AHAB#
AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage how the output should look like.
Example of use for export
nxpimage ahab export -c "path\to\config\file.yaml"
Example of use for parse binary AHAB container
nxpimage ahab parse -b "my_ahab_container.bin" -o "path\to_parsed_data"
The full AHAB configuration template could be generated by nxpimage tool “get_template” sub-command for family that supports AHAB, example:
nxpimage ahab get-template -f rt118x -o ahab_template_rt118x.yaml
Generating Multiple Bootable Image Templates#
For families that support IMX bootloaders (like i.MX 8/9 series), you can generate multiple template configurations using the get-templates command:
nxpimage bootable-image get-templates -f <family> -o <output_directory>
This command generates:
- Standard templates for all memory types
- Extra templates with simplified naming (e.g., spl for primary image, uboot for secondary image)
- Board-specific template variants in sub-folders
To generate a specific template type:
nxpimage bootable-image get-templates -f <family> -o <output_directory> --template imx_boot_flash_all
To generate templates for a specific board:
nxpimage bootable-image get-templates -f <family> -o <output_directory> --board imx95-19x19-lpddr5-evk
Use nxpimage bootable-image list-boards -f <family> to see available boards.
AHAB Extensions#
Since SPSDK version 2.2.0, support for AHAB extensions have been added. This allows the user to create the standard images like U-Boot for example in the similar manner as with the imx-mkimage tool, without knowing the details of the AHAB format.
AHAB Sign#
Since SPSDK version 2.3.0 it is possible to sign and encrypt existing image or image container set, without parsing.
It parses the input image, loads the configuration file and iterates over the segments in the image. If the segment is AHAB image, it iterates over all the containers and if the container is not NXP signed, it signs them with the key (signature provider) provided in the configuration.
If the blob is specified, it also iterates over all images in the container and encrypt them.
Then signed (encrypted) image is saved to the path provided.
Template for signing might be generated using the get-template command with –sign/-s flag:
nxpimage ahab get-template -f <family> -o sign_template.yaml --sign
Example of use for sign and encrypt AHAB container
nxpimage -v ahab sign -c "path\to\config\file.yaml" -c "ahab_image_to_be_signed.bin" -o "path\to_signed_image"
AHAB Re-sign#
It is possible to re-sign an existing AHAB container without modifying other parts of the image. This is useful when you need to update the signature of a specific container without rebuilding the entire image.
The re-sign command allows you to specify a private key or signature provider configuration to sign a specific container in the AHAB image.
Example of use for re-signing a container in an AHAB image:
nxpimage ahab re-sign -f <family> -b "ahab_image.bin" -k "path/to/private_key.pem" -i <container_id>
For bootable images that contain FCB or XMCD segments, you need to specify the memory type:
nxpimage ahab re-sign -f <family> -b "bootable_image.bin" -k "path/to/private_key.pem" -i <container_id> -m <memory_type>
AHAB Update Keyblob#
It is possible to update the encryption keyblob in an existing AHAB container. This is useful when you need to update the encryption keys without rebuilding the entire image.
The update-keyblob command allows you to replace the keyblob in a specific container of an AHAB image with a new one.
Example of use for updating a keyblob in an AHAB image:
nxpimage ahab update-keyblob -f <family> -b "ahab_image.bin" -k "path/to/new_keyblob.bin" -i <container_id>
For bootable images that contain FCB or XMCD segments, you need to specify the memory type:
nxpimage ahab update-keyblob -f <family> -b "bootable_image.bin" -k "path/to/new_keyblob.bin" -i <container_id> -m <memory_type>
AHAB Container Structure for imx-boot (i.MX 9x)#
On i.MX 9x devices (i.MX93, i.MX95, etc.), the imx-boot image is composed of multiple AHAB containers,
each carrying different firmware and application images. The boot ROM processes these containers sequentially.
Understanding this structure is essential when creating or modifying bootable images with SPSDK.
Common Structure#
All i.MX 9x families share a two-stage boot concept:
Primary Container Set — loaded first by boot ROM to on-chip SRAM (OCRAM)
Secondary Container Set — loaded to DDR after memory initialization
Container |
Contents |
Signed By |
Purpose |
|---|---|---|---|
Container 0 |
ELE firmware |
NXP |
EdgeLock Enclave security subsystem; loaded and verified first by ROM |
Container 1 |
SPL + DDR firmware (LPDDR FW or OEI) |
OEM |
Initializes DDR memory and hands off to U-Boot |
Container 2 |
ATF (BL31) + U-Boot proper (+ optional OP-TEE) |
OEM |
Main bootloader loaded into DDR |
i.MX93 Container Layout#
The i.MX93 uses AHAB Container v1. DDR initialization uses legacy LPDDR training firmware
(4 separate binaries merged with SPL into a single spl_ddr image), not OEI.
Container |
Contents |
Notes |
|---|---|---|
Container 0 (NXP) |
ELE firmware ( |
NXP-signed; mandatory; processed first by ROM |
Container 1 (OEM, OCRAM) |
spl_ddr — U-Boot SPLlpddr_imem_1d — LPDDR4 instruction memory 1Dlpddr_dmem_1d — LPDDR4 data memory 1Dlpddr_imem_2d — LPDDR4 instruction memory 2Dlpddr_dmem_2d — LPDDR4 data memory 2D |
Loaded to OCRAM; SPL initializes DDR
SPL + LPDDR FW are merged into single image
|
Container 2 (OEM, DDR) |
atf — ATF / BL31uboot — U-Boot propertee — OP-TEE (optional)Optional:
kernel, dtb |
Loaded to DDR after initialization |
Supported cores: Cortex-A55, Cortex-M33, ELE, V2X_1, V2X_2
i.MX95 Container Layout#
The i.MX95 has a more complex structure, supporting both AHAB Container v1 (a0/a1) and v2 (b0+), and adds System Manager, OEI-based DDR initialization, and Fast Boot capabilities.
Container |
Contents |
Notes |
|---|---|---|
Container 0 (NXP) |
ELE firmware ( |
NXP-signed; mandatory; processed first by ROM |
Container 1 (OEM, OCRAM) |
oei_ddr — OEI DDR firmwarelpddr_imem — LPDDR4/5 instruction memorylpddr_dmem — LPDDR4/5 data memorylpddr_imem_qb — LPDDR4/5 instruction memory (Quick Boot)lpddr_dmem_qb — LPDDR4/5 data memory (Quick Boot)system_manager — System Manager (CM33)cortex_m7_app — M7 application (optional)spl — U-Boot SPLv2x_dummy — V2X dummy image |
System Manager runs on dedicated CM33 core
QB data is optional (dummy variant available on b0)
OEI TCM (
oei_tcm) available as extra image |
Container 2 (OEM, DDR) |
atf — ATF / BL31uboot — U-Boot propertee — OP-TEE (optional)Optional:
kernel, dtb |
Loaded to DDR after initialization |
Supported cores: Cortex-A55, Cortex-M33, Cortex-M7, ELE, V2X_1, V2X_2, DDR
Key Differences: i.MX93 vs i.MX95#
Feature |
i.MX93 |
i.MX95 |
|---|---|---|
AHAB container types |
v1 only |
v1 (a0/a1), v2+v1 (b0+) |
DDR initialization |
Legacy LPDDR training FW (merged with SPL) |
OEI DDR firmware (separate image) |
System Manager |
No |
Yes (dedicated CM33) |
OEI support |
No |
Yes ( |
SPL container images |
|
|
Core IDs |
Cortex-A55, Cortex-M33, ELE, V2X_1, V2X_2 |
Cortex-A55, Cortex-M33, Cortex-M7, ELE, V2X_1, V2X_2, DDR, Dummy |
SPSDK Commands for imx-boot#
Generate bootable image templates for a specific family:
nxpimage bootable-image get-templates -f mimx9352 -o imx93_templates/
nxpimage bootable-image get-templates -f mimx9596 -o imx95_templates/
List available board configurations:
nxpimage bootable-image list-boards -f mimx9352
nxpimage bootable-image list-boards -f mimx9596
Export an AHAB container:
nxpimage ahab export -c config.yaml
For complete examples, see:
i.MX 95 Container Parameters#
The following container header fields are relevant when building AHAB images for
i.MX 95 (AHABContainerV2). They control the GDET (Glitch Detector) runtime
behavior and the fast boot hardware-acceleration mode.
Note
Both gdet_runtime_behavior and fast_boot are optional in the OEM
container YAML. When a field is omitted, SPSDK preserves the flag bits already
present in the parsed container (e.g., from the NXP-signed ELE firmware container)
rather than overwriting them with a default. Set either field explicitly only when
you want to override the value that was read from the original image.
GDET Runtime Behavior#
The gdet_runtime_behavior field controls the Glitch Detector (GDET) managed by
the EdgeLock Secure Enclave (ELE) during and after container authentication.
Value |
Description |
|---|---|
|
GDET is disabled after the first OEM container has been authenticated. |
|
GDET is automatically enabled during all ELE API calls. |
|
GDET remains enabled after container authentication. |
Example YAML snippet:
containers:
- container:
gdet_runtime_behavior: disabled # or enabled_eleapi / enabled
Fast Boot (V2X Accelerator)#
The fast_boot field enables hardware-accelerated authentication using the V2X
subsystem of i.MX 95 (B0 revision and later). It corresponds to bits [17:16] in the
32-bit container header Flags field. This acceleration can dramatically reduce boot
time — e.g., Linux kernel verification was measured at ~2671 ms in normal mode
vs ~445 ms with fast hash (on an i.MX 95 LPDDR5 EVK).
Value |
Description |
|---|---|
|
Regular secure boot, no V2X acceleration (bits 16:17 = |
|
ELE performs hash and copy instead of BootROM (bit 16 only, |
|
Fast Hash — V2X handles container/image authentication. Works with
all boot sources including SD and eMMC (bit 17 only, |
|
Full Fast Boot — ELE does hash + copy using V2X accelerator directly.
Requires boot from FlexSPI NOR flash. Maximum performance
(bits 16:17 = |
Note
Full Fast Boot (hash_and_copy_with_external_accelerator) additionally
requires the FAST_BOOT_ENABLE hardware fuse to be programmed
(bit 4 of fuse word 58, fuse index 1860 on i.MX 95).
Fast Hash (external_accelerator) also requires the fuse to be programmed.
The fuse enables the feature globally; the container header selects the mode.
See the Fast Boot with V2X Accelerator on i.MX 95 application note for details.
Note
The V2X subsystem on i.MX 95 B0 operates in direct mode for fast boot: no V2X firmware is running during the fast boot phase, and the ELE controls the V2X hardware accelerators directly. After fast boot completes, V2X firmware is downloaded and executed normally.
Example YAML snippet:
containers:
- container:
fast_boot: disabled # or hash_and_copy / external_accelerator /
# hash_and_copy_with_external_accelerator
gdet_runtime_behavior: disabled
Supported configuration options#
AHABImage for mimx8dxl, Revision: a0#
AHABImage for mimx8dxl, Revision: a0 JSON schema
AHABImage for mimx8dxl, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8dxl, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx8dxl, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, seco, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4, cortex-a35, seco, v2x-1, v2x-2>
core_id: cortex-m4
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8qm, Revision: a0#
AHABImage for mimx8qm, Revision: a0 JSON schema
AHABImage for mimx8qm, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8qm, Revision: a0 =================================
# ======================================================================================================================
# == AHABImage for mimx8qm, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, dcd, provisioning_image, dek_validation, provisioning_data, seco>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4-0, cortex-m4-1, cortex-a72, cortex-a53>
core_id: cortex-m4-0
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8qxp, Revision: a0#
AHABImage for mimx8qxp, Revision: a0 JSON schema
AHABImage for mimx8qxp, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8qxp, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx8qxp, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, dcd, provisioning_image, dek_validation, provisioning_data, seco>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4, cortex-a35>
core_id: cortex-m4
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8ulp, Revision: a2#
AHABImage for mimx8ulp, Revision: a2 JSON schema
AHABImage for mimx8ulp, Revision: a2 YAML configuration template
# ================================ AHAB template AHABImage for mimx8ulp, Revision: a2 ================================
# ======================================================================================================================
# == AHABImage for mimx8ulp, Revision: a2 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, a2, latest>
revision: a2
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 9 options. ==
# Options [uPower, SPL, Uboot ATF, Uboot, TEE Trusted Execution Environment, MCU Image, Linux Kernel Image,
# Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===================== [Example of possible configuration: #0 uPower, erase if not used] ======================
# uPower firmware
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000028300200
# image_type: executable
# core_id: cortex-a35-2
# hash_type: SHA384
# ---------------------------------------===== uPower [Required] =====----------------------------------------
# Description: uPower firmware
upower: upower.bin
# ======================= [Example of possible configuration: #1 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000022020000
# image_type: executable
# core_id: cortex-a35-1
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #2 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020040000
# image_type: executable
# core_id: cortex-a35-1
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #3 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a35-1
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #4 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000A6000000
# image_type: executable
# core_id: cortex-a35-1
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# ==================== [Example of possible configuration: #5 MCU Image, erase if not used] ====================
# MCU Image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC2000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== MCU Image [Required] =====--------------------------------------
# Description: MCU Image
mcu: m33_image.bin
# =============== [Example of possible configuration: #6 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a35-1
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #7 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a35-1
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #8 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, dek_validation_fcb_chk, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a35-1, cortex-a35-2, ele, hdmi-tx, hdmi-rx>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9131, Revision: a0#
AHABImage for mimx9131, Revision: a0 JSON schema
AHABImage for mimx9131, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9131, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx9131, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204A0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204C0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <reserved, cortex-a55, ele, v2x-1, v2x-2>
core_id: reserved
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9301, Revision: a1#
AHABImage for mimx9301, Revision: a1 JSON schema
AHABImage for mimx9301, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9301, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9301, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9302, Revision: a1#
AHABImage for mimx9302, Revision: a1 JSON schema
AHABImage for mimx9302, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9302, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9302, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9311, Revision: a1#
AHABImage for mimx9311, Revision: a1 JSON schema
AHABImage for mimx9311, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9311, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9311, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9312, Revision: a1#
AHABImage for mimx9312, Revision: a1 JSON schema
AHABImage for mimx9312, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9312, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9312, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9321, Revision: a1#
AHABImage for mimx9321, Revision: a1 JSON schema
AHABImage for mimx9321, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9321, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9321, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9322, Revision: a1#
AHABImage for mimx9322, Revision: a1 JSON schema
AHABImage for mimx9322, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9322, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9322, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9331, Revision: a1#
AHABImage for mimx9331, Revision: a1 JSON schema
AHABImage for mimx9331, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9331, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9331, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9332, Revision: a1#
AHABImage for mimx9332, Revision: a1 JSON schema
AHABImage for mimx9332, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9332, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9332, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9351, Revision: a1#
AHABImage for mimx9351, Revision: a1 JSON schema
AHABImage for mimx9351, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9351, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9351, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9352, Revision: a1#
AHABImage for mimx9352, Revision: a1 JSON schema
AHABImage for mimx9352, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9352, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9352, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx943, Revision: a0#
AHABImage for mimx943, Revision: a0 JSON schema
AHABImage for mimx943, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx943, Revision: a0 =================================
# ======================================================================================================================
# == AHABImage for mimx943, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 14 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, Cortex M7 second core additional
# application, Cortex M33 second core additional application, SPL, Uboot ATF, Uboot, TEE Trusted Execution
# Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behind DDR
# FW entry
qb_data: qb_data.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# == [Example of possible configuration: #5 Cortex M7 second core additional application, erase if not used] ===
# Cortex M7 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000302C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-2
# meta_data_start_cpu_id: 7
# hash_type: SHA384
# --------------------===== Cortex M7 second core additional application [Required] =====---------------------
# Description: Cortex M7 second core additional application
cortex_m7_2_app: cortex_m7_2_app.bin
# == [Example of possible configuration: #6 Cortex M33 second core additional application, erase if not used] ==
# Cortex M33 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000309C0000
# entry_point: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33-2
# meta_data_start_cpu_id: 8
# hash_type: SHA384
# --------------------===== Cortex M33 second core additional application [Required] =====--------------------
# Description: Cortex M33 second core additional application
cortex_m33_2_app: cortex_m33_2_app.bin
# ======================= [Example of possible configuration: #7 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #8 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #9 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======= [Example of possible configuration: #10 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #11 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #12 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #13 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, cortex-m7-2, cortex-m33-2,
# ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9512, Revision: b0#
AHABImage for mimx9512, Revision: b0 JSON schema
AHABImage for mimx9512, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9512, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9512, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9514, Revision: b0#
AHABImage for mimx9514, Revision: b0 JSON schema
AHABImage for mimx9514, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9514, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9514, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9516, Revision: b0#
AHABImage for mimx9516, Revision: b0 JSON schema
AHABImage for mimx9516, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9516, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9516, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx95294, Revision: a0#
AHABImage for mimx95294, Revision: a0 JSON schema
AHABImage for mimx95294, Revision: a0 YAML configuration template
# =============================== AHAB template AHABImage for mimx95294, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx95294, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, V2X Dummy, SPL, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behind DDR
# FW entry
qb_data: qb_data.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ==================== [Example of possible configuration: #5 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ======================= [Example of possible configuration: #6 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9532, Revision: b0#
AHABImage for mimx9532, Revision: b0 JSON schema
AHABImage for mimx9532, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9532, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9532, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9534, Revision: b0#
AHABImage for mimx9534, Revision: b0 JSON schema
AHABImage for mimx9534, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9534, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9534, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9536, Revision: b0#
AHABImage for mimx9536, Revision: b0 JSON schema
AHABImage for mimx9536, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9536, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9536, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9542, Revision: b0#
AHABImage for mimx9542, Revision: b0 JSON schema
AHABImage for mimx9542, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9542, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9542, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9544, Revision: b0#
AHABImage for mimx9544, Revision: b0 JSON schema
AHABImage for mimx9544, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9544, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9544, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9546, Revision: b0#
AHABImage for mimx9546, Revision: b0 JSON schema
AHABImage for mimx9546, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9546, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9546, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9554, Revision: b0#
AHABImage for mimx9554, Revision: b0 JSON schema
AHABImage for mimx9554, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9554, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9554, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9584, Revision: b0#
AHABImage for mimx9584, Revision: b0 JSON schema
AHABImage for mimx9584, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9584, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9584, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9586, Revision: b0#
AHABImage for mimx9586, Revision: b0 JSON schema
AHABImage for mimx9586, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9586, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9586, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9594, Revision: b0#
AHABImage for mimx9594, Revision: b0 JSON schema
AHABImage for mimx9594, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9594, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9594, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9596, Revision: b0#
AHABImage for mimx9596, Revision: b0 JSON schema
AHABImage for mimx9596, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9596, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9596, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1181, Revision: b0#
AHABImage for mimxrt1181, Revision: b0 JSON schema
AHABImage for mimxrt1181, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1181, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1181, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1182, Revision: b0#
AHABImage for mimxrt1182, Revision: b0 JSON schema
AHABImage for mimxrt1182, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1182, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1182, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1186, Revision: a0#
AHABImage for mimxrt1186, Revision: a0 JSON schema
AHABImage for mimxrt1186, Revision: a0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1186, Revision: a0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1186, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1187, Revision: b0#
AHABImage for mimxrt1187, Revision: b0 JSON schema
AHABImage for mimxrt1187, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1187, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1187, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1189, Revision: b0#
AHABImage for mimxrt1189, Revision: b0 JSON schema
AHABImage for mimxrt1189, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1189, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1189, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc, fastboot>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, nxp, oem, devhsm>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# If omitted, the existing flag value in the parsed container is preserved (no override applied).
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Required] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: SCFW - Resource ID of CPU to be started. SM - CPU ID for System Manager. Identifies which CPU
# should start executing the image.
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: SCFW - Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: SCFW - Partition ID of the partition to start
meta_data_start_partition_id: 0
# ------------------------------------===== SM mSel Value [Optional] =====------------------------------------
# Description: mSel value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage msel parameter and stored in bits 23:16 of metadata.
meta_data_msel: 0
# --------------------------------------===== SM Flags [Optional] =====---------------------------------------
# Description: Flags value for System Manager (i.MX9). Only valid for CM33_0 (cpu_id=0). This value is passed
# via the mkimage flags parameter and stored in bits 31:24 of metadata.
meta_data_flags: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha256
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, ML-DSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512,
# sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512, sm3. Supported key sizes/curves: prime256v1,
# sec384r1, sec512r1, rsa2048, rsa3072, rsa4096, dil3, dil5, mldsa65, mldsa87, sm2. Certificate may be of
# Certificate Authority. PQC algorithms are supported just in a new type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt