User Guide - el2go#
This user’s guide describes how to interface with the EdgeLock 2GO service and the EdgeLock 2GO NXP Provisioning Firmware using the el2go application.
The el2go application is a command-line utility used on the host computer to act as an intermediate layer between the EdgeLock 2GO service’s REST API and the EdgeLock 2GO NXP Provisioning Firmware running on a device. The application sends only one command per invocation.
Prerequisites#
- Activate and configure your EdgeLock 2GO account (https://www.nxp.com/products/security-and-authentication/secure-service-2go-platform/edgelock-2go:EDGELOCK-2GO)
- Install the Secure Provisioning SDK (SPSDK)
- Load the EdgeLock 2GO NXP Provisioning Firmware onto the device
Setup of the EdgeLock 2GO platform#
In the documentation menu of your EdgeLock 2GO account, available at https://www.edgelock2go.com, you can find the documents that explain how to set up the EdgeLock 2GO account to:
- Create an EdgeLock 2GO API key
- Create a device group
- Create a Secure Object
- Assign the Secure Object to the Device Group
Communication#
The el2go application communicates with the EdgeLock 2GO API over the host computer’s internet network and with the EdgeLock 2GO NXP Provisioning Firmware over the host computer’s UART (Serial Port) or USB connections.
EdgeLock 2GO NXP Provisioning Firmware supports I2C and SPI connections if an external BUSPAL connection is used.
el2go - USB#
el2go can connect to the MCU bootloader and the EdgeLock 2GO NXP Provisioning Firmware over USB HID.
el2go - UART#
el2go can connect to the MCU bootloader and the EdgeLock 2GO NXP Provisioning Firmware over UART.
el2go - BUSPAL#
The BusPal acts as a bus translator running on selected platforms. BusPal assists el2go in carrying out commands and responses from the target device through an established connection with el2go over UART, and the target device over I2C or SPI.
Command line interface#
el2go consists of a set of sub-commands followed by options and arguments.
Some of these commands communicate with EdgeLock 2GO, and others with the EdgeLock 2GO NXP Provisioning Firmware running on the device.
el2go#
Use EdgeLock 2GO service to provision a device.
el2go [OPTIONS] COMMAND [ARGS]...
Options
- -v, --verbose#
Print more detailed information
- -vv, --debug#
Display more debugging information.
- --version#
Show the version and exit.
- --help#
Show this message and exit.
close-device#
Launch EdgeLock 2GO NXP Provisioning Firmware.
Using the EdgeLock 2GO Secure Objects stored in Flash memory:
1. The device’s lifecycle will be advanced to In-field/Closed or In-field Locked/Closed/Locked, based on the lifecycle state associated with the Secure Objects downloaded from the EdgeLock 2GO server.
2. The device will be moved to Secure state.
3. The OEM FW Authentication Key Hash will be provisioned.
4. The OEM FW Decryption Key will be provisioned.
5. The desired OTP fuses will be provisioned using the OTP Configuration Data.
ADDRESS is the FLASH memory address where the Secure Objects are stored.
When the -d/--dry-run flag is used, the device is not provisioned and remains in the same state as before. Only the EdgeLock 2GO Secure Objects and the correct setup are verified.
el2go close-device [OPTIONS] ADDRESS
Options
- -d, --dry-run#
Enable Provisioning Firmware dry run, meaning that no fuses will be burned
- -p, --port <COM[,speed]>#
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID:PID|USB_PATH|DEV_NAME>#
USB device identifier. The following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name. <vid>: hex or dec string; e.g. 0x0AB12, 43794. <vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451. Use ‘nxpdevscan’ utility to list connected device names.
- -b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed]>#
Buspal settings
- -t, --timeout <ms>#
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
Arguments
- ADDRESS#
Required argument
get-fw-version#
Return EdgeLock 2GO NXP Provisioning Firmware’s version.
el2go get-fw-version [OPTIONS]
Options
- -p, --port <COM[,speed]>#
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID:PID|USB_PATH|DEV_NAME>#
USB device identifier. The following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name. <vid>: hex or dec string; e.g. 0x0AB12, 43794. <vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451. Use ‘nxpdevscan’ utility to list connected device names.
- -b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed]>#
Buspal settings
- -t, --timeout <ms>#
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
get-secure-objects#
Download the EdgeLock 2GO Secure Objects generated for the attached device.
To generate a template of the configuration file required as input, the get-template command can be used.
Inside the configuration file, the values below should be defined:
- EdgeLock 2GO API key
- Device Group id
- Hardware’s 12NC code
el2go get-secure-objects [OPTIONS]
Options
- -c, --config <config>#
Required. Path to the YAML/JSON configuration file.
- -o, --output <output>#
Required. Path to a file, where to store the output.
- --force#
Force overwriting of existing files.
- -p, --port <COM[,speed]>#
Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.
- -u, --usb <VID:PID|USB_PATH|DEV_NAME>#
USB device identifier. The following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name. <vid>: hex or dec string; e.g. 0x0AB12, 43794. <vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451. Use ‘nxpdevscan’ utility to list connected device names.
- -b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed]>#
Buspal settings
- -t, --timeout <ms>#
Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.
get-template#
Get a template for the configuration file used by the get-secure-objects command.
el2go get-template [OPTIONS]
Options
- -f, --family <family>#
Select the chip family.
Options: rw61x
- -o, --output <output>#
Required. Path to a file, where to store the output.
- --force#
Force overwriting of existing files.
test-connection#
Test connection with EdgeLock 2GO.
el2go test-connection [OPTIONS]
Options
- -c, --config <config>#
Required. Path to the YAML/JSON configuration file.
Usage example#
A proposed order of el2go application usage is presented below:
- get-template
Syntax:
el2go get-template -f [CHIP_FAMILY] -o [PATH_TO_OUTPUT_FILE]
Description: A configuration file template will be generated at the desired path for the desired chip family.
- test-connection (Optional)
Syntax:
el2go test-connection -c [PATH_TO_CONFIG_FILE]
Description: Given the path to the configuration file, a request will be sent to the EdgeLock 2GO REST API to establish a connection with the service.
- get-secure-objects
Syntax:
el2go get-secure-objects [INTERFACE_OPTIONS] -c [PATH_TO_CONFIG_FILE] -o [PATH_TO_OUTPUT_BINARY_FILE]
Description: Given the path to the configuration file, with the required inputs defined, this command will:
  - Harvest the device’s UUID.
  - Whitelist the device in the defined Device Group.
  - Request generation of the Secure Objects assigned to the Device Group.
  - Download the Secure Objects and store them locally in a binary file.
Note: Device needs to be in ISP boot mode.
- get-fw-version
Syntax:
el2go get-fw-version [INTERFACE_OPTIONS]
Description: Once the EdgeLock 2GO NXP Provisioning Firmware is loaded on the device, this command retrieves the firmware’s version. It also lets the user check whether communication has been established between the host machine and the EdgeLock 2GO NXP Provisioning Firmware.
Note: Device needs to be in FlexSPI boot mode.
- close-device
Syntax:
el2go close-device [INTERFACE_OPTIONS] [ADDRESS]
Description: This command will provision the device. The FLASH memory address where the Secure Objects downloaded using get-secure-objects are stored must be passed as the argument, or else the operation will fail.
Note: Device needs to be in FlexSPI boot mode.
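Added example (not part of the original guide or of SPSDK): a POSIX shell wrapper around the steps above that always performs the close-device dry run before the fuse-burning run, and refuses a configuration file, which holds the API key, when group or others can access it. The EL2GO variable, the function names, the "burn" confirmation word and the 0x-only address policy are assumptions of this example; only the flags documented above are passed to el2go.

```shell
#!/bin/sh
# Added example, not NXP/SPSDK code. EL2GO is overridable so the flow can be
# rehearsed against a stub before a real device is attached.
EL2GO="${EL2GO:-el2go}"

# The config file holds the EdgeLock 2GO API key: require that neither group
# nor others have any permission bit set (columns 5-10 of `ls -l`).
config_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Wrapper policy (an assumption of this example): ADDRESS must be 0x-prefixed hex.
valid_address() {
    case "$1" in
        0[xX] | 0[xX]*[!0-9a-fA-F]*) return 1 ;;
        0[xX]*) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_secure_objects CONFIG OUTPUT [INTERFACE_OPTIONS...]  (ISP boot mode)
fetch_secure_objects() {
    _cfg=$1; _out=$2; shift 2
    config_is_private "$_cfg" || { echo "$_cfg: accessible by group/others" >&2; return 5; }
    "$EL2GO" get-secure-objects "$@" -c "$_cfg" -o "$_out"
}

# close_device_guarded ADDRESS CONFIRM [INTERFACE_OPTIONS...]  (FlexSPI boot mode)
# Always performs the dry run; burns fuses only if it passed and CONFIRM is "burn".
close_device_guarded() {
    _addr=$1; _confirm=$2; shift 2
    valid_address "$_addr" || { echo "bad ADDRESS: $_addr" >&2; return 2; }
    "$EL2GO" close-device "$@" --dry-run "$_addr" ||
        { echo "dry run failed; device left unchanged" >&2; return 3; }
    [ "$_confirm" = "burn" ] || { echo "dry run passed; not provisioning" >&2; return 4; }
    "$EL2GO" close-device "$@" "$_addr"
}
```

The two functions cannot be chained in one unattended run, because get-secure-objects needs ISP boot mode and close-device needs FlexSPI boot mode.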