Release Notes#
2.4.0 (15-November-2024)#
New features
- el2go-host:
implement parallel download of Secure Objects using database
speed up repeated calls to EL2GO server
allow to specify scope of Secure Objects to download
- nxpdebugmbox:
support halt, resume commands
AHB access test address remove as an option and move into database
support for block memory transfer over debug probes
- nxpmemcfg:
add support for RT700
Bugfixes
- el2go-host:
fix memory buffer used for data exchange for KW45
- nxpimage:
allow to parse AHAB image with empty image hash for rt118x
2.3.0 (11-October-2024)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
support nIRQ pin feature
- el2go-host:
unify subcommands for RW61x
add get-otp-binary command
add UUID harvesting
add default handler to unknown errors while assigning device to a group
add checker for max amount of Secure Objects and their size
add Remote Database for Secure Objects for Azurewave
add close_device to blhost; display response of RW TPFW responses
implement database storage for UUIDs harvesting
erase CMPA in EdgeLock2GO indirect flow
- lpcprog:
add programmer for LPC8xx parts
- nxpcrypto:
add subcommand for creating PKI tree
- nxpdebugmbox:
support for MX95 revision A0/A1/B0 (PQC support)
- nxpdevhsm:
add execute command for mcxn9xx
allow SB files without loading the wrapped CUST_MK_SK
implement oem duk certificate provisioning
- nxpdice:
add nxpdice application
- nxpele:
support nxpele over fastboot
- nxpimage:
support AHAB version 2
add verificator to bootable image
support linux image in bootable image
add ahab sign command for signing existing AHAB images
- nxpmemcfg:
add blhost-script option for exporting configuration for secure address
- nxpuuu:
new tool based on the UUU (Universal Update Utility), add capability to deploy images to i.MX MPU targets
- nxpwpc:
add special handler when pre-CSR are are empty
support MCXC series (blhost)
support RT7xx
support MCXN23x, MCXN9xx, KW45xx EL2Go
support MCXW71 and its variants
Bugfixes
- el2go-host:
fix general error when database has no blob
fix revision in configuration
- nxpdebugmbox:
fix get-crp command for mcxa series
fix template for famode-image
fix dat for RT1180
fix template for RT1180
- nxpele:
fix get-info details
- nxpimage:
fix flag in AHAB
fix plain MBI for NHS52sxx
fix trustzone for NHS52Sxx
remove header form XMCD segment
- pfr:
fix erase-cmpa for mcxa series
- Shadowregs:
fix fuses-script
fix loading shadow registers on RW61x
2.2.1 (26-July-2024)#
Bugfixes
2.2.0 (7-June-2024)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
add can interface
- el2go-host:
support for mwct2x12, mwct2xd2
- ifr:
add option to configure sector 2
- nxpdebugmbox:
add family and revision info into DAC config file
- nxpdevhsm:
commands limited based on specific devices capabilities
- nxpele:
add fuses script
- nxpimage:
add support for RAW image
add re-sign subcommand to ahab
support parsing FCB block with swapped bytes
support MBI CRC for mwct2x12, mwct2xd2, mc56f818xx, mc56f817xx
support BinaryImage in MBI export
support i.MX 95 unsigned build image
- nxpwpc:
add correlation-id into REST request
drop support for Python 3.8
support NHS52Sxx, mcxw71xx
support RW61x EL2Go
P&E Micro and J-Link as separate plugins
all options in sub-commands case-insensitive
Bugfixes
- nxpdebugmbox:
fix debug authentication on NHS52Sxx
fix generation of DC config file
fix dac response length on kw45xx
- nxpele:
fix timeout
fix verify image for i.mx93
fix failure in communication with uboot
- nxpimage:
fix signed-msg incorrect signature
fix wrong offset in FCB
fix xmcd generation
fix mbi export
fix ahab with invalid SRK
fix bootable-image for RW61x
fix mbi config for kw45xx
fix bootable-image with dynamic offset segments
fix inconsistent core ID in parser and export
- pfr:
fix generate-binary argument position
fix generating cmpa template for mcxa1xx
fix default cmpa page for mcxa1xx
- Shadowregs:
fix shadow registers on RW61x
fix loadconfig command
2.1.1 (27-March-2024)#
New features
Bugfixes
2.1.0 (2-February-2024)#
New features
- nxpcrypto:
add signing commands (create, verify)
- nxpdebugmbox:
add subcommands for Fault Analysis Mode (export, parse, get-templates)
add printing the result of auth command
add dedicated plugin system
- nxpele:
U-BOOT interface
add commit command
add commands related to release-container
- nxpimage:
enable IEE encryption for RT1180
add key exchange signed message
add signature provider for RT1xxx
support mcxn23x
deployment of new database
EL2GO mockup for S32K WPC
introduce memory configuration tool
Bugfixes
- nxpele:
fix get-trng state command
- nxpimage:
fix cmpa template
fix parsing ahab image for i.MX95
fix xmcd export command
fix certificate block as binary file
fix sb21 get-template command
- nxpmemcfg:
fix export command
- pfr:
fix pfr generate command
- Shadowregs:
fix default family parameter
2.0.1 (15-December-2023)#
Bugfixes
- nxpele:
remove temporary file
- nxpdebugmbox:
fix test memory AP address
- nxpimage:
fix detection of input file for FCB in bootable image
fix IEE encryption for RT1180
fix signed MBI for Anguilla Nano
fix SB21 export with yaml config
- Shadowregs:
fix behavior of the RKTH registers
fix invalid names of CRC field in database
fix setting a register value as raw value when loading from configuration
2.0.0 (13-October-2023)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
dedicated plugin system
check of written data length in USB Interface
- nxpcrypto:
remove dependency on PyCryptodome
add rot command for calculating RoT hash
- nxpimage:
distinguish between fw version and image version
support YAML configuration for HAB
support build RT11xx image with ECC keys
support OSCCA
support AHAB NAND
implement HTTP Proxy Signature Provider
signature provider for OSCCA
add validation of signature in AHAB
support OTFAD for RT1010
export HAB from yaml config in bootable image
revision of offsets in AHAB container
command filter in SB 2.1 based on family
refactor memory types for mbi
add to AHAB key identifier for encrypted images
- sdpshost:
connection support for iMX91 and iMX95
- Shadowregs:
unify endianness
tool for converting JSON configuration into YAML with comments
support mcxa1xx
unify naming: RKTH/RKHT
remove nxpkeygen and nxpcertgen apps, replaced by nxpcrypto
remove elftosb app, replaced by nxpcrypto
positional arguments replaced by options for all parameters with an exception to blhost, sdphost and dk6prog
remove backward compatibility with command get-cfg-template, replaced fully with get-template(s)
unify family name within all modules
remove lpc55xx from family names
Bugfixes
- blhost:
fix error of SPI connection
- nxpdevhsm:
add missing sdio in generate command
- nxpele:
fix generate-keyblob IEE
fix issue with get-info command
- nxpimage:
fix certificate block in AHAB
fix signature in AHAB
fix some commands for SB21
fix non generated keys for AHAB parse
fix RAM images for LPC55Sxx
fix MBI signed for xip for MCXN9xx
fix sb21 export yaml errors
fix OTFAD with DUK
fix wrong core ID in parse for iMX93
fix binary certificate block for MBI
fix manifest for mcxn9xx
fix bootable image merge
fix in MBI configurations
fix missing parameters in MBI config in bootable-image parse
fix sb21 file generation without SBKEK
update list of supported MBI images for mcxn9xx
1.11.0 (7-July-2023)#
ANNOUNCEMENT
Next version of spsdk (2.0) will introduce breaking changes:
elftosb will be replaced by nxpimage
nxpcertgen and nxpkeygen will be replaced by nxpcrypto
select appropriate family will be done using: -f/–family parameter
move towards options for all parameters with an exception to BLHost
removal of crypto backends
extend dedicated spsdk.crypto module - serve as the de-facto backend of SPSDK
module level imports via init files
New features
- nxpimage:
enable signature providers for AHAB image and signed messages
add support for rt104x in bootable-image
add support for mcxn9xx
add API for FuseLockedStatus
possibility to declare private keys with passphrase in signature provider config
add checking of written data length in usb interface
add support for dk6 tools
Bugfixes
- nxpimage:
fix offset on NAND memory in AHAB image
fix plugin error for signature Provider for sb21
1.10.2 (7-July-2023)#
New features
1.10.1 (26-May-2023)#
New features
- nxpimage:
support encrypted image hab
support for RT11xx and RT10xx
improve OTFAD/IEE names generation
add API to retrieve info about fuses
Bugfixes
- nxpimage:
fix XMCD load_from_config
fix IEE template
fix circular dependency in signature provider import
fix issue with loading keys as INT
not enable logging when spsdk is used as a library
1.10.0 (5-April-2023)#
New features
- blhost:
add new command: ele_message
- nxpdebugmbox:
add command: read UUID from device
update PyOCD to latest version to support MCU LINK FW v3, implementing CMSIS-DAP v2.1
- nxpdevhsm:
USER_PCK rename to CUST_MK_SK
- nxpimage:
add subcommand group for generate and parse certificate block
replace private key to signature provider in master boot image
OTFAD support for RT1170
- ifr:
add commands read/write
- pfr:
add CMPA erase command
Bugfixes
- nxpdebugmbox:
fix AP selection issue for PyOCD and PEMICRO
fix DAC verification when there is only 1 root key
- nxpimage:
fix MBI issue with HMAC
- Shadowregs:
fix endianness for OTP MASTER KEY
drop support for Python 3.7
1.9.1 (17-March-2023)#
New features
- nxpdevhsm:
split reset option in nxpdevhsm into two; disable init reset by default
Bugfixes
- nxpdebugmbox:
fix Linux error on PyOCD
fix PyOCD and PEmicro connection for kw45xx and k32w1xx
- nxpdevhsm:
fix buffer base address for DevHSM operations
- nxpimage:
fix handling exception when the root cert index is wrong
1.9.0 (30-January-2023)#
New features
- nxpdebugmbox:
add check of root of trust hash in dat authentication
enable debug authentication protocol on RT1180
- nxpdevhsm:
reset target before and after DevHSM SB3 file creation
- nxpimage:
XMCD support
signed messages support for RT1180
add bootable image for RT10xx, RT1180, RT1170, LPC55S3x
implement IEE encryption
support Memory ID for erase in sb21
support Memory ID for enable and load in sb21
implement JUMP and JUMP_SP commands in BD file for SB2.1
enable encryption in AHAB container
debug authentication improvements
unify memory access cross all debuggers
replace json file with yml file for TZ
support for k32w1xx, kw45xx
improve format of debugging logger
Bugfixes
- nxpdebugmbox:
remove duplicated option –protocol for gendc command
- nxpdevhsm:
fix skipping commands from config file
- nxpimage:
fix non working 384/521 ECC keys for signature in AHAB container
fix CRC mode in external flash for lpc55s3x
failure on start due to boot_image hook definition
- pfr:
command line parameter ‘-t’ is duplicated
Known issues
- nxpdebugmbox:
we do not support CMSIS-DAP version 2 (bulk pipes, https://arm-software.github.io/CMSIS_5/DAP/html/group__DAP__ConfigUSB__gr.html) This means sw debuggers such as MCU-Link v3 will not work (nxpdebugmbox will not detect the debugger probe) This issue will be resolved in next version of SPSDK
1.8.0 (21-October-2022)#
New features
- nxpimage:
add support for BEE
enable OTFAD on RT1180
- pfr:
move the functionality of pfrc tool into PFR tool
unify option for getting template across tools
add API for parsing XMCD
support cryptography >= 37.0.0
support bincopy 17.14
Bugfixes
- nxpdevscan:
fix hanging up for serial communication
fix documentation regarding SB31 programFuses
1.7.1 (16-September-2022)#
New features
- nxpimage:
add OTFAD support for RT5xx and RT6xx devices
- pfr:
read command allows independent binary and yaml exports
- Shadowregs:
new subcommand: fuses-script
add OEM cert size check into TPConfig
Bugfixes
- nxpdebugmbox:
fix debug authentication for RT595
- nxpimage:
fix sb21 command line argument in documentation
fix the use of pyyaml’s load in tests (use safe_load())
1.7.0 (29-July-2022)#
New features
nxpimage application as replacement for elftosb
nxpcrypto application for generating and verifying keys, certificates, hash digest, converting key’s format
- blhost:
support LifeCycleUpdate command for RT1180
add option to specify peripheral index of SPI/I2C for LIBUSBSIO
allow lowercase names in the filter for USB mboot devices
- nxpdebugmbox:
utility to read/write memory using debug probe
- nxpimage:
support of Master Boot Images
support AHAB container for RT1180
support of Secure Binary 2.1 / 3.1
support for TrustZone blocks
support for Bootable images for RTxxx devices
support for FCB block parsing and exporting for RTxxx and some RTxxxx devices
simply binary image support, like create, merge, extract and convert (S19,HEX,ELF and BIN format)
- pfr:
load PFR configuration directly from chip using BLHOST
- sdphost:
support for SET_BAUDRATE command
support for iMX93
drop support for Python 3.6
pypemicro dependency update in order to cover latest bug fixes in this package
libusbsio update to version 2.1.11
unify debug options within applications
add API to compute RKTH
support LPC553x in elftosb/nxpimage
support dual image boot on RT5xx and RT6xx
replace click/sys.exit with raising an SPSDKAppError exception
encryption of remapped images
Bugfixes
- blhost:
efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt
fix in re-scanning LIBUSBSIO devices when target MCU is not connected
scan_usb() should return nxp devices
read memory command doesn’t print read data when mem region is defined
- elftosb:
fix trustzone config template for rt5xx and rt6xx
fix MBI_PLainRamRTxxx image
fix CRC bootable image on RT685 EVK
fix image located in FLASH executed in RAM on RT6xx
fix burning fuses in BD file
- nxpdebugmbox:
fix in Jlink debugger probe initialization
fix get-crp command
1.6.3 (1-April-2022)#
New features
pypemicro dependency update in order to cover latest bug fixes in this package
libusbsio update to version 2.1.11
Bugfixes
fix in rescanning LIBUSBSIO devices when target MCU is not connected
efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt
fix memory leaks in elftosb
1.6.2 (11-March-2022)#
New features
bump-up version of bincopy to <17.11
add plain load image to build example bootable i.MX-RT image
align docs requirements with project dependencies
add stability notice to documentation
speed-up application’s start due to move of bincopy import
1.6.1 (04-March-2022)#
New features
- blhost:
add parameter –no-verify for efuse-program-once
add possibility to select USBSIO bridge device via VID:PID, USB path, serial number
lower the timeout during MBoot’s UART Ping command
improve type hints for scan_* functions for detecting devices
- elftosb:
dynamically generate config json schema per family
- nxpdevscan:
extend scan with device serial number information
list all connected USB or UART or SIO devices
update device’s USB path (usb_device_identification)
- sdphost:
improve type hints for scan_* functions for detecting SDP devices
reduce number of findings from Pylint
update JINJA2 requirement
Bugfixes
1.6.0 (04-February-2022)#
New features
-
add experimental batch mode into blhost
support command get property 30
change output display for blhost get-property 8
provide the real exit code (status code) from BLHOST application
report progress of data transfer operations in blhost
performance boost in receive-sb-file
-
validation inputs using jsonschemas
reorganize and improve elftosb
add support for more input file types
[RTxxx] HMAC_KEY is now accepted in binary form
-
move gendc into nxpdebugmbox
pfr:
unify CMPA/CFPA fields descriptions and bit-field values within XML registers data
implement CMPA data generator and parser
improve documentation
remove dependency on munch and construct modules
add support for reserved bitfields in registers
support multiple occurrence of certificate attributes for subject/issuer
remove backward compatibility mode in Registers
reorganize functions from misc.py
add support for bumpversion
Bugfixes
-
generate-key-blob does not generate blob.bin on RT1176
parse_property_tag in blhost_helper converts incorrectly in some cases
different return code on Linux/Mac and Windows
USBSIO - fixed issue when busy signal on I2C was interpreted as data
-
DER encoded certificates are loaded as PEM
fixed dependency on cryptography’s internal keys
moved to fully typed versions of cryptography
-
cannot build CRC image into ext flash for lpc55s3x
cannot generate signed image with <4 ROT keys
fixed some failing cases in regards of TZ
[rtxxx] missing plain for load-to-ram image
configuration validation failed in some cases
-
return code is 0 in case of fail
nxpdebugmbox fails on Linux
-
generate ends with general error when no container is provided
pfr:
fix problem in registers class with another size of register than 32 bits
pfrc:
displays false brick conditions
wrong validation of CMPA.CC_SOCU_PIN bits
1.5.0 (07-August-2021)#
New features
nxpdevhsm - new application added:
The nxpdevhsm is a tool to create initial provisioning SB3 file for LPC55S36 to provision device with SB KEK needed to validate in device all standard SB3 files.
LIBUSBSIO integration as a replacement for HID_API module:
blhost - extend blhost by LPCUSBSIO interface
blhost - following trust-provisioning sub-commands added:
oem_get_cust_cert_dice_puk - creates the initial trust provisioning keys
oem_gen_master_share - creates shares for initial trust provisioning keys
oem_set_master_share - takes the entropy seed and the Encrypted OEM Master Share
hsm_gen_key - creates OEM common keys, including encryption keys and signing keys
hsm_store_key - stores known keys, and generate the corresponding key blob
hsm_enc_blk - encrypts the given SB3 data bloc
hsm_enc_sign - signs the given data
-
support for SB 2.1 generation using BD file
LPC55S3x - add support for unsigned/plain images
SB2.1 - SHA256 digest of all sections included in signed SB2.1 header
add supported families listing into elftosb
implement chip family option as a click.Choice
allow loading certificates for MBI in PEM format
-
generate the template for yml configuration file containing the parameters for certificate
improve yml template description for nxpcertgen
add support for generating certificates in DER format
-
moved option -p from general space to gendc subcommand.
add new -k keygen subcommand option to specify key type to generate
-
refactor DebugCredential base class so that it will be possible to pass certificates in yml config file
check nxpdebugmbox on LPC55S3x
pfr: - update CMPA/CFPA registers XML data for LPC55S3x with CRR update
SPSDK Applications:
spsdk applications show help message when no parameter on command line provided
improved help messages
support Ctrl+C in cmd applications
replace functional asserts with raising a SPSDK-based exception
replace all general exception with SPSDK-based exceptions
Bugfixes
nxpkeygen - regenerates a key without –force
elftosb - unclear error message: No such file or directory: ‘None’
pfr: - duplicated error message: The silicon revision is not specified
nxpdebugmbox - fix Retry of AP register reads after Chip reset
nxpdebugmbox - add timeout to never ending loops in spin_read/write methods in Debug mailbox
blhost - flash-erase-region command doesn’t accept the memory_id argument in hex form
elftosb - using kdkAccessRights = 0 in SB31 is throwing an error in KeyDerivator
1.4.0 (25-June-2021)#
New features
version flag added for all command-line application
support for Python 3.9 added
- blhost - following sub-commands added:
list-memory
flash-program-once
set-property
flash-erase-all-unsecure
flash-security-disable
flash-read-resource
reliable-update
fuse-program
flash-image
program-aeskey
blhost - memoryId clamp-down for mapped external memories added
elftosb - support for SB 2.1 added
elftosb - basic support for BD configuration file added
nxpdebugmbox - debug port enabled check added
nxpkeygen - new sub-command added to nxpkeygen to create a template for configuration YML file for DC keys
nxpkeygen - new sub-command added to create a template for configuration YML file for DC keys
pfr: - default JSON config file generation removed, but still accepted as an input. The preferred is the YML configuration format.
docs - Read The Docs documentation improvements
Bugfixes
wrong DCD size by BootImgRT.parse
cmdKeyStoreBackupRestore wrong param description
blhost - typo in McuBootConnectionError exception
blhost - mcuBoot Uart doesn’t close the device after failed ping command
blhost - assertion error when connection lost during fuses readout
blhost - sub-command flash-read-resource fails when the length is not aligned
pfr: - incorrect keys hash computation for LPC55S3x
pfr: - wrong LPC55S69 silicon revision
pfr: - parse does not show PRINCE IV fields
sdphost - running spdhost –help fails
Shadowregs - bad DEV_TEST_BIT in shadow registers
1.3.1 (29-March-2021)#
pfr: - configuration template supports YAML with description, backward compatibility with JSON ensured
pfr: - API change: “keys” parameter has been moved from __init__ to export
pfr: - sub-commands renamed: * user-config -> get-cfg-template * parse -> parse-binary * generate -> generate-binary
blhost - allow key names for key-provisioning commands
blhost - support for RT1170, RT1160
Shadowregs - shadow registers tool is now top-level module
blhost - fix baud rate parameter
pfr: - fix in data for LPC55S6x, LPC55S1x, LPC55S0x
blhost - communication stack breaks down on RT1170 after unsuccessful key-prov enroll command
1.3.0 (5-March-2021)#
support creation of SB version 3.1
elftosb application based on legacy elf2sb supporting SB 3.1 support
nxpdevscan - application for connected USB, UART devices discovery
Shadowregs - application for shadow registers management using DebugProbe
support USB path argument in blhost/sdphost (all supported OS)
nxpcertgen CLI application (basicConstrains, self-signed)
- blhost - commands added:
flash-erase-all
call
load-image
execute
key-provisioning
receive-sb-file
- blhost - extend commands’ options:
configure-memory now allows usage of internal memory
extend error code in the output
add parameters lock/nolock into efuse-program-once command
add key selector option to the generate-key-blob command
add nolock/lock selector to efuse-program-once command
add hexdata option to the write-memory command
1.2.0 (11-December-2020)#
support for LPC55S3x devices
extend support for LPC55S1x, LPC55S0x
pfrc - console script for searching for brick conditions in pfr settings
custom HSM support
sdpshost CLI utility using sdpshost communication protocol
remote signing for Debug Credential
added command read-register into sdphost CLI
dynamic plugin support
MCU Link Debugger support
pfr: - added CMAC-based seal
pfr: - load Root of Trust from elf2sb configuration file
1.1.0 (4-September-2020)#
support for i.MX RT1170 device
support for elliptic-curve cryptography (ECC)
support for SDPS protocol
included Debug Authentication functionality
included support for debuggers
nxpkeygen - utility for generating debug credential files and corresponding keys
1.0.0 (4-April-2020)#
support for LPC55S69 and LPC55S16 devices
support for i.MX RT105x and RT106x devices
support for i.MX RT595S and RT685S devices
connectivity to the target via UART, USB-HID.
support for generating, saving, loading RSA keys with different sizes
generation and management of certificate
blhost - CLI utility for communication with boot loader on a target
sdphost - CLI utility for communication with ROM on a target
pfr: - CLI utility for generating and parsing Protected Flash Regions - CMPA and CFPA regions