------------------------------===== Key identifier [Required] =====-------------------------------------
        # Description: The key identifier that has been used to generate DEK keyblob.
        key_identifier: 0
        # -------------------------------------===== DEK key size [Required] =====--------------------------------------
        # Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
        # Possible options: <128, 192, 256>
        dek_key_size: 128
        # ----------------------------------------===== DEK key [Required] =====----------------------------------------
        # Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        dek_key: my_dek_key.txt
        # --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
        # Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        # If NOT used, an empty keyblob is inserted into the container and needs to be updated later.
        dek_keyblob: my_wrapped_key.txt

AHABImage for mx93

AHABImage for mx93 YAML configuration template
# =========================================  AHAB template AHABImage for mx93  =========================================

# ======================================================================================================================
#                                                == AHABImage for mx93 ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
  -
  # ====================================================================================================================
  #                                          == List of possible 2 options. ==
  #                                        Options [binary_container, container]
  # ====================================================================================================================

  #  =========================== [Example of possible configuration: #0 , erase if not used] ============================
    # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
    # Description: Binary container format to add to the AHAB image. Typically used to add ELE firmware.
    binary_container:
      # -----------------------------===== The AHAB container binary file [Required] =====------------------------------
      # Description: The binary file that contains the AHAB container, e.g. "my_binary_container.bin".
      path: my_ahab_container.bin

  #  =========================== [Example of possible configuration: #1 , erase if not used] ============================
    # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
    # Description: Configurable container format to add to the AHAB image. This allows configuring all aspects of the
    # AHAB container.
    container:
      # --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
      # Description: Defines which set is used to authenticate the container.
      # Possible options: <none, oem, nxp>
      srk_set: none
      # ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
      # Description: Which key from SRK set is being used.
      used_srk_id: 0
      # -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
      # Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
      # 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
      srk_revoke_mask: '0x00'
      # ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
      # Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
      # firmware.
      #  - disabled:       GDET is disabled after the first OEM container has been authenticated (default behavior)
      #  - enabled_eleapi: Automatically enable GDET during all ELE API calls
      #  - enabled:        Leave GDET enabled
      # Possible options: <disabled, enabled_eleapi, enabled>
      gdet_runtime_behavior: disabled
      # --------------------------------------===== Fuse version [Optional] =====---------------------------------------
      # Description: The value must be equal or greater than the version stored in fuses to allow loading this
      # container.
      fuse_version: 0
      # ------------------------------------===== Software version [Optional] =====-------------------------------------
      # Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
      # Fuse version field.
      sw_version: 0
      # -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
      # Description: Private key used to sign the container header. The header can be signed by an SRK. The referenced
      # SRK must not have been revoked.
      signing_key: my_signing_key.pem
      # -----------------------------------===== Signature Provider [Optional] =====------------------------------------
      # Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
      # signature provider can be used instead of defining 'signing_key'.
      signature_provider: type=file;file_path=my_prv_key.pem

      # ================================================================================================================
      #                     == Configuration of AHAB Container images (array of multiple images) ==
      # ================================================================================================================
      # ---------------------------------------===== Image array [Required] =====---------------------------------------
      # Description: Array of image entries.
      images:
        -
        # ==============================================================================================================
        #                                       == List of possible 4 options. ==
        #             Options [SPL with optional DDR tuning images, Uboot ATF, Uboot, General Image Entry]
        # ==============================================================================================================

        #  ====== [Example of possible configuration: #0 SPL with optional DDR tuning images, erase if not used] ========
        # U-Boot SPL with optional DDR PHY tuning images
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000002049A000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
          # Description: Firmware for LPDDR4/5 memory in 1D mode.
          lpddr_imem_1d: lpddr_imem_1d.bin
          # -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
          # Description: Firmware for LPDDR4/5 memory in 2D mode.
          lpddr_imem_2d: lpddr_imem_2d.bin
          # ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
          # Description: Data for LPDDR4/5 memory in 1D mode.
          lpddr_dmem_1d: lpddr_dmem_1d.bin
          # ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
          # Description: Data for LPDDR4/5 memory in 2D mode.
          lpddr_dmem_2d: lpddr_dmem_2d.bin
          # -----------------------------------------===== SPL [Required] =====-----------------------------------------
          # Description: SPL firmware
          spl_ddr: spl.bin

        #  ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
        # U-Boot ATF container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x00000000204E0000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # -------------------------------------===== ATF binary [Required] =====--------------------------------------
          # Description: ARM Trusted Firmware binary file.
          atf: bl31.bin

        #  ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
        # U-Boot container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000080200000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # ------------------------------------===== U-Boot binary [Required] =====------------------------------------
          # Description: U-Boot binary file.
          uboot: u-boot.bin

        #  =============== [Example of possible configuration: #3 General Image Entry, erase if not used] ===============
        # General Image Entry
          # -------------------------------------===== Image path [Optional] =====--------------------------------------
          # Description: Path to image binary (absolute/relative). If only an Image Array entry without any image data
          # is needed, omit the image path.
          image_path: my_image.bin
          # ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
          # Description: Offset in bytes from start of container header to beginning of the image. Zero value means
          # automatic placement of the image with proper alignment after the previous one; this is recommended for
          # serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
          # to these values. Example of setting load_address: AHAB_IMAGE_ADDRESS + IMAGE_OFFSET = LOAD_ADDRESS. The
          # booting core images must be located after the other ones.
          image_offset: 0
          # ------------------------------===== Image destination address [Required] =====------------------------------
          # Description: Address the image is written to in memory (absolute address in system memory).
          load_address: '0x1FFC_0000'
          # ----------------------------------===== Image entry point [Required] =====----------------------------------
          # Description: Image entry point (absolute address). Valid only for executable image types.
          entry_point: '0x1FFC_0000'
          # -------------------------------------===== Image type [Required] =====--------------------------------------
          # Description: Kind of image.
          # Possible options: <executable, data, ele, provisioning_image, provisioning_data, v2x_primary, v2x_secondary,
          # v2x_rom_patch, v2x_dummy>
          image_type: executable
          # ---------------------------------------===== Core ID [Required] =====---------------------------------------
          # Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
          # Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
          core_id: cortex-m33
          # ----------------------------------===== Image encryption [Required] =====-----------------------------------
          # Description: Determines whether the image is encrypted.
          is_encrypted: false
          # -------------------------------------===== Boot flags [Optional] =====--------------------------------------
          # Description: Boot flags controlling SCFW boot.
          boot_flags: 0
          # ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
          # Description: Resource ID of CPU to be started
          meta_data_start_cpu_id: 0
          # ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
          # Description: Resource ID of the MU associated with the CPU
          meta_data_mu_cpu_id: 0
          # ---------------------------------===== Start partition ID [Optional] =====----------------------------------
          # Description: Partition ID of the partition to start
          meta_data_start_partition_id: 0
          # ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
          # Description: HASH type of image. All images in the container must have the same HASH type.
          # Possible options: <sha256, sha384, sha512, sm3>
          hash_type: sha512

      # ================================================================================================================
      #                                      == Configuration of AHAB SRK table ==
      # ================================================================================================================
      # ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
      # Description: SRK (Super Root key) table definition.
      srk_table:
        # ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
        # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
        flag_ca: false
        # ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
        # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
        # algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
        # key sizes/curves: prime256v1, secp384r1, secp521r1, rsa2048, rsa4096, sm2. The certificate may be a
        # Certificate Authority certificate.
        srk_array:
          - my_srk_public_key0.pub
          - my_srk_public_key1.pub
          - my_srk_public_key2.pub
          - my_srk_public_key3.pub

      # ================================================================================================================
      #           == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
      # ================================================================================================================
      # ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
      # Description: The file that contains the AHAB certificate. It can be an already prepared binary signed by the
      # SRK, or a certificate configuration YAML file, in which case the AHAB export process exports the certificate
      # itself.
      certificate: my_ahab_certificate.bin

      # ================================================================================================================
      #         == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
      # ================================================================================================================
      # -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
      # Description: Encryption blob container definition
      blob:
        # ------------------------------------===== Key identifier [Required] =====-------------------------------------
        # Description: The key identifier that has been used to generate DEK keyblob.
        key_identifier: 0
        # -------------------------------------===== DEK key size [Required] =====--------------------------------------
        # Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
        # Possible options: <128, 192, 256>
        dek_key_size: 128
        # ----------------------------------------===== DEK key [Required] =====----------------------------------------
        # Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        dek_key: my_dek_key.txt
        # --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
        # Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        # If not used, an empty keyblob is inserted into the container and needs to be updated later.
        dek_keyblob: my_wrapped_key.txt

AHABImage for rt118x

AHABImage for rt118x JSON schema

AHABImage for rt118x YAML configuration template
# ========================================  AHAB template AHABImage for rt118x  ========================================

# ======================================================================================================================
#                                               == AHABImage for rt118x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: <mx8mn, mx8mp, mx8ulp, mx91, mx93, mx95, rt118x>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
  -
  # ====================================================================================================================
  #                                          == List of possible 2 options. ==
  #                                        Options [binary_container, container]
  # ====================================================================================================================

  #  =========================== [Example of possible configuration: #0 , erase if not used] ============================
    # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
    # Description: Binary container format to add to the AHAB image. Typically used to add ELE firmware.
    binary_container:
      # -----------------------------===== The AHAB container binary file [Required] =====------------------------------
      # Description: The binary file that contains the AHAB container, for example "my_binary_container.bin".
      path: my_ahab_container.bin

  #  =========================== [Example of possible configuration: #1 , erase if not used] ============================
    # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
    # Description: Configurable container format to add to the AHAB image. This allows configuring all aspects of the
    # AHAB container.
    container:
      # --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
      # Description: Defines which set is used to authenticate the container.
      # Possible options: <none, oem, nxp>
      srk_set: none
      # ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
      # Description: Which key from SRK set is being used.
      used_srk_id: 0
      # -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
      # Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
      # 1 = revoke SRK_1 etc. Example: to revoke SRK_0 and SRK_1, the value should be 0x03.
      srk_revoke_mask: '0x00'
      # ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
      # Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
      # firmware.
      #  - disabled:       GDET is disabled after the first OEM container has been authenticated (default behavior)
      #  - enabled_eleapi: Automatically enable GDET during all ELE API calls
      #  - enabled:        Leave GDET enabled
      # Possible options: <disabled, enabled_eleapi, enabled>
      gdet_runtime_behavior: disabled
      # --------------------------------------===== Fuse version [Optional] =====---------------------------------------
      # Description: The value must be equal to or greater than the version stored in fuses to allow loading this
      # container.
      fuse_version: 0
      # ------------------------------------===== Software version [Optional] =====-------------------------------------
      # Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with the
      # same Fuse version field.
      sw_version: 0
      # -------------------------------===== AHAB container signing key [Optional] =====--------------------------------
      # Description: Private key used to sign the container header. The header can be signed by an SRK. The referenced
      # SRK must not have been revoked.
      signing_key: my_signing_key.pem
      # -----------------------------------===== Signature Provider [Optional] =====------------------------------------
      # Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. The
      # signature provider can be used instead of defining 'signing_key'.
      signature_provider: type=file;file_path=my_prv_key.pem

      # ================================================================================================================
      #                     == Configuration of AHAB Container images (array of multiple images) ==
      # ================================================================================================================
      # ---------------------------------------===== Image array [Required] =====---------------------------------------
      # Description: Array of image entries.
      images:
        -
          # -------------------------------------===== Image path [Optional] =====--------------------------------------
          # Description: Path to image binary (absolute/relative). If only an Image Array entry without any image data
          # is needed, omit the image path.
          image_path: my_image.bin
          # ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
          # Description: Offset in bytes from the start of the container header to the beginning of the image. A zero
          # value means the image is placed automatically, with proper alignment, after the previous one; this is
          # recommended for serial_downloader mode. For an XiP type of AHAB image, the load_address and entry_point
          # must correspond to this value. Example of setting load_address:
          # AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The booting core images must be located after the other ones.
          image_offset: 0
          # ------------------------------===== Image destination address [Required] =====------------------------------
          # Description: Address the image is written to in memory (absolute address in system memory).
          load_address: '0x1FFC_0000'
          # ----------------------------------===== Image entry point [Required] =====----------------------------------
          # Description: Image entry point (absolute address). Valid only for executable image types.
          entry_point: '0x1FFC_0000'
          # -------------------------------------===== Image type [Required] =====--------------------------------------
          # Description: Kind of image.
          # Possible options: <executable, data, ele, provisioning_image, provisioning_data>
          image_type: executable
          # ---------------------------------------===== Core ID [Required] =====---------------------------------------
          # Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
          # Possible options: <cortex-m33, cortex-m7, ele>
          core_id: cortex-m33
          # ----------------------------------===== Image encryption [Required] =====-----------------------------------
          # Description: Determines whether the image is encrypted or not.
          is_encrypted: false
          # -------------------------------------===== Boot flags [Optional] =====--------------------------------------
          # Description: Boot flags controlling SCFW boot.
          boot_flags: 0
          # ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
          # Description: Resource ID of CPU to be started
          meta_data_start_cpu_id: 0
          # ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
          # Description: Resource ID of the MU associated with the CPU
          meta_data_mu_cpu_id: 0
          # ---------------------------------===== Start partition ID [Optional] =====----------------------------------
          # Description: Partition ID of the partition to start
          meta_data_start_partition_id: 0
          # ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
          # Description: HASH type of image. All images in the container must have the same HASH type.
          # Possible options: <sha256, sha384, sha512, sm3>
          hash_type: sha512

      # ================================================================================================================
      #                                      == Configuration of AHAB SRK table ==
      # ================================================================================================================
      # ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
      # Description: SRK (Super Root key) table definition.
      srk_table:
        # ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
        # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys
        flag_ca: false
        # ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
        # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
        # algorithms are: RSASSA-PSS, ECDSA or SM2. Supported hash algorithms: sha256, sha384, sha512, sm3. Supported
        # key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, sm2. The certificate may be that of a
        # Certificate Authority.
        srk_array:
          - my_srk_public_key0.pub
          - my_srk_public_key1.pub
          - my_srk_public_key2.pub
          - my_srk_public_key3.pub

      # ================================================================================================================
      #           == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
      # ================================================================================================================
      # ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
      # Description: The file that contains the AHAB certificate. Either an already prepared binary form signed by the
      # SRK can be used, or a YAML configuration file of the certificate, in which case the AHAB export process exports
      # the certificate itself.
      certificate: my_ahab_certificate.bin

      # ================================================================================================================
      #         == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
      # ================================================================================================================
      # -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
      # Description: Encryption blob container definition
      blob:
        # ------------------------------------===== Key identifier [Required] =====-------------------------------------
        # Description: The key identifier that has been used to generate DEK keyblob.
        key_identifier: 0
        # -------------------------------------===== DEK key size [Required] =====--------------------------------------
        # Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
        # Possible options: <128, 192, 256>
        dek_key_size: 128
        # ----------------------------------------===== DEK key [Required] =====----------------------------------------
        # Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
        dek_key: my_dek_key.txt
        # --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
        # Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        # If not used, an empty keyblob is inserted into the container and needs to be updated later.
        dek_keyblob: my_wrapped_key.txt
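
A pre-export sanity check for the constraints the template comments state (the signing SRK must not be revoked, all images share one hash type, XiP load address equals AHAB address plus image offset), as an added example that is not part of SPSDK or nxpimage. The function names, the constructed JSON sample and the rule that an encrypted image needs a `blob` section are assumptions made for this illustration.

```python
import json

def to_int(value):
    """Template values are ints or strings such as '0x03' or '0x1FFC_0000'."""
    return value if isinstance(value, int) else int(str(value), 0)

def lint_container(c, xip_ahab_address=None):
    """Return a list of findings for one 'container' entry."""
    out = []
    used = to_int(c.get("used_srk_id", 0))
    mask = to_int(c.get("srk_revoke_mask", 0))
    images = c.get("images", [])
    if c.get("srk_set", "none") == "none":
        out.append("srk_set is 'none': no SRK set authenticates this container")
    else:
        if used >= len(c.get("srk_table", {}).get("srk_array", [])):
            out.append(f"used_srk_id {used} is outside srk_array")
        if (mask >> used) & 1:  # bit n set = SRK_n revoked
            out.append(f"srk_revoke_mask {mask:#04x} revokes signing key SRK_{used}")
    if len({i.get("hash_type") for i in images}) > 1:
        out.append("images use different hash_type values")
    # Assumption: an encrypted image needs the 'blob' section to carry its DEK.
    if any(i.get("is_encrypted") for i in images) and "blob" not in c:
        out.append("encrypted image but no 'blob' section")
    if xip_ahab_address is not None:  # XiP: AHAB address + offset = load address
        for n, i in enumerate(images):
            off = to_int(i.get("image_offset", 0))
            if off and xip_ahab_address + off != to_int(i["load_address"]):
                out.append(f"image {n}: load_address != AHAB address + image_offset")
    return out

def lint_config(cfg, xip_ahab_address=None):
    """Lint every configurable container; binary_container entries are opaque."""
    return [f for e in cfg["containers"] if "container" in e
            for f in lint_container(e["container"], xip_ahab_address)]

# Constructed sample config (JSON form of the template; values are invented).
SAMPLE = json.loads("""
{"containers": [{"binary_container": {"path": "my_ahab_container.bin"}},
 {"container": {"srk_set": "oem", "used_srk_id": 1, "srk_revoke_mask": "0x03",
   "srk_table": {"srk_array": ["k0.pub", "k1.pub", "k2.pub", "k3.pub"]},
   "images": [
    {"image_offset": "0x2000", "load_address": "0x1FFC_0000", "is_encrypted": true, "hash_type": "sha512"},
    {"image_offset": 0, "load_address": "0x2000_0000", "hash_type": "sha256"}]}}]}
""")

if __name__ == "__main__":
    for finding in lint_config(SAMPLE, xip_ahab_address=0x1FFC_0000):
        print("WARN:", finding)
```

Pass `xip_ahab_address` only for XiP images; an `image_offset` of 0 means automatic placement and is skipped by the address check.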