Master Boot Image (MBI)
Master Boot Image can be used directly (e.g. written with the blhost write-memory command) or processed further (e.g. used as input to a Secure Binary image container). The image is created from a supplied configuration file; both JSON and YAML are supported.
Master Boot Images can be divided into two categories based on layout.
- eXecute-In-Place (XIP) images
  - Plain
  - CRC
  - Signed
- Load-to-RAM images
  - Plain
  - CRC
  - Signed images with HMAC signed header. Since load-to-RAM copies the image from untrusted media to on-chip RAM, the length field in header should be authenticated before copy. Hence HMAC signed headers are used.
  - Encrypted (plain header with HMAC + AES-CBC encrypted).
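The reasoning behind the HMAC signed header, as an added example that is not part of the original documentation or of SPSDK: a loader authenticates the header before it trusts the length field, so a modified length is rejected before any copy. The header layout, magic value, key and RAM window are hypothetical and constructed for the example; they are not the real MBI format.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Hypothetical header layout, constructed for this example (NOT the real MBI layout):
#   magic (4 bytes) | image length (u32 LE) | load address (u32 LE) | HMAC-SHA256 of those 12 bytes
HEADER_FMT = "<4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAC_LEN = hashlib.sha256().digest_size
MAGIC = b"LRAM"

# Constructed sample values; key, RAM window and payload are illustrative only.
SAMPLE_KEY = bytes(range(32))
RAM_BASE = 0x20000000
RAM_SIZE = 0x1000
SAMPLE_PAYLOAD = b"\xAA" * 64


class HeaderError(Exception):
    """The header cannot be trusted; nothing has been copied to RAM."""


def build_image(key: bytes, payload: bytes, load_addr: int) -> bytes:
    """Build-side: write the header and authenticate it with the HMAC key."""
    header = struct.pack(HEADER_FMT, MAGIC, len(payload), load_addr)
    mac = hmac.new(key, header, hashlib.sha256).digest()
    return header + mac + payload


def unauthenticated_length(media: bytes) -> int:
    """What a loader without header authentication would use as the copy length."""
    return struct.unpack(HEADER_FMT, media[:HEADER_LEN])[1]


def tamper_length(media: bytes, new_length: int) -> bytes:
    """Simulate modified external media: overwrite only the length field."""
    return media[:4] + struct.pack("<I", new_length) + media[8:]


def load_to_ram(media: bytes, key: bytes, ram_base: int, ram_size: int) -> Tuple[int, bytes]:
    """Verify the header HMAC first, then bounds-check, then copy the payload."""
    if len(media) < HEADER_LEN + MAC_LEN:
        raise HeaderError("truncated header")
    header = media[:HEADER_LEN]
    mac = media[HEADER_LEN:HEADER_LEN + MAC_LEN]
    expected = hmac.new(key, header, hashlib.sha256).digest()
    # Constant-time comparison; no header field is parsed before this passes.
    if not hmac.compare_digest(mac, expected):
        raise HeaderError("header HMAC mismatch")
    magic, length, load_addr = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC:
        raise HeaderError("bad magic")
    # An authenticated length can still be wrong for this device, so check the window.
    if load_addr < ram_base or load_addr + length > ram_base + ram_size:
        raise HeaderError("image does not fit RAM window")
    body = media[HEADER_LEN + MAC_LEN:]
    if len(body) < length:
        raise HeaderError("media shorter than authenticated length")
    # The payload itself is authenticated separately (image signature); not shown here.
    return load_addr, body[:length]


if __name__ == "__main__":
    image = build_image(SAMPLE_KEY, SAMPLE_PAYLOAD, RAM_BASE)
    print(load_to_ram(image, SAMPLE_KEY, RAM_BASE, RAM_SIZE)[0] == RAM_BASE)
    bad = tamper_length(image, 0xFFFFFFFF)
    print(hex(unauthenticated_length(bad)))
    try:
        load_to_ram(bad, SAMPLE_KEY, RAM_BASE, RAM_SIZE)
    except HeaderError as exc:
        print("rejected:", exc)
```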
Example of use
nxpimage: nxpimage mbi export <path to config file>
Sample configuration for an LPC55s6x plain signed XIP image. Other sample configurations can be obtained with the get-templates sub-command.
# =========== Master Boot Image Configuration template for lpc55s6x, Plain Signed XIP Image. ===========
#
# == Basic Settings ==
#
family: lpc55s6x # MCU family., MCU family name.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
masterBootOutputFile: my_mbi.bin # Master Boot Image name., The file for Master Boot Image result file.
inputImageFile: my_application.bin # Plain application image., The input application image to be modified to Master Boot Image.
#
# == Trust Zone Settings ==
#
enableTrustZone: false # TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
# == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # Image Build Number, If omitted, 0 is used as the default value.
rootCertificate0File: my_certificate0.pem # Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # Root Certificate File 3, Root certificate file index 3.
mainCertChainId: 0 # Main Certificate Index, Index of certificate that is used as a main.
chainCertificate0File0: chain_certificate0_depth0.pem # Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
Supported devices for MBI
NXPIMAGE supports devices from the LPC55xx family (LPC55S0x, LPC55S1x, LPC55S2x, LPC552x, LPC55S6x), RT5xx, RT6xx and LPC55S3x. Supported execution targets are Internal flash (XIP), External Flash (XIP) and Load to RAM; supported image authentication types are Plain, CRC, Signed, Encrypted and NXP Signed.
The following table shows the supported image types for each device. Each cell shows either “N/A” if the configuration is not available or the respective class that will be used for image creation.
Target in the table represents outputImageExecutionTarget in the configuration file and authentication in the table represents outputImageAuthenticationType.
Targets | Internal flash (XIP) | Internal flash (XIP) | Internal flash (XIP) | Internal flash (XIP) | External flash (XIP) | External flash (XIP) | External flash (XIP) | External flash (XIP) | RAM | RAM | RAM | RAM |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Authentication | Plain | CRC | Signed | Encrypted + Signed | Plain | CRC | Signed | Encrypted + Signed | Plain | CRC | Signed | Encrypted + Signed |
lpc55xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s0x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc550x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s1x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc551x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s2x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc552x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s6x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
nhs52sxx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
rt5xx |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||||
rt6xx |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||||
lpc55s3x |
N/A |
N/A |
N/A |
N/A |
||||||||
kw45xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||
k32w1xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||
lpc553x |
N/A |
N/A |
N/A |
N/A |
Supported configuration options
Refer to the documentation below for the supported configuration options for each image type. Please note that the outputImageExecutionTarget and outputImageAuthenticationType must be filled in addition to the basic settings according to the table with supported devices.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
Mbi_CrcRam
- family(string): MCU family name. Must be one of: ['lpc55s1x', 'lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc55s0x', 'lpc550x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_CrcRam ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s1x', 'lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc55s0x', 'lpc550x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_CrcRamLpc55s3x
- family(string): MCU family name. Must be one of: ['lpc553x', 'lpc55s3x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- firmwareVersion(['number', 'string']): Version of application image firmware.
# =========== YAML template Mbi_CrcRamLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc553x', 'lpc55s3x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcRamRtxxx
- family(string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- applicationTable(array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) could load additional images. Items (object):
  - binary(string): The binary file to be added to final application.
  - destAddress(['string', 'number']): Destination address in RAM of additional binary.
  - load(boolean): Enabler to load/use the image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- enableHwUserModeKeys(['boolean', 'string']): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_CrcRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) could load additional images.
  - binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
    load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_CrcXip
- family(string): MCU family name. Must be one of: ['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
# =========== YAML template Mbi_CrcXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
Mbi_CrcXipKw45xx
- family(string): MCU family name. Must be one of: ['kw45xx', 'k32w1xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- outputImageSubtype(string): Image subtype determine the image use in MCU (Main application or something else).
# =========== YAML template Mbi_CrcXipKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageSubtype: MAIN # [Optional], Image subtype determine the image use in MCU (Main application or something else).
Mbi_CrcXipLpc55s3x
- family(string): MCU family name. Must be one of: ['lpc553x', 'lpc55s3x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- firmwareVersion(['number', 'string']): Version of application image firmware.
# =========== YAML template Mbi_CrcXipLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc553x', 'lpc55s3x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcXipRtxxx
- family(string): MCU family name. Must be one of: ['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- enableHwUserModeKeys(['boolean', 'string']): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_CrcXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
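A pre-export review check built from the option lists above, as an added example that is not part of SPSDK or of the original documentation: it resolves which CRC class a family and target select, flags Plain/CRC images as carrying no cryptographic authentication, and reports enableHwUserModeKeys and the legacy mainCertChainId key (the page marks the latter as kept for backwards compatibility in the Mbi_EncryptedRamRtxxx options). The function names, finding codes, the Ram/Xip reading of class names and the sample configurations are assumptions constructed for the example.

```python
import json

# Allowed values, copied from the "Must be one of" lists on this page.
TARGETS = ("Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)",
           "External Flash (XIP)", "RAM", "ram", "xip")
AUTH_TYPES = ("Plain", "CRC", "Signed", "Encrypted + Signed", "encrypted", "signed", "crc")

# CRC image classes with their family lists, copied from this page. The "ram"/"xip"
# kind is read off the class name (Ram/Xip), which is an assumption of this example.
CRC_CLASSES = [
    ("Mbi_CrcRam", "ram", {"lpc55s1x", "lpc55s6x", "lpc55s2x", "lpc551x", "lpc55xx",
                           "nhs52sxx", "lpc552x", "lpc55s0x", "lpc550x"}),
    ("Mbi_CrcRamLpc55s3x", "ram", {"lpc553x", "lpc55s3x"}),
    ("Mbi_CrcRamRtxxx", "ram", {"rt6xx", "rt5xx"}),
    ("Mbi_CrcXip", "xip", {"lpc55s6x", "lpc55s2x", "lpc551x", "lpc55xx",
                           "nhs52sxx", "lpc552x", "lpc550x"}),
    ("Mbi_CrcXipKw45xx", "xip", {"kw45xx", "k32w1xx"}),
    ("Mbi_CrcXipLpc55s3x", "xip", {"lpc553x", "lpc55s3x"}),
    ("Mbi_CrcXipRtxxx", "xip", {"lpc55s0x", "rt6xx", "lpc55s1x", "rt5xx"}),
]

# Constructed sample configurations (JSON form of the YAML templates).
SAMPLE_KW45_RAM_CRC = json.dumps({
    "family": "kw45xx", "outputImageExecutionTarget": "RAM",
    "outputImageAuthenticationType": "CRC", "masterBootOutputFile": "my_mbi.bin",
    "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0})
SAMPLE_RT5_XIP_CRC_HWKEYS = json.dumps({
    "family": "rt5xx", "outputImageExecutionTarget": "External flash (XIP)",
    "outputImageAuthenticationType": "crc", "masterBootOutputFile": "my_mbi.bin",
    "inputImageFile": "my_application.bin", "outputImageExecutionAddress": 0,
    "enableHwUserModeKeys": "1"})
SAMPLE_LPC55S6_SIGNED = json.dumps({
    "family": "lpc55s6x", "outputImageExecutionTarget": "Internal flash (XIP)",
    "outputImageAuthenticationType": "Signed", "masterBootOutputFile": "my_mbi.bin",
    "inputImageFile": "my_application.bin", "mainCertPrivateKeyFile": "my_prv_key.pem",
    "rootCertificate0File": "my_certificate0.pem", "mainCertChainId": 0})


def crc_class_for(family, kind):
    """Return the CRC class whose family list contains `family` for this target kind."""
    if not isinstance(family, str):
        return None
    for name, class_kind, families in CRC_CLASSES:
        if class_kind == kind and family in families:
            return name
    return None


def hw_keys_enabled(value):
    # The option is boolean or string; treating "1"/"true" as enabled is an assumption.
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true")
    return bool(value)


def lint_mbi_config(text):
    """Return (severity, code, message) findings for one MBI configuration in JSON."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("configuration must be a JSON object")
    findings = []
    target = cfg.get("outputImageExecutionTarget")
    auth = cfg.get("outputImageAuthenticationType")
    if target not in TARGETS:
        findings.append(("error", "bad-target", "outputImageExecutionTarget %r not allowed" % (target,)))
    if auth not in AUTH_TYPES:
        findings.append(("error", "bad-auth", "outputImageAuthenticationType %r not allowed" % (auth,)))
    if findings:
        return findings
    kind = "ram" if target.lower() == "ram" else "xip"
    auth_kind = auth.lower()
    if auth_kind in ("plain", "crc"):
        findings.append(("warn", "unauthenticated",
                         "Plain/CRC images carry no signature; a CRC only detects corruption"))
    if auth_kind == "crc" and crc_class_for(cfg.get("family"), kind) is None:
        findings.append(("error", "no-crc-class",
                         "no CRC class lists family %r for a %s target" % (cfg.get("family"), kind)))
    if "mainCertChainId" in cfg and "mainRootCertId" not in cfg:
        findings.append(("info", "legacy-cert-index", "use mainRootCertId instead of mainCertChainId"))
    if hw_keys_enabled(cfg.get("enableHwUserModeKeys")):
        findings.append(("warn", "hw-keys-shared",
                         "non-secure application can access keys on the hardware secure bus"))
    return findings


def codes(text):
    """Finding codes only, in the order they were raised."""
    return [code for _severity, code, _message in lint_mbi_config(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_KW45_RAM_CRC, SAMPLE_RT5_XIP_CRC_HWKEYS, SAMPLE_LPC55S6_SIGNED):
        for finding in lint_mbi_config(sample):
            print(finding)
```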
Mbi_EncryptedRamRtxxx
- family(string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- applicationTable(array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) could load additional images. Items (object):
  - binary(string): The binary file to be added to final application.
  - destAddress(['string', 'number']): Destination address in RAM of additional binary.
  - load(boolean): Enabler to load/use the image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
- mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
- signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key.
- imageBuildNumber(['number', 'string']): If omitted, 0 is used as the default value.
- chainCertificate0File0(string): Chain certificate 0 for root certificate 0.
- chainCertificate0File1(string): Chain certificate 1 for root certificate 0.
- chainCertificate0File2(string): Chain certificate 2 for root certificate 0.
- chainCertificate0File3(string): Chain certificate 3 for root certificate 0.
- chainCertificate1File0(string): Chain certificate 0 for root certificate 1.
- chainCertificate1File1(string): Chain certificate 1 for root certificate 1.
- chainCertificate1File2(string): Chain certificate 2 for root certificate 1.
- chainCertificate1File3(string): Chain certificate 3 for root certificate 1.
- chainCertificate2File0(string): Chain certificate 0 for root certificate 2.
- chainCertificate2File1(string): Chain certificate 1 for root certificate 2.
- chainCertificate2File2(string): Chain certificate 2 for root certificate 2.
- chainCertificate2File3(string): Chain certificate 3 for root certificate 2.
- chainCertificate3File0(string): Chain certificate 0 for root certificate 3.
- chainCertificate3File1(string): Chain certificate 1 for root certificate 3.
- chainCertificate3File2(string): Chain certificate 2 for root certificate 3.
- chainCertificate3File3(string): Chain certificate 3 for root certificate 3.
- rootCertificate0File(string): Root certificate file index 0.
- rootCertificate1File(string): Root certificate file index 1.
- rootCertificate2File(string): Root certificate file index 2.
- rootCertificate3File(string): Root certificate file index 3.
- mainRootCertId(['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId(['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
- enableHwUserModeKeys(['boolean', 'string']): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
- useKeyStore(boolean): Enables using key store on device.
- deviceKeySource(string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].
- keyStoreFile(string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.
- outputImageEncryptionKeyFile(string): The HMAC encryption key (file path).
- ctr_init_vector(string): The initial vector for encryption counter.
# =========== YAML template Mbi_EncryptedRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_EncryptedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.
  - binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
    load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
useKeyStore: false # [Optional], The Key store enabler; Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location; Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image); Possible options:['OTP', 'Keystore']
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file; Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key; The HMAC encryption key (file path).
ctr_init_vector: '0xc3df2316fd40b15586cb5ae49483aee2' # [Optional], The output image encryption initial vector for encryption counter; The initial vector for encryption counter.
Mbi_PlainRamLpc55s3x
- family(string): MCU family name. Must be one of: ['lpc553x', 'lpc55s3x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, TrustZone is disabled.
- trustZonePresetFile(string): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- firmwareVersion(['number', 'string']): Version of application image firmware.
# =========== YAML template Mbi_PlainRamLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc553x', 'lpc55s3x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_PlainRamRtxxx
- family(string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, TrustZone is disabled.
- trustZonePresetFile(string): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableHwUserModeKeys(['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise a non-secure application reads zeros.
# =========== YAML template Mbi_PlainRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainSignedRamRtxxx
- family(string): MCU family name. Must be one of: ['rt6xx', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- applicationTable(array): This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images. Items (object):
  - binary(string): The binary file to be added to final application.
  - destAddress(['string', 'number']): Destination address in RAM of additional binary.
  - load(boolean): Enabler to load/use the image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, TrustZone is disabled.
- trustZonePresetFile(string): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
- mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
- signProvider(string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
- imageBuildNumber(['number', 'string']): If omitted, 0 is used as the default value.
- chainCertificate0File0(string): Chain certificate 0 for root certificate 0.
- chainCertificate0File1(string): Chain certificate 1 for root certificate 0.
- chainCertificate0File2(string): Chain certificate 2 for root certificate 0.
- chainCertificate0File3(string): Chain certificate 3 for root certificate 0.
- chainCertificate1File0(string): Chain certificate 0 for root certificate 1.
- chainCertificate1File1(string): Chain certificate 1 for root certificate 1.
- chainCertificate1File2(string): Chain certificate 2 for root certificate 1.
- chainCertificate1File3(string): Chain certificate 3 for root certificate 1.
- chainCertificate2File0(string): Chain certificate 0 for root certificate 2.
- chainCertificate2File1(string): Chain certificate 1 for root certificate 2.
- chainCertificate2File2(string): Chain certificate 2 for root certificate 2.
- chainCertificate2File3(string): Chain certificate 3 for root certificate 2.
- chainCertificate3File0(string): Chain certificate 0 for root certificate 3.
- chainCertificate3File1(string): Chain certificate 1 for root certificate 3.
- chainCertificate3File2(string): Chain certificate 2 for root certificate 3.
- chainCertificate3File3(string): Chain certificate 3 for root certificate 3.
- rootCertificate0File(string): Root certificate file index 0.
- rootCertificate1File(string): Root certificate file index 1.
- rootCertificate2File(string): Root certificate file index 2.
- rootCertificate3File(string): Root certificate file index 3.
- mainRootCertId(['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId(['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
- outputImageEncryptionKeyFile(string): The HMAC encryption key (file path).
- useKeyStore(boolean): Enables using key store on device.
- deviceKeySource(string): Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image). Must be one of: ['OTP', 'Keystore'].
- keyStoreFile(string): Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.
- enableHwUserModeKeys(['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise a non-secure application reads zeros.
# =========== YAML template Mbi_PlainSignedRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainSignedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt6xx', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is a software feature of the RTxxx family: the NXP SDK startup code (not ROM) can load additional images.
  - binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
    destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
    load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key; The HMAC encryption key (file path).
useKeyStore: false # [Optional], The Key store enabler; Enables using key store on device.
deviceKeySource: OTP # [Optional], The Key store location; Determines where the keystore is located. There are two options: OTP or KEYSTORE (included in Load to RAM image); Possible options:['OTP', 'Keystore']
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file; Optional KeyStore data file for included keystore (KEYSTORE source) in LoadToRam images.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
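A pre-export lint for the signing-related keys documented above, as an added example (it is not part of SPSDK or of the original page). The function names, severity labels, accepted string spellings for enableHwUserModeKeys and the sample configuration are assumptions constructed for illustration; the sample uses the JSON form of the configuration.

```python
import json

ROOT_CERT_KEYS = [f"rootCertificate{i}File" for i in range(4)]
UNAUTHENTICATED_TYPES = ("plain", "crc")
DEVICE_KEY_SOURCES = ("OTP", "Keystore")


def parse_sign_provider(spec):
    """Split 'type=<sp_type>;<key1>=<value1>;...' into (sp_type, params)."""
    params = {}
    for field in str(spec).split(";"):
        if not field.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = (part.strip() for part in field.partition("="))
        if not (key and sep and value):
            raise ValueError(f"malformed signProvider field {field!r}")
        if key in params:
            raise ValueError(f"duplicate signProvider key {key!r}")
        params[key] = value
    if "type" not in params:
        raise ValueError("signProvider has no 'type=' field")
    return params.pop("type"), params


def as_int(value):
    """Schema type ['number', 'string'] admits 1, '1' or '0x1'."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"not an integer: {value!r}")
    return value if isinstance(value, int) else int(value, 0)


def is_enabled(value):
    """['boolean', 'string'] key; the accepted strings are an assumption."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def lint_mbi_config(cfg):
    """Return (severity, key, message) findings for one MBI configuration."""
    findings = []
    auth = str(cfg.get("outputImageAuthenticationType", "")).lower()
    if auth in UNAUTHENTICATED_TYPES:
        findings.append(("warning", "outputImageAuthenticationType",
                         f"'{auth}' image is not signed; a CRC detects "
                         "accidental corruption, not tampering"))
    else:
        has_key = "mainCertPrivateKeyFile" in cfg
        has_provider = "signProvider" in cfg
        if not (has_key or has_provider):
            findings.append(("error", "signProvider",
                             "set mainCertPrivateKeyFile or signProvider"))
        if has_key and has_provider:
            findings.append(("warning", "signProvider",
                             "two signing sources set; keep only one"))
        if has_provider:
            try:
                parse_sign_provider(cfg["signProvider"])
            except ValueError as exc:
                findings.append(("error", "signProvider", str(exc)))
        if "mainCertChainId" in cfg:
            findings.append(("warning", "mainCertChainId",
                             "backwards-compatibility key; use mainRootCertId"))
        if "mainRootCertId" in cfg:
            try:
                index = as_int(cfg["mainRootCertId"])
            except ValueError:
                index = -1
            if not 0 <= index < len(ROOT_CERT_KEYS):
                findings.append(("error", "mainRootCertId",
                                 "index must be in the range 0..3"))
            elif ROOT_CERT_KEYS[index] not in cfg:
                findings.append(("error", "mainRootCertId",
                                 f"{ROOT_CERT_KEYS[index]} is not defined"))
    if is_enabled(cfg.get("enableHwUserModeKeys", False)):
        findings.append(("warning", "enableHwUserModeKeys",
                         "non-secure code can reach keys on the HW key bus"))
    source = cfg.get("deviceKeySource")
    if source is not None and source not in DEVICE_KEY_SOURCES:
        findings.append(("error", "deviceKeySource",
                         f"must be one of {list(DEVICE_KEY_SOURCES)}"))
    return findings


# Constructed sample: a signed load-to-RAM configuration with three problems.
SAMPLE_CONFIG = json.loads("""
{
  "family": "rt6xx",
  "outputImageExecutionTarget": "RAM",
  "outputImageAuthenticationType": "Signed",
  "masterBootOutputFile": "my_mbi.bin",
  "inputImageFile": "my_application.bin",
  "outputImageExecutionAddress": 0,
  "signProvider": "type=file;file_path=my_prv_key.pem",
  "rootCertificate0File": "my_certificate0.pub",
  "mainCertChainId": 0,
  "mainRootCertId": "1",
  "enableHwUserModeKeys": "true",
  "deviceKeySource": "OTP"
}
""")

if __name__ == "__main__":
    for severity, key, message in lint_mbi_config(SAMPLE_CONFIG):
        print(f"{severity:7} {key}: {message}")
```

Running such a check in CI before `nxpimage mbi export` catches a root-certificate index that points at an undefined certificate before the image is built.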
Mbi_PlainSignedXipRtxxx
- family(string): MCU family name. Must be one of: ['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- outputImageExecutionAddress(['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone(boolean): If not specified, TrustZone is disabled.
- trustZonePresetFile(string): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
- mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
- signProvider(string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
- imageBuildNumber(['number', 'string']): If omitted, 0 is used as the default value.
- chainCertificate0File0(string): Chain certificate 0 for root certificate 0.
- chainCertificate0File1(string): Chain certificate 1 for root certificate 0.
- chainCertificate0File2(string): Chain certificate 2 for root certificate 0.
- chainCertificate0File3(string): Chain certificate 3 for root certificate 0.
- chainCertificate1File0(string): Chain certificate 0 for root certificate 1.
- chainCertificate1File1(string): Chain certificate 1 for root certificate 1.
- chainCertificate1File2(string): Chain certificate 2 for root certificate 1.
- chainCertificate1File3(string): Chain certificate 3 for root certificate 1.
- chainCertificate2File0(string): Chain certificate 0 for root certificate 2.
- chainCertificate2File1(string): Chain certificate 1 for root certificate 2.
- chainCertificate2File2(string): Chain certificate 2 for root certificate 2.
- chainCertificate2File3(string): Chain certificate 3 for root certificate 2.
- chainCertificate3File0(string): Chain certificate 0 for root certificate 3.
- chainCertificate3File1(string): Chain certificate 1 for root certificate 3.
- chainCertificate3File2(string): Chain certificate 2 for root certificate 3.
- chainCertificate3File3(string): Chain certificate 3 for root certificate 3.
- rootCertificate0File(string): Root certificate file index 0.
- rootCertificate1File(string): Root certificate file index 1.
- rootCertificate2File(string): Root certificate file index 2.
- rootCertificate3File(string): Root certificate file index 3.
- mainRootCertId(['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId(['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
- enableHwUserModeKeys(['boolean', 'string']): Controls the secure hardware key bus. If enabled (1), a non-secure application can access keys on the hardware secure bus; otherwise a non-secure application reads zeros.
# =========== YAML template Mbi_PlainSignedXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainSignedXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainXip
- family(string): MCU family name. Must be one of: ['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x'].
- outputImageExecutionTarget(string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile(string): The file for Master Boot Image result file.
- inputImageFile(string): The input application image to be modified to Master Boot Image.
- enableTrustZone(boolean): If not specified, TrustZone is disabled.
- trustZonePresetFile(string): If not specified but TrustZone is enabled (enableTrustZone), the default values are used.
# =========== YAML template Mbi_PlainXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
Mbi_PlainXipKw45xx
- family (string): MCU family name. Must be one of: ['kw45xx', 'k32w1xx'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- outputImageSubtype (string): Image subtype determines the image use in MCU (Main application or something else).
# =========== YAML template Mbi_PlainXipKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageSubtype: MAIN # [Optional], Image subtype determines the image use in MCU (Main application or something else).
Mbi_PlainXipRtxxx
- family (string): MCU family name. Must be one of: ['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- enableHwUserModeKeys (['boolean', 'string']): Controlling secure hardware key bus. If enabled (1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_PlainXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s0x', 'rt6xx', 'lpc55s1x', 'rt5xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainXipSignedKw45xx
- family (string): MCU family name. Must be one of: ['kw45xx', 'k32w1xx'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key. Unused when 'binaryCertificateBlock' is defined.
- signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
- binaryCertificateBlock (string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block is omitted except the 'signingCertificatePrivateKeyFile' or 'iskSignProvider'.
- useIsk (boolean): Enable ISK type of signature certification. Unused when 'binaryCertificateBlock' is defined.
- signingCertificateFile (string): Path to Signing Certificate. Unused when 'binaryCertificateBlock' is defined.
- signingCertificateConstraint (['string', 'number']): Signing certificate constraint number. Unused when 'binaryCertificateBlock' is defined. Default: 0.
- signCertData (string): Path to Signing Certificate data. Unused when 'binaryCertificateBlock' is defined.
- signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
- iskSignProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
- rootCertificate0File (string): Root certificate file index 0.
- rootCertificate1File (string): Root certificate file index 1.
- rootCertificate2File (string): Root certificate file index 2.
- rootCertificate3File (string): Root certificate file index 3.
- mainRootCertId (['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId (['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- firmwareVersion (['number', 'string']): Version of application image firmware.
- manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].
- outputImageSubtype (string): Image subtype determines the image use in MCU (Main application or something else).
- attachSignDigest (boolean): When enabled, an additional signature digest is added after the image (SHA256/384 depending on the elliptic curve type used for base signing).
- isNxpImage (boolean): When set, the image will be changed to NXP manufacture type.
- noSignature (boolean): When set, the signature is not included. The signature could be added later by an HSM.
# =========== YAML template Mbi_PlainXipSignedKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Unused when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block is omitted except the 'signingCertificatePrivateKeyFile' or 'iskSignProvider'
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Unused when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Unused when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constraint number. Unused when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Unused when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length; Optional Manifest signing hash length to create Certificate v3.1 Manifest; Possible options:[0, 32, 48, 64]
outputImageSubtype: MAIN # [Optional], Image subtype determines the image use in MCU (Main application or something else).
attachSignDigest: false # [Optional], Attach Signature digest; When enabled, an additional signature digest is added after the image (SHA256/384 depending on the elliptic curve type used for base signing).
isNxpImage: false # [Optional], NXP Image type; When set, the image will be changed to NXP manufacture type.
noSignature: false # [Optional], No Signature; When set, the signature is not included. The signature could be added later by an HSM.
Mbi_PlainXipSignedLpc55s3x
- family (string): MCU family name. Must be one of: ['lpc553x', 'lpc55s3x'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- mainRootCertPrivateKeyFile (string): Path to Main root Certification Private Key. Unused when 'binaryCertificateBlock' is defined.
- signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
- binaryCertificateBlock (string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block is omitted except the 'signingCertificatePrivateKeyFile' or 'iskSignProvider'.
- useIsk (boolean): Enable ISK type of signature certification. Unused when 'binaryCertificateBlock' is defined.
- signingCertificateFile (string): Path to Signing Certificate. Unused when 'binaryCertificateBlock' is defined.
- signingCertificateConstraint (['string', 'number']): Signing certificate constraint number. Unused when 'binaryCertificateBlock' is defined. Default: 0.
- signCertData (string): Path to Signing Certificate data. Unused when 'binaryCertificateBlock' is defined.
- signingCertificatePrivateKeyFile (string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
- iskSignProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
- rootCertificate0File (string): Root certificate file index 0.
- rootCertificate1File (string): Root certificate file index 1.
- rootCertificate2File (string): Root certificate file index 2.
- rootCertificate3File (string): Root certificate file index 3.
- mainRootCertId (['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId (['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- firmwareVersion (['number', 'string']): Version of application image firmware.
- manifestSigningHashLength (number): Optional Manifest signing hash length to create Certificate v3.1 Manifest. Must be one of: [0, 32, 48, 64].
- outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_PlainXipSignedLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc553x', 'lpc55s3x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Unused when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block is omitted except the 'signingCertificatePrivateKeyFile' or 'iskSignProvider'
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Unused when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Unused when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constraint number. Unused when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Unused when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'.
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestSigningHashLength: 32 # [Optional], Manifest signing hash length; Optional Manifest signing hash length to create Certificate v3.1 Manifest; Possible options:[0, 32, 48, 64]
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_SignedRam
- family (string): MCU family name. Must be one of: ['lpc55s1x', 'lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc55s0x', 'lpc550x'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- outputImageExecutionAddress (['number', 'string']): Application loading address in RAM if not XiP, otherwise address of load in XiP.
- mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
- signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
- imageBuildNumber (['number', 'string']): If omitted, 0 is used as the default value.
- chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.
- chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.
- chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.
- chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.
- chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.
- chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.
- chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.
- chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.
- chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.
- chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.
- chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.
- chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.
- chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.
- chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.
- chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.
- chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.
- rootCertificate0File (string): Root certificate file index 0.
- rootCertificate1File (string): Root certificate file index 1.
- rootCertificate2File (string): Root certificate file index 2.
- rootCertificate3File (string): Root certificate file index 3.
- mainRootCertId (['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId (['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
# =========== YAML template Mbi_SignedRam ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_SignedRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s1x', 'lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc55s0x', 'lpc550x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
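A pre-flight check for a filled-in signed template, added here as an illustration (it is not part of SPSDK or nxpimage): it parses the signProvider string in the 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>' format and reports leftover CHOOSE_FROM_TABLE placeholders, a missing or doubled signing source, and a mainRootCertId that points at an unset rootCertificateNFile. The function names, the sample configuration and the decision to report mainCertPrivateKeyFile and signProvider being set together are assumptions of this example.

```python
# Added example: lint a flat MBI signing config before handing it to the tool.
# Allowed values are copied from the option lists on this page.
AUTH_TYPES = {"Plain", "CRC", "Signed", "Encrypted + Signed",
              "encrypted", "signed", "crc"}
PLACEHOLDER = "CHOOSE_FROM_TABLE"


def load_flat_template(text):
    """Parse the flat 'key: value # comment' lines used by the templates."""
    cfg = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()      # drop trailing comment
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_sign_provider(spec):
    """Split 'type=<sp_type>;<key1>=<value1>;...' into (sp_type, params)."""
    params = {}
    for part in filter(None, (p.strip() for p in spec.split(";"))):
        key, sep, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed segment {part!r}")
        if key in params:
            raise ValueError(f"duplicate key {key!r}")
        params[key] = value
    if "type" not in params:
        raise ValueError("missing 'type=<sp_type>'")
    return params.pop("type"), params


def check_signing_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"{k}: template placeholder not replaced"
                for k, v in cfg.items() if v == PLACEHOLDER]

    auth = cfg.get("outputImageAuthenticationType")
    if auth != PLACEHOLDER and auth not in AUTH_TYPES:
        findings.append(f"outputImageAuthenticationType: {auth!r} not allowed")

    # The page says each of these two keys can replace the other.
    key_file, provider = cfg.get("mainCertPrivateKeyFile"), cfg.get("signProvider")
    if not key_file and not provider:
        findings.append("no signing source: set mainCertPrivateKeyFile or signProvider")
    elif key_file and provider:
        # Assumption of this example: two sources are ambiguous, so report it.
        findings.append("both mainCertPrivateKeyFile and signProvider set: keep one")
    if provider:
        try:
            parse_sign_provider(provider)
        except ValueError as exc:
            findings.append(f"signProvider: {exc}")

    if "mainCertChainId" in cfg:
        findings.append("mainCertChainId is kept for old schemas: use mainRootCertId")

    root_id = cfg.get("mainRootCertId")
    if root_id is not None:
        try:
            idx = int(root_id, 0)                  # accepts '2' or '0x2'
        except ValueError:
            idx = -1
        if not 0 <= idx <= 3:
            findings.append(f"mainRootCertId: {root_id!r} is not an index 0-3")
        elif not cfg.get(f"rootCertificate{idx}File"):
            findings.append(f"mainRootCertId={idx} but rootCertificate{idx}File is not set")
    return findings


# Constructed sample based on the Mbi_SignedRam template (not a real project file).
SAMPLE = """\
family: lpc55s6x
outputImageExecutionTarget: RAM
outputImageAuthenticationType: CHOOSE_FROM_TABLE  # [Required]
masterBootOutputFile: my_mbi.bin
inputImageFile: my_application.bin
outputImageExecutionAddress: 0
mainCertPrivateKeyFile: my_prv_key.pem
signProvider: type=file;file_path
rootCertificate0File: my_certificate0.pub
mainRootCertId: 2
"""

if __name__ == "__main__":
    for finding in check_signing_config(load_flat_template(SAMPLE)):
        print("FINDING:", finding)
```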
Mbi_SignedXip
- family (string): MCU family name. Must be one of: ['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x'].
- outputImageExecutionTarget (string): Definition if application is Execute in Place (XiP) or loaded to RAM during reset sequence. Must be one of: ['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip'].
- outputImageAuthenticationType (string): Specification of final master boot image authentication. Must be one of: ['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc'].
- masterBootOutputFile (string): The file for Master Boot Image result file.
- inputImageFile (string): The input application image to be modified to Master Boot Image.
- enableTrustZone (boolean): If not specified, the Trust zone is disabled.
- trustZonePresetFile (string): If not specified, but TrustZone is enabled (enableTrustZone), the default values are used.
- mainCertPrivateKeyFile (string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
- signProvider (string): Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
- imageBuildNumber (['number', 'string']): If omitted, 0 is used as the default value.
- chainCertificate0File0 (string): Chain certificate 0 for root certificate 0.
- chainCertificate0File1 (string): Chain certificate 1 for root certificate 0.
- chainCertificate0File2 (string): Chain certificate 2 for root certificate 0.
- chainCertificate0File3 (string): Chain certificate 3 for root certificate 0.
- chainCertificate1File0 (string): Chain certificate 0 for root certificate 1.
- chainCertificate1File1 (string): Chain certificate 1 for root certificate 1.
- chainCertificate1File2 (string): Chain certificate 2 for root certificate 1.
- chainCertificate1File3 (string): Chain certificate 3 for root certificate 1.
- chainCertificate2File0 (string): Chain certificate 0 for root certificate 2.
- chainCertificate2File1 (string): Chain certificate 1 for root certificate 2.
- chainCertificate2File2 (string): Chain certificate 2 for root certificate 2.
- chainCertificate2File3 (string): Chain certificate 3 for root certificate 2.
- chainCertificate3File0 (string): Chain certificate 0 for root certificate 3.
- chainCertificate3File1 (string): Chain certificate 1 for root certificate 3.
- chainCertificate3File2 (string): Chain certificate 2 for root certificate 3.
- chainCertificate3File3 (string): Chain certificate 3 for root certificate 3.
- rootCertificate0File (string): Root certificate file index 0.
- rootCertificate1File (string): Root certificate file index 1.
- rootCertificate2File (string): Root certificate file index 2.
- rootCertificate3File (string): Root certificate file index 3.
- mainRootCertId (['number', 'string']): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
- mainCertChainId (['number', 'string']): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
# =========== YAML template Mbi_SignedXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_SignedXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s6x', 'lpc55s2x', 'lpc551x', 'lpc55xx', 'nhs52sxx', 'lpc552x', 'lpc550x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to be modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>'. It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If omitted, 0 is used as the default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
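A pre-export lint for the Mbi_SignedXip keys listed above, as an added example that is not SPSDK code: `parse_sign_provider` and `lint_signed_xip` are hypothetical names, and the configuration is assumed to be already loaded into a dict. Treating two signing-key sources at once as a problem is this example's own policy, not a documented nxpimage rule; the 0..3 range for mainRootCertId follows from the four root certificate slots.

```python
FAMILIES = {"lpc55s6x", "lpc55s2x", "lpc551x", "lpc55xx", "nhs52sxx", "lpc552x", "lpc550x"}
TARGETS = {"Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)",
           "External Flash (XIP)", "RAM", "ram", "xip"}
AUTH_TYPES = {"Plain", "CRC", "Signed", "Encrypted + Signed", "encrypted", "signed", "crc"}
REQUIRED = ("family", "outputImageExecutionTarget", "outputImageAuthenticationType",
            "masterBootOutputFile", "inputImageFile")

def parse_sign_provider(value):
    """Split 'type=<sp_type>;<key1>=<value1>;...' into a dict; 'type' is mandatory."""
    params = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = (s.strip() for s in part.partition("="))
        if not (key and sep and val):
            raise ValueError(f"malformed signProvider field: {part!r}")
        params[key] = val
    if "type" not in params:
        raise ValueError("signProvider has no 'type' field")
    return params

def lint_signed_xip(cfg):
    """Return a list of problems found in an Mbi_SignedXip config dict."""
    problems = [f"missing required key: {k}" for k in REQUIRED if k not in cfg]
    for key, allowed in (("family", FAMILIES), ("outputImageExecutionTarget", TARGETS),
                         ("outputImageAuthenticationType", AUTH_TYPES)):
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key}: {cfg[key]!r} is not an allowed value")
    # Example policy (assumption): one signing-key source, so the signer is unambiguous.
    sources = [k for k in ("mainCertPrivateKeyFile", "signProvider") if cfg.get(k)]
    if len(sources) != 1:
        problems.append(f"expected one signing-key source, found {len(sources)}")
    if cfg.get("signProvider"):
        try:
            parse_sign_provider(cfg["signProvider"])
        except ValueError as exc:
            problems.append(str(exc))
    # Root certificate slots 0..3 that actually have a file assigned.
    roots = {i for i in range(4) if cfg.get(f"rootCertificate{i}File")}
    if not roots:
        problems.append("no rootCertificate<N>File is defined")
    if "mainRootCertId" in cfg:
        main = str(cfg["mainRootCertId"])  # schema allows number or string
        if main not in {"0", "1", "2", "3"}:
            problems.append(f"mainRootCertId {main!r} is outside 0..3")
        elif int(main) not in roots:
            problems.append(f"mainRootCertId {main} has no rootCertificate{main}File")
    if "mainCertChainId" in cfg:
        problems.append("mainCertChainId is deprecated; use mainRootCertId")
    return problems
```

The template above sets both mainCertPrivateKeyFile and signProvider, so under this example's policy it needs one of them removed before it lints clean.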