Secure Binary 3.1#
SB 3.1 is an evolution of the SB 2 format. The configuration is done in a similar way as a master boot image by configuration file in YAML or JSON. BD files are no longer used, commands are supplied in the configuration file.
Example of use
nxpimage: nxpimage sb31 export "sb3_config.yaml
Supported commands#
List of SB 3.1 supported commands#
Command |
Command Description |
k32w1xx |
kw45xx |
lpc55s3x |
mcxn23x |
mcxn54x |
mcxn94x |
mcxw71xx |
rw61x |
---|---|---|---|---|---|---|---|---|---|
erase |
Performs a flash erase of the given address range. The erase will be rounded up to the sector size. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
load |
If set, then the data to write immediately follows the range header. The length field contains the actual data length |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
execute |
Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
call |
Address is address to jump. However, the state machine should expect a return to the next statement to continue processing the SB file |
NO |
NO |
NO |
NO |
NO |
NO |
NO |
NO |
programFuses |
Address is OTP index of fuses to be programmed (Check the reference manual for more information). Values is a comma separated list of 32bit values. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
programIFR |
The startAddress will be the address into the IFR region, length will be in number of bytes to write to IFR region. The data to write to IFR region at the given address will immediately follow the header |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
loadCMAC |
If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on startAddress. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
NO |
copy |
Used for copying data from one place to another. 32 bytes fixed size. |
NO |
NO |
YES |
YES |
YES |
YES |
NO |
YES |
loadHashLocking |
If set, then the data to write immediately follows the range header. The length field contains the actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded data, which are reserved for it. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
NO |
loadKeyBlob |
Wrapped key blob immediately follows the range key blob header. The length field contains the actual data length. |
NO |
NO |
YES |
YES |
YES |
YES |
NO |
YES |
configureMemory |
Configure memory. |
NO |
NO |
YES |
YES |
YES |
YES |
NO |
YES |
fillMemory |
Used for filling of the memory range by same repeated int32 pattern. |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
checkFwVersion |
Checks FW version value specified in command for specified counter ID. FW version value in command must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
Supported configuration options#
SecureBinary31 for k32w1xx#
SecureBinary31 for k32w1xx JSON schema
SecureBinary31 for k32w1xx YAML configuration template
# ============================== Secure Binary v3.1 Configuration template for k32w1xx. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: k32w1xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 9 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, loadHashLocking, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for kw45xx#
SecureBinary31 for kw45xx JSON schema
SecureBinary31 for kw45xx YAML configuration template
# ============================== Secure Binary v3.1 Configuration template for kw45xx. ===============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: kw45xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 9 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, loadHashLocking, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for lpc55s3x#
SecureBinary31 for lpc55s3x JSON schema
SecureBinary31 for lpc55s3x YAML configuration template
# ============================= Secure Binary v3.1 Configuration template for lpc55s3x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: lpc55s3x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# =========================== [Example of possible configuration: #9 , erase if not used] ============================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# =========================== [Example of possible configuration: #10 , erase if not used] ===========================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #11 , erase if not used] ===========================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxn23x#
SecureBinary31 for mcxn23x JSON schema
SecureBinary31 for mcxn23x YAML configuration template
# ============================== Secure Binary v3.1 Configuration template for mcxn23x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: mcxn23x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# =========================== [Example of possible configuration: #9 , erase if not used] ============================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# =========================== [Example of possible configuration: #10 , erase if not used] ===========================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #11 , erase if not used] ===========================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxn54x#
SecureBinary31 for mcxn54x JSON schema
SecureBinary31 for mcxn54x YAML configuration template
# ============================== Secure Binary v3.1 Configuration template for mcxn54x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: mcxn54x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# =========================== [Example of possible configuration: #9 , erase if not used] ============================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# =========================== [Example of possible configuration: #10 , erase if not used] ===========================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #11 , erase if not used] ===========================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxn94x#
SecureBinary31 for mcxn94x JSON schema
SecureBinary31 for mcxn94x YAML configuration template
# ============================== Secure Binary v3.1 Configuration template for mcxn94x. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: mcxn94x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 12 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, copy, loadHashLocking, loadKeyBlob,
# configureMemory, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# =========================== [Example of possible configuration: #9 , erase if not used] ============================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# =========================== [Example of possible configuration: #10 , erase if not used] ===========================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #11 , erase if not used] ===========================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for mcxw71xx#
SecureBinary31 for mcxw71xx JSON schema
SecureBinary31 for mcxw71xx YAML configuration template
# ============================= Secure Binary v3.1 Configuration template for mcxw71xx. ==============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: mcxw71xx
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 9 options. ==
# Options [erase, load, execute, programFuses, programIFR, loadCMAC, loadHashLocking, fillMemory, checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -----------------------------------------===== Load CMAC [Required] =====-----------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating cmac from loaded data and storing on address known by ROM decided based on
# startAddress.
loadCMAC:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be CMAC loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be CMAC loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_cmac_binary.bin
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# ----------------------------------===== Load with HASH locking [Required] =====-----------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length. ROM is calculating hash of the data and storing the value in the last 64 bytes of the loaded
# data, which are reserved for it.
loadHashLocking:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_hashlocking_binary.bin
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure
SecureBinary31 for rw61x#
SecureBinary31 for rw61x JSON schema
SecureBinary31 for rw61x YAML configuration template
# =============================== Secure Binary v3.1 Configuration template for rw61x. ===============================
# ======================================================================================================================
# == Basic Settings ==
# ======================================================================================================================
# ---------------------------------------===== Firmware version. [Optional] =====---------------------------------------
# Description: Value compared with Secure_FW_Version monotonic counter value stored in protected memory (MCU specific).
# If value is lower than value in protected memory, then is image rejected (rollback protection).
firmwareVersion: 0
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: MCU family name.
# Possible options: <k32w1xx, kw45xx, lpc55s3x, mcxn23x, mcxn54x, mcxn94x, mcxn9xx, mcxw71xx, rw61x>
family: rw61x
# -----------------------------------------===== SB3 filename [Required] =====------------------------------------------
# Description: Generated SB3 container filename.
containerOutputFile: my_new.sb3
# ======================================================================================================================
# == Image Signing Settings ==
# ======================================================================================================================
# --------------------------===== Main Certificate private key [Conditionally required] =====---------------------------
# Description: Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signPrivateKey: main_prv_key.pem
# -------------------------------===== Signature Provider [Conditionally required] =====--------------------------------
# Description: Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
signProvider: type=file;file_path=my_prv_key.pem
# ======================================================================================================================
# == Certificate Block V2.1 ==
# ======================================================================================================================
# -----------------------------===== Certificate Block binary/config file [Required] =====------------------------------
# Description: Path to certificate block binary or config file.
certBlock: cert_block.yaml
# ======================================================================================================================
# == Secure Binary v3.1 Settings ==
# ======================================================================================================================
# ----------------------------------------===== Part Common Key [Optional] =====----------------------------------------
# Description: Path to PCK/NPK 256 or 128 bit key in plain hex string format or path to binary file or hex string.
containerKeyBlobEncryptionKey: my_pck.txt
# ----------------------------------===== Enable NXP Container format [Optional] =====----------------------------------
# Description: Internal usage only, used for generating SB files with NXP content e.g. provisioning firmware, etc...
isNxpContainer: false
# ---------------------------------------===== KDK access rights [Optional] =====---------------------------------------
# Description: Accepted values are 0, 1, 2 and 3. Value used as key properties for key derivation process, more details
# can be found in CSSv2 manual.
# Possible options: <0, 1, 2, 3>
kdkAccessRights: 0
# ---------------------------------===== Container configuration word [Optional] =====----------------------------------
# Description: Flag value in SB3.1 manifest, not used by silicons with LPC55S3x ROM. Value can be kept 0, or it can be
# removed from the configuration file.
containerConfigurationWord: 0
# ------------------------------------------===== Description [Optional] =====------------------------------------------
# Description: Description up to 16 characters, longer will be truncated. Stored in SB3.1 manifest.
description: This is description of generated SB file.
# ======================================================================================================================
# == Secure Binary v3.1 Commands Settings ==
# ======================================================================================================================
# ----------------------------------------===== SB3.1 Commands [Required] =====-----------------------------------------
# Description: Secure Binary v3.1 commands block, list of all possible options - Modify it according to your application
commands:
-
# ====================================================================================================================
# == List of possible 10 options. ==
# Options [erase, load, execute, programFuses, programIFR, copy, loadKeyBlob, configureMemory, fillMemory,
# checkFwVersion]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -------------------------------------------===== Erase [Required] =====-------------------------------------------
# Description: Performs a flash erase of the given address range. The erase will be rounded up to the sector size.
erase:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be erased.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be erased.
size: 4096
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be erased.
memoryId: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# -------------------------------------------===== Load [Required] =====--------------------------------------------
# Description: If set, then the data to write immediately follows the range header. The length field contains the
# actual data length
load:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be loaded.
address: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be loaded.
memoryId: 0
# --------------------------------------===== Binary file. [Optional] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_binary.bin
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be loaded.
values: 0x1234, 0x5678, 0, 12345678
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be loaded. Value will be converted to binary little endian format.
value: '0xB38AA899'
# -------------------------------------===== Authentication [Optional] =====--------------------------------------
# Description: If authentication is not used, just omit this option or set 'none'.
# Possible options: <none, cmac, hashlocking>
authentication: cmac
# =========================== [Example of possible configuration: #2 , erase if not used] ============================
# ------------------------------------------===== Execute [Required] =====------------------------------------------
# Description: Address is the jump-to address. No further processing of SB after jump, ROM do not expect to return.
execute:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Jump-to address to start execute code.
address: 0
# =========================== [Example of possible configuration: #3 , erase if not used] ============================
# ---------------------------------------===== Program Fuses [Required] =====---------------------------------------
# Description: Address is OTP index of fuses to be programmed (Check the reference manual for more information).
# Values is a comma separated list of 32bit values.
programFuses:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: OTP Index of fuses to be programmed. Depends on the chip ROM.
address: 0
# --------------------------------------===== Binary values [Required] =====--------------------------------------
# Description: 32bit binary values delimited by comma or one 32 bit integer to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #4 , erase if not used] ============================
# ----------------------------------------===== Program IFR [Required] =====----------------------------------------
# Description: The startAddress will be the address into the IFR region, length will be in number of bytes to write
# to IFR region. The data to write to IFR region at the given address will immediately follow the header
programIFR:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of IFR region to be programmed.
address: 0
# ---------------------------------------===== Binary file [Optional] =====---------------------------------------
# Description: Binary file to be programmed.
file: my_binary.bin
# --------------------------------------===== Binary value [Optional] =====---------------------------------------
# Description: Binary value to be programmed, at least 4 bytes. Value will be converted to binary little endian
# format.
value: '0xB38AA899'
# -------------------------------------===== Binary values. [Optional] =====--------------------------------------
# Description: 32-bit binary values delimited by comma to be programmed.
values: 0x1234, 0x5678, 0, 12345678
# =========================== [Example of possible configuration: #5 , erase if not used] ============================
# -------------------------------------------===== Copy [Required] =====--------------------------------------------
# Description: Used for copying data from one place to another. 32 bytes fixed size.
copy:
# --------------------------------------===== Address From [Required] =====---------------------------------------
# Description: Address of memory block to be copied.
addressFrom: 0
# -------------------------------------===== Memory ID From [Optional] =====--------------------------------------
# Description: ID of memory block to be copied.
memoryIdFrom: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be copied.
size: 4096
# ---------------------------------------===== Address To [Required] =====----------------------------------------
# Description: Address of memory where block to be copied.
addressTo: 536870912
# --------------------------------------===== Memory ID To [Optional] =====---------------------------------------
# Description: ID of memory block where to be copied.
memoryIdTo: 0
# =========================== [Example of possible configuration: #6 , erase if not used] ============================
# ---------------------------------------===== Load Key Blob [Required] =====---------------------------------------
# Description: Wrapped key blob immediately follows the range key blob header. The length field contains the actual
# data length.
loadKeyBlob:
# -----------------------------------------===== Offset [Required] =====------------------------------------------
# Description: Offset of the key blob.
offset: 0
# -------------------------------------===== Wrapping key ID [Required] =====-------------------------------------
# Description: Wrapping ID of key blob.
# Possible options: <NXP_CUST_KEK_INT_SK, NXP_CUST_KEK_EXT_SK>
wrappingKeyId: 0
# ---------------------------------------===== Binary file [Required] =====---------------------------------------
# Description: Binary file to be loaded.
file: my_keyblob.bin
# =========================== [Example of possible configuration: #7 , erase if not used] ============================
# -------------------------------------===== Configure memory [Required] =====--------------------------------------
# Description: Configure memory.
configureMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Configuration address.
configAddress: 0
# ----------------------------------------===== Memory ID [Optional] =====----------------------------------------
# Description: ID of memory block to be configured.
memoryId: 0
# =========================== [Example of possible configuration: #8 , erase if not used] ============================
# ----------------------------------------===== Fill memory [Required] =====----------------------------------------
# Description: Used for filling of the memory range by same repeated int32 pattern.
fillMemory:
# -----------------------------------------===== Address [Required] =====-----------------------------------------
# Description: Address of memory block to be filled.
address: 0
# ------------------------------------------===== Size [Required] =====-------------------------------------------
# Description: Size of memory block to be filled.
size: 4096
# -----------------------------------------===== Pattern [Required] =====-----------------------------------------
# Description: Pattern which will be used to fill memory.
pattern: 2779096485
# =========================== [Example of possible configuration: #9 , erase if not used] ============================
# ----------------------------------===== Check firmware version [Required] =====-----------------------------------
# Description: Checks FW version value specified in command for specified counter ID. FW version value in command
# must be greater than value programmed in OTP to be accepted, otherwise rollback is detected and receive SB fails
checkFwVersion:
# --------------------------------===== Value - Firmware version [Required] =====---------------------------------
# Description: Firmware version to be compared.
value: 1
# ---------------------------------------===== Counter ID [Required] =====----------------------------------------
# Description: ID of FW counter to be checked.
# Possible options: <none, nonsecure, secure, radio, snt, bootloader>
counterId: secure