HAB#

HAB (High Assurance Boot) provides a mechanism to ensure that the running software can be trusted. The nxpimage application is used to generate the HAB container, including the CSF data and, if applicable, the encrypted image. It is the successor to the legacy elftosb and CST tools.

Unlike other SPSDK image types, the HAB container configuration is stored in BD configuration files. The main reason is to keep backward compatibility with the legacy elftosb and CST tools. The BD configuration file tells nxpimage what the image and the CSF data will look like.

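There are three supported types of images, selected by the flags option described below (0x0 plain/unsigned, 0x08 authenticated/signed, 0x0C encrypted):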

  • plain

  • authenticated

  • encrypted

Examples#

HAB Export
nxpimage hab export --command "path\to\config\file.bd" --output path\to\output.bin
HAB Parse
nxpimage hab parse --binary "path\to\output.bin" path\to\output\dir

Configuration file types#

Example of Plain BD config#
 # Plain image example: flags = 0x00 (unsigned) and no CSF command sections are defined.
 options {
     # HAB flags: 0x0 for unsigned, 0x08 signed, 0x0C encrypted.
     flags = 0x00;
     # First address of the bootable image in the target memory.
     startAddress = 0x2024ff00;
     # Offset of the IVT (beginning of the HAB container) from startAddress.
     ivtOffset = 0x0;
     # Space for the segments placed before the application image; it must be large enough to hold all of them.
     initialLoadSize = 0x100;

     # Reset vector of the application.
     entryPointAddress = 0x202629e1;
 }

 sources {
     # presumably the first externally supplied input file (legacy elftosb convention) - confirm against the CLI
     elfFile = extern(0);
 }

 # Left empty in this example: a plain image defines no CSF commands.
 section (0) {
 }
Example of Authenticated BD config#
 # Authenticated image example: flags = 0x08 (signed), followed by the CSF command sections that build the key chain.
 options {
     # HAB flags: 0x0 for unsigned, 0x08 signed, 0x0C encrypted.
     flags = 0x08;
     # First address of the bootable image in the target memory.
     startAddress = 0x1000;
     # Offset of the IVT (beginning of the HAB container) from startAddress.
     ivtOffset = 0x1000;
     # Space for the segments placed before the application image; it must be large enough to hold all of them.
     initialLoadSize = 0x2000;
     # Reset vector of the application.
     entryPointAddress = 0x34e1;
 }

 sources {
     # presumably the first externally supplied input file (legacy elftosb convention) - confirm against the CLI
     elfFile = extern(0);
 }

 # Numeric identifiers of the CSF command sections. This example uses HEADER, INSTALL_SRK, INSTALL_CSFK,
 # AUTHENTICATE_CSF, INSTALL_KEY, AUTHENTICATE_DATA, SET_ENGINE and UNLOCK; the others are declared but unused.
 constants {
     SEC_CSF_HEADER              = 20;
     SEC_CSF_INSTALL_SRK         = 21;
     SEC_CSF_INSTALL_CSFK        = 22;
     SEC_CSF_INSTALL_NOCAK       = 23;
     SEC_CSF_AUTHENTICATE_CSF    = 24;
     SEC_CSF_INSTALL_KEY         = 25;
     SEC_CSF_AUTHENTICATE_DATA   = 26;
     SEC_CSF_INSTALL_SECRET_KEY  = 27;
     SEC_CSF_DECRYPT_DATA        = 28;
     SEC_NOP                     = 29;
     SEC_SET_MID                 = 30;
     SEC_SET_ENGINE              = 31;
     SEC_INIT                    = 32;
     SEC_UNLOCK                  = 33;
 }

 # Header: there must be exactly one and it must appear first in the CSF. Its values are the defaults
 # for the commands that follow.
 section (SEC_CSF_HEADER;
     Header_Version="4.2",
     Header_HashAlgorithm="sha256",
     Header_Engine="ANY",
     Header_EngineConfiguration=0,
     Header_CertificateFormat="x509",
     Header_SignatureFormat="CMS"
     )
 {
 }

 # Install SRK: installs the root public key in slot 0; HAB authenticates it using the SRK hash fuses.
 # InstallSRK_SourceIndex selects the key within the SRK table; installation fails if the SRK revocation
 # fuse with this index is burned.
 section (SEC_CSF_INSTALL_SRK;
     InstallSRK_Table="gen_hab_certs\SRK_hash.bin",
     InstallSRK_SourceIndex=0
     )
 {
 }

 # Install CSFK: authenticated from its certificate using the SRK and installed in slot 1.
 # It must occur before the Authenticate CSF command.
 section (SEC_CSF_INSTALL_CSFK;
     InstallCSFK_File="crts\CSF1_1_sha256_2048_65537_v3_usr_crt.pem",
     InstallCSFK_CertificateFormat="x509"
     )
 {
 }

 # Authenticate CSF: verifies the CSF itself with the CSFK public key. No AuthenticateCsf_PrivateKeyFile
 # is given here, so per the parameter table on this page the signing key file is determined from
 # InstallCSFK_File.
 section (SEC_CSF_AUTHENTICATE_CSF)
 {
 }

 # Install Key: the image key certificate is verified with the key in slot 0 (the SRK slot) and installed
 # in slot 2. The SRK and CSFK slots are reserved and occupied slots cannot be overwritten.
 section (SEC_CSF_INSTALL_KEY;
     InstallKey_File="crts\IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
     InstallKey_VerificationIndex=0,
     InstallKey_TargetIndex=2)
 {
 }

 # Authenticate Data: verifies the pre-loaded image data with the key in slot 2, i.e. the slot that
 # InstallKey_TargetIndex filled above. No AuthenticateData_PrivateKeyFile is given; the parameter table
 # on this page says the file is then determined from InstallKey_File.
 section (SEC_CSF_AUTHENTICATE_DATA;
     AuthenticateData_VerificationIndex=2,
     AuthenticateData_Engine="ANY",
     AuthenticateData_EngineConfiguration=0)
 {
 }

 # Set Engine: "ANY" restores the internal HAB engine selection criteria. EngineConfiguration is written
 # as the string "0" here and as the number 0 in the other sections; the option list allows both types.
 section (SEC_SET_ENGINE;
     SetEngine_HashAlgorithm = "sha256",
     SetEngine_Engine = "ANY",
     SetEngine_EngineConfiguration = "0")
 {
 }

 # Unlock: prevents the listed engine features from being locked when the boot ROM exits. Here the SNVS
 # "ZMK WRITE" feature stays unlocked for the application; list only features the application needs.
 section (SEC_UNLOCK;
     Unlock_Engine = "SNVS",
     Unlock_Features = "ZMK WRITE"
     )
 {
 }
Example of Encrypted BD config#
 # Encrypted image example: flags = 0x0c (encrypted). The same authentication chain as in a signed image
 # is followed by the Install Secret Key and Decrypt Data commands.
 options {
     # HAB flags: 0x0 for unsigned, 0x08 signed, 0x0C encrypted.
     flags = 0x0c;
     # First address of the bootable image in the target memory.
     startAddress = 0x80001000;
     # Offset of the IVT (beginning of the HAB container) from startAddress.
     ivtOffset = 0x400;
     # Space for the segments placed before the application image; it must be large enough to hold all of them.
     initialLoadSize = 0x1000;
     # Optional path to DCD data.
     DCDFilePath = "dcd_files\evkmimxrt1166_SDRAM_dcd.bin";
     # Reset vector of the application.
     entryPointAddress = 0x800041f5;
 }

 sources {
     # presumably the first externally supplied input file (legacy elftosb convention) - confirm against the CLI
     elfFile = extern(0);
 }

 # Numeric identifiers of the CSF command sections referenced by the section() statements below.
 constants {
     SEC_CSF_HEADER              = 20;
     SEC_CSF_INSTALL_SRK         = 21;
     SEC_CSF_INSTALL_CSFK        = 22;
     SEC_CSF_INSTALL_NOCAK       = 23;
     SEC_CSF_AUTHENTICATE_CSF    = 24;
     SEC_CSF_INSTALL_KEY         = 25;
     SEC_CSF_AUTHENTICATE_DATA   = 26;
     SEC_CSF_INSTALL_SECRET_KEY  = 27;
     SEC_CSF_DECRYPT_DATA        = 28;
     SEC_NOP                     = 29;
     SEC_SET_MID                 = 30;
     SEC_SET_ENGINE              = 31;
     SEC_INIT                    = 32;
     SEC_UNLOCK                  = 33;
 }

 # Header: there must be exactly one and it must appear first in the CSF. Its values are the defaults
 # for the commands that follow.
 section (SEC_CSF_HEADER;
     Header_Version="4.2",
     Header_HashAlgorithm="sha256",
     Header_Engine="ANY",
     Header_EngineConfiguration=0,
     Header_CertificateFormat="x509",
     Header_SignatureFormat="CMS"
     )
 {
 }

 # Install SRK: installs the root public key in slot 0; HAB authenticates it using the SRK hash fuses.
 # Installation fails if the SRK revocation fuse with the selected index is burned.
 section (SEC_CSF_INSTALL_SRK;
     InstallSRK_Table="gen_hab_certs\SRK_hash.bin",
     InstallSRK_SourceIndex=0
     )
 {
 }

 # Install CSFK: authenticated from its certificate using the SRK and installed in slot 1.
 # It must occur before the Authenticate CSF command.
 section (SEC_CSF_INSTALL_CSFK;
     InstallCSFK_File="crts\CSF1_1_sha256_2048_65537_v3_usr_crt.pem",
     InstallCSFK_CertificateFormat="x509"
     )
 {
 }

 # Authenticate CSF: verifies the CSF itself with the CSFK public key. With no AuthenticateCsf_PrivateKeyFile
 # given, the parameter table on this page says the key file is determined from InstallCSFK_File.
 section (SEC_CSF_AUTHENTICATE_CSF)
 {
 }

 # Install Key: the image key certificate is verified with the key in slot 0 (the SRK slot) and installed
 # in slot 2. The SRK and CSFK slots are reserved.
 section (SEC_CSF_INSTALL_KEY;
     InstallKey_File="crts\IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
     InstallKey_VerificationIndex=0,
     InstallKey_TargetIndex=2)
 {
 }

 # Authenticate Data: verifies the pre-loaded data with the key in slot 2, the slot filled by Install Key above.
 section (SEC_CSF_AUTHENTICATE_DATA;
     AuthenticateData_VerificationIndex=2,
     AuthenticateData_Engine="ANY",
     AuthenticateData_EngineConfiguration=0)
 {
 }

 # Install Secret Key: installs a secret key in the secret key store (HAB 4.1 onwards, processors with CAAM
 # and SNVS only). SecretKey_Length is in bits (128, 192 or 256). SecretKey_VerifyIndex selects the master
 # KEK: 0 or 1 OTPMK from fuses, 2 ZMK from SNVS, 3 CMK from SNVS. SecretKey_ReuseDek is not set, so a random
 # key is generated and stored (presumably at the SecretKey_Name path - confirm); treat that file as secret
 # key material.
 section (SEC_CSF_INSTALL_SECRET_KEY;
     SecretKey_Name="gen_hab_encrypt\evkmimxrt1064_iled_blinky_SDRAM_hab_dek.bin",
     SecretKey_Length=256,
     SecretKey_VerifyIndex=0,
     SecretKey_TargetIndex=0)
 {
 }

 # Decrypt Data: decrypts and authenticates the data blocks with the secret key at Decrypt_VerifyIndex, which
 # must be the target index of a preceding Install Secret Key command (0 here). The same secret key must
 # never be used more than once. Decrypt_MacBytes is the MAC size in bytes (an even value between 4 and 16).
 # Decrypt_Nonce is not set, so a random nonce is generated.
 section (SEC_CSF_DECRYPT_DATA;
     Decrypt_Engine="ANY",
     Decrypt_EngineConfiguration="0",
     Decrypt_VerifyIndex=0,
     Decrypt_MacBytes=16)
 {
 }

Additional configuration parameters#

Although the nxpimage application fully supports legacy elftosb configuration files, the support of some new optional parameters has been added.
Newly added BD configuration parameters:

Name

BD Section

Example

Description

signatureTimestamp

options

signatureTimestamp = "11/05/2023 11:58:00";

Timestamp of generated signature

AuthenticateCsf_PrivateKeyFile

SEC_CSF_AUTHENTICATE_CSF

AuthenticateCsf_PrivateKeyFile="keys/CSF1_1_sha256_2048_65537_v3_usr_key.pem"

Path to authenticate CSF private key file. If not set, the file will be determined from InstallCSFK_File parameter

AuthenticateData_PrivateKeyFile

SEC_CSF_AUTHENTICATE_DATA

AuthenticateData_PrivateKeyFile="keys/IMG1_1_sha256_2048_65537_v3_usr_key.pem"

Path to authenticate IMG private key file. If not set, the file will be determined from InstallKey_File parameter

SecretKey_ReuseDek

SEC_CSF_INSTALL_SECRET_KEY

SecretKey_ReuseDek=true

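If set, the secret key from SecretKey_Name parameter will be used. If not, a random key will be generated and stored. The Decrypt command description on this page requires that the same secret key is never used more than once, so key reuse is best limited to reproducing an existing build.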

Decrypt_Nonce

SEC_CSF_DECRYPT_DATA

Decrypt_Nonce="gen_hab_encrypt/nonce.bin"

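If set, the nonce from the given file will be used. If not, a random nonce will be generated. A fixed nonce combined with a reused DEK repeats the same key/nonce pair across builds, which weakens the encryption when the image content differs; leave it unset unless a byte-identical rebuild is required.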

YAML Configurations#

It is also possible to use YAML configuration instead of legacy BD format.

Example of use for export: nxpimage hab export -c "path\to\config\file.yaml" -o "hab.bin"

The full HAB configuration template can be generated with the nxpimage "get-template" sub-command: nxpimage hab get-template -o hab_template.yaml

Supported configuration options#

HabContainer#

Properties#

  • inputImageFile (string, format: file_name): The input application image in plain BIN, S-REC or ELF.

  • options (object): An options block contains zero or more name/value pairs and the option settings that assign values to global options used by the nxpimage to control the generation of the output file.

    • flags ([‘number’, ‘string’]): HAB flags. 0x0 for unsigned, 0x08 signed, 0x0C encrypted.

    • startAddress ([‘number’, ‘string’]): First address of the bootable image in the target memory.

    • ivtOffset ([‘number’, ‘string’]): Offset of IVT table (beginning of HAB container) from startAddress.

    • initialLoadSize ([‘number’, ‘string’]): Size of the segments(such as IVT, BDT, DCD, XMCD) placed before the actual application image. The value does not have to be exactly the same as the segments size, but it must be large enough to accommodate all the segments.

    • entryPointAddress ([‘number’, ‘string’]): Reset vector of the application.

    • signatureTimestamp (string): Timestamp of generated signature.

    • DCDFilePath (string): Optional path to DCD data.

  • sections (array): CSF Sections.

    • Items

      • One of

        • object

          • Header (object, required): The Header command contains data used in the CSF header as well as default values used by the CST for other commands throughout the remaining CSF. There must be exactly one Header command and it must appear first in the CSF.

            • Header_Version ([‘string’, ‘number’], required): Version of HAB.

            • Header_HashAlgorithm ([‘string’]): Default hash algorithm. Must be one of: ["sha256"].

            • Header_Engine (string): Default engine. Must be one of: ["ANY", "SAHARA", "RTIC", "DCP", "CAAM", "SW"].

            • Header_EngineConfiguration ([‘string’, ‘number’]): Default engine configuration. See the CST manual for more info.

            • Header_CertificateFormat ([‘string’]): Default certificate format. Must be one of: ["x509", "WTLS"].

            • Header_SignatureFormat ([‘string’, ‘number’]): Default signature format. Must be one of: ["PKCS1", "CMS"].

        • object

          • InstallSRK (object, required): The Install SRK command authenticates and installs the root public key for use in subsequent Install CSFK (HAB only) or Install Key (HAB4 only) commands. HAB or AHAB authenticates the SRK using the SRK hash (SRK_HASH) fuses. HAB4 or AHAB allows revocation of individual keys within the SRK table using the SRK revocation (SRK_REVOKE) fuses. HAB installs the SRK in slot 0 of its internal public key store. There must be exactly one Install SRK command in a CSF, and it must occur before the Install CSFK (HAB only) command.

            • InstallSRK_Table (string, required): Valid file path.

            • InstallSRK_SourceIndex (number, required): SRK index within SRK table. Installation fails if the SRK revocation fuse with this index is burned. Must be one of: [0, 1, 2, 3].

        • object

          • InstallCSFK (object, required): The Install CSFK command authenticates and installs a public key for use in subsequent Install Key (HAB3 only) or Authenticate CSF commands. HAB authenticates the CSFK from the CSFK certificate using the SRK. HAB installs the CSFK in slot 1 of its internal public key store. There must be exactly one Install CSFK command in a CSF, and it must occur before the Authenticate CSF command.

            • InstallCSFK_File (string, required): Valid path.

            • InstallCSFK_CertificateFormat (string): CSFK certificate format. Must be one of: ["x509", "WTLS"].

        • object

          • InstallNOCAK (object, required): The Install NOCAK command authenticates and installs a public key for use with the fast authentication mechanism (HAB 4.1.2 and later only). With this mechanism, one key is used for all signatures. HAB installs the no-CA key in slot 1 of its internal public key store. There must be exactly one Install NOCAK command in a CSF, and it must occur before the Authenticate CSF command and there must be no Install Key commands.

            • InstallNOCAK_File (string, required): Valid path.

            • InstallNOCAK_CertificateFormat (string): NOCAK certificate format. Must be one of: ["x509", "WTLS"].

        • object

          • AuthenticateCSF (object, required): The Authenticate CSF command authenticates the CSF from which it is executed. HAB authenticates the CSF using the CSFK public key, from a digital signature generated automatically by the CST. There must be exactly one Authenticate CSF command in a CSF file, and it must occur after the Install CSFK command. Most other CSF commands are allowed only after the Authenticate CSF command.

            • AuthenticateCSF_EngineConfiguration ([‘string’, ‘number’]): Default engine configuration. See the CST manual for more info.

            • AuthenticateCSF_CertificateFormat ([‘string’]): Default certificate format. Must be one of: ["x509", "WTLS"].

            • AuthenticateCSF_SignatureFormat ([‘string’, ‘number’]): Default signature format. Must be one of: ["PKCS1", "CMS"].

            • AuthenticateCsf_SignProvider ([‘string’]): Signature provider configuration string. If not set, the value from AuthenticateCsf_PrivateKeyFile parameter will be used.

            • AuthenticateCsf_PrivateKeyFile (string, format: file_name): Path to authenticate CSF private key file. If not set, the file will be determined from InstallCSFK_File parameter.

        • object

          • InstallKey (object, required): The Install Key command authenticates and installs a public key for use in subsequent Install Key or Authenticate Data commands. HAB authenticates a public key from a public key certificate using a previously installed verifying key and a hash of the public key certificate. HAB installs the authenticated public key in an internal public key store with a zero-based array of key slots. The CSF author is responsible for managing the key slots in the internal public key store to establish the desired public key hierarchy and determine the keys used in authentication operations. Overwriting occupied key slots is not allowed, although a repeat command to re-install the same public key occupying the target slot will be skipped and not generate an error.

            • InstallKey_File (string, required): Valid file path.

            • InstallKey_VerificationIndex (number, required): Verification key index in key store. CSFK not supported. Must be one of: [0, 2, 4].

            • InstallKey_TargetIndex (number, required): Target key index in key store. SRK, CSFK slots reserved. Must be one of: [2, 4].

        • object

          • AuthenticateData (object, required): The Authenticate Data command verifies the authenticity of pre-loaded data in memory. The data may include executable SW instructions and may be spread across multiple non-contiguous address ranges drawn from multiple object files. HAB authenticates the pre-loaded data using a previously installed public key from a digital signature generated automatically by the CST.

            • AuthenticateData_VerificationIndex (number, required): Verification key index in key store. SRK, CSFK not supported. NOTE For HAB4 Fast Authentication, this must be 0. Must be one of: [0, 2, 4].

            • AuthenticateData_Engine (string): Data signature hash engine. Must be one of: ["ANY", "SAHARA", "RTIC", "DCP", "CAAM", "SW"].

            • AuthenticateData_EngineConfiguration ([‘string’, ‘number’]): Configuration flags for the engine. See the CSF manual.

            • AuthenticateData_SignProvider ([‘string’]): Signature provider configuration string. If not set, the value from AuthenticateData_PrivateKeyFile parameter will be used.

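            • AuthenticateData_PrivateKeyFile (string, format: file_name): Path to authenticate IMG private key file. If not set, the file will be determined from InstallCSFK_File parameter. (The parameter table earlier on this page names InstallKey_File as the fallback for this option; confirm which one applies before relying on the default.)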

        • object

          • SetEngine (object, required): The Set Engine command selects the default engine and engine configuration for a given algorithm. HAB3 does not support the Set Engine command. Some CSF commands allow the CSF author to select the engine used for an algorithm by specifying an argument other than ANY. However, if the engine argument is ANY, then HAB selects the engine to use based on internal criteria. The Set Engine command overrides the HAB internal criteria and selects the engine and configuration to use when ANY is specified. Some algorithm types do not have an associated engine argument in the CSF commands (e.g. the signature algorithm in Authenticate Data commands). By default, HAB selects the engine to use for such algorithms based on internal criteria. The Set Engine command overrides the HAB internal criteria in such cases as well. Multiple Set Engine commands may appear anywhere in a CSF after the Header command. Subsequent commands use the engine selected by the most recent Set Engine command.

            • SetEngine_HashAlgorithm (string, required): Hash algorithm. Must be one of: ["sha256"].

            • SetEngine_Engine (string, required): Engine, use ANY to restore internal HAB criteria. Must be one of: ["ANY", "SAHARA", "RTIC", "DCP", "CAAM", "SW"].

            • SetEngine_EngineConfiguration ([‘string’, ‘number’]): Default engine configuration. See the CST manual for more info.

        • object

          • Unlock (object, required): The Unlock command prevents specified engine features from being locked when exiting the internal boot ROM. HAB3 does not support the Unlock command. Multiple Unlock commands may appear after the Authenticate CSF command. A feature will be unlocked if specified in one or more Unlock commands.

            • Unlock_Engine (string): Engine to unlock. Must be one of: ["SRTC", "CAAM", "SNVS", "OCOTP"].

            • Unlock_Features (string): Comma-separated list of features to unlock.

        • object

          • SecretKey (object, required): This command is applicable from HAB 4.1 onwards and only on processors which include CAAM and SNVS. Each instance of this command generates a CSF command to install a secret key in CAAM’s secret key store.

            • SecretKey_Name (string): CMS encrypted data encryption key.

            • SecretKey_Length (number): Key length in bits. Must be one of: [128, 192, 256].

            • SecretKey_VerifyIndex (number): Master KEK index. 0 or 1 OTPMK from fuses. 2 ZMK from SNVS, 3 CMK from SNVS. Must be one of: [0, 1, 2, 3].

            • SecretKey_TargetIndex (number, required): Target secret key store index. Must be one of: [0, 1, 2, 3].

            • SecretKey_ReuseDek ([‘boolean’, ‘number’]): If set, the secret key from SecretKey_Name parameter will be used. If not, a random key will be generated and stored.

        • object

          • Decrypt (object, required): This command is applicable from HAB4.1 onwards. Each instance generates a CSF command to decrypt and authenticate a list of code/data blocks using a secret key stored in the secret key store. CST will generate a corresponding AUT_DAT command. CST will encrypt the data blocks in-place in the given files using a secret key and generate MAC data which is appended to the CSF. The secret key index must have been the target key index in a preceding Install Secret Key command. The same secret key must never be used more than once. The secret key used is removed from the secret key store by the Decrypt Data command. A separate Install Secret Key command (which generates a fresh secret key) is required for another Decrypt Data command.

            • Decrypt_VerifyIndex (number, required): Secret key index in Secret key store. Must be one of: [0, 1, 2, 4].

            • Decrypt_Engine (string): MAC Engine. Must be one of: ["CAAM", "ANY"].

            • Decrypt_EngineConfiguration ([‘string’, ‘number’]): Configuration flags for the engine. See the CSF manual.

            • Decrypt_MacBytes ([‘string’, ‘number’]): Size of MAC in bytes. Even value between 4 and 16.

            • Decrypt_Nonce (string): If set, the nonce from the given file will be used. If not, a random nonce will be generated.

# ============================================  HAB template HabContainer  =============================================

# ======================================================================================================================
#                                                   == HabContainer ==
# ======================================================================================================================
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image in plain BIN, S-REC or ELF.
inputImageFile: my_application.bin
# ------------------------------------------===== HAB Options [Required] =====------------------------------------------
# Description: An options block contains zero or more name/value pairs and the option settings that assign values to
# global options used by the nxpimage to control the generation of the output file.
options:
  # ------------------------------------------===== HAB flags [Optional] =====------------------------------------------
  # Description: HAB flags. 0x0 for unsigned, 0x08 signed, 0x0C encrypted.
  flags: 8
  # -------------------------------------===== Image start address [Optional] =====-------------------------------------
  # Description: First address of the bootable image in the target memory.
  startAddress: 1610612736
  # -----------------------------------------===== IVT Offset [Optional] =====------------------------------------------
  # Description: Offset of IVT table (beginning of HAB container) from startAddress.
  ivtOffset: 4096
  # --------------------------------------===== Initial Load size [Optional] =====--------------------------------------
  # Description: Size of the segments(such as IVT, BDT, DCD, XMCD) placed before the actual application image. The value
  # does not have to be exactly the same as the segments size, but it must be large enough to accommodate all the
  # segments.
  initialLoadSize: 8192
  # -------------------------------------===== Entry Point address [Optional] =====-------------------------------------
  # Description: Reset vector of the application.
  entryPointAddress: 2147500533
  # ---------------------------------===== Timestamp of the signature [Optional] =====----------------------------------
  signatureTimestamp: 04/05/2023 11:27:43
  # ----------------------------------------===== DCD file path [Optional] =====----------------------------------------
  # Description: Optional path to DCD data.
  DCDFilePath: dcd.bin
# -----------------------------------------===== CSF Sections [Optional] =====------------------------------------------
# Description: CSF Sections.
sections:
  -
  # ====================================================================================================================
  #                                          == List of possible 11 options. ==
  #  Options [Header, InstallSRK, InstallCSFK, InstallNOCAK, AuthenticateCSF, InstallKey, AuthenticateData, SetEngine,
  #                                             Unlock, SecretKey, Decrypt]
  # ====================================================================================================================

  #  ====================================== [Example of possible configuration #0] ======================================
    # ------------------------------------------===== Header [Required] =====-------------------------------------------
    # Description: The Header command contains data used in the CSF header as well as default values used by the CST for
    # other commands throughout the remaining CSF. There must be exactly one Header command and it must appear first in
    # the CSF.
    Header:
      # -----------------------------------------===== Version [Required] =====-----------------------------------------
      # Description: Version of HAB.
      Header_Version: '4.2'
      # -------------------------------------===== Hash algorithm [Optional] =====--------------------------------------
      # Description: Default hash algorithm.
      # Possible options: <sha256>
      Header_HashAlgorithm: sha256
      # -----------------------------------------===== Engine [Optional] =====------------------------------------------
      # Description: Default engine.
      # Possible options: <ANY, SAHARA, RTIC, DCP, CAAM, SW>
      Header_Engine: ANY
      # ----------------------------------===== Engine configuration [Optional] =====-----------------------------------
      # Description: Default engine configuration. See the CST manual for more info.
      Header_EngineConfiguration: 0
      # -----------------------------------===== Certificate format [Optional] =====------------------------------------
      # Description: Default certificate format.
      # Possible options: <x509, WTLS>
      Header_CertificateFormat: x509
      # ------------------------------------===== Signature format [Optional] =====-------------------------------------
      # Description: Default signature format.
      # Possible options: <PKCS1, CMS>
      Header_SignatureFormat: CMS

  #  ====================================== [Example of possible configuration #1] ======================================
    # ----------------------------------------===== Install SRK [Required] =====----------------------------------------
    # Description: The Install SRK command authenticates and installs the root public key for use in subsequent Install
    # CSFK (HAB only) or Install Key (HAB4 only) commands. HAB or AHAB authenticates the SRK using the SRK hash
    # (SRK_HASH) fuses. HAB4 or AHAB allows revocation of individual keys within the SRK table using the SRK revocation
    # (SRK_REVOKE) fuses. HAB installs the SRK in slot 0 of its internal public key store. There must be exactly one
    # Install SRK command in a CSF, and it must occur before the Install CSFK (HAB only) command.
    InstallSRK:
      # ----------------------------------===== SRK table binary file [Required] =====----------------------------------
      # Description: Valid file path
      InstallSRK_Table: srk_table.bin
      # ---------------------------------===== InstallSRK SourceIndex [Required] =====----------------------------------
      # Description: SRK index within SRK table. Installation fails if the SRK revocation fuse with this index is
      # burned.
      # Possible options: <0, 1, 2, 3>
      InstallSRK_SourceIndex: 0

  #  ====================================== [Example of possible configuration #2] ======================================
    # ---------------------------------------===== Install CSFK [Required] =====----------------------------------------
    # Description: The Install CSFK command authenticates and installs a public key for use in subsequent Install Key
    # (HAB3 only) or Authenticate CSF commands. HAB authenticates the CSFK from the CSFK certificate using the SRK. HAB
    # installs the CSFK in slot 1 of its internal public key store. There must be exactly one Install CSFK command in a
    # CSF, and it must occur before the Authenticate CSF command.
    InstallCSFK:
      # ------------------------------------===== CSFK Certificate [Required] =====-------------------------------------
      # Description: Valid path.
      InstallCSFK_File: csf.der
      # -----------------------------------===== Certificate Format [Optional] =====------------------------------------
      # Description: CSFK certificate format.
      # Possible options: <x509, WTLS>
      InstallCSFK_CertificateFormat: x509

  #  ====================================== [Example of possible configuration #3] ======================================
    # ---------------------------------------===== Install NOCAK [Required] =====---------------------------------------
    # Description: The Install NOCAK command authenticates and installs a public key for use with the fast
    # authentication mechanism (HAB 4.1.2 and later only). With this mechanism, one key is used for all signatures. HAB
    # installs the no-CA key in slot 1 of its internal public key store. There must be exactly one Install NOCAK command
    # in a CSF, and it must occur before the Authenticate CSF command and there must be no Install Key commands.
    InstallNOCAK:
      # ------------------------------------===== NOCAK Certificate [Required] =====------------------------------------
      # Description: Valid path.
      InstallNOCAK_File: srk.pem
      # -----------------------------------===== Certificate Format [Optional] =====------------------------------------
      # Description: NOCAK certificate format.
      # Possible options: <x509, WTLS>
      InstallNOCAK_CertificateFormat: x509

  #  ====================================== [Example of possible configuration #4] ======================================
    # -------------------------------------===== Authenticate CSF [Required] =====--------------------------------------
    # Description: The Authenticate CSF command authenticates the CSF from which it is executed. HAB authenticates the
    # CSF using the CSFK public key, from a digital signature generated automatically by the CST. There must be exactly
    # one Authenticate CSF command in a CSF file, and it must occur after the Install CSFK command. Most other CSF
    # commands are allowed only after the Authenticate CSF command.
    AuthenticateCSF:
      # ----------------------------------===== Engine configuration [Optional] =====-----------------------------------
      # Description: Default engine configuration. See the CST manual for more info.
      AuthenticateCSF_EngineConfiguration: 0
      # -----------------------------------===== Certificate format [Optional] =====------------------------------------
      # Description: Default certificate format.
      # Possible options: <x509, WTLS>
      AuthenticateCSF_CertificateFormat: x509
      # ------------------------------------===== Signature format [Optional] =====-------------------------------------
      # Description: Default signature format.
      # Possible options: <PKCS1, CMS>
      AuthenticateCSF_SignatureFormat: CMS
      # -----------------------------------===== Signature Provider [Optional] =====------------------------------------
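      # Description: Signature provider configuration string. If not set, the value from AuthenticateCsf_PrivateKeyFile
      # parameter will be used.
      # NOTE: the sample value below carries the private key password in clear text; a configuration file that holds a
      # real password should be protected like the key itself.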
      AuthenticateCsf_SignProvider:
        type=file;file_path=keys/CSF1_1_sha256_2048_65537_v3_usr_key.pem;password=PrivateKeyPwd
      # ------------------------------------===== Private Key File [Optional] =====-------------------------------------
      # Description: Path to authenticate CSF private key file. If not set, the file will be determined from
      # InstallCSFK_File parameter.
      AuthenticateCsf_PrivateKeyFile: keys/CSF1_1_sha256_2048_65537_v3_usr_key.pem

  #  ====================================== [Example of possible configuration #5] ======================================
    # ----------------------------------------===== Install Key [Required] =====----------------------------------------
    # Description: The Install Key command authenticates and installs a public key for use in subsequent Install Key or
    # Authenticate Data commands. HAB authenticates a public key from a public key certificate using a previously
    # installed verifying key and a hash of the public key certificate. HAB installs the authenticated public key in an
    # internal public key store with a zero-based array of key slots. The CSF author is responsible for managing the key
    # slots in the internal public key store to establish the desired public key hierarchy and determine the keys used
    # in authentication operations. Overwriting occupied key slots is not allowed, although a repeat command to re-
    # install the same public key occupying the target slot will be skipped and not generate an error.
    InstallKey:
      # ---------------------------------===== Public key certificate [Required] =====----------------------------------
      # Description: Valid file path.
      InstallKey_File: imgk.pem
      # -----------------------------------===== Verification Index [Required] =====------------------------------------
      # Description: Verification key index in key store. CSFK not supported.
      # Possible options: <0, 2, 4>
      InstallKey_VerificationIndex: 0
      # --------------------------------------===== Target Index [Required] =====---------------------------------------
      # Description: Target key index in key store. SRK, CSFK slots reserved.
      # Possible options: <2, 4>
      InstallKey_TargetIndex: 2

  #  ====================================== [Example of possible configuration #6] ======================================
    # -------------------------------------===== Authenticate Data [Required] =====-------------------------------------
    # Description: The Authenticate Data command verifies the authenticity of pre-loaded data in memory. The data may
    # include executable SW instructions and may be spread across multiple non-contiguous address ranges drawn from
    # multiple object files. HAB authenticates the pre-loaded data using a previously installed public key from a
    # digital signature generated automatically by the CST.
    AuthenticateData:
      # -----------------------------------===== Verification Index [Required] =====------------------------------------
      # Description: Verification key index in key store. SRK, CSFK not supported. NOTE For HAB4 Fast Authentication,
      # this must be 0
      # Possible options: <0, 2, 4>
      # The value 2 used here is the slot that the Install Key example (#5) installs its key into; the index must name
      # a slot that an earlier Install Key command has populated.
      AuthenticateData_VerificationIndex: 2
      # -----------------------------------------===== Engine [Optional] =====------------------------------------------
      # Description: Data signature hash engine.
      # Possible options: <ANY, SAHARA, RTIC, DCP, CAAM, SW>
      AuthenticateData_Engine: ANY
      # ----------------------------------===== Engine Configuration [Optional] =====-----------------------------------
      # Description: Configuration flags for the engine. See the CSF manual.
      AuthenticateData_EngineConfiguration: 0
      # -----------------------------------===== Signature Provider [Optional] =====------------------------------------
      # Description: Signature provider configuration string. If not set, the value from AuthenticateData_PrivateKeyFile
      # parameter will be used.
      # The example string carries the private-key password in clear text (password=...). A configuration file that
      # contains it must be handled as a secret: restrict its permissions and keep it out of version control and build
      # logs.
      # NOTE(review): check whether the SPSDK version in use lets the password be supplied indirectly, or offers a
      # signature provider that keeps the private key off the build machine - confirm in the SPSDK documentation.
      AuthenticateData_SignProvider:
        type=file;file_path=keys/IMG1_1_sha256_2048_65537_v3_usr_key.pem;password=PrivateKeyPwd
      # ------------------------------------===== Private Key File [Optional] =====-------------------------------------
      # Description: Path to authenticate IMG private key file. If not set, the file will be determined from
      # InstallCSFK_File parameter.
      # Both the signature provider and the private key file are given in this example for illustration; per the
      # description above, the key file is only the fallback when no signature provider is set. The file is the image
      # signing key: anyone who can read it can sign data that verifies against the installed public key.
      AuthenticateData_PrivateKeyFile: keys/IMG1_1_sha256_2048_65537_v3_usr_key.pem

  #  ====================================== [Example of possible configuration #7] ======================================
    # ----------------------------------------===== Set Engine [Required] =====-----------------------------------------
    # Description: The Set Engine command selects the default engine and engine configuration for a given algorithm.
    # HAB3 does not support the Set Engine command. Some CSF commands allow the CSF author to select the engine used for
    # an algorithm by specifying an argument other than ANY. However, if the engine argument is ANY, then HAB selects
    # the engine to use based on internal criteria. The Set Engine command overrides the HAB internal criteria and
    # selects the engine and configuration to use when ANY is specified.
    # Some algorithm types do not have an associated engine argument in the CSF commands (e.g. the signature algorithm
    # in Authenticate Data commands). By default, HAB selects the engine to use for such algorithms based on internal
    # criteria. The Set Engine command overrides the HAB internal criteria in such cases as well. Multiple Set Engine
    # commands may appear anywhere in a CSF after the Header command. Subsequent commands use the engine selected by the
    # most recent Set Engine command.
    #
    # Because the selection is positional, the order of Set Engine commands relative to the Authenticate Data and
    # Decrypt Data commands in the CSF decides which engine each of those commands uses.
    SetEngine:
      # -------------------------------------===== Hash Algorithm [Required] =====--------------------------------------
      # Description: Hash algorithm.
      # Possible options: <sha256>
      SetEngine_HashAlgorithm: sha256
      # -----------------------------------------===== Engine [Required] =====------------------------------------------
      # Description: Engine, use ANY to restore internal HAB criteria.
      # Possible options: <ANY, SAHARA, RTIC, DCP, CAAM, SW>
      SetEngine_Engine: ANY
      # ----------------------------------===== Engine configuration [Optional] =====-----------------------------------
      # Description: Default engine configuration. See the CST manual for more info.
      SetEngine_EngineConfiguration: 0

  #  ====================================== [Example of possible configuration #8] ======================================
    # ------------------------------------------===== Unlock [Required] =====-------------------------------------------
    # Description: The Unlock command prevents specified engine features from being locked when exiting the internal
    # boot ROM. HAB3 does not support the Unlock command. Multiple Unlock commands may appear after the Authenticate CSF
    # command. A feature will be unlocked if specified in one or more Unlock commands.
    #
    # Every feature listed stays unlocked after the boot ROM hands over control, so it remains available to whatever
    # software runs afterwards. Unlock only the features the boot flow actually needs. The values below show the syntax
    # and are not a recommended production setting.
    # NOTE(review): confirm in the HAB documentation for the target device what leaving each listed feature unlocked
    # permits before copying this section into a production CSF.
    Unlock:
      # -----------------------------------------===== Engine [Optional] =====------------------------------------------
      # Description: Engine to unlock.
      # Possible options: <SRTC, CAAM, SNVS, OCOTP>
      Unlock_Engine: OCOTP
      # ----------------------------------------===== Features [Optional] =====-----------------------------------------
      # Description: Comma-separated list of features to unlock.
      Unlock_Features: JTAG, SRK REVOKE

  #  ====================================== [Example of possible configuration #9] ======================================
    # ------------------------------------===== Install Secret Key [Required] =====-------------------------------------
    # Description: This command is applicable from HAB 4.1 onwards and only on processors which include CAAM and SNVS.
    # Each instance of this command generates a CSF command to install a secret key in CAAM's secret key store.
    SecretKey:
      # -------------------------------------------===== Key [Optional] =====-------------------------------------------
      # Description: CMS encrypted data encryption key.
      # The DEK file is key material for the encrypted image and should be access-restricted like a private key.
      # NOTE(review): confirm whether the file the tool reads or writes here holds the key in protected or in plain
      # form before deciding how it is stored and transported.
      SecretKey_Name: dek.bin
      # ---------------------------------------===== Key length [Optional] =====----------------------------------------
      # Description: Key length in bits
      # Possible options: <128, 192, 256>
      SecretKey_Length: 128
      # -----------------------------------===== Verification index [Optional] =====------------------------------------
      # Description: Master KEK index. 0 or 1 OTPMK from fuses. 2 ZMK from SNVS, 3 CMK from SNVS.
      # Possible options: <0, 1, 2, 3>
      SecretKey_VerifyIndex: 0
      # --------------------------------------===== Target index [Required] =====---------------------------------------
      # Description: Target secret key store index.
      # Possible options: <0, 1, 2, 3>
      SecretKey_TargetIndex: 0
      # ----------------------------------------===== Reuse DEK [Optional] =====----------------------------------------
      # Description: If set, the secret key from SecretKey_Name parameter will be used. If not, a random key will be
      # generated and stored.
      # false (a freshly generated key) is the setting consistent with the Decrypt Data description, which states that
      # the same secret key must never be used more than once. If a key is reused, make sure the nonce used by the
      # Decrypt Data command is not also fixed, otherwise the same key/nonce pair protects every image built from this
      # configuration.
      SecretKey_ReuseDek: false

  #  ===================================== [Example of possible configuration #10] ======================================
    # ---------------------------------------===== Decrypt Data [Required] =====----------------------------------------
    # Description: This command is applicable from HAB4.1 onwards. Each instance generates a CSF command to decrypt and
    # authenticate a list of code/data blocks using secret key stored in the secret key store. CST will generate a
    # corresponding AUT_DAT command. CST will encrypt the data blocks in-place in the given files using a secret key
    # and generate MAC data which is appended to the CSF. The secret key index must have been the target key index in a
    # preceding Install Secret Key command. The same secret key must never be used more than once. The secret key used
    # is removed from the secret key store by the Decrypt Data command. A separate Install Secret Key command (which
    # generates a fresh secret key) is required for another Decrypt Data command.
    Decrypt:
      # -----------------------------------===== Verification Index [Required] =====------------------------------------
      # Description: Secret key index in Secret key store.
      # Possible options: <0, 1, 2, 4>
      # NOTE(review): this list differs from SecretKey_TargetIndex (<0, 1, 2, 3>), although the description above
      # requires the index to be the target index of a preceding Install Secret Key command - confirm which is correct.
      Decrypt_VerifyIndex: 0
      # -----------------------------------------===== Engine [Optional] =====------------------------------------------
      # Description: MAC Engine.
      # Possible options: <CAAM, ANY>
      Decrypt_Engine: ANY
      # ----------------------------------===== Engine Configuration [Optional] =====-----------------------------------
      # Description: Configuration flags for the engine. See the CSF manual.
      Decrypt_EngineConfiguration: 0
      # ----------------------------------------===== Mac Bytes [Optional] =====----------------------------------------
      # Description: Size of MAC in bytes. Even value between 4 and 16.
      # 16 is the largest value the description allows; a shorter MAC gives proportionally weaker protection against
      # forged data.
      Decrypt_MacBytes: 16
      # ------------------------------------------===== Nonce [Optional] =====------------------------------------------
      # Description: If set, the nonce from the given file will be used. If not, a random nonce will be generated.
      # A nonce must not repeat for a given secret key. Leaving this unset lets the tool generate a random nonce per
      # export; when a fixed nonce file is supplied (presumably for reproducible output), do not combine it with a
      # reused DEK (SecretKey_ReuseDek) for different image contents.
      Decrypt_Nonce: nonce.bin