Master Boot Image (MBI)


A Master Boot Image can be used directly (e.g. written with the blhost write-memory command) or processed further (e.g. used as input to a Secure Binary image container). The image is created from a supplied configuration file; both JSON and YAML are supported.

MBI images fall into two categories based on layout.

  • eXecute-In-Place (XIP) images
    • Plain
    • CRC
    • Signed
  • Load-to-RAM images
    • Plain
    • CRC
    • Signed images with an HMAC-signed header. Because load-to-RAM copies the image from untrusted media to on-chip RAM, the length field in the header should be authenticated before the copy; hence HMAC-signed headers are used.
    • Encrypted (plain header with HMAC + AES-CBC encrypted).

Example of use

nxpimage: nxpimage mbi export -c <path to config file>

Supported devices for MBI

Supported execution targets are XIP (Execute in place) and Load to RAM; supported image authentication types are Plain, CRC, Signed, Encrypted and NXP Signed.

The following table shows the supported image types for each device.

Target in the table represents outputImageExecutionTarget in the configuration file and authentication in the table represents outputImageAuthenticationType.

Supported devices

Table columns (target / authentication):

  • xip: plain, crc, signed, signed-nxp, signed-encrypted
  • load-to-ram: plain, crc, signed, signed-nxp, signed-encrypted

Table rows (devices): k32w1xx, kw45xx, lpc550x, lpc551x, lpc552x, lpc553x, lpc55s0x, lpc55s1x, lpc55s2x, lpc55s3x, lpc55s6x, mc56f81xxx, mcxa1xx, mcxn23x, mcxn9xx, mwct20d2x, nhs52sxx, rt5xx, rt6xx, rw61x

Note

For LPC55xx (except for the LPC55S36 with external flash), MCXN9xx and MCXN23x the load-to-RAM images are intended only for recovery boot from 1-bit SPI flash.

Supported configuration options

Refer to the documentation below for the supported configuration options for each image type. Note that outputImageExecutionTarget and outputImageAuthenticationType must be filled in, in addition to the basic settings, according to the table of supported devices.

outputImageExecutionTarget: xip # Application target. Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence.
outputImageAuthenticationType: signed # Type of boot image authentication. Specification of the final master boot image authentication.

MBI-A-I-LA-TZM-IST-EATZ

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_MixinLoadAddress
  • Mbi_MixinTrustZoneMandatory
  • Mbi_MixinImageSubType
  • Mbi_ExportMixinAppTrustZone

Schema

Class name: plain

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.
  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.
  • enableTrustZone (boolean): If not specified, TrustZone is disabled.
  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
  • outputImageSubtype (string): Image subtype determines how the image is used in the MCU: "main" for the main application, "nbu" for a Narrow Band Unit image and "recovery" for a recovery image. Must be one of: ["main", "nbu", "recovery"].

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                             == MBI-A-I-LA-TZM-IST-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------------------===== Image SubType [Optional] =====-----------------------------------------
# Description: Image subtype determines the image use in MCU. "main" for main application, "nbu" for Narrow Band Unit
# image and "recovery" for recovery image type.
# Possible options: <main, nbu, recovery>
outputImageSubtype: main

MBI-A-I-LA-TZM-IST-EATZ-ECS

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_MixinLoadAddress
  • Mbi_MixinTrustZoneMandatory
  • Mbi_MixinImageSubType
  • Mbi_ExportMixinAppTrustZone
  • Mbi_ExportMixinCrcSign

Schema

Class name: crc

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.
  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.
  • enableTrustZone (boolean): If not specified, TrustZone is disabled.
  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
  • outputImageSubtype (string): Image subtype determines how the image is used in the MCU: "main" for the main application, "nbu" for a Narrow Band Unit image and "recovery" for a recovery image. Must be one of: ["main", "nbu", "recovery"].

# ================================================  YAML template crc  =================================================

# ======================================================================================================================
#                                           == MBI-A-I-LA-TZM-IST-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------------------===== Image SubType [Optional] =====-----------------------------------------
# Description: Image subtype determines the image use in MCU. "main" for main application, "nbu" for Narrow Band Unit
# image and "recovery" for recovery image type.
# Possible options: <main, nbu, recovery>
outputImageSubtype: main

MBI-A-I-LA-CBV-MD-NS-EACBM-EES

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_MixinLoadAddress
  • Mbi_MixinCertBlockV21
  • Mbi_MixinManifestDigest
  • Mbi_MixinNoSignature
  • Mbi_ExportMixinAppCertBlockManifest
  • Mbi_ExportMixinEccSign

Schema

Class name: signed

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.
  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.
  • certBlock (string, format: file): Path to certificate block binary or config file.
  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
  • enableTrustZone (boolean): If not specified, TrustZone is disabled.
  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
  • firmwareVersion (['number', 'string'], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).
  • manifestDigestHashAlgorithm (string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of: ["sha256", "sha384", "sha521"].
  • noSignature (boolean): When set, the signature is not included. The signature can be added later by an HSM.

# ===============================================  YAML template signed  ===============================================

# ======================================================================================================================
#                                          == MBI-A-I-LA-CBV-MD-NS-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If the value is lower than the value in protected memory, the image is rejected (rollback protection).
firmwareVersion: 0
# --------------------------------===== Manifest signing hash algorithm [Optional] =====--------------------------------
# Description: Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest.
# Possible options: <sha256, sha384, sha521>
manifestDigestHashAlgorithm: sha256
# -----------------------------------------===== No Signature [Optional] =====------------------------------------------
# Description: When set, the signature is not included. The signature can be added later by an HSM.
noSignature: false
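
A pre-export check for the settings described above, as an added example (not part of SPSDK or of the original page). It reads the configuration as JSON, which the page says is supported; the function names, finding codes and the alias-to-short-name mapping are assumptions made for this sketch, and the sample configurations are constructed.

```python
import json

# Allowed values, copied from the schema on this page.
AUTH_VALUES = ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC",
               "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"]
TARGET_VALUES = ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)",
                 "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"]
# ASSUMPTION: which short name each long-form alias stands for; the page lists
# the aliases but does not state the mapping.
AUTH_ALIASES = {"encrypted + signed": "signed-encrypted", "encrypted": "signed-encrypted",
                "nxp signed": "signed-nxp"}
KEY_FIELDS = ("signPrivateKey", "mainRootCertPrivateKeyFile", "signProvider")


def canonical_auth(value):
    """Map an allowed outputImageAuthenticationType value to its short name."""
    low = value.lower()
    return AUTH_ALIASES.get(low, low)


def canonical_target(value):
    """Map an allowed outputImageExecutionTarget value to 'xip' or 'load-to-ram'."""
    return "xip" if "xip" in value.lower() else "load-to-ram"


def parse_sign_provider(text):
    """Parse 'type=<sp_type>;<key1>=<value1>;...' into a dict; ValueError if malformed."""
    params = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed signProvider element: {part!r}")
        params[key.strip()] = value.strip()
    if "type" not in params:
        raise ValueError("signProvider has no 'type' element")
    return params


def lint_mbi_config(cfg):
    """Return a sorted list of (severity, code) findings for one MBI config dict."""
    auth_raw = cfg.get("outputImageAuthenticationType")
    target_raw = cfg.get("outputImageExecutionTarget")
    if auth_raw not in AUTH_VALUES:
        return [("error", "bad-auth-type")]
    if target_raw not in TARGET_VALUES:
        return [("error", "bad-target")]
    auth, target = canonical_auth(auth_raw), canonical_target(target_raw)
    findings = []
    if auth in ("plain", "crc"):
        # A CRC detects corruption only; whoever can rewrite the image can recompute it.
        findings.append(("warning", "unauthenticated-image"))
        if target == "load-to-ram":
            # The length field comes from untrusted media and is not authenticated
            # before the copy to on-chip RAM.
            findings.append(("warning", "ram-copy-unauthenticated-length"))
    if auth in ("signed", "signed-nxp"):  # the two signed schemas shown on this page
        if not cfg.get("certBlock"):
            findings.append(("error", "missing-cert-block"))
        if cfg.get("noSignature"):
            # Output carries no signature until the later HSM step adds one.
            findings.append(("warning", "unsigned-output"))
        elif not any(cfg.get(field) for field in KEY_FIELDS):
            findings.append(("error", "missing-signing-key"))
        if cfg.get("signProvider"):
            try:
                parse_sign_provider(str(cfg["signProvider"]))
            except ValueError:
                findings.append(("error", "bad-sign-provider"))
        if "firmwareVersion" not in cfg:
            # Rollback protection compares this value with Secure_FW_Version.
            findings.append(("warning", "no-firmware-version"))
    return sorted(findings)


def lint_json(text):
    """Lint a configuration supplied as JSON text."""
    return lint_mbi_config(json.loads(text))


# Constructed sample configurations; file names are the page's template placeholders.
CRC_RAM = """{"family": "lpc55s6x", "outputImageExecutionTarget": "RAM",
  "outputImageAuthenticationType": "CRC", "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0}"""
SIGNED_OK = """{"family": "lpc55s6x", "outputImageExecutionTarget": "xip",
  "outputImageAuthenticationType": "signed", "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0,
  "certBlock": "cert_block.yaml", "signProvider": "type=file;file_path=my_prv_key.pem",
  "firmwareVersion": 3}"""
SIGNED_GAPS = """{"family": "lpc55s6x", "outputImageExecutionTarget": "xip",
  "outputImageAuthenticationType": "Signed", "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0,
  "signPrivateKey": "main_prv_key.pem", "noSignature": true}"""

if __name__ == "__main__":
    for name, text in (("crc/ram", CRC_RAM), ("signed", SIGNED_OK), ("gaps", SIGNED_GAPS)):
        print(name, lint_json(text))
```

Run it in the build pipeline before nxpimage mbi export and fail the job on any "error" finding; whether warnings should also block a release build is a project decision.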

MBI-A-I-LA-CBV-MD-IST-NS-EACBM-EES

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_MixinLoadAddress
  • Mbi_MixinCertBlockV21
  • Mbi_MixinManifestDigest
  • Mbi_MixinImageSubType
  • Mbi_MixinNoSignature
  • Mbi_ExportMixinAppCertBlockManifest
  • Mbi_ExportMixinEccSign

Schema

Class name: nxp_signed

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.
  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.
  • certBlock (string, format: file): Path to certificate block binary or config file.
  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
  • enableTrustZone (boolean): If not specified, TrustZone is disabled.
  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
  • firmwareVersion (['number', 'string'], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).
  • manifestDigestHashAlgorithm (string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of: ["sha256", "sha384", "sha521"].
  • outputImageSubtype (string): Image subtype determines how the image is used in the MCU: "main" for the main application, "nbu" for a Narrow Band Unit image and "recovery" for a recovery image. Must be one of: ["main", "nbu", "recovery"].
  • noSignature (boolean): When set, the signature is not included. The signature can be added later by an HSM.

# =============================================  YAML template nxp_signed  =============================================

# ======================================================================================================================
#                                        == MBI-A-I-LA-CBV-MD-IST-NS-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If the value is lower than the value in protected memory, the image is rejected (rollback protection).
firmwareVersion: 0
# --------------------------------===== Manifest signing hash algorithm [Optional] =====--------------------------------
# Description: Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest.
# Possible options: <sha256, sha384, sha521>
manifestDigestHashAlgorithm: sha256
# -----------------------------------------===== Image SubType [Optional] =====-----------------------------------------
# Description: Image subtype determines the image use in MCU. "main" for main application, "nbu" for Narrow Band Unit
# image and "recovery" for recovery image type.
# Possible options: <main, nbu, recovery>
outputImageSubtype: main
# -----------------------------------------===== No Signature [Optional] =====------------------------------------------
# Description: When set, the signature is not included. The signature can be added later by an HSM.
noSignature: false

MBI-A-I-EA

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_ExportMixinApp

Schema

Class name: plain

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                                    == MBI-A-I-EA ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin

MBI-A-I-EA-ECS

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_ExportMixinApp
  • Mbi_ExportMixinCrcSign

Schema

Class name: crc_xip

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

# ==============================================  YAML template crc_xip  ===============================================

# ======================================================================================================================
#                                                  == MBI-A-I-EA-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified into a Master Boot Image.
inputImageFile: my_application.bin

MBI-A-I-LA-EA-ECS

MBI Mixins

  • MasterBootImage
  • Mbi_MixinApp
  • Mbi_MixinIvt
  • Mbi_MixinLoadAddress
  • Mbi_ExportMixinApp
  • Mbi_ExportMixinCrcSign

Schema

Class name: crc_ram

  • family (string): MCU family name.
  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].
  • outputImageAuthenticationType (string): Specification of the final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].
  • masterBootOutputFile (string, format: file_name): The path for the resulting binary file.
  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.
  • outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise the load address in XiP.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                                == MBI-A-I-LA-EA-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-IV-I-LA-EA

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinImageVersion

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_ExportMixinApp

Schema

Class name: plain

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                                 == MBI-A-IV-I-LA-EA ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-IV-I-LA-EA-ECS

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinImageVersion

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_ExportMixinApp

  • Mbi_ExportMixinCrcSign

Schema

Class name: crc_ram

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                               == MBI-A-IV-I-LA-EA-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-I-TZ-HK-EATZ

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZone

Schema

Class name: plain

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                                == MBI-A-I-TZ-HK-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false

MBI-A-I-TZ-LA-EATZ-ECS

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinLoadAddress

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema

Class name: crc_ram

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                              == MBI-A-I-TZ-LA-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-I-LA-TZ-HK-EATZ-ECS

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_MixinTrustZone

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema

Class name: crc_xip

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ==============================================  YAML template crc_xip  ===============================================

# ======================================================================================================================
#                                            == MBI-A-I-LA-TZ-HK-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false

MBI-A-I-TZ-LA-CBV-EATZCB-ERS

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinLoadAddress

  • Mbi_MixinCertBlockV1

  • Mbi_ExportMixinAppTrustZoneCertBlock

  • Mbi_ExportMixinRsaSign

Schema

Class name: signed_ram

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

# =============================================  YAML template signed_ram  =============================================

# ======================================================================================================================
#                                           == MBI-A-I-TZ-LA-CBV-EATZCB-ERS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem

MBI-A-I-LA-TZ-CBV-HK-EATZCB-ERS

MBI Mixins

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_MixinTrustZone

  • Mbi_MixinCertBlockV1

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZoneCertBlock

  • Mbi_ExportMixinRsaSign

Schema

Class name: signed_xip

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# =============================================  YAML template signed_xip  =============================================

# ======================================================================================================================
#                                         == MBI-A-I-LA-TZ-CBV-HK-EATZCB-ERS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false

MBI-A-I-TZ-EATZ#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_ExportMixinAppTrustZone

Schema#

Class name: plain#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                                 == MBI-A-I-TZ-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml

MBI-A-I-TZ-EATZ-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

# ==============================================  YAML template crc_xip  ===============================================

# ======================================================================================================================
#                                               == MBI-A-I-TZ-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml

MBI-A-I-TZ-CBV-EATZCB-ERS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinCertBlockV1

  • Mbi_ExportMixinAppTrustZoneCertBlock

  • Mbi_ExportMixinRsaSign

Schema#

Class name: signed_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

# =============================================  YAML template signed_xip  =============================================

# ======================================================================================================================
#                                            == MBI-A-I-TZ-CBV-EATZCB-ERS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem

MBI-A-IV-I-TZM-LA-EATZ#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinImageVersion

  • Mbi_MixinIvt

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinLoadAddress

  • Mbi_ExportMixinAppTrustZone

Schema#

Class name: plain#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ===============================================  YAML template plain  ================================================

# ======================================================================================================================
#                                              == MBI-A-IV-I-TZM-LA-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-IV-I-TZM-LA-EATZ-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinImageVersion

  • Mbi_MixinIvt

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinLoadAddress

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                            == MBI-A-IV-I-TZM-LA-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0

MBI-A-IV-I-CBV-MD-LA-FV-EACBM-EES#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinImageVersion

  • Mbi_MixinIvt

  • Mbi_MixinCertBlockV21

  • Mbi_MixinManifestDigest

  • Mbi_MixinLoadAddress

  • Mbi_MixinFwVersion

  • Mbi_ExportMixinAppCertBlockManifest

  • Mbi_ExportMixinEccSign

Schema#

Class name: signed#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • firmwareVersion ([‘number’, ‘string’], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).

  • manifestDigestHashAlgorithm (string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of: ["sha256", "sha384", "sha521"].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

# ===============================================  YAML template signed  ===============================================

# ======================================================================================================================
#                                        == MBI-A-IV-I-CBV-MD-LA-FV-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU
# specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).
firmwareVersion: 0
# --------------------------------===== Manifest signing hash algorithm [Optional] =====--------------------------------
# Description: Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest.
# Possible options: <sha256, sha384, sha521>
manifestDigestHashAlgorithm: sha256
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
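
A pre-export review of the security-relevant options documented above (authentication type, signPrivateKey versus signProvider, firmwareVersion, enableHwUserModeKeys), as an added example that is not part of SPSDK. The finding codes, the alias mapping, the accepted string spellings and the `example_hsm` provider type are assumptions of this example, and the JSON configurations are constructed samples.

```python
import json

# Canonical values and aliases come from the "Possible options" lists on this
# page; which alias maps to which canonical value is an assumption of this example.
AUTH = {"plain": "plain", "crc": "crc", "signed": "signed",
        "signed-encrypted": "signed-encrypted", "signed-nxp": "signed-nxp",
        "encrypted + signed": "signed-encrypted", "encrypted": "signed-encrypted",
        "nxp signed": "signed-nxp"}
TARGET = {"xip": "xip", "internal flash (xip)": "xip", "external flash (xip)": "xip",
          "load-to-ram": "load-to-ram", "ram": "load-to-ram"}
KEY_FIELDS = ("signPrivateKey", "mainRootCertPrivateKeyFile")


def to_int(value):
    """Numeric fields are typed number-or-string, so accept 16 as well as "0x10"."""
    if isinstance(value, float):
        return int(value)
    return value if isinstance(value, int) else int(str(value), 0)


def to_bool(value):
    """Boolean-or-string field; the accepted string spellings are an assumption."""
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "yes"}
    return bool(value)


def review_mbi_config(cfg, secure_fw_counter=0):
    """Return (severity, code, message) findings for one MBI configuration dict.

    secure_fw_counter is the Secure_FW_Version value the caller expects on the
    target device (supplied by the caller, not read from hardware).
    """
    findings = []
    auth = AUTH.get(str(cfg.get("outputImageAuthenticationType", "")).strip().lower())
    target = TARGET.get(str(cfg.get("outputImageExecutionTarget", "")).strip().lower())
    if auth is None or target is None:
        findings.append(("error", "unset-type", "execution target or authentication "
                         "type is missing or still CHOOSE_FROM_TABLE"))
    if auth in ("plain", "crc"):
        where = " and is copied to RAM from untrusted media" if target == "load-to-ram" else ""
        findings.append(("warn", "unauthenticated",
                         f"'{auth}' image carries no signature{where}; "
                         "a CRC only detects accidental corruption"))
    if auth in ("signed", "signed-encrypted"):
        keys = [field for field in KEY_FIELDS if cfg.get(field)]
        provider = str(cfg.get("signProvider") or "")
        if not cfg.get("certBlock"):
            findings.append(("error", "no-cert-block", "certBlock is required for signed images"))
        if not keys and not provider:
            findings.append(("error", "no-signer", "set signPrivateKey or signProvider"))
        if keys and provider:
            findings.append(("warn", "two-signers", "a key file and signProvider are both "
                             "set; keep one so it is unambiguous which key signs"))
        if keys or provider.replace(" ", "").startswith("type=file"):
            findings.append(("warn", "key-on-disk",
                             "signing key is a file readable on the build host"))
    if "firmwareVersion" in cfg and to_int(cfg["firmwareVersion"]) < secure_fw_counter:
        findings.append(("error", "rollback-rejected", "firmwareVersion is lower than the "
                         "expected Secure_FW_Version counter; the image would be rejected"))
    if to_bool(cfg.get("enableHwUserModeKeys", False)):
        findings.append(("warn", "hw-keys-exposed", "non-secure application can access "
                         "keys on the hardware secure bus"))
    return findings


def codes(text, secure_fw_counter=0):
    """Parse a JSON configuration and return only the finding codes, in order."""
    return [code for _, code, _ in review_mbi_config(json.loads(text), secure_fw_counter)]


# Constructed sample: CRC image loaded to RAM, written with the alias spellings.
SAMPLE_CRC_RAM = """{"family": "lpc55s3x", "outputImageExecutionTarget": "RAM",
 "outputImageAuthenticationType": "CRC", "masterBootOutputFile": "my_mbi.bin",
 "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0}"""

# Constructed sample: signed template left with both signers filled in, as the
# template above ships, plus hardware key sharing switched on as a string.
SAMPLE_SIGNED_HK = """{"family": "lpc55s3x", "outputImageExecutionTarget": "load-to-ram",
 "outputImageAuthenticationType": "signed", "masterBootOutputFile": "my_mbi.bin",
 "inputImageFile": "my_application.bin", "certBlock": "cert_block.yaml",
 "signPrivateKey": "main_prv_key.pem",
 "signProvider": "type=file;file_path=my_prv_key.pem",
 "enableHwUserModeKeys": "true"}"""

# Constructed sample: one signer behind a hypothetical non-file provider type.
SAMPLE_SIGNED_FV = """{"family": "lpc55s3x", "outputImageExecutionTarget": "xip",
 "outputImageAuthenticationType": "signed", "masterBootOutputFile": "my_mbi.bin",
 "inputImageFile": "my_application.bin", "certBlock": "cert_block.yaml",
 "signProvider": "type=example_hsm;key_id=1", "firmwareVersion": "0x2"}"""

if __name__ == "__main__":
    for name in ("SAMPLE_CRC_RAM", "SAMPLE_SIGNED_HK", "SAMPLE_SIGNED_FV"):
        for severity, code, message in review_mbi_config(json.loads(globals()[name]), 3):
            print(f"{name}: {severity}: {code}: {message}")
```
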

MBI-A-B-CBV-EAB-EESV#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinBca

  • Mbi_MixinCertBlockVx

  • Mbi_ExportMixinAppBca

  • Mbi_ExportMixinEccSignVx

Schema#

Class name: signed_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • firmwareVersion ([‘number’, ‘string’], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).

  • certBlock (string, format: file): Path to certificate block.

  • addCertHash (boolean): Not mandatory if the hash is written in OTP.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

# =============================================  YAML template signed_xip  =============================================

# ======================================================================================================================
#                                               == MBI-A-B-CBV-EAB-EESV ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ---------------------------------===== Certificate Block binary file [Required] =====---------------------------------
# Description: Path to certificate block.
certBlock: cert_block.bin
# --------------===== True to append SHA256 hash [0:127] at the end of certificate block [Optional] =====---------------
# Description: Not mandatory if the hash is written in OTP
addCertHash: true
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem

MBI-A-I-IV-EA#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinApp

Schema#

Class name: plain_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template plain_xip  ==============================================

# ======================================================================================================================
#                                                  == MBI-A-I-IV-EA ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-IV-EA-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinApp

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# ==============================================  YAML template crc_xip  ===============================================

# ======================================================================================================================
#                                                == MBI-A-I-IV-EA-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-TZM-LA-IV-EATZ#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinLoadAddress

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinAppTrustZone

Schema#

Class name: plain_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template plain_xip  ==============================================

# ======================================================================================================================
#                                              == MBI-A-I-TZM-LA-IV-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-TZM-LA-IV-EATZ-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinLoadAddress

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                            == MBI-A-I-TZM-LA-IV-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-LA-CBV-MC-IST-IV-FV-EACBM-EES#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_MixinCertBlockV21

  • Mbi_MixinManifestCrc

  • Mbi_MixinImageSubType

  • Mbi_MixinImageVersion

  • Mbi_MixinFwVersion

  • Mbi_ExportMixinAppCertBlockManifest

  • Mbi_ExportMixinEccSign

Schema#

Class name: signed_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in the format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • firmwareVersion ([‘number’, ‘string’], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).

  • outputImageSubtype (string): The image subtype determines how the image is used in the MCU: “main” for the main application, “nbu” for a Narrow Band Unit image and “recovery” for a recovery image. Must be one of: ["main", "nbu", "recovery"].

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template signed_xip  =============================================

# ======================================================================================================================
#                                      == MBI-A-I-LA-CBV-MC-IST-IV-FV-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# -----------------------------------------===== Image SubType [Optional] =====-----------------------------------------
# Description: Image subtype determine the image use in MCU. "main" for main application, "nbu" for Narrow Band Unit
# image and "recovery" for recovery image type
# Possible options: <main, nbu, recovery>
outputImageSubtype: main
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-CBV-MC-IST-LA-IV-FV-EACBM-EES#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinCertBlockV21

  • Mbi_MixinManifestCrc

  • Mbi_MixinImageSubType

  • Mbi_MixinLoadAddress

  • Mbi_MixinImageVersion

  • Mbi_MixinFwVersion

  • Mbi_ExportMixinAppCertBlockManifest

  • Mbi_ExportMixinEccSign

Schema#

Class name: signed_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): Path of the resulting binary file.

  • inputImageFile (string, format: file): The input application image to be modified into a Master Boot Image.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in the format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • firmwareVersion ([‘number’, ‘string’], format: number): Value compared with the Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).

  • outputImageSubtype (string): The image subtype determines how the image is used in the MCU: “main” for the main application, “nbu” for a Narrow Band Unit image and “recovery” for a recovery image. Must be one of: ["main", "nbu", "recovery"].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template signed_ram  =============================================

# ======================================================================================================================
#                                      == MBI-A-I-CBV-MC-IST-LA-IV-FV-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to by modified to Master Boot Image.
inputImageFile: my_application.bin
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If the value is lower than the value in protected memory, the image is rejected (rollback protection).
firmwareVersion: 0
# -----------------------------------------===== Image SubType [Optional] =====-----------------------------------------
# Description: Image subtype determines how the image is used in the MCU: "main" for main application, "nbu" for
# Narrow Band Unit image and "recovery" for recovery image type.
# Possible options: <main, nbu, recovery>
outputImageSubtype: main
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-TZM-IV-EATZ#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinAppTrustZone

Schema#

Class name: plain_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template plain_xip  ==============================================

# ======================================================================================================================
#                                               == MBI-A-I-TZM-IV-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-LA-TZM-IV-EATZ-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinLoadAddress

  • Mbi_MixinTrustZoneMandatory

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_xip#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# ==============================================  YAML template crc_xip  ===============================================

# ======================================================================================================================
#                                            == MBI-A-I-LA-TZM-IV-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0

MBI-A-I-TZ-LA-HK-EATZ#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinLoadAddress

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZone

Schema#

Class name: plain_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# =============================================  YAML template plain_ram  ==============================================

# ======================================================================================================================
#                                              == MBI-A-I-TZ-LA-HK-EATZ ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false

MBI-A-RT-LA-I-TZ-CBV-HM-KS-HK-EATZCB-ERS-EHKSF#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinRelocTable

  • Mbi_MixinLoadAddress

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinCertBlockV1

  • Mbi_MixinHmacMandatory

  • Mbi_MixinKeyStore

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZoneCertBlock

  • Mbi_ExportMixinRsaSign

  • Mbi_ExportMixinHmacKeyStoreFinalize

Schema#

Class name: signed_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.

    • Items (object)

      • binary (string, format: file, required): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’], format: number, required): Destination address in RAM of additional binary.

      • load (boolean, required): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • outputImageEncryptionKeyFile (string): The OTP Master key that is used to compute HMAC encryption key. Could be defined as hex number and also as hex/binary file. The tool derives the HMAC key as AES_ENCRYPT(OTP_MASTER_KEK, 0x00000000000000000000000000000000).

  • keyStoreFile (string, format: optional_file): Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# =============================================  YAML template signed_ram  =============================================

# ======================================================================================================================
#                                  == MBI-A-RT-LA-I-TZ-CBV-HM-KS-HK-EATZCB-ERS-EHKSF ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== The list of additional binaries [Optional] =====--------------------------------
# Description: This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.
applicationTable:
  -
    # ----------------------------------------===== Binary file [Required] =====----------------------------------------
    # Description: The binary file to be added to final application.
    binary: my_additional_binary.bin
    # ------------------------------------===== Destination address [Required] =====------------------------------------
    # Description: Destination address in RAM of additional binary.
    destAddress: 536870912
    # ----------------------------------------===== Enable load [Required] =====----------------------------------------
    # Description: Enabler to load/use the image.
    load: true
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# -----------------------------------===== OTP Master key (HMAC Key) [Required] =====-----------------------------------
# Description: The OTP Master key that is used to compute HMAC encryption key. Could be defined as hex number and also
# as hex/binary file. The tool derives the HMAC key as AES_ENCRYPT(OTP_MASTER_KEK,
# 0x00000000000000000000000000000000).
outputImageEncryptionKeyFile: otp_master_key.bin
# ------------------------------------===== The Key store data file [Optional] =====------------------------------------
# Description: Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added
# into MBI.
keyStoreFile: my_key_store_data.bin
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false
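
A configuration built from the signed_ram template above can be checked before it is passed to nxpimage mbi export. The linter below is an added example, not part of SPSDK or of the original page; it reads the JSON form of the configuration, and its alias sets, its warning policy and the sample configuration (including the rt5xx family choice) are assumptions of this example.

```python
import json
import re

# Allowed values and [Required] keys are copied from the signed_ram schema and template.
EXEC_TARGETS = {"xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)",
                "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"}
AUTH_TYPES = {"plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC",
              "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"}
REQUIRED = ("family", "outputImageExecutionTarget", "outputImageAuthenticationType",
            "masterBootOutputFile", "inputImageFile", "outputImageExecutionAddress",
            "certBlock", "outputImageEncryptionKeyFile", "enableHwUserModeKeys")
SIGNING_KEYS = ("signPrivateKey", "mainRootCertPrivateKeyFile", "signProvider")
# Assumptions of this example: the aliases that select load-to-RAM and signed images.
RAM_ALIASES = {"load-to-ram", "RAM", "ram"}
SIGNED_ALIASES = {"signed", "Signed"}
PLACEHOLDER = "CHOOSE_FROM_TABLE"
INLINE_HEX_KEY = re.compile(r"(0x)?[0-9a-fA-F]{32,}")


def as_bool(value):
    # enableHwUserModeKeys is a boolean or a string in the schema.
    return value if isinstance(value, bool) else str(value).strip().lower() in {"1", "true"}


def as_int(value):
    """Addresses are numbers or strings such as "0x20000000"."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    return int(str(value), 0)


def check_choice(cfg, key, allowed, expected, errors):
    value = cfg.get(key, PLACEHOLDER)
    if value == PLACEHOLDER:
        return  # already reported as missing or unfilled
    if not isinstance(value, str) or value not in allowed:
        errors.append(f"{key}: {value!r} is not an allowed value")
    elif value not in expected:
        errors.append(f"{key}: {value!r} does not select a signed load-to-RAM image")


def lint_signed_ram(text):
    """Return (errors, warnings) for a signed_ram MBI configuration given as JSON text."""
    cfg = json.loads(text)
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in cfg:
            errors.append(f"{key}: required key is missing")
        elif cfg[key] == PLACEHOLDER:
            errors.append(f"{key}: template placeholder not replaced")
    check_choice(cfg, "outputImageExecutionTarget", EXEC_TARGETS, RAM_ALIASES, errors)
    check_choice(cfg, "outputImageAuthenticationType", AUTH_TYPES, SIGNED_ALIASES, errors)
    # The private key is conditionally required: a key file or a signature provider.
    sources = [k for k in SIGNING_KEYS if cfg.get(k)]
    if not sources:
        errors.append("no signing key: set signPrivateKey or signProvider")
    elif len(sources) > 1:
        warnings.append("more than one signing source set: " + ", ".join(sources))
    parts = [p for p in str(cfg.get("signProvider") or "").split(";") if p]
    if parts and not (all("=" in p for p in parts)
                      and any(p.split("=", 1)[0] == "type" for p in parts)):
        errors.append("signProvider: expected type=<sp_type>;<key1>=<value1>;...")
    # The OTP master key may be a hex number: flag key material kept in the config itself.
    if INLINE_HEX_KEY.fullmatch(str(cfg.get("outputImageEncryptionKeyFile", ""))):
        warnings.append("outputImageEncryptionKeyFile: OTP master key is inline in the config")
    if as_bool(cfg.get("enableHwUserModeKeys", False)):
        warnings.append("enableHwUserModeKeys: non-secure application can access hardware keys")
    addresses = [("outputImageExecutionAddress", cfg.get("outputImageExecutionAddress"))]
    for i, item in enumerate(cfg.get("applicationTable", [])):
        for key in ("binary", "destAddress", "load"):
            if key not in item:
                errors.append(f"applicationTable[{i}]: required key {key} is missing")
        addresses.append((f"applicationTable[{i}].destAddress", item.get("destAddress")))
    for name, value in addresses:
        try:
            as_int(0 if value is None else value)
        except ValueError:
            errors.append(f"{name}: {value!r} is not a number")
    return errors, warnings


# Constructed sample: the template filled in carelessly (not a configuration from the page).
SAMPLE = json.dumps({
    "family": "rt5xx", "outputImageExecutionTarget": "RAM",
    "outputImageAuthenticationType": "CHOOSE_FROM_TABLE",
    "masterBootOutputFile": "my_mbi.bin", "inputImageFile": "my_application.bin",
    "applicationTable": [{"binary": "my_additional_binary.bin", "destAddress": "0x20000000"}],
    "outputImageExecutionAddress": 0, "certBlock": "cert_block.yaml",
    "signPrivateKey": "main_prv_key.pem", "signProvider": "type=file;file_path=my_prv_key.pem",
    "outputImageEncryptionKeyFile": "0123456789abcdef" * 4, "enableHwUserModeKeys": "1",
})

if __name__ == "__main__":
    for level, found in zip(("ERROR", "WARNING"), lint_signed_ram(SAMPLE)):
        print(*(f"{level}: {m}" for m in found), sep="\n")
```

Errors are conditions the schema itself rules out; warnings are this example's policy for settings that are valid but widen key exposure.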

MBI-A-RT-LA-I-TZ-HK-EATZ-ECS#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinRelocTable

  • Mbi_MixinLoadAddress

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinHwKey

  • Mbi_ExportMixinAppTrustZone

  • Mbi_ExportMixinCrcSign

Schema#

Class name: crc_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.

    • Items (object)

      • binary (string, format: file, required): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’], format: number, required): Destination address in RAM of additional binary.

      • load (boolean, required): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

# ==============================================  YAML template crc_ram  ===============================================

# ======================================================================================================================
#                                           == MBI-A-RT-LA-I-TZ-HK-EATZ-ECS ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== The list of additional binaries [Optional] =====--------------------------------
# Description: This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.
applicationTable:
  -
    # ----------------------------------------===== Binary file [Required] =====----------------------------------------
    # Description: The binary file to be added to final application.
    binary: my_additional_binary.bin
    # ------------------------------------===== Destination address [Required] =====------------------------------------
    # Description: Destination address in RAM of additional binary.
    destAddress: 536870912
    # ----------------------------------------===== Enable load [Required] =====----------------------------------------
    # Description: Enabler to load/use the image.
    load: true
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, the Trust zone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure
# bus from non-secure application, else non-secure application will read zeros.
enableHwUserModeKeys: false

MBI-A-RT-LA-I-TZ-CBV-HK-KS-HM-CIV-EATZCBE-ERS-EHKSF#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinRelocTable

  • Mbi_MixinLoadAddress

  • Mbi_MixinIvt

  • Mbi_MixinTrustZone

  • Mbi_MixinCertBlockV1

  • Mbi_MixinHwKey

  • Mbi_MixinKeyStore

  • Mbi_MixinHmacMandatory

  • Mbi_MixinCtrInitVector

  • Mbi_ExportMixinAppTrustZoneCertBlockEncrypt

  • Mbi_ExportMixinRsaSign

  • Mbi_ExportMixinHmacKeyStoreFinalize

Schema#

Class name: encrypted_signed_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • applicationTable (array): This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load additional images.

    • Items (object)

      • binary (string, format: file, required): The binary file to be added to final application.

      • destAddress ([‘string’, ‘number’], format: number, required): Destination address in RAM of additional binary.

      • load (boolean, required): Enabler to load/use the image.

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • enableTrustZone (boolean): If not specified, the Trust zone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableHwUserModeKeys ([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.

  • keyStoreFile (string, format: optional_file): Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.

  • outputImageEncryptionKeyFile (string): The OTP Master key that is used to compute the HMAC encryption key. It can be given as a hex number or as a hex/binary file. The tool derives the HMAC key as AES_ENCRYPT(OTP_MASTER_KEK, 0x00000000000000000000000000000000).

  • CtrInitVector (string): The initial vector for the encryption counter. It can be given as a hex number or as a hex/binary file.

# ========================================  YAML template encrypted_signed_ram  ========================================

# ======================================================================================================================
#                               == MBI-A-RT-LA-I-TZ-CBV-HK-KS-HM-CIV-EATZCBE-ERS-EHKSF ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# --------------------------------===== The list of additional binaries [Optional] =====--------------------------------
# Description: This is a software feature of the RTxxx family: the NXP SDK startup code (not the ROM) can load
# additional images.
applicationTable:
  -
    # ----------------------------------------===== Binary file [Required] =====----------------------------------------
    # Description: The binary file to be added to final application.
    binary: my_additional_binary.bin
    # ------------------------------------===== Destination address [Required] =====------------------------------------
    # Description: Destination address in RAM of additional binary.
    destAddress: 536870912
    # ----------------------------------------===== Enable load [Required] =====----------------------------------------
    # Description: Enabler to load/use the image.
    load: true
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, TrustZone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ----------------------------------===== Enable User HW key sharing [Required] =====-----------------------------------
# Description: Controls the secure hardware key bus. If enabled (1), keys on the hardware secure bus can be accessed
# from a non-secure application; otherwise a non-secure application reads zeros.
enableHwUserModeKeys: false
# ------------------------------------===== The Key store data file [Optional] =====------------------------------------
# Description: Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added
# into MBI.
keyStoreFile: my_key_store_data.bin
# -----------------------------------===== OTP Master key (HMAC Key) [Required] =====-----------------------------------
# Description: The OTP Master key that is used to compute the HMAC encryption key. It can be given as a hex number or
# as a hex/binary file. The tool derives the HMAC key as AES_ENCRYPT(OTP_MASTER_KEK,
# 0x00000000000000000000000000000000).
outputImageEncryptionKeyFile: otp_master_key.bin
# ---------------===== The output image encryption initial vector for encryption counter [Optional] =====---------------
# Description: The initial vector for the encryption counter. It can be given as a hex number or as a hex/binary file.
CtrInitVector: '0xc3df2316fd40b15586cb5ae49483aee2'
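
A pre-export audit of the configuration above, as an added example (not part of SPSDK or nxpimage): it takes the config already parsed into a dict and reports unfilled placeholders, values outside the schema's lists, and the key-handling settings the descriptions call out. The function name, the severity labels and the checks themselves are this example's assumptions; the allowed values and the template IV are copied from this page.

```python
import re

# Allowed values copied from the schema on this page.
TARGETS = {"xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)",
           "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"}
AUTH_TYPES = {"plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC",
              "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"}
PLACEHOLDER = "CHOOSE_FROM_TABLE"
TEMPLATE_IV = "0xc3df2316fd40b15586cb5ae49483aee2"  # sample IV printed in the template
INLINE_HEX = re.compile(r"^(0x)?[0-9a-fA-F]{32,}$")  # heuristic: key typed in as hex


def audit_mbi_config(cfg):
    """Return (severity, key, message) findings for a parsed MBI config dict."""
    out = []
    for key, allowed in (("family", None), ("outputImageExecutionTarget", TARGETS),
                         ("outputImageAuthenticationType", AUTH_TYPES)):
        value = cfg.get(key)
        if value in (None, PLACEHOLDER):
            out.append(("error", key, "required value not chosen"))
        elif allowed is not None and value not in allowed:
            out.append(("error", key, f"{value!r} is not an allowed option"))
    has_key, has_provider = "signPrivateKey" in cfg, "signProvider" in cfg
    if not (has_key or has_provider):
        out.append(("error", "signPrivateKey", "no signing key or signProvider given"))
    elif has_key and has_provider:
        out.append(("warn", "signProvider", "two signing sources set; keep only one"))
    # The schema allows a boolean or a string, and the description says "enabled(1)".
    if str(cfg.get("enableHwUserModeKeys", "")).strip().lower() in {"true", "1"}:
        out.append(("warn", "enableHwUserModeKeys",
                    "non-secure code can access keys on the secure hardware key bus"))
    if str(cfg.get("CtrInitVector", "")).lower() == TEMPLATE_IV:
        out.append(("warn", "CtrInitVector", "IV copied from the documentation template"))
    if INLINE_HEX.match(str(cfg.get("outputImageEncryptionKeyFile", ""))):
        out.append(("warn", "outputImageEncryptionKeyFile",
                    "OTP master key embedded in the config as a hex literal"))
    return out

# Constructed sample: the template above as shipped, already parsed into a dict.
TEMPLATE_AS_SHIPPED = {
    "family": PLACEHOLDER, "outputImageExecutionTarget": PLACEHOLDER,
    "outputImageAuthenticationType": PLACEHOLDER,
    "signPrivateKey": "main_prv_key.pem",
    "signProvider": "type=file;file_path=my_prv_key.pem",
    "enableHwUserModeKeys": False, "CtrInitVector": TEMPLATE_IV,
    "outputImageEncryptionKeyFile": "otp_master_key.bin",
}
for finding in audit_mbi_config(TEMPLATE_AS_SHIPPED):
    print(*finding, sep=" | ")
```

Run against the unmodified template it reports the three unfilled required fields, the duplicated signing source and the reused sample IV.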

MBI-A-I-CBV-MD-LA-FV-IV-EACBM-EES#

MBI Mixins#

  • MasterBootImage

  • Mbi_MixinApp

  • Mbi_MixinIvt

  • Mbi_MixinCertBlockV21

  • Mbi_MixinManifestDigest

  • Mbi_MixinLoadAddress

  • Mbi_MixinFwVersion

  • Mbi_MixinImageVersion

  • Mbi_ExportMixinAppCertBlockManifest

  • Mbi_ExportMixinEccSign

Schema#

Class name: signed_ram#

  • family (string): MCU family name.

  • outputImageExecutionTarget (string): Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence. Must be one of: ["xip", "load-to-ram", "Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram"].

  • outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ["plain", "crc", "signed", "signed-encrypted", "signed-nxp", "Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "NXP signed", "encrypted"].

  • masterBootOutputFile (string, format: file_name): The path for result binary file.

  • inputImageFile (string, format: file): The input application image to be modified to Master Boot Image.

  • certBlock (string, format: file): Path to certificate block binary or config file.

  • mainRootCertPrivateKeyFile (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signPrivateKey (string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.

  • signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.

  • enableTrustZone (boolean): If not specified, TrustZone is disabled.

  • trustZonePresetFile (string, format: optional_file): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.

  • firmwareVersion ([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If the value is lower than the value in protected memory, the image is rejected (rollback protection).

  • manifestDigestHashAlgorithm (string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of: ["sha256", "sha384", "sha521"].

  • outputImageExecutionAddress ([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.

  • imageVersion ([‘number’, ‘string’], format: number): Image version is used for dual boot. The boot ROM decides which image to boot first based on the image version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.

# =============================================  YAML template signed_ram  =============================================

# ======================================================================================================================
#                                        == MBI-A-I-CBV-MD-LA-FV-IV-EACBM-EES ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
family: CHOOSE_FROM_TABLE
# --------------------------------------===== Application target [Required] =====---------------------------------------
# Description: Defines whether the application is Execute in Place (XiP) or loaded to RAM during the reset sequence.
# Possible options: <xip, load-to-ram, Internal flash (XIP), External flash (XIP), Internal Flash (XIP), External Flash
# (XIP), RAM, ram>
outputImageExecutionTarget: CHOOSE_FROM_TABLE
# -------------------------------===== Type of boot image authentication [Required] =====-------------------------------
# Description: Specification of final master boot image authentication.
# Possible options: <plain, crc, signed, signed-encrypted, signed-nxp, Plain, CRC, Signed, Encrypted + Signed, NXP
# Signed, NXP signed, encrypted>
outputImageAuthenticationType: CHOOSE_FROM_TABLE
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
masterBootOutputFile: my_mbi.bin
# ------------------------------------===== Plain application image [Required] =====------------------------------------
# Description: The input application image to be modified to Master Boot Image.
inputImageFile: my_application.bin
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ------------------------------------===== TrustZone enable option [Optional] =====------------------------------------
# Description: If not specified, TrustZone is disabled.
enableTrustZone: false
# ---------------------------------===== TrustZone Customization file [Optional] =====----------------------------------
# Description: If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
trustZonePresetFile: my_tz_custom.yaml
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If the value is lower than the value in protected memory, the image is rejected (rollback protection).
firmwareVersion: 0
# --------------------------------===== Manifest signing hash algorithm [Optional] =====--------------------------------
# Description: Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest.
# Possible options: <sha256, sha384, sha521>
manifestDigestHashAlgorithm: sha256
# --------------------------------===== Loading address of application [Required] =====---------------------------------
# Description: Application loading address in RAM if not XiP, otherwise address of load in XiP.
outputImageExecutionAddress: 0
# ----------------------------------------===== Image version. [Optional] =====-----------------------------------------
# Description: Image version is used for dual boot. The boot ROM decides which image to boot first based on the image
# version. It boots the one with the newer image version first, and in case of a failure, it boots the older one.
imageVersion: 0
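
How firmwareVersion and imageVersion interact at boot, as an added model (not boot ROM or SPSDK code): it applies the two rules stated above, newest imageVersion first with fallback on failure, and rejection when firmwareVersion is below the Secure_FW_Version counter. The class and function names are hypothetical, and treating an authentication failure as the "failure" that triggers fallback is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    name: str
    image_version: int      # imageVersion from the MBI config
    firmware_version: int   # firmwareVersion from the MBI config
    authentic: bool = True  # stand-in for the ROM's authentication result


def select_boot_image(images, secure_fw_version):
    """Model of the documented order: newest imageVersion first, fall back on failure.

    secure_fw_version stands for the Secure_FW_Version monotonic counter.
    Returns (booted image or None, list of (name, outcome) attempts).
    """
    attempts = []
    for image in sorted(images, key=lambda i: i.image_version, reverse=True):
        if not image.authentic:
            attempts.append((image.name, "failed authentication"))
        elif image.firmware_version < secure_fw_version:
            attempts.append((image.name, "rejected by rollback protection"))
        else:
            attempts.append((image.name, "booted"))
            return image, attempts
    return None, attempts


# Constructed scenario: the newer image is damaged and the counter is already at 3.
newer = Image("slot0", image_version=7, firmware_version=3, authentic=False)
older_stale = Image("slot1", image_version=6, firmware_version=2)
older_current = Image("slot1", image_version=6, firmware_version=3)

print(select_boot_image([newer, older_stale], 3))    # no image left to boot
print(select_boot_image([older_current, newer], 3))  # falls back to slot1
```

The first call shows why a fallback image needs a firmwareVersion at or above the counter: once the counter has advanced, an older image signed with a lower value is no longer a usable recovery path.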