Secure Binary 3.1#
SB 3.1 is an evolution of the SB 2 format. The configuration is done in a similar way as a master boot image by configuration file in YAML or JSON. BD files are no longer used, commands are supplied in the configuration file.
Example of use
nxpimage: nxpimage sb31 export "sb3_config.yaml
Supported commands#
List of SB 3.1 supported commands#
Command |
Command Description |
k32w1xx |
kw45xx |
lpc55s3x |
mcxn23x |
mcxn9xx |
rw61x |
---|---|---|---|---|---|---|---|
erase |
Performs a flash erase of the given address range. The erase will be rounded up to the sector size. |
YES |
YES |
YES |
YES |
YES |
YES |
load |
If set, then the data to write immediately follows the range header. The length field contains the actual data length |
YES |
YES |
YES |
YES |
YES |
YES |
execute |
Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return. |
YES |
YES |
YES |
YES |
YES |
YES |
call |
Address is address to jump. However, the state machine should expect a return to the next statement to continue processing the SB file |
NO |
NO |
NO |
NO |
NO |
NO |
programFuses |
Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values. |
YES |
YES |
YES |
YES |
YES |
YES |
programIFR |
The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header |
YES |
YES |
YES |
YES |
YES |
YES |
loadCMAC |
If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress. |
YES |
YES |
YES |
YES |
YES |
NO |
copy |
Used for copying data from one place to another. 32 bytes fixed size. |
NO |
NO |
YES |
YES |
YES |
YES |
loadHashLocking |
If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it. |
YES |
YES |
YES |
YES |
YES |
NO |
loadKeyBlob |
Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length. |
NO |
NO |
YES |
YES |
YES |
YES |
configureMemory |
Configure memory. |
NO |
NO |
YES |
YES |
YES |
YES |
fillMemory |
Used for filling of the memory range by same repeated int32 pattern. |
YES |
YES |
YES |
YES |
YES |
YES |
checkFwVersion |
Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails |
YES |
YES |
YES |
YES |
YES |
YES |
Supported configuration options#
SecureBinary31 for k32w1xx#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
loadCMAC
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.address
([‘string’, ‘number’], format: number, required): Address of memory block to be CMAC loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be CMAC loaded.file
(string, format: file, required): Binary file to be loaded.
object
loadHashLocking
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file, required): Binary file to be loaded.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# ============================== Secure Binary v3.1 Configuration template for k32w1xx. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: k32w1xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 9 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, loadHashLocking, fillMemory, checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# ====================================== [Example of possible configuration #6] ======================================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# ====================================== [Example of possible configuration #7] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ====================================== [Example of possible configuration #8] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for kw45xx#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
loadCMAC
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.address
([‘string’, ‘number’], format: number, required): Address of memory block to be CMAC loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be CMAC loaded.file
(string, format: file, required): Binary file to be loaded.
object
loadHashLocking
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file, required): Binary file to be loaded.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# ============================== Secure Binary v3.1 Configuration template for kw45xx. ===============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: kw45xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 9 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, loadHashLocking, fillMemory, checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# ====================================== [Example of possible configuration #6] ======================================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# ====================================== [Example of possible configuration #7] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ====================================== [Example of possible configuration #8] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for lpc55s3x#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
loadCMAC
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.address
([‘string’, ‘number’], format: number, required): Address of memory block to be CMAC loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be CMAC loaded.file
(string, format: file, required): Binary file to be loaded.
object
copy
(object, required): Used for copying data from one place to another. 32 bytes fixed size.addressFrom
([‘string’, ‘number’], format: number, required): Address of memory block to be copied.memoryIdFrom
([‘string’, ‘number’], format: number): ID of memory block to be copied.size
([‘string’, ‘number’], format: number, required): Size of memory block to be copied.addressTo
([‘string’, ‘number’], format: number, required): Address of memory where block to be copied.memoryIdTo
([‘string’, ‘number’], format: number): ID of memory block where to be copied.
object
loadHashLocking
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file, required): Binary file to be loaded.
object
loadKeyBlob
(object, required): Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length.offset
([‘string’, ‘number’], format: number, required): Offset of the key blob.wrappingKeyId
(string, required): Wrapping ID of key blob. Must be one of:["NXP_CUST_KEK_INT_SK", "NXP_CUST_KEK_EXT_SK"]
.file
(string, format: file, required): Binary file to be loaded.
object
configureMemory
(object, required): Configure memory.configAddress
([‘string’, ‘number’], format: number, required): Configuration address.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be configured.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# ============================= Secure Binary v3.1 Configuration template for lpc55s3x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: lpc55s3x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# ====================================== [Example of possible configuration #6] ======================================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# ====================================== [Example of possible configuration #7] ======================================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# ====================================== [Example of possible configuration #8] ======================================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# ====================================== [Example of possible configuration #9] ======================================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# ===================================== [Example of possible configuration #10] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ===================================== [Example of possible configuration #11] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxn23x#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
loadCMAC
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.address
([‘string’, ‘number’], format: number, required): Address of memory block to be CMAC loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be CMAC loaded.file
(string, format: file, required): Binary file to be loaded.
object
copy
(object, required): Used for copying data from one place to another. 32 bytes fixed size.addressFrom
([‘string’, ‘number’], format: number, required): Address of memory block to be copied.memoryIdFrom
([‘string’, ‘number’], format: number): ID of memory block to be copied.size
([‘string’, ‘number’], format: number, required): Size of memory block to be copied.addressTo
([‘string’, ‘number’], format: number, required): Address of memory where block to be copied.memoryIdTo
([‘string’, ‘number’], format: number): ID of memory block where to be copied.
object
loadHashLocking
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file, required): Binary file to be loaded.
object
loadKeyBlob
(object, required): Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length.offset
([‘string’, ‘number’], format: number, required): Offset of the key blob.wrappingKeyId
(string, required): Wrapping ID of key blob. Must be one of:["NXP_CUST_KEK_INT_SK", "NXP_CUST_KEK_EXT_SK"]
.file
(string, format: file, required): Binary file to be loaded.
object
configureMemory
(object, required): Configure memory.configAddress
([‘string’, ‘number’], format: number, required): Configuration address.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be configured.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# ============================== Secure Binary v3.1 Configuration template for mcxn23x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: mcxn23x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# ====================================== [Example of possible configuration #6] ======================================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# ====================================== [Example of possible configuration #7] ======================================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# ====================================== [Example of possible configuration #8] ======================================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# ====================================== [Example of possible configuration #9] ======================================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# ===================================== [Example of possible configuration #10] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ===================================== [Example of possible configuration #11] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxn9xx#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
loadCMAC
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress.address
([‘string’, ‘number’], format: number, required): Address of memory block to be CMAC loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be CMAC loaded.file
(string, format: file, required): Binary file to be loaded.
object
copy
(object, required): Used for copying data from one place to another. 32 bytes fixed size.addressFrom
([‘string’, ‘number’], format: number, required): Address of memory block to be copied.memoryIdFrom
([‘string’, ‘number’], format: number): ID of memory block to be copied.size
([‘string’, ‘number’], format: number, required): Size of memory block to be copied.addressTo
([‘string’, ‘number’], format: number, required): Address of memory where block to be copied.memoryIdTo
([‘string’, ‘number’], format: number): ID of memory block where to be copied.
object
loadHashLocking
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file, required): Binary file to be loaded.
object
loadKeyBlob
(object, required): Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length.offset
([‘string’, ‘number’], format: number, required): Offset of the key blob.wrappingKeyId
(string, required): Wrapping ID of key blob. Must be one of:["NXP_CUST_KEK_INT_SK", "NXP_CUST_KEK_EXT_SK"]
.file
(string, format: file, required): Binary file to be loaded.
object
configureMemory
(object, required): Configure memory.configAddress
([‘string’, ‘number’], format: number, required): Configuration address.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be configured.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# ============================== Secure Binary v3.1 Configuration template for mcxn9xx. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: mcxn9xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# ====================================== [Example of possible configuration #6] ======================================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# ====================================== [Example of possible configuration #7] ======================================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# ====================================== [Example of possible configuration #8] ======================================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# ====================================== [Example of possible configuration #9] ======================================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# ===================================== [Example of possible configuration #10] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ===================================== [Example of possible configuration #11] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for rw61x#
Properties#
firmwareVersion
([‘number’, ‘string’], format: number): Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific). If value is lower than value in protected memory, then is image rejected (rollback protection).mainRootCertPrivateKeyFile
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signPrivateKey
(string, format: file): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider
(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. certBlock
(string, format: file): Path to certificate block binary or config file.family
(string): MCU family name. Must be one of:["k32w1xx", "kw45xx", "lpc55s3x", "mcxn23x", "mcxn9xx", "rw61x"]
.containerKeyBlobEncryptionKey
(string): Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.isNxpContainer
(boolean): Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc…kdkAccessRights
(number): Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details can be found in CSSv2 manual. Must be one of:[0, 1, 2, 3]
.containerConfigurationWord
([‘string’, ‘number’], format: number): Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be removed from the configuration file.description
(string): Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.isEncrypted
(boolean): If false, generated SB3.1 blocks are not encrypted, only for testing, ROM won’t accept unencrypted SB3.1 file. If option is missing, SB3.1 file is automatically encrypted.timestamp
([‘string’, ‘number’], format: number): For testing purposes. This option can override real timestamp of SB3 file.containerOutputFile
(string): Generated SB3 container filename.commands
(array): Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application.Items
One of
object
erase
(object, required): Performs a flash erase of the given address range. The erase will be rounded up to the sector size.address
([‘string’, ‘number’], format: number, required): Address of memory block to be erased.size
([‘string’, ‘number’], format: number, required): Size of memory block to be erased.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be erased.
object
load
(object, required): If set, then the data to write immediately follows the range header. The length field contains the actual data length.address
([‘string’, ‘number’], format: number, required): Address of memory block to be loaded.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be loaded.file
(string, format: file): Binary file to be loaded.values
(string): Binary values delimited by comma to be loaded.authentication
(string): If authentication is not used, just omit this option or set ‘none’. Must be one of:["none", "cmac", "hashlocking"]
.
object
execute
(object, required): Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.address
([‘string’, ‘number’], format: number, required): Jump-to address to start execute code.
object
programFuses
(object, required): Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values.address
([‘string’, ‘number’], format: number, required): OTP Index of fuses to be programmed. Depends on the chip ROM.values
([‘string’, ‘number’], required): 32bit binary values delimited by comma or one 32 bit integer to be programmed.
object
programIFR
(object, required): The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header.address
([‘string’, ‘number’], format: number, required): Address of IFR region to be programmed.file
(string, format: file): Binary file to be programmed.value
([‘string’, ‘number’]): Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian format.
object
copy
(object, required): Used for copying data from one place to another. 32 bytes fixed size.addressFrom
([‘string’, ‘number’], format: number, required): Address of memory block to be copied.memoryIdFrom
([‘string’, ‘number’], format: number): ID of memory block to be copied.size
([‘string’, ‘number’], format: number, required): Size of memory block to be copied.addressTo
([‘string’, ‘number’], format: number, required): Address of memory where block to be copied.memoryIdTo
([‘string’, ‘number’], format: number): ID of memory block where to be copied.
object
loadKeyBlob
(object, required): Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length.offset
([‘string’, ‘number’], format: number, required): Offset of the key blob.wrappingKeyId
(string, required): Wrapping ID of key blob. Must be one of:["NXP_CUST_KEK_INT_SK", "NXP_CUST_KEK_EXT_SK"]
.file
(string, format: file, required): Binary file to be loaded.
object
configureMemory
(object, required): Configure memory.configAddress
([‘string’, ‘number’], format: number, required): Configuration address.memoryId
([‘string’, ‘number’], format: number): ID of memory block to be configured.
object
fillMemory
(object, required): Used for filling of the memory range by same repeated int32 pattern.address
([‘string’, ‘number’], format: number, required): Address of memory block to be filled.size
([‘string’, ‘number’], format: number, required): Size of memory block to be filled.pattern
([‘string’, ‘number’], format: number, required): Pattern which will be used to fill memory.
object
checkFwVersion
(object, required): Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails.value
([‘string’, ‘number’], format: number, required): Firmware version to be compared.counterId
(string, required): ID of FW counter to be checked. Must be one of:["none", "nonsecure", "secure", "radio", "snt", "bootloader"]
.
# =============================== Secure Binary v3.1 Configuration template for rw61x. ===============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn9xx, rw61x>
family: rw61x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 10 options. ==
# Options [erase, load, execute, programFuses, programIFR, copy, loadKeyBlob, configureMemory, fillMemory,
# checkFwVersion]
# ====================================================================================================================
# ====================================== [Example of possible configuration #0] ======================================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# ====================================== [Example of possible configuration #1] ======================================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: Binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# ====================================== [Example of possible configuration #2] ======================================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# ====================================== [Example of possible configuration #3] ======================================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# ====================================== [Example of possible configuration #4] ======================================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# ====================================== [Example of possible configuration #5] ======================================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# ====================================== [Example of possible configuration #6] ======================================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# ====================================== [Example of possible configuration #7] ======================================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# ====================================== [Example of possible configuration #8] ======================================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# ====================================== [Example of possible configuration #9] ======================================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure