User Guide - nxpele#

This user guide describes how to use the nxpele application. nxpele is a tool for communicating with the EdgeLock Enclave hardware on the target where it is used, for example i.MX RT1180 or i.MX 93.

Nxpele supports three modes of communication:

  • mboot mode - nxpele communicates with EdgeLock Enclave using mboot commands (i.MX RT1180).

To use nxpele in mboot mode, the flashloader must be loaded into target memory. This mode relies on mboot commands (write-memory, read-memory and ele-message), so nxpele provides the standard blhost options for establishing a connection with ISP mboot.

  • uboot_serial mode - nxpele communicates with EdgeLock Enclave using u-boot serial console.

To use nxpele in uboot mode, the U-Boot serial console must be enabled and U-Boot must be built with support for AHAB (CONFIG_AHAB_UBOOT=y). This implementation relies on the “ele_message” command in the U-Boot console.

  • uboot_fastboot mode - nxpele communicates with EdgeLock Enclave using u-boot fastboot.

To use nxpele in uboot_fastboot mode, U-Boot fastboot must be enabled. U-Boot must be built with support for AHAB (CONFIG_AHAB_UBOOT=y), and console multiplexing must be enabled (CONFIG_CONSOLE_MUX=y). This is the fastest method to communicate with EdgeLock Enclave.

For more information about building U-Boot with AHAB support, refer to the U-Boot documentation: https://docs.u-boot.org/en/latest/build/gcc.html

nxpele supports the following commands:

NXP EdgeLock Enclave - available commands#

Command                     Description
get-families                SPSDK CLI command for displaying family information.
batch                       Invoke nxpele commands defined in command file.
ping                        Send general EdgeLock Enclave PING message.
enable-apc                  Send request to enable APC to EdgeLock Enclave.
enable-rtc                  Send request to enable RTC to EdgeLock Enclave.
reset-apc-context           Send request to reset APC context in EdgeLock Enclave.
reset                       Send general EdgeLock Enclave RESET message.
get-ele-fw-status           Get status of EdgeLock Enclave firmware.
get-ele-trng-state          Get status of EdgeLock Enclave TRNG.
get-ele-fw-version          Get version of EdgeLock Enclave firmware.
get-info                    Get information from EdgeLock Enclave.
ele-fw-auth                 Authenticate and execute EdgeLock Enclave firmware.
dump-debug-buffer           Dump EdgeLock Enclave debug buffer logs.
read-common-fuse            Read common fuse from EdgeLock Enclave.
read-shadow-fuse            Read shadow fuse from EdgeLock Enclave.
oem-cntn-auth               Authenticate OEM container.
commit                      Commit information.
derive-key                  Derive key.
verify-image                Verify OEM image.
release-container           Release EdgeLock Enclave firmware message.
forward-lifecycle-update    Forward Lifecycle update to Closed or Locked state.
signed-message              Send signed message to EdgeLock Enclave.
get-events                  Get stored events in EdgeLock Enclave.
start-trng                  Start True Random Number Generator in EdgeLock Enclave message.
load-keyblob                Load EdgeLock Enclave keyblob to hardware.
generate-keyblob            Group of sub-commands related to generate Keyblob.
write-fuse                  Write one fuse by specifying index and data to be written.
write-shadow-fuse           Write one shadow fuse by specifying index and data to be written.
session-open                Open EdgeLock Enclave HSM session.
sab-init                    Initialize EdgeLock Secure Enclave Firmware HSM services.
session-close               Close EdgeLock Enclave HSM session.
keystore-open               Open EdgeLock Enclave key store service.
keystore-close              Close EdgeLock Enclave key store service.
public-key-export           Export public key from EdgeLock Enclave key store.
export-nxp-prod-ka-puk      Export NXP Production Key Agreement Public Key.
hse                         Hardware Security Engine commands.

Command line interface#

nxpele#

Utility for communication with the EdgeLock Enclave on target over BLHOST or UBOOT.

Usage

nxpele [OPTIONS] COMMAND [ARGS]...

Options

-t, --timeout <ms>#

Sets timeout when waiting on data over a serial line. The default is 5000 milliseconds.

-p, --port <COM[,speed]>#

Serial port configuration. Default baud rate is 57600. Use ‘nxpdevscan’ utility to list devices on serial port.

-u, --usb <VID:PID|USB_PATH|DEV_NAME>#

USB device identifier.
Following formats are supported: <vid>, <vid:pid> or <vid,pid>, device/instance path, device name.
<vid>: hex or dec string; e.g. 0x0AB12, 43794.
<vid/pid>: hex or dec string; e.g. 0x0AB12:0x123, 1:3451.
Use ‘nxpdevscan’ utility to list connected device names.

-l, --lpcusbsio <[usb,VID:PID|USB_PATH|SER_NUM,]spi|i2c>#

USB-SIO bridge interface.

Optional USB device filtering formats: [usb,vid:pid|usb_path|serial_number]

Following serial interfaces are supported:

spi[index][,port,pin,speed_kHz,polarity,phase]
- index … optional index of SPI peripheral. Example: “spi1” (default=0)
- port … bridge GPIO port used as SPI SSEL (default=0)
- pin … bridge GPIO pin used as SPI SSEL (default=15). The default SSEL is set to 0.15, which works for the LPCLink2 bridge. The MCULink OB bridge ignores the SSEL value anyway.
- speed_kHz … SPI clock in kHz (default 1000)
- polarity … SPI CPOL option (default=1)
- phase … SPI CPHA option (default=1)
- nirq_port … nIRQ port number (default None)
- nirq_pin … nIRQ pin number (default None)

i2c[index][,address,speed_kHz]
- index … optional index of I2C peripheral. Example: “i2c1” (default=0)
- address … I2C device address (default 0x10)
- speed_kHz … I2C clock in kHz (default 100)
- nirq_port … nIRQ port number (default None)
- nirq_pin … nIRQ pin number (default None)

Following types of interface configuration formats are supported:
- string with comma separated arguments, i.e. spi1,0,15,1000,1
- string with comma separated keyword arguments (the order may not be maintained), i.e. spi1,port=0,speed_kHz=1000,nirq_port=1,nirq_pin=7
- string with combination of comma separated arguments and keyword arguments, i.e. spi1,0,15,nirq_port=1,nirq_pin=7

-b, --buspal <spi[,speed,polarity,phase,lsb|msb] | i2c[,address,speed]>#

Buspal settings

-d, --device <device>#

Select connection method for ELE communication, otherwise default from DB will be used

Options:

mboot | uboot_serial | uboot_fastboot

--buffer-addr <buffer_addr>#

Override default buffer address for ELE communication

--buffer-size <buffer_size>#

Override default buffer size for ELE communication

--fb-addr <fb_addr>#

Override default buffer address for fastboot

--fb-size <fb_size>#

Override default buffer size for fastboot

-v, --verbose#

Print more detailed information

-vv, --debug#

Display more debugging information.

--version#

Show the version and exit.

--help#

Show this message and exit.

-f, --family <family>#

[required] Select the chip family.

Options:

mcxe315 | mcxe316 | mcxe317 | mcxe31b | mimx8ulp | mimx9131 | mimx9352 | mimx943 | mimx95294 | mimx9596 | mimxrt1181 | mimxrt1182 | mimxrt1186 | mimxrt1187 | mimxrt1189

batch#

Invoke nxpele commands defined in command file.

Command file contains one nxpele command per line. Example: “write-fuse --index=129 --data=0x7021b4a5”

Comments are supported. Everything after ‘#’ is a comment (just like in Python/Shell)

Note: This is an early experimental format, it may change at any time.

COMMAND_FILE - path to nxpele command file

Usage

nxpele batch [OPTIONS] COMMAND_FILE

Arguments

COMMAND_FILE#

Required argument
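
A pre-flight check for a command file before it is handed to `nxpele batch`, as an added example that is not part of SPSDK. It parses the file the way the format is described above (one command per line, `#` starts a comment), rejects command names that are not in the table on this page, catches options pasted with a typographic dash instead of `--`, and marks commands for sign-off. The sign-off list and the sample file are assumptions of this example.

```python
import shlex

# Top-level nxpele commands, taken from the command table on this page.
KNOWN_COMMANDS = {
    "get-families", "batch", "ping", "enable-apc", "enable-rtc",
    "reset-apc-context", "reset", "get-ele-fw-status", "get-ele-trng-state",
    "get-ele-fw-version", "get-info", "ele-fw-auth", "dump-debug-buffer",
    "read-common-fuse", "read-shadow-fuse", "oem-cntn-auth", "commit",
    "derive-key", "verify-image", "release-container",
    "forward-lifecycle-update", "signed-message", "get-events", "start-trng",
    "load-keyblob", "generate-keyblob", "write-fuse", "write-shadow-fuse",
    "session-open", "sab-init", "session-close", "keystore-open",
    "keystore-close", "public-key-export", "export-nxp-prod-ka-puk", "hse",
}

# Review policy assumed by this example (not defined by nxpele): command
# prefixes that write fuses, commit, advance a lifecycle or erase firmware.
NEEDS_SIGN_OFF = [
    ("write-fuse",),
    ("commit",),
    ("forward-lifecycle-update",),
    ("hse", "fw-erase"),
    ("hse", "set-attr", "secure_lifecycle"),
]

TYPOGRAPHIC_DASHES = ("\u2013", "\u2014")  # en dash, em dash


def lint_batch(text):
    """Return (line_number, level, message) findings for a command file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            # comments=True drops everything after '#', as the format specifies
            tokens = shlex.split(raw, comments=True)
        except ValueError as exc:  # for example an unbalanced quote
            findings.append((lineno, "error", f"cannot parse line: {exc}"))
            continue
        if not tokens:
            continue  # blank or comment-only line
        if tokens[0] not in KNOWN_COMMANDS:
            findings.append((lineno, "error", f"unknown command {tokens[0]!r}"))
            continue
        for tok in tokens[1:]:
            if tok.startswith(TYPOGRAPHIC_DASHES):
                findings.append((lineno, "error",
                                 f"{tok!r} starts with a typographic dash, use '--'"))
        for prefix in NEEDS_SIGN_OFF:
            if tuple(tokens[:len(prefix)]) == prefix:
                findings.append((lineno, "review",
                                 f"{' '.join(prefix)} needs explicit sign-off"))
    return findings


# Constructed sample command file (not from the SPSDK documentation).
SAMPLE = """\
# provisioning draft
ping
get-info --attribute life_cycle
write-shadow-fuse --index=129 --data=0x7021b4a5   # trial value
write-fuse \u2013index=129 \u2013data=0x7021b4a5
forward-lifecycle-update --lifecycle OEM_CLOSED
hse fw-erase --yes
erase-everything
"""

if __name__ == "__main__":
    for lineno, level, message in lint_batch(SAMPLE):
        print(f"line {lineno}: {level}: {message}")
```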

commit#

Commit information.

Usage

nxpele commit [OPTIONS]

Options

-i, --commit-info <commit_info>#

Required Info to be committed. It could be used multiple

Options:

NXP_SRK_REVOCATION | NXP_FW_FUSE | OEM_SRK_REVOCATION | OEM_FW_FUSE

derive-key#

Derive key.

Allowed sizes are 16 and 32 bytes.

Usage

nxpele derive-key [OPTIONS]

Options

-s, --size <size>#

Size of output key

Options:

16 | 32

-c, --key-diversification-context <key_diversification_context>#

File path to Key diversification context binary file

-o, --output <output>#

Derived key output file.

dump-debug-buffer#

Dump EdgeLock Enclave debug buffer logs.

EdgeLock Secure Enclave has a logging mechanism for debugging purposes. Logs are sent over MU with maximum 20 logs per exchange. If ELE has more than 20 logs in buffer, this command must be called multiple times.

Logs are not in plaintext and can only be interpreted by STEC ROM/FW team. Make sure to respect log printing format before sending to STEC team.

Usage

nxpele dump-debug-buffer [OPTIONS]

Options

-o, --output <output>#

Store debug logs into a file. If not used, logs are printed to console.

--dump-all#

Dump all available logs by calling the command multiple times if needed.

ele-fw-auth#

Authenticate and execute EdgeLock Enclave firmware.

Firmware should be placed in any memory accessible by ROM code if ‘-a’ is used, otherwise the correct address will be used.

Usage

nxpele ele-fw-auth [OPTIONS]

Options

-a, --address <address>#

Address of EdgeLock Enclave firmware container in target memory.

-b, --binary <binary>#

File name with binary of EdgeLock Enclave firmware.

enable-apc#

Send request to enable APC to EdgeLock Enclave.

Usage

nxpele enable-apc [OPTIONS]

enable-rtc#

Send request to enable RTC to EdgeLock Enclave.

Usage

nxpele enable-rtc [OPTIONS]

export-nxp-prod-ka-puk#

Export NXP Production Key Agreement Public Key.

This command performs the complete sequence to export the NXP production key agreement public key (nxp_prod_ka_puk):

  1. SAB Init - Initialize EdgeLock Secure Enclave Firmware HSM services

  2. Session Open - Open a session for HSM operations

  3. Keystore Open - Open/create a shared keystore

  4. Public Key Export - Export the NXP production key agreement public key

  5. Cleanup - Close keystore and session (unless --keep-session is used)

The exported key is typically 64 bytes for ECC P-256 keys (32 bytes x + 32 bytes y) in non-compressed form, big-endian order.

Usage

nxpele export-nxp-prod-ka-puk [OPTIONS]

Options

-n, --nonce <nonce>#

Nonce used as authentication proof for accessing the key store (default: 0x1234).

--keystore-id <keystore_id>#

Key store identifier (default: 0xABCD).

--key-id <key_id>#

Key ID for NXP production key agreement public key (default: 0x70000000).

-s, --buffer-size <buffer_size>#

Length in bytes of the output public key buffer (default: 64).

-o, --output <output>#

Required Output file to store the exported NXP production key agreement public key.

--keep-session#

Keep session and keystore open after export (for debugging).

forward-lifecycle-update#

Forward Lifecycle update to Closed or Locked state.

The Forward Lifecycle update message is used to change the chip lifecycle. It is used for updating the lifecycle state to OEM Closed or OEM Locked.

Usage

nxpele forward-lifecycle-update [OPTIONS]

Options

-l, --lifecycle <lifecycle>#

Required Lifecycle value to switch to

Options:

OEM_CLOSED | OEM_LOCKED

generate-keyblob#

Group of sub-commands related to generate Keyblob.

Usage

nxpele generate-keyblob [OPTIONS] COMMAND [ARGS]...

DEK#

Generate DEK keyblob on EdgeLock Enclave.

Usage

nxpele generate-keyblob DEK [OPTIONS]

Options

-a, --algorithm <algorithm>#

Required Encryption algorithm to wrap key.

Options:

AES_CBC | SM4_CBC

-i, --key-id <key_id>#

Required Key ID (also known as Key Identifier); the same value has to be provided again when decrypting the generated blob.

-k, --key <key>#

Required Key as hexadecimal string or path to file containing key in plain text or in binary

-s, --key-size <key_size>#

Required Key size in bits. Allowed combinations: AES_CBC: [128, 192, 256], SM4_CBC: [128].

-o, --output <output>#

Store DEK keyblob into a file. If not used, then value is just printed to console.

IEE#

Generate IEE keyblob atomic command on EdgeLock Enclave.

Usage

nxpele generate-keyblob IEE [OPTIONS]

Options

-i, --key-id <key_id>#

Required Key ID (also known as Key Identifier); the same value has to be provided again when decrypting the generated blob.

-a, --algorithm <algorithm>#

Required Encryption algorithm to wrap key.

Options:

AES_XTS | AES_CTR

-k, --key <key>#

Required AES Key as hexadecimal string or path to file containing key in plain text or in binary

-s, --key-size <key_size>#

Required Key size in bits. Allowed combinations: AES_XTS: [256, 512], AES_CTR: [128, 256].

-c, --counter <counter>#

AES 64 bit counter as hexadecimal string or path to file containing key in plain text or in binary

-m, --ctr-mode <ctr_mode>#

AES CTR mode, in case CTR is used

Options:

CTR_WITH_ADDRESS | CTR_WITHOUT_ADDRESS | CTR_KEY_STREAM

-p, --page-offset <page_offset>#

IEE page offset, default is 0

-r, --region-number <region_number>#

Required Region number

-b, --bypass#

Bypass Encryption

-l, --locked#

Lock configuration

-o, --output <output>#

Store IEE keyblob into a file. If not used, then value is just printed to console.

IEE-KEYBLOB#

Generate IEE keyblob on EdgeLock Enclave.

Usage

nxpele generate-keyblob IEE-KEYBLOB [OPTIONS]

Options

-r, --region-number <region_number>#

Required Region number

-c, --config <config>#

Required Configuration file from NXPIMAGE IEE tool. All needed values are loaded from the config.

-oc, --override-config <key_path=value>#

Allows overriding individual configuration settings. The use is simple: ‘key_path=value’, like ‘family=mimxrt595s’, or in a structured configuration with the separating character ‘/’, like ‘containers/0/binary_container=my_container.bin’. It can be used multiple times.

-o, --output <output>#

Store IEE keyblob into a file. If not used, value is just printed to console.

OTFAD#

Generate OTFAD keyblob atomic command on EdgeLock Enclave.

This command just returns the raw format of one quarter of the whole OTFAD DUK keyblob. For experts only! To get a whole working keyblob, use the OTFAD-KEYBLOB command.

Usage

nxpele generate-keyblob OTFAD [OPTIONS]

Options

-i, --key-id <key_id>#

Required Key ID (also known as Key Identifier):
- Byte 0: Index of the OTFAD key struct (0 .. 3). Important when the key scrambling is enabled.
- Byte 1: 0x1 - FlexSPI 1, 0x2 - FlexSPI 2.
- Bytes 2-3: reserved

-k, --key <key>#

Required AES 128 key as hexadecimal string or path to file containing key in plain text or in binary

-c, --counter <counter>#

Required AES 64 bit counter as hexadecimal string or path to file containing key in plain text or in binary

-s, --start-address <start_address>#

Required Start address of OTFAD. Address must be aligned to 1KB block

-e, --end-address <end_address>#

Required End address of OTFAD. Address must be aligned to 1KB block

-r, --read-only#

Configuration is read only

-d, --decryption_enabled#

Decryption is enabled

-v, --valid#

Configuration is valid

-o, --output <output>#

Store OTFAD keyblob into a file. If not used, value is just printed to console.

OTFAD-KEYBLOB#

Generate OTFAD keyblob on EdgeLock Enclave.

Usage

nxpele generate-keyblob OTFAD-KEYBLOB [OPTIONS]

Options

-i, --flexspi-index <flexspi_index>#

Index of used FlexSPI peripheral. Typically 1 or 2.

-c, --config <config>#

Required Configuration file from NXPIMAGE OTFAD tool. All needed values are loaded from the config.

-oc, --override-config <key_path=value>#

Allows overriding individual configuration settings. The use is simple: ‘key_path=value’, like ‘family=mimxrt595s’, or in a structured configuration with the separating character ‘/’, like ‘containers/0/binary_container=my_container.bin’. It can be used multiple times.

-o, --output <output>#

Store OTFAD keyblob into a file. If not used, value is just printed to console.

get-ele-fw-status#

Get status of EdgeLock Enclave firmware.

Usage

nxpele get-ele-fw-status [OPTIONS]

get-ele-fw-version#

Get version of EdgeLock Enclave firmware.

Usage

nxpele get-ele-fw-version [OPTIONS]

get-ele-trng-state#

Get status of EdgeLock Enclave TRNG.

Usage

nxpele get-ele-trng-state [OPTIONS]

get-events#

Get stored events in EdgeLock Enclave.

Usage

nxpele get-events [OPTIONS]

get-families#

Shows the full family info for commands in this group.

Usage

nxpele get-families [OPTIONS]

get-info#

Get information from EdgeLock Enclave.

By default, displays all available information. Use --attribute to retrieve a specific piece of information.

Usage

nxpele get-info [OPTIONS]

Options

-a, --attribute <attribute>#

Specific attribute to retrieve. If not specified, all information is displayed.

Options:

cmd | version | length | soc_id | soc_rev | life_cycle | sssm_state | attest_api_version | uuid | sha256_rom_patch | sha256_fw | oem_srkh | imem_state | csal_state | trng_state | oem_pqc_srkh

hse#

Hardware Security Engine commands.

Usage

nxpele hse [OPTIONS] COMMAND [ARGS]...

format-key-catalog#

Format key catalog.

Usage

nxpele hse format-key-catalog [OPTIONS]

Options

--key-catalog <key_catalog>#

Required Path to key catalog binary or configuration file. Key catalog configuration can be created using ‘nxpimage hse key-catalog’ commands.

fw-erase#

Erase HSE firmware from the device.

This service erases the HSE Firmware, SYS-IMG, and backup (if present) from the secure flash on the device.

IMPORTANT RESTRICTIONS:
- Available for flash-based devices only (HSE_B variant)
- Can only be performed in CUST_DEL life cycle
- This is a DESTRUCTIVE operation that cannot be undone

The command will return an error if attempted in any life cycle other than CUST_DEL.

Usage

nxpele hse fw-erase [OPTIONS]

Options

--yes#

Confirm the action without prompting.

fw-integrity-check#

Check HSE firmware integrity.

This service performs an integrity check of the HSE Firmware and SYS-IMG inside HSE to verify they have not been corrupted or tampered with.

Notes:
- Available for HSE_B variant only
- Non-destructive operation - only checks integrity
- Returns success if firmware integrity is valid, failure otherwise

Usage

nxpele hse fw-integrity-check [OPTIONS]

fw-update#

Update HSE firmware.

This service is used to update the HSE firmware into the HSE internal flash memory. Supports both one-pass and streaming modes (START, UPDATE, FINISH).

For streaming mode:
1. First use mode=START with the first chunk
2. Use mode=UPDATE for intermediate chunks
3. Finally use mode=FINISH for the last chunk

For one-pass mode:
- Use mode=ONE_PASS to update the entire firmware in one operation

If --binary is provided, the firmware will be loaded to the specified address before performing the update operation.

Usage

nxpele hse fw-update [OPTIONS]

Options

-m, --mode <mode>#

Required Access mode for firmware update (ONE_PASS, START, UPDATE, FINISH).

Options:

ONE_PASS | START | UPDATE | FINISH

-a, --fw-addr <fw_addr>#

Required Address of the HSE firmware file or chunk in target memory.

-l, --length <length>#

Length of firmware chunk in bytes (required for START and UPDATE modes, must be multiple of 64 bytes).

-b, --binary <binary>#

Binary file with HSE firmware to load to target memory before update (optional).
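
The chunking rules for streaming mode described above, worked through as an added example (not SPSDK code). `plan_fw_update` splits an image into START/UPDATE/FINISH steps whose START and UPDATE lengths are multiples of 64 bytes, or falls back to ONE_PASS when the image fits in one chunk; `check_sequence` validates a step list written by hand. The function names and the `max_chunk` parameter are assumptions of this example, and offsets are offsets into the firmware file, not target addresses.

```python
CHUNK_ALIGN = 64  # START and UPDATE lengths must be a multiple of 64 bytes


def plan_fw_update(total_len, max_chunk):
    """Split a firmware image of total_len bytes into (mode, offset, length)."""
    if total_len <= 0:
        raise ValueError("firmware image is empty")
    if max_chunk <= 0 or max_chunk % CHUNK_ALIGN:
        raise ValueError("max_chunk must be a positive multiple of 64")
    if total_len <= max_chunk:
        return [("ONE_PASS", 0, total_len)]
    steps, offset = [], 0
    # Every chunk except the last is exactly max_chunk bytes, so START and
    # UPDATE always meet the alignment rule; FINISH carries the remainder.
    while total_len - offset > max_chunk:
        steps.append(("START" if offset == 0 else "UPDATE", offset, max_chunk))
        offset += max_chunk
    steps.append(("FINISH", offset, total_len - offset))
    return steps


def check_sequence(steps):
    """Return a list of problems found in a list of (mode, offset, length)."""
    problems = []
    modes = [mode for mode, _, _ in steps]
    if modes == ["ONE_PASS"]:
        return problems
    if len(modes) < 2 or modes[0] != "START" or modes[-1] != "FINISH":
        problems.append("streaming update must begin with START and end with FINISH")
    for i, mode in enumerate(modes[1:-1], 1):
        if mode != "UPDATE":
            problems.append(f"step {i}: expected UPDATE, found {mode}")
    expected_offset = 0
    for i, (mode, offset, length) in enumerate(steps):
        if offset != expected_offset:
            problems.append(f"step {i}: offset {offset} leaves a gap or overlap")
        expected_offset = offset + length
        if mode in ("START", "UPDATE") and (length <= 0 or length % CHUNK_ALIGN):
            problems.append(f"step {i}: {mode} length {length} is not a multiple of 64")
    return problems


if __name__ == "__main__":
    # Constructed sizes: a 300-byte image streamed in 128-byte chunks.
    for step in plan_fw_update(300, 128):
        print(step)
```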

get-attr#

Get HSE attribute.

Usage

nxpele hse get-attr [OPTIONS]

Options

-id, --attr-id <attr_id>#

Required Attribute identifier to retrieve

Options:

FW_VERSION | CAPABILITIES | APP_DEBUG_KEY | SECURE_LIFECYCLE | ENABLE_PUBLISH_KEYSTORE_RAM_TO_FLASH

-j, --json#

Use JSON output

get-key-info#

Get HSE key information.

This command retrieves detailed information about a key using its handle. The information includes key flags, bit length, counter, SMR flags, and key type.

Usage

nxpele hse get-key-info [OPTIONS]

Options

-c, --catalog-id <catalog_id>#

Required Key catalog ID.

Options:

ROM | NVM | RAM

-g, --group-idx <group_idx>#

Required Group index in catalog.

-s, --slot-idx <slot_idx>#

Required Key slot index within the group.

img-sign#

Boot Data image sign.

Usage

nxpele hse img-sign [OPTIONS]

Options

-a, --img-addr <img_addr>#

Required The address of the Boot Data Image.

-l, --tag-length <tag_length>#

Length of the final signature with IV.

-o, --output <output>#

Store the signature into output file.

img-verify#

Verify Boot Data Image.

Verifies the GMAC tag of a Boot Data Image that was previously signed using the img-sign command. For HSE_H/M, verifies IVT/DCD/ST/LPDDR4(S32Z/E devices)/AppBSB image. For HSE_B, verifies IVT/AppBSB image.

Usage

nxpele hse img-verify [OPTIONS]

Options

-a, --img-addr <img_addr>#

Required The address of the Boot Data Image to verify (includes authentication TAG).

key-import#

Import key in HSE key catalog.

Usage

nxpele hse key-import [OPTIONS]

Options

--catalog-id <catalog_id>#

Required Key catalog ID.

Options:

ROM | NVM | RAM

--group-idx <group_idx>#

Required Group index in catalog.

--slot-idx <slot_idx>#

Required Key slot index within the group.

--key-info <key_info>#

Required Path to key info binary or configuration file.

--key-path <key_path>#

Required Path to a key to be loaded.

--key-format <key_format>#

Key format of the imported key. Applicable only for ECC keys.

Options:

RAW | UNCOMPRESSED | COMPRESSED

set-attr#

Attribute related commands.

Usage

nxpele hse set-attr [OPTIONS] COMMAND [ARGS]...

enable-publish-keystore-ram-to-flash#

Enable publish keystore RAM To Flash Attribute Handler.

Usage

nxpele hse set-attr enable-publish-keystore-ram-to-flash [OPTIONS]

Options

-v, --value <value>#

Required Config value to be set

Options:

CFG_NO | CFG_YES

secure_lifecycle#

Advance the secure lifecycle.

Usage

nxpele hse set-attr secure_lifecycle [OPTIONS]

Options

-v, --value <value>#

Required Config value to be set

Options:

CUST_DEL | OEM_PROD | IN_FIELD | PRE_FA | SIMULATED_OEM_PROD | SIMULATED_IN_FIELD

smr-entry-install#

Install SMR (Secure Memory Region).

Usage

nxpele hse smr-entry-install [OPTIONS]

Options

--entry-idx <entry_idx>#

Required SMR entry index.

-e, --smr-entry <smr_entry>#

Required Path to SMR entry binary data or config file.

-a, --auth-tag-addr <auth_tag_addr>#

Authentication tag address. For MAC and RSA signature, only one value is used. Both values are used for ECDSA and EDDSA signatures.

-l, --auth-tag-length <auth_tag_length>#

Authentication tag length. For MAC and RSA signature, only one value is used. Both values are used for ECDSA and EDDSA signatures.

keystore-close#

Close EdgeLock Enclave key store service.

Key store close command is used to close a key store service flow identified by its handle. Key store context and content is deleted from the EdgeLock Secure Enclave internal memory. Any update not written in the NVM will be lost.

Must be called after opening a valid key store service.

Usage

nxpele keystore-close [OPTIONS]

Options

-k, --keystore-handle <keystore_handle>#

Required Key store handle to close. Handle value returned by keystore-open command.

keystore-open#

Open EdgeLock Enclave key store service.

Key store open command is used to open a service flow on the specified key store. Maximum 2 key stores can be created/opened and maximum 100 keys per key store.

Must be called after opening a valid session. Required before other key store APIs.

Usage

nxpele keystore-open [OPTIONS]

Options

-s, --session-handle <session_handle>#

Required Session handle from session-open command.

-i, --keystore-id <keystore_id>#

Required Key store identifier set by the user.

-n, --nonce <nonce>#

Required Nonce used as authentication proof for accessing the key store.

--create#

Create a new key store (default is to load existing key store).

--shared#

Create/open shared keystore accessible from any MU (default is regular/isolated).

--sync#

SYNC operation - request completed only when written to NVM (for CREATE only).

--monotonic-counter#

Increment monotonic counter (used with SYNC operation).

load-keyblob#

Load EdgeLock Enclave keyblob to hardware.

The command ‘Load key blob’ is used to inject some keys in specific HW blocks. The expected blob must have been previously created by using the ‘Generate Key Blob’ command.

Usage

nxpele load-keyblob [OPTIONS]

Options

-i, --key-id <key_id>#

Required Key ID (also known as Key Identifier); the same value has to be provided again when decrypting the generated blob.

-b, --binary <binary>#

Required Binary file with EdgeLock Enclave keyblob to be loaded to HW.

oem-cntn-auth#

Authenticate OEM container.

Container should be placed in any memory accessible by ROM code

Usage

nxpele oem-cntn-auth [OPTIONS]

Options

-a, --address <address>#

Address of OEM container in target memory.

-b, --binary <binary>#

Alternative to defining the address: this option takes the binary file, loads it into the device and runs authentication.

ping#

Send general EdgeLock Enclave PING message.

Usage

nxpele ping [OPTIONS]

public-key-export#

Export public key from EdgeLock Enclave key store.

Exports the public key of an asymmetric key whose private key is present in the key store. Public key is re-calculated by default (except for Twisted Edwards and Montgomery keys).

Key formats:
- ECC: Non-compressed form {x, y} in big-endian order
- RSA: Modulus only (public exponent is 65537)
- Montgomery: Big-endian format (unlike RFC 7748)

Must be called after opening a valid key store service.

Usage

nxpele public-key-export [OPTIONS]

Options

-k, --keystore-handle <keystore_handle>#

Required Key store handle from keystore-open command.

-i, --key-id <key_id>#

Required ID of the asymmetric key stored in the key store.

-s, --buffer-size <buffer_size>#

Length in bytes of the output public key buffer (default: 512).

-o, --output <output>#

Store exported public key into a file. If not used, key is printed to console.
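
Handling the raw ECC output of public-key-export and export-nxp-prod-ka-puk on the host, as an added example that is not part of SPSDK. It covers the ECC P-256 case only (64 bytes, x then y, big-endian): the buffer is checked against the curve equation before it is wrapped into a standard SubjectPublicKeyInfo PEM, so an empty, truncated or wrongly ordered export is rejected. The function names are assumptions of this example, and the sample input is the public P-256 base point, not a key from a device.

```python
import base64
import hashlib

# NIST P-256 (secp256r1) field prime and curve coefficient b; a = -3.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Fixed DER header of a SubjectPublicKeyInfo carrying an uncompressed P-256
# point: SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING ... }
SPKI_HEADER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")


def parse_raw_p256(raw):
    """Validate a 64-byte big-endian x||y buffer and return (x, y)."""
    if len(raw) != 64:
        raise ValueError(f"expected 64 bytes (32 x + 32 y), got {len(raw)}")
    x = int.from_bytes(raw[:32], "big")
    y = int.from_bytes(raw[32:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate out of field range")
    # Curve equation y^2 = x^3 - 3x + b (mod p). An all-zero buffer, swapped
    # halves or a little-endian dump are rejected here or by the range check.
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y


def raw_to_spki_der(raw):
    """Wrap a validated raw key into DER SubjectPublicKeyInfo."""
    parse_raw_p256(raw)
    return SPKI_HEADER + b"\x04" + raw  # 0x04 marks an uncompressed SEC1 point


def raw_to_pem(raw):
    """PEM form accepted by common tooling that reads public keys."""
    b64 = base64.b64encode(raw_to_spki_der(raw)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def fingerprint(raw):
    """SHA-256 over the DER encoding, for comparison with a recorded value."""
    return hashlib.sha256(raw_to_spki_der(raw)).hexdigest()


# Constructed sample: the public P-256 base point G stands in for the
# contents of the file written with --output.
SAMPLE_RAW = bytes.fromhex(
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)

if __name__ == "__main__":
    print(raw_to_pem(SAMPLE_RAW), end="")
    print("sha256(SPKI) =", fingerprint(SAMPLE_RAW))
```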

read-common-fuse#

Read common fuse from EdgeLock Enclave.

Not all fuses can be read by this command; only some of them are supported.

Usage

nxpele read-common-fuse [OPTIONS]

Options

-i, --index <index>#

Required Fuse index.

read-shadow-fuse#

Read shadow fuse from EdgeLock Enclave.

Not all fuses can be read by this command; only some of them are supported.

Usage

nxpele read-shadow-fuse [OPTIONS]

Options

-i, --index <index>#

Required Fuse index.

release-container#

Release EdgeLock Enclave firmware message.

Usage

nxpele release-container [OPTIONS]

reset#

Send general EdgeLock Enclave RESET message.

Usage

nxpele reset [OPTIONS]

reset-apc-context#

Send request to reset APC context in EdgeLock Enclave.

Usage

nxpele reset-apc-context [OPTIONS]

sab-init#

Initialize EdgeLock Secure Enclave Firmware HSM services.

SAB Init command is used to initialize the EdgeLock Secure Enclave Firmware HSM services. It must be called once, at boot, by any core.

SAB Init command must be called before any other ones that use a SAB session. Can be called multiple times - will return success if already initialized.

Usage

nxpele sab-init [OPTIONS]

session-close#

Close EdgeLock Enclave HSM session.

Session close command is used to close an opened session. Any data related to the session, including other services flow contexts, will be deleted.

Session close command will close any associated services to the session as well. Can only be called after having opened a valid session.

Usage

nxpele session-close [OPTIONS]

Options

-s, --session-handle <session_handle>#

Required Session handle to close. Handle value returned by session-open command.

session-open#

Open EdgeLock Enclave HSM session.

Session open command is used to initialize the EdgeLock Secure Enclave HSM services for the requestor. It establishes a route between the user and the EdgeLock Secure Enclave as well as a quality of service.

A maximum of 20 sessions can be opened at the same time. Session open command must be called before any other APIs that use a session.

Usage

nxpele session-open [OPTIONS]

signed-message#

Send signed message to EdgeLock Enclave.

A signed message can be created with the ‘nxpimage signed-msg’ tool.

Usage

nxpele signed-message [OPTIONS]

Options

-b, --binary <binary>#

Required Binary file with signed message container.

start-trng#

Start True Random Number Generator in EdgeLock Enclave message.

Usage

nxpele start-trng [OPTIONS]

verify-image#

Verify OEM image.

The Verify Image message is sent to the ELE after a container has been loaded into memory and processed with an Authenticate Container message. This commands the ELE to check the hash on one or more images.

Usage

nxpele verify-image [OPTIONS]

Options

-m, --mask <mask>#

Used to indicate which images are to be checked. There must be at least one image. If not defined Image_0 will be checked.

write-fuse#

Write one fuse by specifying index and data to be written.

Usage

nxpele write-fuse [OPTIONS]

Options

-d, --data <data>#

Required Data to be written

-i, --index <index>#

Required Index of the fuse to be written

--lock#

Write lock fuse

write-shadow-fuse#

Write one shadow fuse by specifying index and data to be written.

Usage

nxpele write-shadow-fuse [OPTIONS]

Options

-d, --data <data>#

Required Data to be written

-i, --index <index>#

Required Index of the fuse to be written