Flash encryption engines#
nxpimage currently supports generation of bootable images and keyblobs for NXP bus encryption engines – OTFAD (On-the-fly AES decryption engines), BEE (Bus encryption engine) and IEE (Inline encryption engine).
Note
For Prince algorithm based inline encryption & decryption engines (IPED, Prince & NPX) we don’t support offline image creation.
IEE#
nxpimage supports generation of bootable image for MIMXRT117x. More details can be found in the security reference manual: https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1170SRM&appType=moderated or in the Secure Boot modes application note https://www.nxp.com/webapp/Download?colCode=AN13250
IEE engine provides means to perform inline encryption and decryption. Following algorithms are supported AES-128/256-CTR and AES-256/512-XTS. The IEE key blob containing keys and context structures is encrypted by a KEK according to the RFC3394 key-wrapping algorithm, because the key blob resides in the external memory along with the image and it must be protected
Generation of bootable image
First step is to get a template for configuration. The template might look like the file below.
nxpimage iee get-template -f rt1170 iee_template.yaml
IEE template for rt116x#
Properties#
family
(string): MCU family name. Must be one of:["rt116x", "rt117x", "rt118x"]
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"iee_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"iee_keyblob"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:true
.keyblob_address
([‘string’, ‘number’], format: number): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’], format: number): Data blob address, it doesn’t have to be specified for S-REC.
ibkek1
([‘string’, ‘number’], format: number): IBKEK1 AES-XTS key for keyblob encryption.ibkek2
([‘string’, ‘number’], format: number): IBKEK2 AES-XTS key for keyblob encryption.key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be between 1 and 4 (inclusive).Items (object)
region_lock
(boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default:false
.aes_mode
(string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"]
.key_size
(string, required): AES mode, AES-XTS or AES-CTR. Must be one of:["CTR256XTS512", "CTR128XTS256"]
.page_offset
(number, format: number): Page offset, IEE_REG0PO value. Default:0
.key1
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).
# ============================================= IEE template for rt116x ==============================================
# ======================================================================================================================
# == IEE template for rt116x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt116x, rt117x, rt118x>
family: CHOOSE_FROM_TABLE
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE template for rt117x#
Properties#
family
(string): MCU family name. Must be one of:["rt116x", "rt117x", "rt118x"]
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"iee_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"iee_keyblob"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:true
.keyblob_address
([‘string’, ‘number’], format: number): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’], format: number): Data blob address, it doesn’t have to be specified for S-REC.
ibkek1
([‘string’, ‘number’], format: number): IBKEK1 AES-XTS key for keyblob encryption.ibkek2
([‘string’, ‘number’], format: number): IBKEK2 AES-XTS key for keyblob encryption.key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be between 1 and 4 (inclusive).Items (object)
region_lock
(boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default:false
.aes_mode
(string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"]
.key_size
(string, required): AES mode, AES-XTS or AES-CTR. Must be one of:["CTR256XTS512", "CTR128XTS256"]
.page_offset
(number, format: number): Page offset, IEE_REG0PO value. Default:0
.key1
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).
# ============================================= IEE template for rt117x ==============================================
# ======================================================================================================================
# == IEE template for rt117x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt116x, rt117x, rt118x>
family: CHOOSE_FROM_TABLE
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE template for rt118x#
Properties#
family
(string): MCU family name. Must be one of:["rt116x", "rt117x", "rt118x"]
.output_folder
(string): Path to directory where the IEE output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"iee_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"iee_keyblob"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.generate_fuses_script
(boolean): BCF file with fuses configuration. Default:true
.keyblob_address
([‘string’, ‘number’], format: number): Should be aligned to 1 kB.data_blobs
(array): List of all data blobs that will be encrypted.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted.address
([‘number’, ‘string’], format: number): Data blob address, it doesn’t have to be specified for S-REC.
key_blob
(object): Keyblob configuration, keyblob won’t be generated.region_lock
(boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default:false
.aes_mode
(string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of:["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"]
.key_size
(string, required): AES mode, AES-XTS or AES-CTR. Must be one of:["CTR256XTS512", "CTR128XTS256"]
.page_offset
(number, format: number): Page offset, IEE_REG0PO value. Default:0
.key1
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.key2
([‘number’, ‘string’], format: number, required): AES key for the key blob, size depends on key_size.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).
# ============================================= IEE template for rt118x ==============================================
# ======================================================================================================================
# == IEE template for rt118x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt116x, rt117x, rt118x>
family: CHOOSE_FROM_TABLE
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
key_blob:
# -----------------------------------===== Keyblob lock attribute [Optional] =====------------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# ------------------------------------------===== AES mode [Required] =====-------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# ------------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====-------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# -----------------------------------------===== Page offset [Optional] =====-----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# ---------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====----------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====----------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# -------------------------------===== Start address of key blob data [Required] =====--------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x04001000'
# --------------------------------===== End address of key blob data [Required] =====---------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x04008000'
# =========== IEE: Inline Encryption Engine Configuration template for rt1170. ===========
# ----------------------------------------------------------------------------------------------------
# == Basic Settings ==
# ----------------------------------------------------------------------------------------------------
family: rt1170 # [Required], MCU family, MCU family name., Possible options:['rt1170']
output_folder: iee_output # [Required], IEE output directory, Path to directory where the IEE output will be generated
output_name: encrypted.bin # [Optional], Output binary image file name, File name of the output image containing keyblobs and encrypted data blobs
keyblob_name: iee_keyblob.bin # [Optional], Keyblob file name, File name of the keyblob, output_folder/keyblob_name
encrypted_name: encrypted_blob.bin # [Optional], Encrypted name, filename of the encrypted datablobs
# ----------------------------------------------------------------------------------------------------
# == IEE Settings ==
# ----------------------------------------------------------------------------------------------------
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key, IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key, IBKEK2 AES-XTS key for keyblob encryption
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob, Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list, List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob, Path to binary file with plain text data to be encrypted
address: '0x03001000' # [Optional], Data blob address, Data blob address, it doesn't have to be specified for S-REC
key_blobs: # [Required], List of Key Blobs used by IEE, The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false # [Optional], Keyblob lock attribute, Determines if the ROM will lock the IEE configuration to prevent later changes.
aes_mode: AesXTS # [Required], AES mode, AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only, Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS, AES mode, AES-XTS or AES-CTR, Possible options:['CTR256XTS512', 'CTR128XTS256']
page_offset: 0 # [Optional], Page offset, Page offset, IEE_REG0PO value
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key, AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2, AES key for the key blob, size depends on key_size
start_address: '0x30001000' # [Required], Start address of key blob data, Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000' # [Required], End address of key blob data, End address of key blob data, it should be aligned to 1 KB (1024 B)
Fill the configuration file and export the image.
nxpimage iee export iee_template.yaml
OTFAD#
The On-The-Fly AES Decryption (OTFAD) module provides an advanced hardware implementation that minimizes any incremental cycles of latency introduced by the decryption in the overall external memory-access time. It implements a block cipher mode of operation supporting the counter mode (CTR). The CTR mode provides a confidentiality mode that features the application of the forward cipher to a set of input blocks (called counters) to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext and vice versa. The OTFAD engine includes complete hardware support for a standard AES key unwrap mechanism to decrypt a key BLOB data instruction containing the parameters needed for up to 4 unique AES contexts. Each context has a unique 128-bit key, a 64-bit counter, and a 64-bit memory region descriptor.
OTFAD template for rt101x#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’], format: number, required): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’], format: number, required): OTFAD Key scramble mask align (1 byte size).
# ============================================ OTFAD template for rt101x =============================================
# ======================================================================================================================
# == OTFAD template for rt101x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD template for rt116x#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’], format: number, required): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’], format: number, required): OTFAD Key scramble mask align (1 byte size).
# ============================================ OTFAD template for rt116x =============================================
# ======================================================================================================================
# == OTFAD template for rt116x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD template for rt117x#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’], format: number, required): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’], format: number, required): OTFAD Key scramble mask align (1 byte size).
# ============================================ OTFAD template for rt117x =============================================
# ======================================================================================================================
# == OTFAD template for rt117x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD template for rt118x#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
key_scramble
(object): If Key scrambling is not required, this section must be commented out.key_scramble_mask
([‘number’, ‘string’], format: number, required): OTFAD Key Scramble mask (4 bytes size).key_scramble_align
([‘number’, ‘string’], format: number, required): OTFAD Key scramble mask align (1 byte size).
# ============================================ OTFAD template for rt118x =============================================
# ======================================================================================================================
# == OTFAD template for rt118x ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD template for rt5xx#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
# ============================================= OTFAD template for rt5xx =============================================
# ======================================================================================================================
# == OTFAD template for rt5xx ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
OTFAD template for rt6xx#
Properties#
family
(string): MCU family name. Must be one of:["rt101x", "rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"]
.output_folder
(string): Path to directory where the OTFAD output will be generated.output_name
(string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default:"otfad_whole_image"
.keyblob_name
(string): Filename of the keyblob without file extension (.bin will be appended). Default:"OTFAD_Table"
.encrypted_name
(string): filename of the encrypted datablobs without file extension (.bin will be appended). Default:"encrypted_blob"
.generate_readme
(boolean): Readme file contains information about image layout. Default:true
.kek
(string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.otfad_table_address
([‘number’, ‘string’], format: number): The base address of key blob table, it should be aligned to 1 KB (1024 B).data_blobs
(array): List of all data blobs included in this key blob.Items (object)
data
(string, format: file, required): Path to binary file with plain text data to be encrypted if desired.address
([‘number’, ‘string’], format: number, required): Data blob address, it could be omitted if data blob starts at start_address.
key_blobs
(array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.Items (object)
aes_key
([‘number’, ‘string’], format: number, required): AES key for the key blob.aes_ctr
([‘number’, ‘string’], format: number, required): AES counter value for the key blob.start_address
([‘number’, ‘string’], format: number, required): Start address of key blob data, it should be aligned to 1 KB (1024 B).end_address
([‘number’, ‘string’], format: number, required): End address of key blob data, it should be aligned to 1 KB (1024 B).aes_decryption_enable
(boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default:true
.valid
(boolean): This field signals if the context is valid or not. Default:true
.read_only
(boolean): This field signals if the context is Read only or not. Default:true
.
# ============================================= OTFAD template for rt6xx =============================================
# ======================================================================================================================
# == OTFAD template for rt6xx ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <rt101x, rt116x, rt117x, rt118x, rt5xx, rt6xx>
family: CHOOSE_FROM_TABLE
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
BEE#
i.MX RT10xx, except i.MX1010, provides an on-the-fly encryption engine called Bus Encryption Engine(BEE) Refer to this application note for more info: AN12852.
BeeNxp#
Properties#
output_folder
(string): Folder name to store generated BEE output.input_binary
(string): Path to input binary file.output_name
(string): File name of the encrypted file, output_folder/output_name or full path (.bin will be appended).header_name
(string): output_folder/header_name or full path + index will be appended (.bin will be appended).engine_selection
(string): BEE Engine Selection, engine0, engine1 or both engines. Must be one of:["engine0", "engine1", "both"]
.engine_key_selection
(string): Random Key or Zero key. Must be one of:["random", "zero"]
.base_address
([‘string’, ‘number’], format: number): Base address of the image.bee_engine
(array): Configuration of BEE engines. Length must be between 1 and 2 (inclusive).Items
One of
object: BEE engine configuration.
bee_cfg
(object, required)user_key
([‘string’, ‘number’], format: number, required): AES key for encryption.protected_region
(array): List of protected regions, up to four regions.Items (object)
start_address
([‘string’, ‘number’], format: number, required): Start address of protected region, it should be aligned to 1 KB (1024 B).length
([‘string’, ‘number’], format: number, required): Length of protected region, it should be aligned to 1 KB (1024 B).protected_level
(number, format: number, required): Protected level (0/1/2/3), 0 is default.
object: BEE engine configuration with binary header.
bee_binary_cfg
(object, required)header_path
(string, required): Path to the existing BEE header in binary form.user_key
([‘string’, ‘number’], format: number, required): AES key that was used for header encryption.
# =================================================== BEE template ===================================================
# ======================================================================================================================
# == BeeNxp ==
# ======================================================================================================================
# ---------------------------------------===== BEE output folder [Required] =====---------------------------------------
# Description: Folder name to store generated BEE output
output_folder: bee_output
# ---------------------------------------===== Input binary file [Required] =====---------------------------------------
# Description: Path to input binary file
input_binary: input_bin.bin
# ------------------------------------===== Output binary file name [Optional] =====------------------------------------
# Description: File name of the encrypted file, output_folder/output_name or full path (.bin will be appended)
output_name: encrypted
# -------------------------===== File name of the exported BEE region headers [Optional] =====--------------------------
# Description: output_folder/header_name or full path + index will be appended (.bin will be appended)
header_name: bee_ehdr
# ---------------------------------------===== Engine selection [Required] =====----------------------------------------
# Description: BEE Engine Selection, engine0, engine1 or both engines
# Possible options: <engine0, engine1, both>
engine_selection: engine0
# -------------------------------------===== Engine Key selection [Required] =====--------------------------------------
# Description: Random Key or Zero key
# Possible options: <random, zero>
engine_key_selection: random
# -----------------------------------===== Base address of the image [Required] =====-----------------------------------
# Description: Base address of the image
base_address: '0x60001000'
# ------------------------------------------===== Bee engines [Required] =====------------------------------------------
# Description: Configuration of BEE engines
bee_engine:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [bee_cfg, bee_binary_cfg]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
bee_cfg:
# ------------------------------------===== User AES-128 key [Required] =====-------------------------------------
# Description: AES key for encryption
user_key: '0x0123456789abcdeffedcba9876543210'
# ------------------------------------===== Protected region [Optional] =====-------------------------------------
# Description: List of protected regions, up to four regions
protected_region:
-
# --------------------------===== Start address of protected region [Required] =====--------------------------
# Description: Start address of protected region, it should be aligned to 1 KB (1024 B)
start_address: '0x60001000'
# -----------------------------===== Length of protected region [Required] =====------------------------------
# Description: Length of protected region, it should be aligned to 1 KB (1024 B)
length: '0x4400'
# -----------------------------------===== Protected level [Required] =====-----------------------------------
# Description: Protected level (0/1/2/3), 0 is default
protected_level: 0
# ====================================== [Example of possible configuration #1] ======================================
bee_binary_cfg:
# -------------------------------------===== BEE header path [Required] =====-------------------------------------
# Description: Path to the existing BEE header in binary form
header_path: bee_ehdr0.bin
# ------------------------------------===== User AES-128 key [Required] =====-------------------------------------
# Description: AES key that was used for header encryption
user_key: '0x0123456789abcdeffedcba9876543210'