ELE message support API

ELE message support API#

SPSDK EdgeLock Enclave support module.

This module provides comprehensive support for EdgeLock Enclave Tool functionality, enabling secure provisioning and management operations for NXP EdgeLock Enclave devices.

Module with the EdgeLock Enclave messages#

SPSDK EdgeLock Enclave message handling and communication protocol.

This module provides comprehensive message classes for communicating with NXP’s EdgeLock Enclave security subsystem. It includes message formatting, serialization, and protocol handling for various ELE operations including authentication, key management, lifecycle operations, and system control functions.

class spsdk.ele.ele_message.EleMessage#

Bases: object

Base class for EdgeLock Enclave message communication.

This class provides the foundation for creating and managing messages sent to and received from the EdgeLock Enclave security subsystem. It handles message structure including headers with tag, command ID, size and version fields, as well as memory alignment and addressing for both command and response data.

Variables:

TAG – Message tag identifier for commands (0x17).
RSP_TAG – Message tag identifier for responses (0xE1).
VERSION – Message protocol version (0x06).
ELE_MSG_ALIGN – Memory alignment requirement for messages (8 bytes).

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 0#

COMMAND_HEADER_WORDS_COUNT = 1#

COMMAND_PAYLOAD_WORDS_COUNT = 0#

ELE_MSG_ALIGN = 8#

HEADER_FORMAT = '<BBBB'#

MAX_COMMAND_DATA_SIZE = 0#

MAX_RESPONSE_DATA_SIZE = 0#

MSG_IDS#: alias of MessageIDs

RESPONSE_HEADER_WORDS_COUNT = 2#

RESPONSE_PAYLOAD_WORDS_COUNT = 0#

RSP_TAG = 225#

TAG = 23#

VERSION = 6#

property command_address: int#

Get command address in target memory space.

Returns the buffer address aligned to ELE message alignment requirements.

Returns:: Aligned command address as integer value.

property command_data: bytes#

Get command data to be loaded into target memory space.

Returns:: Command data as bytes, empty by default.

property command_data_address: int#

Get command data address in target memory space.

Calculates the aligned address where command data should be placed in target memory, based on the command address and the number of command words.

Returns:: Aligned address for command data placement in target memory.

property command_data_size: int#

Get the size of command data aligned to ELE message requirements.

The method calculates the aligned size of command data, using either the actual data length or the maximum command data size if no data is present.

Returns:: Size of command data aligned to ELE_MSG_ALIGN boundary.

property command_words_count: int#

Get the total count of command words.

Calculates the total number of words in the command by summing the header words count and payload words count.

Returns:: Total number of words in the command.

decode_response(response)#

Decode response from target.

Parses and validates the response message header and status information. The method verifies message tag, command, size, and version fields against expected values and extracts status, indication, and abort code.

Parameters:: response (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid response format or field values detected.
Return type:: None

decode_response_data(response_data)#

Decode response data from target.

The response data are specific per command and will be processed according to the command’s expected response format.

Parameters:: response_data (bytes) – Raw response data bytes received from the target device.
Return type:: None

export()#

Export message to final bytes array.

Return type:: bytes
Returns:: Bytes representation of message object.

property free_space_address: int#

Get first free address after ELE message in target memory space.

The method calculates the aligned address that comes after the response data, ensuring proper memory alignment according to ELE message requirements.

Returns:: Aligned memory address representing the first free location after the ELE message.

property free_space_size: int#

Get free space size after ELE message in target memory space.

Calculates the available space remaining in the buffer after the ELE message, aligned to the required ELE message alignment boundary.

Returns:: Size of free space in bytes, aligned to ELE_MSG_ALIGN boundary.

static get_msg_crc(payload)#

Compute message CRC.

The method calculates CRC using XOR operation on 4-byte chunks of the input payload. All data must be properly aligned to 4-byte boundaries for correct computation.

Parameters:: payload (bytes) – The input data to compute CRC on. Must be 4 bytes aligned.
Raises:: SPSDKValueError – Payload is not 4 bytes aligned.
Return type:: bytes
Returns:: 4 bytes of CRC in little endian format.

property has_command_data: bool#

Check if command has additional data.

Returns:: True if command has additional data, False otherwise.

property has_response_data: bool#

Check if response has additional data.

Returns:: True if response contains additional data, False otherwise.

header_export()#

Export message header to bytes.

Converts the message header fields (version, command words count, command, and tag) into their binary representation using the predefined header format.

Return type:: bytes
Returns:: Bytes representation of message header.

info()#

Get message information including live data.

Returns a formatted string containing command details, word counts, data flags, and response status information.

Return type:: str
Returns:: Formatted string with comprehensive message information.

property response_address: int#

Get response address in target memory space.

Calculates the memory address where the response data should be placed, considering command data presence and proper alignment requirements.

Returns:: Aligned memory address for response data placement.

property response_data_address: int#

Get response data address in target memory space.

Calculates the aligned memory address where response data should be stored, based on the response address and the number of response words.

Returns:: Aligned memory address for response data storage.

property response_data_size: int#

Get aligned response data size.

Returns the response data size aligned to ELE message alignment requirements.

Returns:: Aligned response data size in bytes.

response_status()#

Get response status information as formatted string.

Formats the response status with detailed failure information including indication and abort code when applicable.

Return type:: str
Returns:: Formatted string containing response status details.

property response_words_count: int#

Get the total count of response words.

Calculates the total number of words in the response by summing the header words count and payload words count.

Returns:: Total number of words in the response message.

set_buffer_params(buff_addr, buff_size)#

Set the communication buffer parameters to allow command update addresses inside command payload.

Parameters:

buff_addr (int) – Real address of communication buffer in target memory space.
buff_size (int) – Size of communication buffer in target memory space.

Raises:

SPSDKError – Invalid buffer parameters during validation.

Return type:

None

property status_string: str#

Get status in readable string format.

Converts the response status and indication codes into a human-readable string representation for easier debugging and logging purposes.

Returns:: Human-readable status string - “Succeeded” for success, “Failed: <indication>” for failures, or “Invalid status!” for unknown status codes.

validate()#

Validate the ELE message structure and content.

Performs validation checks on the message to ensure it meets the required format and contains valid data according to ELE protocol specifications.

Raises:: SPSDKError – Invalid message structure or content.
Return type:: None

validate_buffer_params()#

Validate communication buffer parameters.

Checks if the communication buffer has sufficient size to accommodate the ELE message response data or response words based on the message configuration.

Raises:: SPSDKValueError – Invalid buffer parameters - buffer too small for message.
Return type:: None

class spsdk.ele.ele_message.EleMessageCommit(info_to_commit)#

Bases: EleMessage

ELE Message Commit command handler.

This class implements the ELE commit message functionality for committing various types of information to the EdgeLock Enclave. It manages the creation of commit requests and processing of responses, including validation of which information was successfully committed.

Variables:

CMD – Command identifier for ELE commit request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command.
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response.

Initialize ELE message with information to commit.

Parameters:: info_to_commit (list[EleInfo2Commit]) – List of ELE information objects that need to be committed.

CMD = 168#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

decode_response(response)#

Decode response from target.

This method processes the response data and validates the commit mask against the expected information to commit. If there’s a mismatch, it logs a warning about which information was actually committed versus what was requested.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Response parsing detects an error.
Return type:: None

export()#

Export message to bytes array.

Converts the message object into its binary representation by combining the exported header with the info2commit_mask field.

Return type:: bytes
Returns:: Binary representation of the message object.

property info2commit_mask: int#

Get info to commit mask used in command.

This method iterates through all info_to_commit rules and combines their tags using bitwise OR operation to create a composite mask value.

Returns:: Combined bitmask of all info to commit rule tags.

mask_to_info2commit(mask)#

Get list of info to commit from mask.

Converts a bitmask into a list of EleInfo2Commit objects by checking each bit position and creating corresponding commit info objects.

Parameters:: mask (int) – Bitmask where each bit represents a specific info to commit.
Return type:: list[EleInfo2Commit]
Returns:: List of EleInfo2Commit objects corresponding to set bits in the mask.

class spsdk.ele.ele_message.EleMessageDeriveKey(key_size, context)#

Bases: EleMessage

ELE Message for cryptographic key derivation operations.

This class implements the ELE (EdgeLock Enclave) message protocol for deriving cryptographic keys with optional context-based diversification. It handles the communication with the ELE subsystem to generate derived keys of specified sizes using user-provided context data.

Variables:

CMD – ELE derive key request command identifier.
SUPPORTED_KEY_SIZES – List of supported output key sizes in bytes.
MAX_RESPONSE_DATA_SIZE – Maximum size of response data from ELE.

Initialize ELE message for key derivation.

Sets up the message with specified key size and optional context for key diversification. Validates that key size is supported and context length is within limits.

Parameters:

key_size (int) – Output key size in bytes, must be 16 or 32
context (Optional[bytes]) – Optional user context bytes for key diversification

Raises:

SPSDKValueError – If key size is not supported or context is too long

CMD = 169#

COMMAND_PAYLOAD_WORDS_COUNT = 6#

MAX_RESPONSE_DATA_SIZE = 32#

SUPPORTED_KEY_SIZES = [16, 32]#

property command_data: bytes#

Get command data to be loaded into target memory space.

Returns the context data if available, otherwise returns empty bytes.

Returns:: Command data as bytes, or empty bytes if no context is available.

decode_response_data(response_data)#

Decode response data from target and extract derived key.

The response data are specific per command. This method extracts the derived key from the beginning of the response data based on the configured key size.

Parameters:: response_data (bytes) – Raw response data bytes from the target device.
Raises:: IndexError – If response_data is shorter than the expected key_size.
Return type:: None

export()#

Export message to final bytes array.

The method serializes the message object into a binary format by packing the payload data, combining it with the header, and appending a CRC checksum.

Return type:: bytes
Returns:: Bytes representation of the complete message including header, payload, and CRC.

get_key()#

Get derived key.

Return type:: bytes
Returns:: The derived cryptographic key as bytes.

class spsdk.ele.ele_message.EleMessageDumpDebugBuffer#

Bases: EleMessage

ELE Message for dumping EdgeLock Secure Enclave debug buffer.

This class handles retrieval of debug logs from the EdgeLock Secure Enclave’s internal logging mechanism. Logs are transmitted over MU interface with a maximum of 20 logs per exchange. Multiple calls may be required to retrieve all logs when the ELE buffer contains more than 20 entries.

Variables:

CMD – Command identifier for debug buffer dump request.
RESPONSE_PAYLOAD_WORDS_COUNT – Maximum response length in words.
ELE_DEBUG_LOG_MAX_RSP_LENGTH – Maximum response length constant.

Initialize ELE message object.

Initializes the ELE (EdgeLock Enclave) message with empty debug words list, zero log count, and sets the more logs flag to False.

CMD = 33#

ELE_DEBUG_LOG_MAX_RSP_LENGTH = 23#

RESPONSE_PAYLOAD_WORDS_COUNT = 21#

decode_response(response)#

Decode response from target containing debug log data.

This method parses the ELE debug log response, extracting debug words and handling CRC verification when present. It determines if more logs are available and validates the message integrity.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – When response parsing fails or CRC verification fails.
Return type:: None

get_debug_logs()#

Get the debug log words.

Return type:: list[int]
Returns:: List of debug log words.

get_log_count()#

Get the number of logs in current response.

Return type:: int
Returns:: Number of logs.

has_more_logs_available()#

Check if more logs are available to fetch.

Return type:: bool
Returns:: True if more logs are available, False otherwise.

response_info()#

Get formatted debug buffer information in STEC team format.

Formats the debug buffer data into a human-readable string following the STEC team format specification. The logs are displayed in pairs with hexadecimal formatting, and includes metadata about log count and availability of additional logs.

Return type:: str
Returns:: Formatted string containing debug log information, log count, and availability status.

class spsdk.ele.ele_message.EleMessageEleFwAuthenticate(ele_fw_address)#

Bases: EleMessage

ELE firmware authentication request message.

This class represents a message used to request authentication of ELE (EdgeLock Enclave) firmware. It handles the communication protocol for authenticating firmware loaded at a specific memory address in the target device.

Variables:

CMD – Message command identifier for ELE firmware authentication request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command message.

Initialize ELE message with firmware address.

Be aware to have ELE FW in accessible memory for ROM, and do not use the RAM memory used to communicate with ELE.

Parameters:: ele_fw_address (int) – Address in target memory with ELE firmware.

CMD = 2#

COMMAND_PAYLOAD_WORDS_COUNT = 3#

export()#

Export message to final bytes array.

The method serializes the message object into a binary format by combining the exported header with packed firmware address data.

Return type:: bytes
Returns:: Bytes representation of message object.

class spsdk.ele.ele_message.EleMessageEnableApc#

Bases: EleMessage

ELE Message for enabling Application Processing Core (APC).

This message class handles the ELE command to enable the Application Processing Core, which is responsible for managing application-level operations in the secure element.

Variables:: CMD – Command identifier for the ELE enable APC request.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 210#

class spsdk.ele.ele_message.EleMessageEnableRtc#

Bases: EleMessage

ELE message for enabling Real Time Core functionality.

This class represents a command message used to enable the Real Time Core (RTC) in EdgeLock Enclave operations, providing access to real-time processing capabilities.

Variables:: CMD – Command identifier for the ELE enable RTC request.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 211#

class spsdk.ele.ele_message.EleMessageForwardLifeCycleUpdate(lifecycle_update)#

Bases: EleMessage

ELE message for forwarding life cycle update requests.

This class represents a message used to request a life cycle state transition in the EdgeLock Enclave. The operation is non-revertible and changes the device’s security state permanently.

Variables:

CMD – Command identifier for life cycle update requests.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the message.

Initialize lifecycle update message.

Be aware that this is non-revertible operation.

Parameters:: lifecycle_update (LifeCycleToSwitch) – New life cycle value to switch to.

CMD = 149#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

export()#

Export message to bytes array representation.

Converts the message object into its binary format by combining the header and lifecycle update data with proper padding.

Return type:: bytes
Returns:: Binary representation of the complete message.

class spsdk.ele.ele_message.EleMessageGenerateKeyBLobOtfad(key_identifier, key, aes_counter, start_address, end_address, read_only=True, decryption_enabled=True, configuration_valid=True)#

Bases: EleMessageGenerateKeyBlob

ELE Message Generate OTFAD KeyBlob.

This class handles generation of OTFAD (On-The-Fly AES Decryption) keyblobs for ELE (EdgeLock Enclave) operations. It manages OTFAD-specific parameters including memory address ranges, AES counter values, and decryption configuration flags.

Variables:

KEYBLOB_NAME – Name identifier for OTFAD keyblob type.
SUPPORTED_ALGORITHMS – Dictionary of supported encryption algorithms and key sizes.

Initialize OTFAD keyblob for on-the-fly AES decryption configuration.

Creates a keyblob instance for OTFAD (On-The-Fly AES Decryption) with specified encryption parameters and memory region configuration.

Parameters:

key_identifier (int) – Unique identifier for the encryption key
key (bytes) – AES encryption key bytes for OTFAD operations
aes_counter (bytes) – Initial counter value for AES-CTR mode encryption
start_address (int) – Starting memory address for the encrypted region
end_address (int) – Ending memory address for the encrypted region
read_only (bool) – Enable read-only access protection, defaults to True
decryption_enabled (bool) – Enable automatic decryption, defaults to True
configuration_valid (bool) – Mark configuration as valid, defaults to True

KEYBLOB_NAME = 'OTFAD'#

SUPPORTED_ALGORITHMS: dict[SpsdkEnum, list[int]] = {KeyBlobEncryptionAlgorithm(tag=4, label='AES_CTR', description='KeyBlob encryption algorithm AES CTR'): [128]}#

property command_data: bytes#

Get command data to be loaded into target memory space.

Constructs the complete OTFAD keyblob command data by combining header, options, OTFAD configuration, and CRC checksum. The method packs all configuration parameters including encryption settings, memory addresses, and security flags into a binary format suitable for target loading.

Returns:: Complete binary command data ready for target memory loading.

info()#

Get formatted information string including live configuration data.

Returns a multi-line string containing AES counter, memory addresses, and status flags for the ELE message configuration.

Return type:: str
Returns:: Formatted string with message configuration details.

validate()#

Validate OTFAD keyblob parameters.

Performs comprehensive validation of all OTFAD keyblob parameters including key identifier structure, AES counter length, and address alignment requirements.

Raises:

SPSDKValueError – Invalid key identifier structure (struct index not 0-3).
SPSDKValueError – Invalid key identifier peripheral index (not 1-2 for FlexSPIx).
SPSDKValueError – Invalid key identifier reserved bytes (must be 0).
SPSDKValueError – Invalid AES counter length (must be 64 bits).
SPSDKValueError – Invalid start address alignment (must be 1024-byte aligned).
SPSDKValueError – Invalid end address alignment (must be 1024-byte aligned).

Return type:

None

class spsdk.ele.ele_message.EleMessageGenerateKeyBlob(key_identifier, algorithm, key)#

Bases: EleMessage

ELE Message for generating encrypted key blobs.

This class handles the creation and processing of ELE (EdgeLock Enclave) messages that generate encrypted key blobs from raw cryptographic keys. It supports various encryption algorithms and manages the complete workflow from key input to encrypted blob output.

Variables:

KEYBLOB_NAME – Human-readable name for the key blob type.
SUPPORTED_ALGORITHMS – Dictionary mapping algorithms to supported key sizes.
KEYBLOB_TAG – Tag identifier for the key blob format.
KEYBLOB_VERSION – Version of the key blob format.
MAX_RESPONSE_DATA_SIZE – Maximum size of response data in bytes.

Initialize Generate Key Blob message.

Creates a new instance for generating a key blob with specified encryption algorithm.

Parameters:

key_identifier (int) – Unique identifier for the key to be wrapped.
algorithm (KeyBlobEncryptionAlgorithm) – Encryption algorithm to use for key blob generation.
key (bytes) – Raw key data that will be wrapped into the key blob.

CMD = 175#

COMMAND_PAYLOAD_WORDS_COUNT = 7#

KEYBLOB_NAME = 'Unknown'#

KEYBLOB_TAG = 129#

KEYBLOB_VERSION = 0#

MAX_RESPONSE_DATA_SIZE = 512#

SUPPORTED_ALGORITHMS: dict[SpsdkEnum, list[int]] = {}#

decode_response_data(response_data)#

Decode response data from target and extract key blob.

The method parses the response data structure, validates the header fields (version, length, tag) and extracts the key blob. The response data format is command-specific.

Parameters:: response_data (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid tag, version, or length in response.
Return type:: None

export()#

Export message to final bytes array.

Converts the message object into its binary representation by packing the header, payload data, and CRC checksum into a bytes array suitable for transmission.

Return type:: bytes
Returns:: Complete binary representation of the message including header, payload, and CRC.

classmethod get_supported_algorithms()#

Get the list of supported algorithms.

Return type:: list[str]
Returns:: List of supported algorithm names.

classmethod get_supported_key_sizes()#

Get table with supported key sizes per algorithm.

The method iterates through all supported algorithms and formats their key sizes into a human-readable string representation.

Return type:: str
Returns:: Formatted string containing algorithm labels and their supported key sizes.

info()#

Get formatted information about the key blob message.

The method returns a comprehensive string containing details about the key blob including its type, key ID, algorithm, and key size in bits.

Return type:: str
Returns:: Formatted string with key blob information including type, ID, algorithm, and key size.

validate()#

Validate keyblob message data.

Validates that the algorithm is supported and the key size is compatible with the selected algorithm for the keyblob generation.

Raises:: SPSDKValueError – Invalid used key size or encryption algorithm.
Return type:: None

class spsdk.ele.ele_message.EleMessageGenerateKeyBlobDek(key_identifier, algorithm, key)#

Bases: EleMessageGenerateKeyBlob

ELE Message for generating DEK (Data Encryption Key) KeyBlob.

This class handles the creation of ELE messages specifically for generating DEK KeyBlobs, which are used for data encryption operations. It supports AES-CBC and SM4-CBC encryption algorithms with various key sizes.

Variables:

KEYBLOB_NAME – Identifier for DEK keyblob type.
SUPPORTED_ALGORITHMS – Dictionary mapping encryption algorithms to supported key sizes.

Initialize Generate Key Blob message.

Creates a new instance for generating a key blob with specified encryption algorithm.

Parameters:

key_identifier (int) – Unique identifier for the key to be wrapped.
algorithm (KeyBlobEncryptionAlgorithm) – Encryption algorithm to use for key blob generation.
key (bytes) – Raw key data that will be wrapped into the key blob.

KEYBLOB_NAME = 'DEK'#

SUPPORTED_ALGORITHMS: dict[SpsdkEnum, list[int]] = {KeyBlobEncryptionAlgorithm(tag=3, label='AES_CBC', description='KeyBlob encryption algorithm AES CBC'): [128, 192, 256], KeyBlobEncryptionAlgorithm(tag=43, label='SM4_CBC', description='KeyBlob encryption algorithm SM4 CBC'): [128]}#

property command_data: bytes#

Generate command data to be loaded into target memory space.

Creates a binary data structure containing the keyblob header, options, and key data formatted for ELE (EdgeLock Enclave) command processing.

Returns:: Binary command data ready for target memory loading.

class spsdk.ele.ele_message.EleMessageGenerateKeyBlobIee(key_identifier, algorithm, key, ctr_mode, aes_counter, page_offset, region_number, bypass=False, locked=False)#

Bases: EleMessageGenerateKeyBlob

ELE Message for generating IEE (Inline Encryption Engine) KeyBlob.

This class handles the creation of IEE-specific keyblobs for secure data encryption in NXP MCUs. It supports AES-XTS and AES-CTR encryption algorithms with various key sizes and provides configuration for IEE-specific parameters like page offset, region number, and CTR modes.

Variables:

KEYBLOB_NAME – Identifier name for IEE keyblob type.
SUPPORTED_ALGORITHMS – Dictionary mapping supported encryption algorithms to their valid key sizes.

Initialize IEE keyblob generator.

Creates an instance for generating IEE (Inline Encryption Engine) keyblobs with specified encryption parameters and region configuration.

Parameters:

key_identifier (int) – Unique identifier for the encryption key
algorithm (KeyBlobEncryptionAlgorithm) – Encryption algorithm to be used for keyblob generation
key (bytes) – Raw IEE encryption key bytes
ctr_mode (KeyBlobEncryptionIeeCtrModes) – Counter mode configuration for AES CTR algorithm
aes_counter (bytes) – Initial counter value for AES CTR mode encryption
page_offset (int) – Memory page offset for IEE region configuration
region_number (int) – Target region number for IEE configuration
bypass (bool) – Enable encryption bypass mode, defaults to False
locked (bool) – Lock the keyblob configuration, defaults to False

KEYBLOB_NAME = 'IEE'#

SUPPORTED_ALGORITHMS: dict[SpsdkEnum, list[int]] = {KeyBlobEncryptionAlgorithm(tag=4, label='AES_CTR', description='KeyBlob encryption algorithm AES CTR'): [128, 256], KeyBlobEncryptionAlgorithm(tag=55, label='AES_XTS', description='KeyBlob encryption algorithm AES XTS'): [256, 512]}#

property command_data: bytes#

Generate command data to be loaded into target memory space.

Creates a binary representation of the keyblob command including header, options, IEE configuration, and CRC checksum. The data is formatted according to the target device’s memory layout requirements.

Returns:: Binary command data ready for target memory loading.

info()#

Get formatted information about the key blob encryption message.

Provides detailed information about the encryption algorithm, keys, counters, and configuration parameters. The output includes live data with proper formatting for debugging and verification purposes.

Return type:: str
Returns:: Formatted string containing message details including algorithm type, keys, counters, page offset, region number, bypass and lock status.

class spsdk.ele.ele_message.EleMessageGetEvents#

Bases: EleMessage

ELE message for retrieving system events from EdgeLock Enclave.

This class handles requests to get singular events that have occurred since the firmware started. Events include command failures and successful commands with indications (warnings). The EdgeLock Enclave stores events in a fixed-size buffer, and when capacity is exceeded, new events are lost. The complete event buffer is always returned regardless of actual event count. Event layout: ————————- - TAG - CMD - IND - STS - ————————-

Variables:

CMD – Command identifier for get events request.
RESPONSE_PAYLOAD_WORDS_COUNT – Expected response payload size in words.
MAX_EVENT_CNT – Maximum number of events that can be stored.

Initialize ELE message for retrieving singular events.

This message is used to retrieve any singular event that has occurred since the FW has started. A singular event occurs when the second word of a response to any request is different from ELE_SUCCESS_IND. That includes commands with failure response as well as commands with successful response containing an indication (i.e. warning response). The events are stored by the ELE in a fixed sized buffer. When the capacity of the buffer is exceeded, new occurring events are lost. The event buffer is systematically returned in full to the requester independently of the actual numbers of events stored.

CMD = 162#

MAX_EVENT_CNT = 8#

RESPONSE_PAYLOAD_WORDS_COUNT = 10#

decode_response(response)#

Decode response from target device.

Parses the response data to extract event count, maximum events, individual events, and validates the CRC checksum. Logs errors if maximum event count doesn’t match expected value or if CRC validation fails.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Response parsing detects an error or invalid data format.
Return type:: None

static get_cmd(event)#

Get Command in string from event.

Extracts the command field from an event value and returns its string description.

Parameters:: event (int) – Event value containing command information in bits 16-23.
Return type:: str
Returns:: String description of the command or empty string if not found.

static get_ind(event)#

Get indication string from event value.

Extracts the indication bits from the event value and converts them to a human-readable string description.

Parameters:: event (int) – Event value containing indication bits in bits 8-15.
Return type:: str
Returns:: String description of the indication or empty string if not found.

static get_ipc_id(event)#

Get IPC ID in string from event.

Extracts the IPC (Inter-Processor Communication) ID from the event value by shifting and masking bits, then converts it to a human-readable string description.

Parameters:: event (int) – Event value containing the IPC ID in bits 24-31.
Return type:: str
Returns:: String description of the IPC ID or empty string if not found.

static get_sts(event)#

Get status string representation from event code.

Extracts the status code from the lower 8 bits of the event and converts it to a human-readable string description.

Parameters:: event (int) – Event code containing status information in lower 8 bits.
Return type:: str
Returns:: String description of the status code, or empty string if conversion fails.

response_info()#

Get formatted string with events information.

Formats and returns a string containing detailed information about all events, including event count, IPC ID, command, indication, and status for each event. If the event count exceeds the maximum supported limit, only the first events up to the limit are displayed with a warning message.

Return type:: str
Returns:: Formatted string with events information.

class spsdk.ele.ele_message.EleMessageGetFwStatus#

Bases: EleMessage

ELE Message for retrieving EdgeLock Enclave firmware status.

This class implements the GET_FW_STATUS_REQ message command to query and decode the current firmware status of the EdgeLock Enclave security subsystem.

Variables:

CMD – Message command identifier for firmware status request.
RESPONSE_PAYLOAD_WORDS_COUNT – Expected response payload size in words.

Initialize ELE message object.

Sets up the ELE message with default firmware status indicating that ELE firmware is not in place.

CMD = 197#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

decode_response(response)#

Decode response from target.

The method parses the response bytes and extracts the ELE firmware status from the response data using little-endian byte order.

Parameters:: response (bytes) – Raw response data bytes received from the target device.
Raises:: SPSDKParsingError – Response parsing detects an error in the data format.
Return type:: None

response_info()#

Get EdgeLock Enclave firmware status information.

Returns a formatted string containing the current firmware state of the EdgeLock Enclave, providing human-readable status information for debugging and monitoring purposes.

Return type:: str
Returns:: Formatted string with ELE firmware status information.

class spsdk.ele.ele_message.EleMessageGetFwVersion#

Bases: EleMessage

ELE Message for retrieving EdgeLock Enclave firmware version information.

This class handles communication with the EdgeLock Enclave to request and process firmware version data, including version numbers and commit SHA1 information.

Variables:

CMD – Command identifier for firmware version request.
RESPONSE_PAYLOAD_WORDS_COUNT – Expected response payload size in words.

Initialize ELE message object.

Sets up the ELE message instance with default firmware version attributes initialized to zero.

CMD = 157#

RESPONSE_PAYLOAD_WORDS_COUNT = 2#

decode_response(response)#

Decode response from target.

Parses the response bytes to extract ELE firmware version information including the raw version and SHA1 hash values.

Parameters:: response (bytes) – Response data bytes from the target device.
Raises:: SPSDKParsingError – Response parsing detected an error.
Return type:: None

response_info()#

Get EdgeLock Enclave firmware version information.

Formats the ELE firmware version data into a human-readable string containing the firmware version in both raw hexadecimal and readable format, commit SHA1, and build status information.

Return type:: str
Returns:: Formatted string with ELE firmware version details.

class spsdk.ele.ele_message.EleMessageGetInfo#

Bases: EleMessage

ELE Message for retrieving device information.

This class implements the GET_INFO command for EdgeLock Enclave (ELE) communication, allowing retrieval of comprehensive device information including SoC details, lifecycle state, security configuration, and cryptographic hashes.

Variables:

CMD – Command identifier for GET_INFO request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command.
MAX_RESPONSE_DATA_SIZE – Maximum size of response data in bytes.

Initialize ELE message object with default values.

Sets up all information fields to their default states including version info, SOC details, lifecycle state, security subsystem state, attestation version, UUID, hash values, and various state indicators.

AVAILABLE_ATTRIBUTES = ('cmd', 'version', 'length', 'soc_id', 'soc_rev', 'life_cycle', 'sssm_state', 'attest_api_version', 'uuid', 'sha256_rom_patch', 'sha256_fw', 'oem_srkh', 'imem_state', 'csal_state', 'trng_state', 'oem_pqc_srkh')#

CMD = 218#

COMMAND_PAYLOAD_WORDS_COUNT = 3#

MAX_RESPONSE_DATA_SIZE = 256#

decode_response_data(response_data)#

Decode response data from target and populate info attributes.

Parses the binary response data according to ELE message format and extracts various system information fields including SoC details, lifecycle state, cryptographic hashes, and security states.

Parameters:: response_data (bytes) – Binary response data from ELE target device.
Raises:: struct.error – If response_data is too short or malformed.
Return type:: None

export()#

Export message to bytes array.

Converts the message object into its binary representation by packing the payload data and combining it with the exported header.

Return type:: bytes
Returns:: Binary representation of the message object.

get_attribute(attribute_name)#

Get specific attribute value by name.

Retrieves and formats a specific attribute from the ELE info response. Returns None if the attribute doesn’t exist or is not available.

Parameters:: attribute_name (str) – Name of the attribute to retrieve
Return type:: Optional[str]
Returns:: Formatted string value of the attribute, or None if not found
Raises:: SPSDKValueError – If attribute name is not valid

classmethod get_available_attributes()#

Get list of available attribute names.

Return type:: tuple
Returns:: List of attribute names that can be retrieved

response_info()#

Get formatted ELE response information.

Formats and returns comprehensive information about the ELE (EdgeLock Enclave) including command details, version, SoC information, life cycle state, security states, and cryptographic hashes in a human-readable string format.

Return type:: str
Returns:: Formatted string containing detailed ELE information including command, version, SoC details, life cycle, security states, and hashes.

class spsdk.ele.ele_message.EleMessageGetTrngState#

Bases: EleMessage

ELE Message for retrieving True Random Number Generator state.

This class handles communication with EdgeLock Enclave to query the current state of both the TRNG (True Random Number Generator) and CSAL (Cryptographic Secure Application Library) components. It decodes the response to provide readable state information for both random number generation subsystems.

Variables:

CMD – Command identifier for TRNG state request.
RESPONSE_PAYLOAD_WORDS_COUNT – Expected response payload size in words.

Initialize ELE message object.

Sets up the ELE message with default TRNG state set to ELE_TRNG_PROGRAM and CSAL state set to ELE_CSAL_NOT_READY.

CMD = 164#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

decode_response(response)#

Decode response from target.

This method parses the response bytes and extracts ELE TRNG state and CSAL state from the last 4 bytes of the response data.

Parameters:: response (bytes) – Raw response data bytes received from the target device.
Raises:: SPSDKParsingError – Response parsing detected an error or invalid format.
Return type:: None

response_info()#

Get EdgeLock Enclave response information.

Returns formatted string containing the current state of EdgeLock Enclave TRNG and EdgeLock Secure Enclave RNG components.

Return type:: str
Returns:: Formatted string with TRNG and RNG state information.

class spsdk.ele.ele_message.EleMessageKeyStoreClose(key_store_handle)#

Bases: EleMessage

ELE Message Key Store Close.

EdgeLock Enclave message for closing a key store service flow identified by its handle. This command deletes the key store context and content from the EdgeLock Secure Enclave internal memory, with any updates not written to NVM being lost. The command can only be called after having opened a valid key store service.

Variables:

CMD – Message command identifier for key store close request.
VERSION – HSM API version (0x07).
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command (1).
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response (0).

Initialize key store service close message.

Parameters:: key_store_handle (int) – Handle identifying the key store service flow to close

CMD = 49#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

RESPONSE_PAYLOAD_WORDS_COUNT = 0#

VERSION = 7#

decode_response(response)#

Decode response from target.

Parses and validates the response message header and extracts status information. The method verifies message tag, command, size, and version fields, then decodes the status word containing response indicator and abort code.

Parameters:: response (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid response format or header field mismatch.
Return type:: None

export()#

Export message to bytes array.

Converts the ELE message structure into a binary format suitable for transmission. The exported format includes a header with version, word count, command ID, and tag, followed by the payload containing the key store handle.

Return type:: bytes
Returns:: Binary representation of the ELE message.

info()#

Get formatted information about the key store close command.

Provides detailed information about the key store close operation including the key store handle and important warnings about data loss.

Return type:: str
Returns:: Formatted string containing command information and live data.

response_info()#

Get response information as formatted string.

Formats the key store close response information including status and handle details into a human-readable string representation.

Return type:: str
Returns:: Formatted string containing response status and key store handle information.

class spsdk.ele.ele_message.EleMessageKeyStoreOpen(session_handle, key_store_id, nonce, create_keystore=False, shared_keystore=False, monotonic_counter_increment=False, sync_operation=False)#

Bases: EleMessage

ELE Message Key Store Open.

ELE message for opening a key store service flow on NXP EdgeLock Enclave. Manages key store access with support for creation, loading, and configuration of shared or isolated key stores with up to 100 keys per store.

Variables:

CMD – Key store open command identifier (0x30).
FLAG_CREATE_KEYSTORE – Flag bit for creating new key store.
FLAG_SHARED_KEYSTORE – Flag bit for shared key store access.
FLAG_MONOTONIC_COUNTER_INCREMENT – Flag bit for monotonic counter increment.
FLAG_SYNC_OPERATION – Flag bit for synchronous NVM operations.

Initialize ELE message for key store operations.

Configures the message with session parameters, key store settings, and operation flags for creating or loading key stores with optional synchronization and counter increment.

Parameters:

session_handle (int) – Handle identifying the current session
key_store_id (int) – Key store identifier set by the user
nonce (int) – Nonce used as authentication proof for accessing the key store
create_keystore (bool) – True to create key store, False to load existing one
shared_keystore (bool) – True for shared keystore, False for regular (isolated) keystore
monotonic_counter_increment (bool) – True to increment monotonic counter (SYNC operation)
sync_operation (bool) – True for SYNC operation (request completed only when written to NVM)

CMD = 48#

COMMAND_PAYLOAD_WORDS_COUNT = 5#

FLAG_CREATE_KEYSTORE = 1#

FLAG_MONOTONIC_COUNTER_INCREMENT = 32#

FLAG_SHARED_KEYSTORE = 4#

FLAG_SYNC_OPERATION = 128#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

VERSION = 7#

decode_response(response)#

Decode response from target.

Parses and validates the response message header, extracts status information, and decodes the key store handle if present in the response data.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Invalid response format, tag, command, size or version.
Return type:: None

export()#

Export message to bytes representation.

Converts the ELE message object into its final binary format by packing the header and payload with proper CRC calculation for transmission.

Return type:: bytes
Returns:: Complete message as bytes array ready for transmission.

property flags: int#

Get flags byte from boolean parameters.

Converts the boolean flag parameters into a single integer value by applying bitwise OR operations with corresponding flag constants.

Returns:: Integer value representing combined flags from boolean parameters.

get_key_store_handle()#

Get the key store handle from successful response.

Return type:: int
Returns:: Key store handle, 0 if key store open failed.

info()#

Get information about the Key Store Open Command message.

The method provides comprehensive details about the key store operation including session handle, key store ID, nonce, operation type, and various configuration flags. If available, it also includes response information from the command execution.

Return type:: str
Returns:: Formatted string containing detailed information about the message including operation parameters and system limitations.

is_key_store_valid()#

Check if key store was successfully opened.

Return type:: bool
Returns:: True if key store handle is valid (non-zero), False otherwise.

response_info()#

Get key store open response information.

Formats and returns detailed information about the key store operation including the handle, operation status, and key store type.

Return type:: str
Returns:: Formatted string containing key store handle, operation status, and type information.

class spsdk.ele.ele_message.EleMessageLoadKeyBLob(key_identifier, keyblob)#

Bases: EleMessage

ELE Message for loading key blob operations.

This class implements the ELE (EdgeLock Enclave) message protocol for loading key blobs into the target device. It handles the packaging and export of key blob data along with key identifiers for secure provisioning operations.

Variables:

CMD – Command identifier for load key blob request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command.

Initialize Load Key Blob instance.

Creates a new Load Key Blob object with the specified key identifier and keyblob data. The constructor validates the provided parameters to ensure they meet the required format.

Parameters:

key_identifier (int) – Unique identifier for the key to be loaded
keyblob (bytes) – Binary data containing the encrypted key material to be wrapped

Raises:

SPSDKError – Invalid key identifier or keyblob format

CMD = 167#

COMMAND_PAYLOAD_WORDS_COUNT = 3#

property command_data: bytes#

Get command data to be loaded into target memory space.

Returns:: The keyblob data as bytes.

export()#

Export message to final bytes array.

The method serializes the message object into a binary format by packing the key ID, padding, and command data address into the payload, then combining it with the exported header.

Return type:: bytes
Returns:: Bytes representation of message object.

info()#

Get information about the message including live data.

The method provides detailed information about the message, including the key ID and keyblob size in addition to the base message information.

Return type:: str
Returns:: Formatted string containing message information with key ID and keyblob size.

class spsdk.ele.ele_message.EleMessageOemContainerAuthenticate(oem_cntn_addr)#

Bases: EleMessage

ELE message for OEM container authentication request.

This class represents a message used to request authentication of an OEM container in the EdgeLock Enclave (ELE) system. It handles the formatting and export of authentication requests with the specified container address.

Variables:

CMD – Command identifier for OEM container authentication request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command.

Initialize OEM container message with target memory address.

Be aware to have OEM Container in accessible memory for ROM.

Parameters:: oem_cntn_addr (int) – Address in target memory with OEM container.

CMD = 135#

COMMAND_PAYLOAD_WORDS_COUNT = 2#

export()#

Export message to final bytes array.

The method combines the header export with packed OEM container address to create the complete message representation.

Return type:: bytes
Returns:: Bytes representation of message object.

class spsdk.ele.ele_message.EleMessagePing#

Bases: EleMessage

ELE Message Ping command implementation.

This class represents a ping message used to test communication with the EdgeLock Enclave (ELE). The ping command is typically used for connectivity verification and basic health checks.

Variables:: CMD – Command identifier for ping request message.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 1#

class spsdk.ele.ele_message.EleMessagePublicKeyExport(key_store_handle, key_id, output_buffer_size=64)#

Bases: EleMessage

ELE Message for Public Key Export operations.

This class handles the export of public keys from asymmetric key pairs stored in the EdgeLock Secure Enclave key store. The public key is re-calculated from the stored private key since public keys are not stored by default in the key storage. For ECC keys, the public key is exported in non-compressed form {x, y} in big-endian order. For RSA keys, only the modulus is exported as the public exponent uses the default value (65,537). ECC Montgomery keys are exported in big-endian format per EdgeLock Secure Enclave specifications. Requires an active key store service session before use.

Variables:

CMD – Public key export command identifier (0x32)
MAX_RESPONSE_DATA_SIZE – Maximum size limit for exported public key data

Initialize ELE message for retrieving public key from key store.

Parameters:

key_store_handle (int) – Handle identifying the key store service flow
key_id (int) – ID of the asymmetric key stored in the key store
output_buffer_size (int) – Length in bytes of the output public key buffer

CMD = 50#

COMMAND_PAYLOAD_WORDS_COUNT = 6#

MAX_RESPONSE_DATA_SIZE = 1024#

RESPONSE_PAYLOAD_WORDS_COUNT = 2#

VERSION = 7#

decode_response(response)#

Decode response from target device.

Parses and validates the response message header, extracts status information, and decodes the output public key size from the response data.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Invalid response format, tag, command, size, or version.
Return type:: None

decode_response_data(response_data)#

Decode response data from target.

The method extracts the public key from the response data based on the configured output public key size. If no public key size is specified, an empty key is set.

Parameters:: response_data (bytes) – Raw response data bytes received from target.
Return type:: None

export()#

Export message to bytes representation.

Converts the ELE message object into its final binary format by packing the header, payload, and CRC into a bytes array ready for transmission.

Return type:: bytes
Returns:: Complete message as bytes including header, payload and CRC.

get_public_key()#

Get the exported public key.

Return type:: bytes
Returns:: Public key bytes, empty if export failed.

get_public_key_size()#

Get the size of exported public key.

Return type:: int
Returns:: Size in bytes of exported public key.

info()#

Get information about the Public Key Export Command message.

Provides detailed information about the command including key store handle, key ID, output buffer size, and operational details. If response data is available, includes response information as well.

Return type:: str
Returns:: Formatted string containing comprehensive message information.

response_info()#

Get formatted information about public key export response.

Provides detailed information about the exported public key including key store handle, key ID, size, and the actual key data with format specifications for different key types.

Return type:: str
Returns:: Formatted string containing comprehensive public key export information.

class spsdk.ele.ele_message.EleMessageReadCommonFuse(index)#

Bases: EleMessage

ELE Message for reading common fuse values.

This class implements the ELE (EdgeLock Enclave) message protocol for reading common fuse data from the target device. It handles the command formatting, response parsing, and provides access to the retrieved fuse value.

Variables:

CMD – Command identifier for read common fuse operation.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command.
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response.

Initialize ELE message for reading common fuse.

Creates a new instance to read a specific fuse by its index identifier.

Parameters:: index (int) – Fuse identifier to read.

CMD = 151#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

decode_response(response)#

Decode response from target and extract fuse value.

The method parses the response bytes and extracts the fuse value from bytes 8-12 using little-endian byte order.

Parameters:: response (bytes) – Response data bytes from the target device.
Raises:: SPSDKParsingError – Response parsing detected an error.
Return type:: None

export()#

Export message to bytes array representation.

The method serializes the message object into a binary format by combining the exported header with the message index and padding.

Return type:: bytes
Returns:: Binary representation of the message object.

response_info()#

Get response information for fuse read operation.

Formats the fuse ID and its value into a human-readable string representation for display purposes.

Return type:: str
Returns:: Formatted string containing fuse ID and value in hexadecimal format.

class spsdk.ele.ele_message.EleMessageReadShadowFuse(index)#

Bases: EleMessageReadCommonFuse

ELE Message for reading shadow fuse values.

This class represents an ELE (EdgeLock Enclave) message specifically designed for reading shadow fuse data from the device. Shadow fuses are temporary storage locations that mirror the actual fuse values.

Variables:: CMD – Message command identifier for shadow fuse read operations.

Initialize ELE message for reading common fuse.

Creates a new instance to read a specific fuse by its index identifier.

Parameters:: index (int) – Fuse identifier to read.

CMD = 243#

export()#

Export message to bytes array.

Converts the message object into its binary representation by combining the exported header with the packed index value.

Return type:: bytes
Returns:: Binary representation of the message object.

class spsdk.ele.ele_message.EleMessageReleaseContainer#

Bases: EleMessage

ELE Message for releasing a container.

This class represents an ELE (EdgeLock Enclave) message used to release a previously loaded container from the secure enclave memory.

Variables:: CMD – Command identifier for the release container request.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 137#

class spsdk.ele.ele_message.EleMessageReset#

Bases: EleMessage

ELE Message Reset command handler.

This class implements the ELE (EdgeLock Enclave) reset message functionality, providing the ability to send reset requests to the ELE subsystem.

Variables:

CMD – Command identifier for reset request operations.
RESPONSE_HEADER_WORDS_COUNT – Number of header words in reset response.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 199#

RESPONSE_HEADER_WORDS_COUNT = 0#

class spsdk.ele.ele_message.EleMessageResetApcContext#

Bases: EleMessage

ELE Message for resetting APC (Application Processing Core) context.

This message requests the ELE (EdgeLock Enclave) to reset the APC context, which clears the current application processing state and reinitializes the core context for fresh operation.

Variables:: CMD – Message command identifier for APC context reset request.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 216#

class spsdk.ele.ele_message.EleMessageSabInit#

Bases: EleMessage

ELE Message SAB Init.

SAB Init command is used to initialize the EdgeLock Secure Enclave Firmware HSM services. It must be called once, at boot, by any core. SAB Init command must be called before any other ones that use a SAB session. SAB Init command can be called multiple times, even if not recommended. EdgeLock Secure Enclave Firmware will do nothing and respond a success if the initialization is already done.

Variables:

CMD – SAB Init command ID (0x17).
VERSION – Version for HSM API (0x07).

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 23#

COMMAND_PAYLOAD_WORDS_COUNT = 0#

RESPONSE_PAYLOAD_WORDS_COUNT = 0#

VERSION = 7#

decode_response(response)#

Decode response from target.

Parameters:: response (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid response format or field values detected.
Return type:: None

export()#

Export message to bytes representation.

Converts the message object to its final bytes array format by overriding the header with HSM API version and correct word size.

Return type:: bytes
Returns:: Bytes representation of message object.

info()#

Get information about SAB Init Command including live data.

Returns detailed information about the SAB Init Command which initializes EdgeLock Secure Enclave Firmware HSM services. This command must be called once at boot by any core and before any other SAB session commands.

Return type:: str
Returns:: Formatted string containing information about the SAB Init Command.

class spsdk.ele.ele_message.EleMessageSessionClose(session_handle)#

Bases: EleMessage

ELE Message Session Close.

Session close command is used to close an opened session. Any data related to the session, including other services flow contexts, will be deleted. User can call this function only after having opened a valid session (see Session open (0x10)). Session close command will close any associated services to the session as well.

Variables:

CMD – Session close command ID (0x11).
VERSION – Version for HSM API (0x07).
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command (1).
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response (0).

Initialize ELE message for session closure.

Parameters:: session_handle (int) – Session handle to close. Handle value returned by Session open (0x10).

CMD = 17#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

RESPONSE_PAYLOAD_WORDS_COUNT = 0#

VERSION = 7#

decode_response(response)#

Decode response from target.

Parameters:: response (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid response format or field values detected.
Return type:: None

export()#

Export message to final bytes array.

The method overrides the header to use HSM API version and adds session handle to create the complete message payload.

Return type:: bytes
Returns:: Bytes representation of message object.

info()#

Get session close command information including live data.

Provides detailed information about the session close command, including the session handle and operational constraints.

Return type:: str
Returns:: Formatted string containing session close command information.

class spsdk.ele.ele_message.EleMessageSessionOpen#

Bases: EleMessage

ELE Message Session Open.

Session open command is used to initialize the EdgeLock Secure Enclave HSM services for the requestor. It establishes a route between the user and the EdgeLock Secure Enclave as well as a quality of service. A maximum of 20 sessions can be opened at the same time. Session open command must be called before any other APIs that use a session.

Variables:

CMD – Session open command ID (0x10).
VERSION – Version for HSM API (0x07).
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command (2).
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response (1).

Initialize ELE message object.

Initializes the ELE message instance with default values including session handle set to 0.

CMD = 16#

COMMAND_PAYLOAD_WORDS_COUNT = 2#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

VERSION = 7#

decode_response(response)#

Decode response from target.

Parses and validates the response message header, extracts status information, and updates the message object with decoded values including status, indication, abort code, and session handle.

Parameters:: response (bytes) – Raw response data bytes from target device.
Raises:: SPSDKParsingError – Invalid response format, tag, command, size or version.
Return type:: None

export()#

Export message to final bytes array.

The method overrides the header to use HSM API version and adds two reserved words set to zero to create the complete message payload.

Return type:: bytes
Returns:: Bytes representation of message object.

get_session_handle()#

Get the session handle from successful response.

Return type:: int
Returns:: Session handle, 0 if session open failed.

info()#

Get information about the session open command including live data.

Provides detailed information about the EdgeLock Secure Enclave session open command, including its purpose, limitations, and current session state if available.

Return type:: str
Returns:: Formatted string containing comprehensive information about the session open command and its current state.

is_session_valid()#

Check if session was successfully opened.

Return type:: bool
Returns:: True if session handle is valid (non-zero), False otherwise.

response_info()#

Get session open response information.

Formats and returns detailed information about the session handle status, including whether the session was successfully opened or failed.

Return type:: str
Returns:: Formatted string containing session handle and status information.

class spsdk.ele.ele_message.EleMessageSigned(signed_msg, family)#

Bases: EleMessage

ELE Message for signed message containers.

This class handles ELE (EdgeLock Enclave) messages that contain signed message containers, providing functionality to parse, validate, and export signed messages for secure communication with the ELE subsystem.

Variables:: COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command.

Initialize ELE message object from signed message data.

Parses and validates the provided signed message container, extracting the command and storing the binary data for further processing.

Parameters:

signed_msg (bytes) – Binary data containing the signed message container
family (FamilyRevision) – Chip family revision information for message parsing

Raises:

SPSDKValueError – Invalid or malformed signed message container

COMMAND_PAYLOAD_WORDS_COUNT = 2#

property command_data: bytes#

Get command data to be loaded into target memory space.

Returns:: Binary data of the signed message ready for loading into target memory.

export()#

Export message to bytes array.

Converts the message object into its binary representation by combining the exported header with a payload containing command data address.

Return type:: bytes
Returns:: Binary representation of the message object.

info()#

Get information including live data about the message.

The method retrieves basic message information from the parent class and appends detailed image information from the signed message component.

Return type:: str
Returns:: Formatted string containing comprehensive message information.

class spsdk.ele.ele_message.EleMessageStartTrng#

Bases: EleMessage

ELE Message for starting the True Random Number Generator.

This class represents a command message used to initiate the hardware-based True Random Number Generator (TRNG) in ELE (EdgeLock Enclave) secure subsystem.

Variables:: CMD – Command identifier for the start TRNG request message.

Initialize ELE message object.

Initialize all message attributes to their default values including abort code, indication, status, buffer address and size, command, and response data size.

CMD = 163#

class spsdk.ele.ele_message.EleMessageVerifyImage(image_mask=1)#

Bases: EleMessage

ELE message for verifying image integrity.

This class implements the ELE Verify Image request message that commands the ELE to check the hash on one or more images after a container has been loaded into memory and processed with an Authenticate Container message.

Variables:

CMD – Message command identifier for verify image request.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in command.
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in response.

Initialize Verify Image message.

The Verify Image message is sent to the ELE after a container has been loaded into memory and processed with an Authenticate Container message. This commands the ELE to check the hash on one or more images.

Parameters:: image_mask (int) – Bitmask indicating which images to check. Each bit corresponds to a particular image index in the header (bit 0 for image 0, bit 1 for image 1, etc.). At least one image must be specified.

CMD = 136#

COMMAND_PAYLOAD_WORDS_COUNT = 1#

RESPONSE_PAYLOAD_WORDS_COUNT = 2#

decode_response(response)#

Decode response from target.

Parses the response data to extract valid and invalid image masks, then validates that the combined masks match the originally requested image mask for checking.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Response parse detect some error.
Return type:: None

export()#

Export message to bytes array.

Converts the message object into its binary representation by combining the exported header with the image mask field.

Return type:: bytes
Returns:: Binary representation of the message object.

response_info()#

Get response information as formatted string.

Formats the valid and invalid image masks into a human-readable string representation with hexadecimal values.

Return type:: str
Returns:: Formatted string containing valid and invalid image mask information.

class spsdk.ele.ele_message.EleMessageWriteFuse(bit_position, bit_length, lock, payload)#

Bases: EleMessage

ELE message for writing fuse data.

This class represents a request message to write data to fuses in ELE (EdgeLock Enclave). It handles OEM fuse writing operations with configurable bit positioning, length, and locking capabilities. Fuse accessibility depends on the chip lifecycle state.

Variables:

CMD – Message command identifier for write fuse operation.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the command.
RESPONSE_PAYLOAD_WORDS_COUNT – Number of payload words in the response.

Initialize ELE fuse write message.

This command allows to write to the fuses. OEM Fuses are accessible depending on the chip lifecycle.

Parameters:

bit_position (int) – Fuse identifier expressed as its position in bit in the fuse map.
bit_length (int) – Number of bits to be written.
lock (bool) – Write lock requirement. When set to 1, fuse words are locked. When unset, no write lock is done.
payload (int) – Data to be written.

CMD = 214#

COMMAND_PAYLOAD_WORDS_COUNT = 2#

RESPONSE_PAYLOAD_WORDS_COUNT = 1#

decode_response(response)#

Decode response from target.

The method parses the response bytes and extracts the processed index value from the response data structure.

Parameters:: response (bytes) – Raw response data bytes from the target device.
Raises:: SPSDKParsingError – Response parsing detects an error in the data format.
Return type:: None

export()#

Export message to bytes array representation.

Converts the message object into its binary format by combining the header with packed bit position, bit length (with lock flag), and payload data.

Return type:: bytes
Returns:: Binary representation of the complete message.

class spsdk.ele.ele_message.EleMessageWriteShadowFuse(index, value)#

Bases: EleMessage

ELE message for writing shadow fuse values.

This class represents a request message to write data to shadow fuses in the EdgeLock Enclave. Shadow fuses are temporary storage that mirrors the actual fuse values and can be modified without permanently altering the hardware fuses.

Variables:

CMD – Message command identifier for write shadow fuse operation.
COMMAND_PAYLOAD_WORDS_COUNT – Number of payload words in the message.

Initialize ELE shadow fuse write command.

This command allows to write to the shadow fuses.

Parameters:

index (int) – Fuse identifier expressed as its position in bit in the fuse map.
value (int) – Data to be written.

CMD = 242#

COMMAND_PAYLOAD_WORDS_COUNT = 2#

export()#

Export message to bytes array.

Converts the message object into its binary representation by combining the exported header with the packed index and value fields.

Return type:: bytes
Returns:: Binary representation of the message object.

Module with the HSE(Hardware Security Engine) EdgeLock Enclave messages#

SPSDK ELE HSE message implementation for Hardware Security Engine operations.

This module provides specialized ELE message classes for HSE (Hardware Security Engine) operations including attribute management, firmware updates, boot data signing and verification, and key information handling.

class spsdk.ele.ele_message_hse.EleMessageHse(srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessage

Base class for HSE-specific ELE messages.

This class extends the EleMessage base class with HSE-specific functionality for command formatting, response handling, and service identification. It provides the foundation for implementing HSE (Hardware Security Engine) communication protocols within the SPSDK framework.

Variables:

CMD_ID_FORMAT – Format string for HSE command ID structure.
CMD_DESCRIPTOR_FORMAT – Format string for HSE descriptor structure.
RESPONSE_HEADER_WORDS_COUNT – Number of words in HSE response header.
MSG_IDS – HSE-specific message ID enumeration.

Initialize the HSE message with the specified service version.

Parameters:: srv_version (ServiceVersion) – Service version to use for this message, defaults to VERSION_0.

CMD_DESCRIPTOR_FORMAT: str#

CMD_HEADER_FORMAT: str = '<LBBBB'#

MSG_IDS#: alias of HseMessageIDs

RESPONSE_HEADER_WORDS_COUNT = 1#

class ServiceVersion(tag, label, description=None)#

Bases: SpsdkEnum

HSE service version enumeration.

Defines the available HSE service versions that can be used when constructing HSE messages for EdgeLock Enclave operations.

VERSION_0 = (0, 'ver0', 'Hse service version 0')#

VERSION_1 = (1, 'ver1', 'Hse service version 1')#

property command_data: bytes#

Get the complete command data.

Combines the command header and service descriptor into the complete command data. The header is packed using CMD_ID_FORMAT with service_id and zero padding, then concatenated with the service descriptor bytes.

Returns:: Complete command data as bytes.

property command_data_size: int#

Get the size of command data in bytes.

Calculates the total size by combining the command ID format size and command descriptor format size using struct.calcsize().

Returns:: Size of command data in bytes.

property command_words_count: int#

Get the count of command words.

Returns:: Number of command words, always returns 1.

decode_response(response)#

Decode the HSE response data.

Extracts the response status from the HSE response data and sets the appropriate status and indication values based on the HSE response.

Parameters:: response (bytes) – Response data bytes to decode containing HSE status information.
Return type:: None

export()#

Export command data as bytes for target memory loading.

Converts the command data address to a 4-byte little-endian byte sequence that can be loaded into the target memory space.

Return type:: bytes
Returns:: Command data address as 4-byte little-endian bytes.

abstract get_srv_descriptor()#

Get service descriptor.

Retrieves the service descriptor as a byte sequence for HSE message processing.

Return type:: bytes
Returns:: Service descriptor in bytes format.

response_status()#

Get response status information as formatted string.

The method formats the response status and optionally includes HSE response indication details when the status indicates ELE failure.

Return type:: str
Returns:: Formatted string containing response status and indication details.

property service_cancelable: bool#

Check if the service can be canceled based on service_id byte 2.

The method examines the third byte (index 2) of the service_id when converted to little-endian format to determine if the service supports cancellation.

Returns:: True if service can be canceled (byte 2 == 0x00), False if not cancelable (byte 2 == 0xA5).

property service_class_index: int#

Get the service class index from service_id.

Extracts the service class index from byte 1 of the service_id when converted to little-endian 4-byte representation.

Returns:: Service class index value in range 0-255.

property service_id: int#

Get the service ID for this message.

Combines the command ID and service version into a single service ID value.

Returns:: Service ID as an integer.

property service_index: int#

Get the service index from service_id.

Extracts the first byte (byte 0) from the service_id when converted to little-endian byte representation.

Returns:: Service index value in range 0-255.

property service_version: int#

Get the service version from service_id.

The method extracts the service version from byte 3 of the service_id when converted to little-endian byte representation.

Returns:: Service version value in range 0-255.

class spsdk.ele.ele_message_hse.EleMessageHseAttr(attr_id, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

Base class for HSE attribute operations.

Provides common functionality for getting and setting HSE attributes, including attribute handler management and response processing.

Variables:: CMD_DESCRIPTOR_FORMAT – Binary format specification for command descriptor.

Initialize the HSE attribute message.

Parameters:

attr_id (HseAttributeId) – The attribute ID to operate on.
srv_version (ServiceVersion) – Service version to use for this message.

CMD_DESCRIPTOR_FORMAT: str = '<HBBLL'#

abstract get_srv_descriptor()#

Get service descriptor.

Retrieves the service descriptor as a byte sequence for HSE message processing.

Return type:: bytes
Returns:: Service descriptor in bytes format.

class spsdk.ele.ele_message_hse.EleMessageHseBootDataImageSign(img_addr, tag_len=28, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

ELE message for HSE boot data image signing operations.

Handles cryptographic signing of boot data images for different HSE variants. For HSE_H/M devices, supports IVT/DCD/ST/LPDDR4(S32Z/E devices)/AppBSB images. For HSE_B devices, supports IVT/AppBSB images. The class manages the signing process and extracts authentication tags from the HSE response.

Initialize the boot data image sign message.

Parameters:

img_addr (int) – Address of the image to sign.
tag_len (int) – Length of the tag (must be 16 or 28).
srv_version (ServiceVersion) – Service version to use for this message.

Raises:

SPSDKValueError – If tag_len is not 16 or 28.

CMD = 8#

CMD_DESCRIPTOR_FORMAT: str = '<LLL'#

decode_response_data(response)#

Decode the response data for the boot data image sign operation.

Extracts the initial vector (if present) and GMAC value from the response based on tag length. For tag_len=16, only GMAC value is extracted. For tag_len=28, both initial vector (12 bytes) and GMAC value (16 bytes) are extracted.

Parameters:: response (bytes) – Response data bytes to decode containing IV and/or GMAC
Raises:: SPSDKValueError – If tag_len is not supported (must be 16 or 28)
Return type:: None

get_srv_descriptor()#

Get service descriptor for HSE message.

Packs the image address, tag length, and response data address into a binary service descriptor format using the predefined CMD_DESCRIPTOR_FORMAT.

Return type:: bytes
Returns:: Binary service descriptor containing packed message parameters.

response_info()#

Get formatted information about the response.

Returns a string containing the image signature data including the initial vector (if present) and GMAC value in hexadecimal format.

Return type:: str
Returns:: String representation of the image signature data.

property signature: bytes#

Get the complete signature bytes.

Combines the initial vector (if present) and GMAC value to form the complete signature.

Returns:: Complete signature bytes containing optional initial vector followed by GMAC value.

class spsdk.ele.ele_message_hse.EleMessageHseBootDataImageVerify(img_addr, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Boot Data Image Verification Message.

Handles verification of boot data images including IVT, DCD, ST, LPDDR4 (S32Z/E devices), and AppBSB components. For HSE_H/M devices, verifies all image types. For HSE_B devices, verifies IVT and AppBSB images only. This message verifies GMAC tags generated by the EleMessageHseBootDataImageSign service, ensuring boot data integrity and authenticity during secure boot process.

Initialize the boot data image verify message.

Parameters:

img_addr (int) – Address of the image to verify (includes the authentication TAG).
srv_version (ServiceVersion) – Service version to use for this message.

CMD = 9#

CMD_DESCRIPTOR_FORMAT: str = '<L'#

get_srv_descriptor()#

Get service descriptor.

Packs the image address into a service descriptor format for HSE communication.

Return type:: bytes
Returns:: Packed service descriptor bytes containing the image address.

response_info()#

Get formatted information about the response.

Returns a human-readable string indicating whether the Boot Data Image verification was successful or failed based on the response status.

Return type:: str
Returns:: String representation of the image verification result.

class spsdk.ele.ele_message_hse.EleMessageHseEraseFirmware(srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Erase Firmware service.

This service is used for erasing the HSE Firmware from flash-based devices (HSE_B variant). It also erases the SYS-IMG and backup (if present) in the secure flash from the device.

Important restrictions: - Available for flash based devices only (HSE_B variant) - Can be performed only in CUST_DEL life cycle - Will return HSE_SRV_RSP_NOT_ALLOWED error if performed in other life cycles

Variables:

CMD – Command identifier for HSE firmware erase operation.
CMD_DESCRIPTOR_FORMAT – Binary format specification for command descriptor.

Initialize the HSE Erase Firmware message.

Creates a new HSE firmware erase message. This operation will completely erase the HSE firmware, SYS-IMG, and any backup images from the secure flash.

Warning: This is a destructive operation that cannot be undone. Use with caution.

Parameters:: srv_version (ServiceVersion) – Service version to use for this message.

CMD = 87#

CMD_DESCRIPTOR_FORMAT: str = '<BBBB'#

get_srv_descriptor()#

Get service descriptor for the Erase Firmware command.

Creates a packed binary service descriptor containing only reserved fields as specified in the hseEraseFwSrv_t structure.

Return type:: bytes
Returns:: Packed service descriptor bytes with 4 reserved bytes set to zero.

response_info()#

Get formatted information about the response.

Returns a human-readable string describing the result of the HSE firmware erase operation, indicating success or failure with appropriate messaging.

Return type:: str
Returns:: String representation of the firmware erase operation result.

class spsdk.ele.ele_message_hse.EleMessageHseFirmwareIntegrityCheck(srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Firmware Integrity Check service.

This service performs an integrity check of the HSE Firmware and SYS-IMG inside HSE. It verifies the cryptographic integrity and authenticity of the firmware components to ensure they have not been corrupted or tampered with.

Important notes: - Available for HSE_B variant only - No input data structure required - Returns success/failure status indicating firmware integrity state

Variables:

CMD – Command identifier for HSE firmware integrity check operation.
CMD_DESCRIPTOR_FORMAT – Binary format specification for command descriptor.

Initialize the HSE Firmware Integrity Check message.

Creates a new HSE firmware integrity check message. This operation will verify the integrity of the HSE firmware and SYS-IMG components without modifying them.

Parameters:: srv_version (ServiceVersion) – Service version to use for this message.

CMD = 84#

CMD_DESCRIPTOR_FORMAT: str = '<BBBB'#

get_srv_descriptor()#

Get service descriptor for the Firmware Integrity Check command.

Creates a packed binary service descriptor. Since no data structure is used for this service, the descriptor contains only reserved/padding bytes.

Return type:: bytes
Returns:: Packed service descriptor bytes with reserved fields set to zero.

response_info()#

Get formatted information about the response.

Returns a human-readable string describing the result of the HSE firmware integrity check operation, indicating whether the firmware integrity is valid.

Return type:: str
Returns:: String representation of the firmware integrity check result.

class spsdk.ele.ele_message_hse.EleMessageHseFirmwareUpdate(access_mode, fw_file_addr, stream_length=0, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Firmware Update command.

This service is used to update the HSE firmware into the HSE internal flash memory. Supports both one-pass and streaming modes (START, UPDATE, FINISH).

Variables:

CMD – Command identifier for HSE firmware update operations.
CMD_DESCRIPTOR_FORMAT – Binary format specification for command descriptor.

Initialize the HSE firmware update message.

Creates a new HSE firmware update message with specified access mode and firmware parameters. Validates stream length requirements for streaming modes (START/UPDATE).

Parameters:

access_mode (HseAccessMode) – The access mode for firmware update (ONE_PASS, START, UPDATE, FINISH)
fw_file_addr (int) – Address of the firmware file or chunk
stream_length (int) – Length of the firmware chunk in streaming mode (must be multiple of 64 bytes)
srv_version (ServiceVersion) – Service version to use for this message

Raises:

SPSDKValueError – If stream_length is invalid for the specified access mode

CMD = 5#

CMD_DESCRIPTOR_FORMAT: str = '<BBBBLL'#

class HseAccessMode(tag, label, description=None)#

Bases: SpsdkEnum

HSE firmware update access mode enumeration.

Defines the available access modes for HSE (Hardware Security Engine) firmware update operations, supporting both single-pass and streaming update workflows.

FINISH = (3, 'FINISH', 'Finish mode - complete streaming firmware update')#

ONE_PASS = (0, 'ONE_PASS', 'One-pass mode - complete firmware update in one operation')#

START = (1, 'START', 'Start mode - begin streaming firmware update')#

UPDATE = (2, 'UPDATE', 'Update mode - continue streaming firmware update')#

get_srv_descriptor()#

Get service descriptor for the firmware update command.

Creates a packed binary service descriptor containing access mode, stream length, and firmware file address for HSE firmware update operations.

Return type:: bytes
Returns:: Packed service descriptor bytes containing command parameters.

response_info()#

Get formatted information about the response.

Returns a human-readable string describing the status of the firmware update operation, indicating whether it was successful or failed.

Return type:: str
Returns:: String representation of the firmware update status.

class spsdk.ele.ele_message_hse.EleMessageHseFormatKeyCatalogs(srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Format Key Catalogs service.

This service configures NVM or RAM key catalogs for HSE Firmware operations. The catalogs format is defined according to the total number of groups and maximum available memory for NVM or RAM keys handled by the HSE Firmware.

Variables:

CMD – HSE message command identifier for format key catalogs operation.
CMD_DESCRIPTOR_FORMAT – Binary format structure for service descriptor.

Initialize the HSE Format Key Catalogs message.

This constructor sets up the message for formatting key catalogs in HSE, initializing catalog addresses and response configuration.

Parameters:: srv_version (ServiceVersion) – Service version to use for this message
Raises:: SPSDKValueError – If key catalog configuration is invalid

CMD = 257#

CMD_DESCRIPTOR_FORMAT: str = '<LL'#

get_srv_descriptor()#

Get service descriptor for the Format Key Catalogs command.

Return type:: bytes
Returns:: Packed service descriptor bytes containing NVM and RAM catalog addresses.

response_info()#

Get formatted information about the response.

Return type:: str
Returns:: String representation of the key catalog formatting result.

class spsdk.ele.ele_message_hse.EleMessageHseGetAttr(attr_id, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHseAttr

ELE message for retrieving HSE (Hardware Security Engine) attributes.

This class implements the GET_ATTR command to request and decode specific HSE attribute values from the EdgeLock Enclave. It handles the service descriptor creation, response data decoding, and provides formatted output of the retrieved attribute information.

Variables:: CMD – HSE message command identifier for GET_ATTR operation.

Initialize HSE attribute get message.

Creates a new HSE attribute get message with the specified attribute ID and service version. The attribute value is initially set to None and will be populated when the response is received.

Parameters:

attr_id (HseAttributeId) – HSE attribute identifier to retrieve.
srv_version (ServiceVersion) – Service version for the HSE message, defaults to VERSION_0.

CMD = 10813442#

decode_response_data(response)#

Decode the response data for this attribute.

Sets the response data in the attribute handler and triggers decoding.

Parameters:: response (bytes) – Response data to decode.
Return type:: None

get_srv_descriptor()#

Get service descriptor.

Creates and returns a packed binary service descriptor containing the attribute handler information, including attribute ID, size, and response data address.

Return type:: bytes
Returns:: Packed binary service descriptor as bytes.

info()#

Get formatted information about the response.

Return type:: str
Returns:: String representation of the attribute data or message if no attribute retrieved.

class spsdk.ele.ele_message_hse.EleMessageHseGetKeyInfo(key_handle, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Get Key Info command message.

This class represents an ELE HSE service message for retrieving key information and properties using a key handle as input parameter. It handles the command formatting, response parsing, and provides access to the retrieved key data.

Initialize the HSE Get Key Info message.

Parameters:

key_handle (KeyHandle) – The key handle to get information for.
srv_version (ServiceVersion) – Service version to use for this message.

CMD = 10813699#

CMD_DESCRIPTOR_FORMAT: str = '<LL'#

decode_response_data(response)#

Decode the response data for the Get Key Info operation.

Extracts the key information from the response and stores it in the key_info attribute.

Parameters:: response (bytes) – Response data bytes to decode containing key information.
Raises:: SPSDKError – If response data cannot be parsed or is invalid.
Return type:: None

get_srv_descriptor()#

Get service descriptor for the Get Key Info command.

Return type:: bytes
Returns:: Packed service descriptor bytes.

response_info()#

Get formatted information about the response.

Returns string representation of key information if the response status indicates success, otherwise returns an error message indicating failure to retrieve key information.

Return type:: str
Returns:: String representation of the key information or error message.

class spsdk.ele.ele_message_hse.EleMessageHseImportKey(key_handle, payload, cipher_key_handle=4294967295, cipher_scheme=None, key_container_len=0, key_container_addr=0, auth_key_handle=4294967295, auth_scheme=None, auth_lengths=(0, 0), auth_address=(0, 0), key_format=None, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Import Key service message.

This class represents an ELE message for importing keys into the HSE key store. Supports importing symmetric keys, asymmetric key pairs, and public keys in both raw format and authenticated container format.

Variables:

CMD – Command identifier for the HSE import key service.
CMD_DESCRIPTOR_FORMAT – Binary format structure for the command descriptor.

Initialize the HSE Import Key message.

Creates a new HSE (Hardware Security Engine) import key message with the specified parameters for importing cryptographic keys into secure key slots.

Parameters:

key_handle (KeyHandle) – Handle of the key slot where the key will be imported
payload (KeyImportPayload) – Key import payload containing key data and metadata
cipher_key_handle (int) – Handle of the key used for decryption if key is encrypted
cipher_scheme (Optional[HseCipherScheme]) – Cipher scheme used for encrypted keys
key_container_len (int) – Length of the key container in bytes
key_container_addr (int) – Memory address of the key container
auth_key_handle (int) – Handle of the key used for authentication verification
auth_scheme (Optional[HseAuthScheme]) – Authentication scheme for key container verification
auth_lengths (tuple) – Tuple of lengths for authentication tags (up to 2 elements)
auth_address (tuple) – Tuple of addresses for authentication tags (up to 2 elements)
key_format (Optional[KeyFormat]) – Format of the key being imported (defaults to RAW)
srv_version (ServiceVersion) – Service version to use for this message

CMD = 260#

CMD_DESCRIPTOR_FORMAT: str = '<LLLLLHHHBBLBBBBLHBBLLBBBBLHHLLBBH'#

get_srv_descriptor()#

Get service descriptor for the Import Key command.

Packs all the command parameters into a binary format according to the HSE command descriptor structure for key import operations.

Return type:: bytes
Returns:: Packed service descriptor bytes containing key handles, addresses, cipher and authentication schemes, and other import parameters.

response_info()#

Get formatted information about the response.

This method provides a human-readable string describing the result of the key import operation, indicating success or failure along with the associated key handle.

Return type:: str
Returns:: String representation of the key import result.

class spsdk.ele.ele_message_hse.EleMessageHseSetAttr(attr_id, value_addr=None, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHseAttr

ELE message for setting HSE (Hardware Security Engine) attributes.

This class handles the SET_ATTR command to modify HSE attribute values on the target device. It extends the base HSE attribute message functionality with specific support for setting attribute data through memory addresses.

Variables:: CMD – Command identifier for the SET_ATTR operation.

Initialize HSE attribute message for getting attribute value.

Creates a new HSE message instance for retrieving the value of a specified HSE attribute. The message can optionally specify a memory address where the attribute value should be stored.

Parameters:

attr_id (HseAttributeId) – HSE attribute identifier to get value for.
value_addr (Optional[int]) – Optional memory address where attribute value will be stored.
srv_version (ServiceVersion) – Service version for the HSE message.

CMD = 1#

decode_response_data(response)#

Decode the response data for this attribute.

Sets the response data in the attribute handler and triggers decoding.

Parameters:: response (bytes) – Response data to decode.
Return type:: None

get_srv_descriptor()#

Get service descriptor.

Creates and returns a packed binary service descriptor containing the attribute ID, reserved fields, size, and value address according to the command descriptor format.

Return type:: bytes
Returns:: Packed binary service descriptor as bytes.

class spsdk.ele.ele_message_hse.EleMessageHseSmrEntryInstall(access_mode, entry_index, smr_entry_addr=None, smr_data_addr=None, smr_data_length=None, auth_tag_addr=(0, 0), auth_tag_length=(0, 0), cipher_params=None, srv_version=EleMessageHse.ServiceVersion(tag=0, label='ver0', description='Hse service version 0'))#

Bases: EleMessageHse

HSE Secure Memory Region Installation service.

This service installs or updates a Secure Memory Region (SMR) entry which needs to be verified during boot or runtime phase. The installation can be done in one-pass or streaming mode.

Variables:

CMD – Command identifier for SMR entry installation service.
CMD_DESCRIPTOR_FORMAT – Binary format descriptor for the command structure.

Initialize the SMR Entry Install message.

Creates a new SMR (Secure Memory Region) Entry Install message for HSE communication. This message is used to install or update SMR entries in the HSE SMR table with specified access modes and optional encryption parameters.

Parameters:

access_mode (HseAccessMode) – The access mode for SMR installation (ONE_PASS, START, UPDATE, FINISH).
entry_index (int) – Index of SMR entry in the SMR table to be installed/updated.
smr_entry_addr (Optional[int]) – Address of SMR entry structure containing configuration properties.
smr_data_addr (Optional[int]) – Address where SMR data to be installed is located.
smr_data_length (Optional[int]) – Length of the SMR data in bytes.
auth_tag_addr (tuple) – Tuple of addresses where SMR authentication tags are located.
auth_tag_length (tuple) – Tuple of lengths for the authentication tags.
cipher_params (Optional[HseSmrCipherParams]) – Cipher parameters for encrypted SMR installation, defaults to None.
srv_version (ServiceVersion) – Service version to use for this message.

CMD = 1281#

CMD_DESCRIPTOR_FORMAT: str = '<BBBBLLLLLHHLLL'#

get_srv_descriptor()#

Get service descriptor for the SMR Entry Install command.

Packs all the service descriptor fields into a binary format according to the CMD_DESCRIPTOR_FORMAT specification for HSE SMR entry installation.

Return type:: bytes
Returns:: Packed service descriptor bytes containing access mode, entry index, SMR entry/data addresses, authentication tags, and cipher parameters.

response_info()#

Get formatted information about the response.

Returns a human-readable string describing the SMR (Secure Memory Region) installation result based on the response status and entry details.

Return type:: str
Returns:: String representation of the SMR installation result including entry index, access mode, and success/failure status.

class spsdk.ele.ele_message_hse.HseAccessMode(tag, label, description=None)#

Bases: SpsdkEnum

HSE access mode enumeration for streaming operations.

Defines the available access modes that control how HSE (Hardware Security Engine) operations are executed, supporting both single-pass and multi-step streaming workflows.

FINISH = (3, 'FINISH', 'Finish mode - complete streaming operation')#

ONE_PASS = (0, 'ONE_PASS', 'One-pass mode - complete operation in one step')#

START = (1, 'START', 'Start mode - begin streaming operation')#

UPDATE = (2, 'UPDATE', 'Update mode - continue streaming operation')#

class spsdk.ele.ele_message_hse.HseAuthScheme(algorithm=0, mode=0, options=b'\\x00\\x00\\x00\\x00')#

Bases: object

HSE Authentication Scheme structure.

This class represents authentication parameters for HSE (Hardware Security Engine) operations, encapsulating algorithm identifiers, modes, and additional options required for secure authentication processes.

Initialize the authentication scheme structure.

Parameters:

algorithm (int) – Authentication algorithm identifier.
mode (int) – Authentication mode identifier.
options (bytes) – Additional authentication options (4 bytes).

pack()#

Pack the authentication scheme into bytes.

Serializes the authentication scheme object into a binary format using little-endian byte order with specific field layout.

Return type:: bytes
Returns:: Packed authentication scheme as bytes with algorithm, mode, padding, and options.

class spsdk.ele.ele_message_hse.HseCipherScheme(algorithm=0, mode=0, options=b'\\x00\\x00\\x00\\x00')#

Bases: object

HSE Cipher Scheme structure.

This class represents a cipher scheme configuration for HSE (Hardware Security Engine) operations, encapsulating algorithm type, mode, and additional cipher options for cryptographic operations.

Initialize the cipher scheme structure.

Parameters:

algorithm (int) – Cipher algorithm identifier.
mode (int) – Cipher mode identifier.
options (bytes) – Additional cipher options (4 bytes).

pack()#

Pack the cipher scheme into bytes.

Serializes the cipher scheme object into a binary format using little-endian byte ordering with algorithm, mode, padding bytes, and options.

Return type:: bytes
Returns:: Packed cipher scheme as bytes in little-endian format.

class spsdk.ele.ele_message_hse.HseSmrCipherParams(iv_addr=0, gmac_tag_addr=0, aad_addr=0)#

Bases: object

HSE SMR cipher parameters container.

This class encapsulates the cryptographic parameters required for installing and decrypting encrypted Secure Memory Regions (SMRs) in HSE operations, including initialization vectors, GMAC authentication tags, and additional authenticated data.

aad_addr: int = 0#: Optional - Address of the AAD used for AEAD.

gmac_tag_addr: int = 0#: Optional - Address of tag used for AEAD. The length for the GMAC tag is 16 bytes.

iv_addr: int = 0#: Address of Initialization Vector/Nonce. The length of the IV is 16 bytes.

class spsdk.ele.ele_message_hse.KeyImportPayload(key_info, key)#

Bases: object

HSE Key Import Payload structure.

Manages cryptographic key data and metadata for importing keys into HSE (Hardware Security Engine). This class encapsulates key information, converts keys to the appropriate format, and handles payload structure for key import operations.

Variables:

FEATURE – Database feature identifier for HSE operations.
SUB_FEATURE – Sub-feature identifier for key import operations.

Initialize the key import structure.

Parameters:

key_info (KeyInfo) – Key information structure containing key metadata and configuration.
key (Union[PrivateKey, PublicKey, bytes]) – The cryptographic key to import, can be private key, public key, or raw bytes.

FEATURE = 'hse'#

SUB_FEATURE = 'key_import'#

static convert_key(key, key_type=None)#

Convert an SPSDK key to HSE key format.

HSE key format consists of up to three chunks: - pKey[0]: Public key data (modulus for RSA, X/Y coordinates for ECC, etc.) - pKey[1]: Additional public key data (exponent for RSA, etc.) - pKey[2]: Private key data (private exponent for RSA, private scalar for ECC,

symmetric key data)

Parameters:

key (Union[PrivateKey, PublicKey, bytes]) – SPSDK key object (from spsdk.crypto.keys) or raw key bytes
key_type (Optional[KeyType]) – HSE key type, required when key is provided as raw bytes

Raises:

SPSDKValueError – Invalid key type, unsupported key format, or invalid key length

Return type:

list[Optional[bytes]]

Returns:

List of up to three byte arrays representing the key components

export()#

Export the key import structure to bytes.

The method serializes the key information and concatenates all non-null key data chunks to create a complete binary representation of the key import structure.

Return type:: bytes
Returns:: Serialized key import structure as bytes.

property key_lengths: list[int | None]#

Get the lengths of each key component.

Returns:: List of lengths for each key component, None for missing components.

property key_offsets: list[int | None]#

Calculate the offsets of each key component in the payload.

The offsets are calculated relative to the start of the payload, with the key_info structure at the beginning followed by key components.

Returns:: List of offsets for each key component, None for missing components.

property size: int#

Get the total size of the key import payload in bytes.

Includes the size of the key_info structure and all key components.

Returns:: Total size in bytes.

Module with the EdgeLock Enclave message handler with mBoot#

EdgeLock Enclave (ELE) communication interface.

This module provides functionality for handling communication with the EdgeLock Enclave (ELE), a hardware security module present in certain NXP microcontrollers. It includes classes and methods for constructing, sending, and receiving ELE messages through various communication protocols including MCUBoot, U-Boot serial console, and U-Boot fastboot. The module supports flexible integration with different development and production environments by providing abstract message handling capabilities and device-specific implementations for ELE-capable NXP microcontrollers.

class spsdk.ele.ele_comm.EleDevice(tag, label, description=None)#

Bases: SpsdkEnum

ELE device communication interface enumeration.

This enumeration defines the supported communication interfaces for EdgeLock Enclave (ELE) devices, including different boot modes and communication protocols.

MBOOT = (0, 'mboot', 'ELE over mboot')#

UBOOT_FASTBOOT = (2, 'uboot_fastboot', 'ELE over fastboot')#

UBOOT_SERIAL = (1, 'uboot_serial', 'ELE over U-Boot serial console')#

class spsdk.ele.ele_comm.EleMessageHandler(device, family, buffer_address=None, buffer_size=None)#

Bases: object

ELE Message Handler for NXP MCU communication.

This class provides a unified interface for handling EdgeLock Enclave (ELE) message communication across supported NXP MCU families. It manages the communication buffer configuration, device interaction, and message processing for secure provisioning operations. The handler supports multiple communication interfaces including McuBoot, U-Boot Serial, and U-Boot Fastboot protocols, providing a consistent API for ELE operations regardless of the underlying transport mechanism.

Initialize ELE communication interface.

Sets up communication with EdgeLock Enclave (ELE) using the specified device and configures buffer parameters for data exchange.

Parameters:

device (Union[McuBoot, UbootSerial, UbootFastboot]) – Communication interface for device interaction.
family (FamilyRevision) – Target MCU family and revision information.
buffer_address (Optional[int]) – Override default buffer address for ELE communication.
buffer_size (Optional[int]) – Override default buffer size for ELE communication.

static get_ele_device(family)#

Get default ELE device from database.

Retrieves the default EdgeLock Enclave (ELE) device configuration for the specified device family from the database.

Parameters:: family (FamilyRevision) – Device family and revision information.
Return type:: EleDevice
Returns:: EleDevice instance with default configuration for the specified family.

classmethod get_message_handler(family, device=None, fb_addr=None, fb_size=None, buffer_addr=None, buffer_size=None, port=None, usb=None, buspal=None, lpcusbsio=None, timeout=5000)#

Get ELE message handler for specified device and family.

Creates and configures an appropriate ELE message handler based on the device type and family. Supports U-Boot (FastBoot and Serial) and MBoot interfaces with configurable communication parameters.

Parameters:

family (FamilyRevision) – Target MCU family and revision information.
device (Optional[str]) – Device type to use, defaults to family-specific device if None.
fb_addr (Optional[int]) – FastBoot buffer address, uses database default if None.
fb_size (Optional[int]) – FastBoot buffer size, uses database default if None.
buffer_addr (Optional[int]) – Communication buffer address override.
buffer_size (Optional[int]) – Communication buffer size override.
port (Optional[str]) – Serial port identifier for serial communication.
usb (Optional[str]) – USB device identifier for USB communication.
buspal (Optional[str]) – BusPal interface configuration.
lpcusbsio (Optional[str]) – LPCUSBSIO interface configuration.
timeout (int) – Communication timeout in milliseconds.

Raises:

SPSDKError – When port is not specified for U-Boot serial device.

Return type:

EleMessageHandler

Returns:

Configured ELE message handler instance.

static get_supported_ele_devices()#

Get list of supported ELE device families.

Return type:: list[str]
Returns:: List of supported ELE device family names.

static get_supported_families()#

Get list of supported target families for ELE.

The method retrieves all families supported by the ELE (EdgeLock Enclave) database manager from the SPSDK database.

Return type:: list[FamilyRevision]
Returns:: List of supported families with their revisions.

abstract send_message(msg)#

Send message and receive response.

Parameters:: msg (EleMessage) – EdgeLock Enclave message to be sent.
Raises:: SPSDKError – If message sending or response receiving fails.
Return type:: None

class spsdk.ele.ele_comm.EleMessageHandlerMBoot(device, family, comm_buffer_address_override=None, comm_buffer_size_override=None)#

Bases: EleMessageHandler

EdgeLock Enclave Message Handler over MCUBoot.

This class provides communication interface for sending EdgeLock Enclave messages to target devices through MCUBoot protocol. It handles the complete message lifecycle including command preparation, execution, response processing, and data transfer operations.

Initialize ELE communication interface.

Parameters:

device (McuBoot) – McuBoot device instance for communication.
family (FamilyRevision) – Target family revision specification.
comm_buffer_address_override (Optional[int]) – Override default communication buffer address for ELE.
comm_buffer_size_override (Optional[int]) – Override default communication buffer size for ELE.

Raises:

SPSDKError – Invalid device instance provided, must be McuBoot.

send_message(msg)#

Send message and receive response.

This method sends an EdgeLock Enclave message to the target device, executes it, and processes the response. It handles the entire communication process, including writing the command to target memory, executing the ELE message, reading back the response, and decoding it. If required, it also handles command data and response data.

Parameters:

msg (EleMessage) – EdgeLock Enclave message to be sent

Raises:

SPSDKError – If the device is not an instance of McuBoot, or if ELE communication fails, or if the ELE message fails
SPSDKLengthError – If invalid read back length is detected for response or response data

Return type:

None

class spsdk.ele.ele_comm.EleMessageHandlerUBoot(device, family, comm_buffer_address_override=None, comm_buffer_size_override=None)#

Bases: EleMessageHandler

EdgeLock Enclave Message Handler for U-Boot communication.

This class implements functionality to send ELE messages to target devices over U-Boot and decode the responses. It provides an interface for communication with the EdgeLock Enclave using the U-Boot protocol, supporting both serial and fastboot communication methods.

Initialize ELE message handler for U-Boot communication.

Creates an ELE message handler instance that communicates with EdgeLock Enclave through U-Boot interface using either serial or fastboot protocol.

Parameters:

device (Union[UbootSerial, UbootFastboot]) – U-Boot communication device instance.
family (FamilyRevision) – Target chip family and revision information.
comm_buffer_address_override (Optional[int]) – Custom communication buffer address for ELE.
comm_buffer_size_override (Optional[int]) – Custom communication buffer size for ELE.

Raises:

SPSDKError – If device is not UbootSerial or UbootFastboot instance.

extract_error_values(error_message)#

Extract error values from error message.

This method parses the error message to extract abort_code, status, and indication values using regular expressions to find hexadecimal values in the message format.

Parameters:: error_message (str) – Error message containing ret and response hexadecimal values.
Return type:: tuple[int, int, int]
Returns:: A tuple containing (abort_code, status, indication) as integers.

send_message(msg)#

Send message to EdgeLock Enclave and receive response.

This method performs the following steps: 1. Prepares command data in target memory if required. 2. Executes the ELE message on the target. 3. Reads back the response. 4. Decodes the response. 5. Checks the response status. 6. Reads back the response data from target memory if required.

Parameters:

msg (EleMessage) – EdgeLock Enclave message to be sent.

Raises:

SPSDKError – If an invalid response status is detected or if communication fails.
SPSDKLengthError – If an invalid read back length is detected.

Return type:

None

Module with the EdgeLock Enclave message constants#

EdgeLock Enclave constants and enumerations.

This module provides constant definitions and enumeration classes for EdgeLock Enclave (ELE) operations, including message IDs, response codes, lifecycle states, and configuration options used throughout the SPSDK ELE functionality.

class spsdk.ele.ele_constants.EleCsalState(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE CSAL state enumeration.

Enumeration defining the possible states of EdgeLock secure enclave random context initialization (CSAL - Cryptographic Services Abstraction Layer).

ELE_CSAL_ERROR = (3, 'ELE_CSAL_ERROR', 'EdgeLock secure enclave random context initialization failed')#

ELE_CSAL_NOT_READY = (0, 'ELE_CSAL_NOT_READY', 'EdgeLock secure enclave random context initialization is not done yet')#

ELE_CSAL_ON_GOING = (1, 'ELE_CSAL_ON_GOING', 'EdgeLock secure enclave random context initialization is on-going')#

ELE_CSAL_PAUSE = (4, 'ELE_CSAL_PAUSE', "EdgeLock secure enclave random context initialization is in 'pause' mode")#

ELE_CSAL_READY = (2, 'ELE_CSAL_READY', 'EdgeLock secure enclave random context initialization succeed')#

class spsdk.ele.ele_constants.EleFwStatus(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE Firmware status enumeration.

This enumeration defines the possible states of the ELE (EdgeLock Enclave) firmware, indicating whether the firmware is properly authenticated and operational or not in place.

ELE_FW_STATUS_IN_PLACE = (1, 'ELE_FW_STATUS_IN_PLACE', 'Authenticated and operational')#

ELE_FW_STATUS_NOT_IN_PLACE = (0, 'ELE_FW_STATUS_NOT_IN_PLACE', 'Not in place')#

class spsdk.ele.ele_constants.EleImemState(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE IMEM state enumeration.

This enumeration defines the possible states of the ELE (EdgeLock Enclave) IMEM (Instruction Memory) indicating whether the memory is fully loaded or has been lost during power transitions.

ELE_IMEM_LOADED = (202, 'ELE_IMEM_LOADED', 'The IMEM is fully loaded and all ELE functionality can be used')#

ELE_IMEM_LOST = (254, 'ELE_IMEM_LOST', 'Some IMEM regions have been lost during power down and fw must be re-installed to use all ELE features')#

class spsdk.ele.ele_constants.EleInfo2Commit(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE Information type to be committed.

Enumeration of information types that can be committed to the EdgeLock Enclave (ELE). This class defines the available commitment options for both NXP and OEM containers, including SRK revocation and firmware fuse version settings.

NXP_FW_FUSE = (2, 'NXP_FW_FUSE', 'FW fuse version of the NXP container')#

NXP_SRK_REVOCATION = (1, 'NXP_SRK_REVOCATION', 'SRK revocation of the NXP container')#

OEM_FW_FUSE = (32, 'OEM_FW_FUSE', 'FW fuse version of the OEM container')#

OEM_SRK_REVOCATION = (16, 'OEM_SRK_REVOCATION', 'SRK revocation of the OEM container')#

class spsdk.ele.ele_constants.EleTrngState(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE TRNG (True Random Number Generator) state enumeration.

This enumeration defines the possible states of the EdgeLock Enclave True Random Number Generator, providing status information for TRNG operations including initialization, entropy generation, and error conditions.

ELE_TRNG_ERROR = (4, 'ELE_TRNG_ERROR', 'TRNG encounter an error while generating entropy')#

ELE_TRNG_GENERATING_ENTROPY = (2, 'ELE_TRNG_GENERATING_ENTROPY', 'TRNG is still generating entropy')#

ELE_TRNG_NOT_READY = (0, 'ELE_TRNG_NOT_READY', "True random generator not started yet. Use 'start-trng' command")#

ELE_TRNG_PROGRAM = (1, 'ELE_TRNG_PROGRAM', 'TRNG is in program mode')#

ELE_TRNG_READY = (3, 'ELE_TRNG_READY', 'TRNG entropy is valid and ready to be read')#

class spsdk.ele.ele_constants.HseMessageIDs(tag, label, description=None)#

Bases: SpsdkSoftEnum

HSE Service Message IDs enumeration.

This enumeration defines message identifiers for HSE (Hardware Security Engine) services including system management, key operations, cryptographic services, and firmware operations. Each entry contains the numeric ID, symbolic name, and description of the HSE service.

ACTIVATE_PASSIVE_BLOCK = (81, 'HSE_SRV_ID_ACTIVATE_PASSIVE_BLOCK', 'Activate passive block')#

AEAD = (10813956, 'HSE_SRV_ID_AEAD', 'AEAD service')#

BOOT_DATA_IMAGE_SIGN = (8, 'HSE_SRV_ID_BOOT_DATA_IMAGE_SIGN', 'Boot data image sign service')#

BOOT_DATA_IMAGE_VERIFY = (9, 'HSE_SRV_ID_BOOT_DATA_IMAGE_VERIFY', 'Boot data image verify service')#

CANCEL = (10813444, 'HSE_SRV_ID_CANCEL', 'Cancel service')#

CONFIG_COUNTER = (82, 'HSE_SRV_ID_CONFIG_COUNTER', 'Configure counter')#

CORE_RESET_ENTRY_ERASE = (1286, 'HSE_SRV_ID_CORE_RESET_ENTRY_ERASE', 'Core reset entry erase')#

CORE_RESET_ENTRY_INSTALL = (1283, 'HSE_SRV_ID_CORE_RESET_ENTRY_INSTALL', 'Core reset entry install')#

ERASE_FW = (87, 'HSE_SRV_ID_ERASE_FW', 'Erase firmware')#

ERASE_HSE_NVM_DATA = (80, 'HSE_SRV_ID_ERASE_HSE_NVM_DATA', 'Erase HSE NVM data')#

ERASE_KEY = (258, 'HSE_SRV_ID_ERASE_KEY', 'Erase key')#

EXPORT_KEY = (261, 'HSE_SRV_ID_EXPORT_KEY', 'Export key')#

FAST_CMAC = (10813954, 'HSE_SRV_ID_FAST_CMAC', 'Fast CMAC service')#

FIRMWARE_UPDATE = (5, 'HSE_SRV_ID_FIRMWARE_UPDATE', 'Firmware update service')#

FORMAT_KEY_CATALOGS = (257, 'HSE_SRV_ID_FORMAT_KEY_CATALOGS', 'Format key catalogs')#

FW_INTEGRITY_CHECK = (84, 'HSE_SRV_ID_FW_INTEGRITY_CHECK', 'Firmware integrity check')#

GET_ATTR = (10813442, 'HSE_SRV_ID_GET_ATTR', 'Get attribute service')#

GET_KEY_INFO = (10813699, 'HSE_SRV_ID_GET_KEY_INFO', 'Get key information')#

GET_RANDOM_NUM = (768, 'HSE_SRV_ID_GET_RANDOM_NUM', 'Get random number')#

HASH = (10813952, 'HSE_SRV_ID_HASH', 'Hash service')#

IMPORT_EXPORT_STREAM_CTX = (10813450, 'HSE_SRV_ID_IMPORT_EXPORT_STREAM_CTX', 'Import/export stream context')#

IMPORT_KEY = (260, 'HSE_SRV_ID_IMPORT_KEY', 'Import key')#

INCREMENT_COUNTER = (10814464, 'HSE_SRV_ID_INCREMENT_COUNTER', 'Increment counter')#

KEY_DERIVE = (264, 'HSE_SRV_ID_KEY_DERIVE', 'Derive key')#

KEY_DERIVE_COPY = (265, 'HSE_SRV_ID_KEY_DERIVE_COPY', 'Derive key copy')#

KEY_GENERATE = (262, 'HSE_SRV_ID_KEY_GENERATE', 'Generate key')#

KEY_VERIFY = (267, 'HSE_SRV_ID_KEY_VERIFY', 'Verify key')#

LOAD_ECC_CURVE = (256, 'HSE_SRV_ID_LOAD_ECC_CURVE', 'Load ECC curve')#

MAC = (10813953, 'HSE_SRV_ID_MAC', 'MAC service')#

ON_DEMAND_CORE_RESET = (1284, 'HSE_SRV_ID_ON_DEMAND_CORE_RESET', 'On-demand core reset')#

PUBLISH_NVM_KEYSTORE_RAM_TO_FLASH = (85, 'HSE_SRV_ID_PUBLISH_NVM_KEYSTORE_RAM_TO_FLASH', 'Publish NVM keystore RAM to flash')#

READ_COUNTER = (10814465, 'HSE_SRV_ID_READ_COUNTER', 'Read counter')#

RSA_CIPHER = (519, 'HSE_SRV_ID_RSA_CIPHER', 'RSA cipher service')#

SBAF_UPDATE = (83, 'HSE_SRV_ID_SBAF_UPDATE', 'SBAF update service')#

SET_ATTR = (1, 'HSE_SRV_ID_SET_ATTR', 'Set attribute service')#

SHE_BOOT_FAILURE = (41222, 'HSE_SRV_ID_SHE_BOOT_FAILURE', 'SHE boot failure')#

SHE_BOOT_OK = (41221, 'HSE_SRV_ID_SHE_BOOT_OK', 'SHE boot OK')#

SHE_EXPORT_RAM_KEY = (41219, 'HSE_SRV_ID_SHE_EXPORT_RAM_KEY', 'SHE export RAM key')#

SHE_GET_ID = (41220, 'HSE_SRV_ID_SHE_GET_ID', 'SHE get ID')#

SHE_LOAD_KEY = (41217, 'HSE_SRV_ID_SHE_LOAD_KEY', 'SHE load key')#

SHE_LOAD_PLAIN_KEY = (41218, 'HSE_SRV_ID_SHE_LOAD_PLAIN_KEY', 'SHE load plain key')#

SMR_ENTRY_ERASE = (1285, 'HSE_SRV_ID_SMR_ENTRY_ERASE', 'SMR entry erase')#

SMR_ENTRY_INSTALL = (1281, 'HSE_SRV_ID_SMR_ENTRY_INSTALL', 'SMR entry install')#

SMR_VERIFY = (1282, 'HSE_SRV_ID_SMR_VERIFY', 'SMR verify')#

SYM_CIPHER = (10813955, 'HSE_SRV_ID_SYM_CIPHER', 'Symmetric cipher service')#

SYS_AUTH_REQ = (6, 'HSE_SRV_ID_SYS_AUTH_REQ', 'System authorization request')#

SYS_AUTH_RESP = (7, 'HSE_SRV_ID_SYS_AUTH_RESP', 'System authorization response')#

class spsdk.ele.ele_constants.HseResponseStatus(tag, label, description=None)#

Bases: SpsdkEnum

HSE service response status codes enumeration.

This enumeration defines all possible response status codes returned by HSE (Hardware Security Engine) services, including success responses, verification failures, parameter errors, operation restrictions, and access failures. Each status code contains the numeric value, symbolic name, and description.

CANCELED = (869716886, 'HSE_SRV_RSP_CANCELED', 'The service has been canceled.')#

CANCEL_FAILURE = (869716577, 'HSE_SRV_RSP_CANCEL_FAILURE', 'The service can not be canceled.')#

COUNTER_OVERFLOW = (869717299, 'HSE_SRV_RSP_COUNTER_OVERFLOW', 'The monotonic counter overflows.')#

FUSE_VDD_GND = (3141818355, 'HSE_SRV_RSP_FUSE_VDD_GND', 'EFUSE_VDD connected to ground during fuse write operation.')#

FUSE_WRITE_FAILURE = (3141818087, 'HSE_SRV_RSP_FUSE_WRITE_FAILURE', 'Fuse write operation failed.')#

GENERAL_ERROR = (869717233, 'HSE_SRV_RSP_GENERAL_ERROR', 'Error not covered by the other error codes is detected inside HSE.')#

INVALID_ADDR = (1436918378, 'HSE_SRV_RSP_INVALID_ADDR', 'The address parameters are invalid.')#

INVALID_PARAM = (1436918681, 'HSE_SRV_RSP_INVALID_PARAM', 'The HSE request parameters are invalid.')#

IPSEC_CE_DROP = (3711148378, 'HSE_SRV_RSP_IPSEC_CE_DROP', 'Decap CE DROP (ECN issue) error.')#

IPSEC_HEADER_LEN_OVERFLOW = (3711149273, 'HSE_SRV_RSP_IPSEC_HEADER_LEN_OVERFLOW', 'Operation successful, but IPsec additions cause overflow of IP header length field.')#

IPSEC_INVALID_DATA = (3711119667, 'HSE_SRV_RSP_IPSEC_INVALID_DATA', 'Invalid (malformed) IP packet.')#

IPSEC_PADDING_CHECK_FAIL = (3711149370, 'HSE_SRV_RSP_IPSEC_PADDING_CHECK_FAIL', 'IPsec padding check error found.')#

IPSEC_REPLAY_DETECTED = (3711120093, 'HSE_SRV_RSP_IPSEC_REPLAY_DETECTED', 'Valid packet but replay detected.')#

IPSEC_REPLAY_LATE = (3711120293, 'HSE_SRV_RSP_IPSEC_REPLAY_LATE', 'Valid packet but frame late in sequence.')#

IPSEC_SEQ_NUM_OVERFLOW = (3711120445, 'HSE_SRV_RSP_IPSEC_SEQNUM_OVERFLOW', 'Sequence number overflow.')#

IPSEC_TTL_EXCEEDED = (3711148755, 'HSE_SRV_RSP_IPSEC_TTL_EXCEEDED', 'Packet decrypted but TTL exceeded.')#

IPSEC_VALID_DUMMY_PAYLOAD = (3711149013, 'HSE_SRV_RSP_IPSEC_VALID_DUMMY_PAYLOAD', 'Valid Dummy Payload (type 59).')#

KEY_EMPTY = (2779403031, 'HSE_SRV_RSP_KEY_EMPTY', 'Specified key slot is empty.')#

KEY_INVALID = (2779402932, 'HSE_SRV_RSP_KEY_INVALID', "The key usage flags don't allow to perform the requested crypto operation.")#

KEY_NOT_AVAILABLE = (2779402674, 'HSE_SRV_RSP_KEY_NOT_AVAILABLE', 'Key is locked due to failed boot measurement or an active debugger.')#

KEY_UPDATE_ERROR = (2779403619, 'HSE_SRV_RSP_KEY_UPDATE_ERROR', 'Specified key slot cannot be updated due to errors in verification of the parameters.')#

KEY_WRITE_PROTECTED = (2779403318, 'HSE_SRV_RSP_KEY_WRITE_PROTECTED', 'Key slot to be loaded is protected with WRITE PROTECTION restriction flag.')#

MEMORY_FAILURE = (869716278, 'HSE_SRV_RSP_MEMORY_FAILURE', 'Detect physical errors, flipped bits etc., during memory read or write operations.')#

NOT_ALLOWED = (2857738780, 'HSE_SRV_RSP_NOT_ALLOWED', 'The operation is not allowed because of some restrictions.')#

NOT_ENOUGH_SPACE = (2857739121, 'HSE_SRV_RSP_NOT_ENOUGH_SPACE', 'There is no enough space to perform service.')#

NOT_SUPPORTED = (2857738526, 'HSE_SRV_RSP_NOT_SUPPORTED', 'The operation or feature not supported.')#

OK = (1436920371, 'HSE_SRV_RSP_OK', 'HSE service successfully executed with no error.')#

READ_FAILURE = (2857739303, 'HSE_SRV_RSP_READ_FAILURE', 'The service request failed because read access was denied.')#

RNG_INIT_IN_PROGRESS = (869783850, 'HSE_SRV_RSP_RNG_INIT_IN_PROGRESS', 'RNG Initialization is in Progress.')#

SBAF_UPDATE_REQUIRED = (3429301933, 'HSE_SRV_RSP_SBAF_UPDATE_REQUIRED', 'Operation is dependent on Secure BAF version, which on the device happens to be old.')#

SHE_BOOT_SEQUENCE_ERROR = (869783610, 'HSE_SRV_RSP_SHE_BOOT_SEQUENCE_ERROR', 'Received SHE_BOOT_OK or SHE_BOOT_FAILURE more then one time.')#

SHE_NO_SECURE_BOOT = (869717539, 'HSE_SRV_RSP_SHE_NO_SECURE_BOOT', 'HSE did not perform SHE based secure Boot.')#

STREAMING_MODE_FAILURE = (2857739953, 'HSE_SRV_RSP_STREAMING_MODE_FAILURE', 'The service request that uses streaming mode failed.')#

VERIFY_FAILED = (1436918116, 'HSE_SRV_RSP_VERIFY_FAILED', 'HSE signals that a verification request fails (e.g. MAC and Signature verification).')#

WRITE_FAILURE = (2857739543, 'HSE_SRV_RSP_WRITE_FAILURE', 'The service request failed because write access was denied.')#

class spsdk.ele.ele_constants.KeyBlobEncryptionAlgorithm(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE KeyBlob encryption algorithm enumeration.

This enumeration defines the supported encryption algorithms for KeyBlob operations in the EdgeLock Enclave (ELE), including AES and SM4 cipher modes.

AES_CBC = (3, 'AES_CBC', 'KeyBlob encryption algorithm AES CBC')#

AES_CTR = (4, 'AES_CTR', 'KeyBlob encryption algorithm AES CTR')#

AES_XTS = (55, 'AES_XTS', 'KeyBlob encryption algorithm AES XTS')#

SM4_CBC = (43, 'SM4_CBC', 'KeyBlob encryption algorithm SM4 CBC')#

class spsdk.ele.ele_constants.KeyBlobEncryptionIeeCtrModes(tag, label, description=None)#

Bases: SpsdkSoftEnum

IEE CTR mode enumeration for keyblob encryption.

This enumeration defines the available AES CTR (Counter) modes for IEE (Inline Encryption Engine) keyblob encryption, including address binding options and keystream-only mode.

AesCTRWAddress = (2, 'CTR_WITH_ADDRESS', ' AES CTR w address binding mode')#

AesCTRWOAddress = (3, 'CTR_WITHOUT_ADDRESS', ' AES CTR w/o address binding mode')#

AesCTRkeystream = (4, 'CTR_KEY_STREAM', 'AES CTR keystream only')#

class spsdk.ele.ele_constants.LifeCycle(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE device lifecycle state enumeration.

This enumeration defines the various lifecycle states that an ELE (EdgeLock Enclave) device can be in, from initial blank state through provisioning, deployment, and end-of-life states. Each lifecycle state represents a specific security and operational mode of the device.

LC_BLANK = (2, 'BLANK', 'Blank device')#

LC_BRICKED = (1024, 'BRICKED', 'BRICKED')#

LC_FAB = (4, 'FAB', 'Fab mode')#

LC_NXP_FR = (256, 'NXP_FR', 'Field Return NXP')#

LC_NXP_PROV = (8, 'NXP_PROV', 'NXP Provisioned')#

LC_OEM_CLSD = (64, 'OEM_CLSD', 'OEM Closed')#

LC_OEM_FR = (128, 'OEM_FR', 'Field Return OEM')#

LC_OEM_LCKD = (512, 'OEM_LCKD', 'OEM Locked')#

LC_OEM_OPEN = (16, 'OEM_OPEN', 'OEM Open')#

LC_OEM_SWC = (32, 'OEM_SWC', 'OEM Secure World Closed')#

class spsdk.ele.ele_constants.LifeCycleToSwitch(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE life cycle enumeration for switching operations.

This enumeration defines the available life cycle states that can be used in ELE (EdgeLock Enclave) life cycle switching requests, providing standardized constants for OEM closed and locked states.

OEM_CLOSED = (8, 'OEM_CLOSED', 'OEM Closed')#

OEM_LOCKED = (128, 'OEM_LOCKED', 'OEM Locked')#

class spsdk.ele.ele_constants.MessageIDs(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE Message Identifiers enumeration.

This enumeration defines all supported EdgeLock Enclave (ELE) message identifiers used for communication with the ELE firmware. Each message ID represents a specific command or request that can be sent to the ELE subsystem for various operations including authentication, key management, lifecycle updates, and system control.

ELE_COMMIT_REQ = (168, 'ELE_COMMIT_REQ', 'EdgeLock Enclave commit request.')#

ELE_DERIVE_KEY_REQ = (169, 'ELE_DERIVE_KEY_REQ', 'Derive key')#

ELE_DUMP_DEBUG_BUFFER_REQ = (33, 'ELE_DUMP_DEBUG_BUFFER_REQ', 'Dump the ELE logs')#

ELE_ENABLE_APC_REQ = (210, 'ELE_ENABLE_APC_REQ', 'Enable APC (Application processor)')#

ELE_ENABLE_RTC_REQ = (211, 'ELE_ENABLE_RTC_REQ', 'Enable RTC (Runtime processor)')#

ELE_FWD_LIFECYCLE_UP_REQ = (149, 'ELE_FWD_LIFECYCLE_UP_REQ', 'Forward Lifecycle update')#

ELE_FW_AUTH_REQ = (2, 'ELE_FW_AUTH_REQ', 'ELE firmware authenticate request.')#

ELE_GET_EVENTS_REQ = (162, 'ELE_GET_EVENTS_REQ', 'Get Events')#

ELE_OEM_CNTN_AUTH_REQ = (135, 'ELE_OEM_CNTN_AUTH_REQ', 'OEM Container authenticate')#

ELE_RELEASE_CONTAINER_REQ = (137, 'ELE_RELEASE_CONTAINER_REQ', 'Release Container.')#

ELE_RESET_APC_CTX_REQ = (216, 'ELE_RESET_APC_CTX_REQ', 'Reset APC Context')#

ELE_VERIFY_IMAGE_REQ = (136, 'ELE_VERIFY_IMAGE_REQ', 'Verify Image')#

GENERATE_KEY_BLOB_REQ = (175, 'GENERATE_KEY_BLOB_REQ', 'Generate KeyBlob request.')#

GET_FW_STATUS_REQ = (197, 'GET_FW_STATUS_REQ', 'Get ELE FW status request.')#

GET_FW_VERSION_REQ = (157, 'GET_FW_VERSION_REQ', 'Get firmware version request.')#

GET_INFO_REQ = (218, 'GET_INFO_REQ', 'Get ELE Information request.')#

GET_TRNG_STATE_REQ = (164, 'GET_TRNG_STATE_REQ', 'Get True Random Generator state request.')#

KEY_STORE_CLOSE_REQ = (49, 'KEY_STORE_CLOSE_REQ', 'Key Store Close Request')#

KEY_STORE_OPEN_REQ = (48, 'KEY_STORE_OPEN_REQ', 'Key Store Open Request')#

LOAD_KEY_BLOB_REQ = (167, 'LOAD_KEY_BLOB_REQ', 'Load KeyBlob request.')#

PING_REQ = (1, 'PING_REQ', 'Ping request.')#

PUBLIC_KEY_EXPORT_REQ = (50, 'PUBLIC_KEY_EXPORT_REQ', 'Public Key Export Request')#

READ_COMMON_FUSE = (151, 'READ_COMMON_FUSE', 'Read common fuse request.')#

READ_SHADOW_FUSE = (243, 'READ_SHADOW_FUSE', 'Read shadow fuse request.')#

RESET_REQ = (199, 'RESET_REQ', 'System reset request.')#

RETURN_LIFECYCLE_UPDATE_REQ = (160, 'RETURN_LIFECYCLE_UPDATE_REQ', 'Return lifecycle update request.')#

SAB_INIT_REQ = (23, 'SAB_INIT_REQ', 'SAB Init Request')#

SESSION_CLOSE_REQ = (17, 'SESSION_CLOSE_REQ', 'Session Close Request')#

SESSION_OPEN_REQ = (16, 'SESSION_OPEN_REQ', 'Session Open Request')#

START_RNG_REQ = (163, 'START_RNG_REQ', 'Start True Random Generator request.')#

WRITE_FUSE = (214, 'WRITE_FUSE', 'Write fuse')#

WRITE_SEC_FUSE_REQ = (145, 'WRITE_SEC_FUSE_REQ', 'Write secure fuse request.')#

WRITE_SHADOW_FUSE = (242, 'WRITE_SHADOW_FUSE', 'Write shadow fuse')#

class spsdk.ele.ele_constants.MessageUnitId(tag, label, description=None)#

Bases: SpsdkSoftEnum

Message Unit ID enumeration for ELE communication.

This enumeration defines the available message unit identifiers used for communication with the EdgeLock Enclave (ELE) subsystem.

APD_MU = (2, 'APD_MU', 'Application Processor message unit')#

RTD_MU = (1, 'RTD_MU', 'Real Time Device message unit')#

class spsdk.ele.ele_constants.ResponseIndication(tag, label, description=None)#

Bases: SpsdkSoftEnum

ELE Message Response indication enumeration.

This enumeration defines response indication codes returned by the EdgeLock Enclave (ELE) to indicate various failure conditions and error states during message processing.

ELE_ABORT_IND = (255, 'ELE_ABORT_IND', 'Abort')#

ELE_APC_ALREADY_ENABLED_FAILURE_IND = (203, 'ELE_APC_ALREADY_ENABLED_FAILURE_IND', 'APC already enabled failure')#

ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND = (187, 'ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND', 'Authentication skipped or failed failure')#

ELE_BAD_CERTIFICATE_FAILURE_IND = (252, 'ELE_BAD_CERTIFICATE_FAILURE_IND', 'Bad certificate failure')#

ELE_BAD_CONTAINER_FAILURE_IND = (247, 'ELE_BAD_CONTAINER_FAILURE_IND', 'Bad container failure')#

ELE_BAD_FUSE_ID_FAILURE_IND = (246, 'ELE_BAD_FUSE_ID_FAILURE_IND', 'Bad fuse ID failure')#

ELE_BAD_HASH_FAILURE_IND = (241, 'ELE_BAD_HASH_FAILURE_IND', 'Bad hash failure')#

ELE_BAD_ID_FAILURE_IND = (191, 'ELE_BAD_ID_FAILURE_IND', 'Bad ID failure')#

ELE_BAD_IMAGE_ADDR_FAILURE_IND = (196, 'ELE_BAD_IMAGE_ADDR_FAILURE_IND', 'Bad image address failure')#

ELE_BAD_IMAGE_NUM_FAILURE_IND = (195, 'ELE_BAD_IMAGE_NUM_FAILURE_IND', 'Bad image number failure')#

ELE_BAD_IMAGE_PARAM_FAILURE_IND = (197, 'ELE_BAD_IMAGE_PARAM_FAILURE_IND', 'Bad image parameters failure')#

ELE_BAD_IMAGE_TYPE_FAILURE_IND = (198, 'ELE_BAD_IMAGE_TYPE_FAILURE_IND', 'Bad image type failure')#

ELE_BAD_KEY_HASH_FAILURE_IND = (250, 'ELE_BAD_KEY_HASH_FAILURE_IND', 'The key hash verification does not match OTP')#

ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND = (254, 'ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND', 'Bad monotonic counter failure')#

ELE_BAD_PAYLOAD_FAILURE_IND = (177, 'ELE_BAD_PAYLOAD_FAILURE_IND', 'Bad payload failure')#

ELE_BAD_SIGNATURE_FAILURE_IND = (240, 'ELE_BAD_SIGNATURE_FAILURE_IND', 'Bad signature failure')#

ELE_BAD_SRK_SET_FAILURE_IND = (239, 'ELE_BAD_SRK_SET_FAILURE_IND', 'Bad SRK set failure')#

ELE_BAD_UID_FAILURE_IND = (253, 'ELE_BAD_UID_FAILURE_IND', 'Bad UID failure')#

ELE_BAD_VALUE_FAILURE_IND = (245, 'ELE_BAD_VALUE_FAILURE_IND', 'Bad value failure')#

ELE_BAD_VERSION_FAILURE_IND = (248, 'ELE_BAD_VERSION_FAILURE_IND', 'Bad version failure')#

ELE_CORRUPTED_SRK_FAILURE_IND = (208, 'ELE_CORRUPTED_SRK_FAILURE_IND', 'Corrupted SRK failure')#

ELE_CRC_ERROR_IND = (185, 'ELE_CRC_ERROR_IND', 'CRC error')#

ELE_CSTM_FAILURE_IND = (207, 'ELE_CSTM_FAILURE_IND', 'CSTM failure')#

ELE_DECRYPTION_FAILURE_IND = (169, 'ELE_DECRYPTION_FAILURE_IND', 'Decryption failure')#

ELE_DISABLED_FEATURE_FAILURE_IND = (182, 'ELE_DISABLED_FEATURE_FAILURE_IND', 'Disabled feature failure')#

ELE_DMA_FAILURE_IND = (181, 'ELE_DMA_FAILURE_IND', 'DMA failure')#

ELE_ENCRYPTION_FAILURE_IND = (168, 'ELE_ENCRYPTION_FAILURE_IND', 'Encryption failure')#

ELE_FW_PING_FAILURE_IND = (26, 'ELE_FW_PING_FAILURE_IND', 'Firmware ping failure')#

ELE_INCONSISTENT_PAR_FAILURE_IND = (188, 'ELE_INCONSISTENT_PAR_FAILURE_IND', 'Inconsistent parameter failure')#

ELE_INVALID_KEY_FAILURE_IND = (249, 'ELE_INVALID_KEY_FAILURE_IND', 'The key in the container is invalid')#

ELE_INVALID_LIFECYCLE_IND = (242, 'ELE_INVALID_LIFECYCLE_IND', 'Invalid lifecycle')#

ELE_INVALID_MESSAGE_FAILURE_IND = (244, 'ELE_INVALID_MESSAGE_FAILURE_IND', 'Invalid message failure')#

ELE_INVALID_OPERATION_FAILURE_IND = (192, 'ELE_INVALID_OPERATION_FAILURE_IND', 'Invalid operation failure')#

ELE_LOCKED_REG_FAILURE_IND = (190, 'ELE_LOCKED_REG_FAILURE_IND', 'Locked register failure')#

ELE_MSG_TRUNCATED_IND = (194, 'ELE_MSG_TRUNCATED_IND', 'Message truncated failure')#

ELE_MUST_ATTEST_FAILURE_IND = (183, 'ELE_MUST_ATTEST_FAILURE_IND', 'Must attest failure')#

ELE_MUST_SIGNED_FAILURE_IND = (224, 'ELE_MUST_SIGNED_FAILURE_IND', 'Must be signed failure')#

ELE_NON_SECURE_STATE_FAILURE_IND = (193, 'ELE_NON_SECURE_STATE_FAILURE_IND', 'Non secure state failure')#

ELE_NO_AUTHENTICATION_FAILURE_IND = (238, 'ELE_NO_AUTHENTICATION_FAILURE_IND', 'No authentication failure')#

ELE_NO_VALID_CONTAINER_FAILURE_IND = (251, 'ELE_NO_VALID_CONTAINER_FAILURE_IND', 'No valid container failure')#

ELE_OLD_VERSION_FAILURE_IND = (206, 'ELE_OLD_VERSION_FAILURE_IND', 'Old version failure')#

ELE_OTP_INVALID_IDX_FAILURE_IND = (173, 'ELE_OTP_INVALID_IDX_FAILURE_IND', 'OTP Invalid IDX failure')#

ELE_OTP_LOCKED_FAILURE_IND = (171, 'ELE_OTP_LOCKED_FAILURE_IND', 'OTP locked failure')#

ELE_OTP_PROGFAIL_FAILURE_IND = (170, 'ELE_OTP_PROGFAIL_FAILURE_IND', 'OTP program fail failure')#

ELE_OUT_OF_MEMORY_IND = (209, 'ELE_OUT_OF_MEMORY_IND', 'Out of memory failure')#

ELE_PERMISSION_DENIED_FAILURE_IND = (243, 'ELE_PERMISSION_DENIED_FAILURE_IND', 'Permission denied failure')#

ELE_RNG_INST_FAILURE_IND = (189, 'ELE_RNG_INST_FAILURE_IND', 'Random number generator instantiation failure')#

ELE_RNG_NOT_STARTED_FAILURE_IND = (184, 'ELE_RNG_NOT_STARTED_FAILURE_IND', 'Random number generator not started failure')#

ELE_ROM_PING_FAILURE_IND = (10, 'ELE_ROM_PING_FAILURE_IND', 'ROM ping failure')#

ELE_RTC_ALREADY_ENABLED_FAILURE_IND = (204, 'ELE_RTC_ALREADY_ENABLED_FAILURE_IND', 'RTC already enabled failure')#

ELE_TIME_OUT_FAILURE_IND = (176, 'ELE_TIME_OUT_FAILURE_IND', 'Timeout failure')#

ELE_UNALIGNED_PAYLOAD_FAILURE_IND = (166, 'ELE_UNALIGNED_PAYLOAD_FAILURE_IND', 'Un-aligned payload failure')#

ELE_WRONG_ADDRESS_FAILURE_IND = (180, 'ELE_WRONG_ADDRESS_FAILURE_IND', 'Wrong address failure')#

ELE_WRONG_BOOT_MODE_FAILURE_IND = (205, 'ELE_WRONG_BOOT_MODE_FAILURE_IND', 'Wrong boot mode failure')#

ELE_WRONG_SIZE_FAILURE_IND = (167, 'ELE_WRONG_SIZE_FAILURE_IND', 'Wrong size failure')#

class spsdk.ele.ele_constants.ResponseStatus(tag, label, description=None)#

Bases: SpsdkEnum

ELE Message Response status enumeration.

This enumeration defines the possible response status codes returned by ELE (EdgeLock Enclave) message operations, indicating success or failure of requests.

ELE_FAILURE_IND = (41, 'Failure', 'The request failed')#

ELE_SUCCESS_IND = (214, 'Success', 'The request was successful')#

class spsdk.ele.ele_constants.SocId(tag, label, description=None)#

Bases: SpsdkSoftEnum

SOC Identification enumeration for NXP microcontrollers.

This enumeration provides standardized identifiers for supported System-on-Chip (SOC) devices in the SPSDK library, mapping numeric IDs to device names and marketing names.

MX8ULP = (2125, 'MX8ULP', 'i.MX8ULP')#

MX91 = (37120, 'MX91', 'i.MX91')#

MX93 = (37632, 'MX93', 'i.MX93')#

MX943 = (37936, 'MX943', 'i.MX943')#

MX95 = (38144, 'MX95', 'i.MX95')#

RT1180 = (4480, 'RT1180', 'i.MXRT1180')#

ELE message support API

Contents

ELE message support API#

Module with the EdgeLock Enclave messages#

Module with the HSE(Hardware Security Engine) EdgeLock Enclave messages#

Module with the EdgeLock Enclave message handler with mBoot#

Module with the EdgeLock Enclave message constants#