i.MX 95 AHAB Load M7 Application to TCM

This notebook describes how to build a bootable AHAB image with M7 application, and how to load it to TCM (Tightly Coupled Memory).

1. Prerequisites

• SPSDK is needed with examples extension. pip install spsdk[examples] (Please refer to the installation documentation.)

• This demo was tested with i.MX 95 EVK board with LPDDR4 memory and A0 chip revision.

1.1 Images preparation

• Obtain all the necessary binaries and put them into inputs directory

1.2 Requirements

Download these files from the https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/<package name> and put them into the inputs directory.

Primary image container set:

• ELE firmware

• lpddr5 or lpddr4 firmware files with OEI firmware

• CM33 OEI TCM

• CM33 System manager image

• M7 application image

2. AHAB Image

2.1 AHAB Template

We can generate the template using the nxpimage ahab get-template command. The command will generate a template. The template is a YAML file that contains the AHAB header and the AHAB container. The AHAB header contains the information about the image, such as the version, the number of containers, and the signature.

The following command generates the template:

nxpimage ahab get-template -f mimx9596 -o ahab_template.yaml

2.2 Exporting of the AHAB image

The AHAB image can be exported using the nxpimage ahab export command. The command will create the AHAB image from the template. The following command creates the AHAB image:

nxpimage ahab export -c ahab_template.yaml 

Image container set consists of the following images:

• ELE firmware

• DDR firmware with OEI

• System manager

• M7 application image

nxpimage ahab get-template -f mimx9596 -o workspace/ahab_template.yaml --force 
Creating workspace/ahab_template.yaml template file.

Configuration Differences

Show Diff Download Config

# ===========================  ahab Configuration template for mimx9596, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9596
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest IMPORTANT! B0 revision has different container format than A1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: 
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: ../outputs/flash.bin
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: 
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
  -
  # ====================================================================================================================
  #                                          == List of possible 2 options. ==                                          
  #                                        Options [binary_container, container]                                        
  # ====================================================================================================================

  #  =========================== [Example of possible configuration: #0 , erase if not used] ============================
    # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
  - # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
    # Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
    binary_container: Define the path to the EdgeLock Enclave Firmware container
      # -----------------------------===== The AHAB container binary file [Required] =====------------------------------
      # Description: The binary file that contains AHAB "my_binary_container.bin
      path: my_ahab_container.bin
      path: inputs/mx95b0-ahab-container.img

  #  =========================== [Example of possible configuration: #1 , erase if not used] ============================
    # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
  - # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
    # Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
    # container.
    container:
      # --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
      # Description: Defines which set is used to authenticate the container.
      # Possible options: 
      srk_set: none
      # ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
      # Description: Which key from SRK set is being used.
      used_srk_id: 0
      # -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
      # Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
      # 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
      srk_revoke_mask: '0x00'
      # ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
      # Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
      # firmware.
      #  - disabled:       GDET is disabled after the first OEM container has been authenticated (default behavior)
      #  - enabled_eleapi: Automatically enable GDET during all ELE API calls
      #  - enabled:        Leave GDET enabled
      # Possible options: 
      gdet_runtime_behavior: disabled
      # ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
      # Description: This option overrides a fuse to select verification mode.
      #  - default: Apply default fuse policy.
      #  - check_all_signatures: Force verification of all present signatures.
      # Possible options: 
      check_all_signatures: default
      # ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
      # Description: This option enables fast boot mode.
      #  - disabled: Fast boot disabled.
      #  - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
      #  - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
      # i.MX952).
      #  - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
      # authentication.
      # Possible options: 
      fast_boot: disabled
      # --------------------------------------===== Fuse version [Optional] =====---------------------------------------
      # Description: The value must be equal or greater than the version stored in fuses to allow loading this
      # container.
      fuse_version: 0
      # ------------------------------------===== Software version [Optional] =====-------------------------------------
      # Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
      # Fuse version field.
      sw_version: 0
      # ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
      # Description: Signature provider configuration in format 'type=;=;=' or a
      # private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
      # been revoked.
      signer: type=file;file_path=my_prv_key.pem
      # ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
      # Description: Signature provider configuration in format 'type=;=;=' or a
      # private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
      # SRK must not have been revoked.
      signer_#2: type=file;file_path=my_prv_key.pem

      # ================================================================================================================
      #                     == Configuration of AHAB Container images (array of multiple images) ==                     
      # ================================================================================================================
      # ---------------------------------------===== Image array [Required] =====---------------------------------------
      # Description: Array of image entries.
      images:
        -
        # ==============================================================================================================
        #                                       == List of possible 13 options. ==                                      
        #      Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC      
        # configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot, 
        #         TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]         
        # ==============================================================================================================

        #  ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
        # Double Authentication of NXP firmwares
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000000000000
        # hash_type:                     SHA384
          # -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
          # Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
          double_authentication: nxp_ele.bin

        #  =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
        # OEI with DDR PHY tunning images
        - # OEI with DDR PHY tunning images
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000001FFC0000
        # entry_point:                   0x000000001FFC0001
        # image_type:                    oei
        # core_id:                       cortex-m33
        # hash_type:                     SHA384
          # -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
          # Description: Firmware for LPDDR4/5 memory.
          lpddr_imem: lpddr_imem.bin Add path to the LPDDR IMEM image
          lpddr_imem: lpddr4x_imem_v202409.bin
          # ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
          # Description: Firmware for LPDDR4/5 for quick boot.
          lpddr_imem_qb: lpddr_imem_qb.bin Add path to the LPDDR IMEM image
          lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
          # ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
          # Description: Data for LPDDR4/5 memory.
          lpddr_dmem: lpddr_dmem.bin Add path to the LPDDR DMEM image
          lpddr_dmem: lpddr4x_dmem_v202409.bin
          # --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
          # Description: Data for LPDDR4/5 memory in quick boot.
          lpddr_dmem_qb: lpddr_dmem_qb.bin Optionally add path to the LPDDR DMEM quick boot image
          lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
          # -----------------------------------------===== OEI [Required] =====-----------------------------------------
          # Description: OEI - Optional Executable Image firmware
          oei_ddr: oei_ddr.bin Add path to the OEI DDR image
          oei_ddr: oei-m33-ddr.bin
          # -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
          # Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behind DDR
          # FW entry
          qb_data: qb_data.bin

        #  ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
        # OEI TCM settings (ECC etc.)
        - # OEI TCM settings (ECC etc.)
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000001FFC0000
        # entry_point:                   0x000000001FFC0001
        # image_type:                    oei
        # core_id:                       cortex-m33
        # hash_type:                     SHA384
          # -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
          # Description: OEI(Optional Executable Image) TCM settings binary file.
          oei_tcm: oei_tcm.bin Add path to the OEI TCM image
          oei_tcm: oei-m33-tcm.bin

        #  =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
        # System booting image
        - # System booting image
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000001FFC0000
        # image_type:                    executable
        # core_id:                       cortex-m33
        # hash_type:                     SHA384
          # ---------------------------------===== Boot system manager [Required] =====---------------------------------
          # Description: System manager booting image
          system_manager: system_manager.bin Add path to system manager
          system_manager: m33_image-mx95evk.bin

        #  ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
        # Cortex M7 additional application
        - # Cortex M7 additional application
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x00000000303C0000
        # entry_point:                   0x0000000000000000
        # image_type:                    executable
        # core_id:                       cortex-m7-1
        # meta_data_start_cpu_id:        1
        # hash_type:                     SHA384
          # --------------------------===== Cortex M7 additional application [Required] =====---------------------------
          # Description: Cortex M7 additional application
          cortex_m7_app: cortex_m7_app.bin Optionally Add path to the Cortex M7 application
          cortex_m7_app: hello_world_sm_cm7.bin

        #  ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
        # U-Boot SPL (Secondary program loader)
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000020480000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # -----------------------------------------===== SPL [Required] =====-----------------------------------------
          # Description: SPL firmware
          spl: spl.bin

        #  ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
        # V2X dummy image container definition
        - # V2X dummy image container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000008B000000
        # image_type:                    v2x_dummy
        # core_id:                       cortex-m33
        # hash_type:                     SHA384
          # --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
          # Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
          v2x_dummy: true This is a dummy image that has to be present in the container for A0

        #  ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
        # U-Boot ATF container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000008A200000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # -------------------------------------===== ATF binary [Required] =====--------------------------------------
          # Description: ARM Trusted Firmware binary file.
          atf: bl31.bin

        #  ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
        # U-Boot container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000090200000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # ------------------------------------===== U-Boot binary [Required] =====------------------------------------
          # Description: U-Boot binary file.
          uboot: u-boot.bin

        #  ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
        # A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x000000008C000000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # -----------------------------------------===== TEE [Required] =====-----------------------------------------
          # Description: TEE - Trusted Execution Environment binary
          tee: tee.bin

        #  =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
        # Linux kernel Image container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000090400000
        # image_type:                    executable
        # core_id:                       cortex-a55
        # meta_data_start_cpu_id:        2
        # hash_type:                     SHA384
          # ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
          # Description: Linux kernel executable Image binary file (typically Image.bin)
          kernel: Image.bin

        #  ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
        # Device Tree Blob (DTB) container definition
        # Image array default settings. Can be overridden by definitions that are hidden in the template:
        # load_address:                  0x0000000093000000
        # entry_point:                   0x0000000000000000
        # image_type:                    data
        # core_id:                       cortex-a55
        # hash_type:                     SHA384
          # -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
          # Description: Device Tree Blob (DTB) binary file containing hardware description
          dtb: device-tree.dtb

        #  ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
        # General Image Entry
          # -------------------------------------===== Image path [Optional] =====--------------------------------------
          # Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
          # image is needed, Just do not use the image path. In case that the image size in container should be aligned
          # differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
          # 'image_size_alignment' where could be override image size by any custom value.
          image_path: my_image.bin
          # ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
          # Description: Offset in bytes from start of container header to beginning of the image. Zero value means
          # automatic placing the image with proper alignment after previous one, this is recommended for
          # serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
          # to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
          # Booting core images must be located after the other ones
          image_offset: 0
          # ------------------------------===== Image destination address [Required] =====------------------------------
          # Description: Address the image is written to in memory (absolute address in system memory).
          load_address: '0x1FFC_0000'
          # ----------------------------------===== Image entry point [Required] =====----------------------------------
          # Description: Image entry point (absolute address). Valid only for executable image types.
          entry_point: '0x1FFC_0000'
          # -------------------------------------===== Image type [Required] =====--------------------------------------
          # Description: Kind of image.
          # Possible options: 
          # executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
          # v2x_rom_patch>
          image_type: executable
          # ---------------------------------------===== Core ID [Required] =====---------------------------------------
          # Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
          # Possible options: 
          core_id: dummy
          # ----------------------------------===== Image encryption [Optional] =====-----------------------------------
          # Description: Determines, whether image is encrypted or not.
          is_encrypted: false
          # -------------------------------------===== Boot flags [Optional] =====--------------------------------------
          # Description: Boot flags controlling SCFW boot.
          boot_flags: 0
          # ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
          # Description: Resource ID of CPU to be started
          meta_data_start_cpu_id: 0
          # ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
          # Description: Resource ID of the MU associated with the CPU
          meta_data_mu_cpu_id: 0
          # ---------------------------------===== Start partition ID [Optional] =====----------------------------------
          # Description: Partition ID of the partition to start
          meta_data_start_partition_id: 0
          # ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
          # Description: HASH type of image.
          # Possible options: 
          hash_type: sha512

      # ================================================================================================================
      #                                      == Configuration of AHAB SRK table ==                                      
      # ================================================================================================================
      # ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
      # Description: SRK (Super Root key) table definition.
      srk_table: All attributes related to the signing might be removed
        # ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
        # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
        # affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
        # process itself. This option exists only for compatibility with systems where fuses are already programmed. In
        # most cases, this should remain false.
        flag_ca: false
        # ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
        # Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
        # be used.
        # Possible options: 
        # shake_256_512, sm3>
        hash_algorithm: default
        # ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
        # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
        # algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
        # sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
        # dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
        # type of AHAB container
        srk_array:
          - my_srk_public_key0.pub
          - my_srk_public_key1.pub
          - my_srk_public_key2.pub
          - my_srk_public_key3.pub

        # ==============================================================================================================
        #               == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==               
        # ==============================================================================================================
        # -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
        srk_table_#2:
          # ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
          # Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
          # only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
          # signing process itself. This option exists only for compatibility with systems where fuses are already
          # programmed. In most cases, this should remain false.
          flag_ca: false
          # -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
          # Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
          # be used.
          # Possible options: 
          # shake_256_512, sm3>
          hash_algorithm: default
          # -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
          # Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
          # signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
          # Certificate may be of Certificate Authority.
          srk_array:
            - my_srk_public_key0.pub
            - my_srk_public_key1.pub
            - my_srk_public_key2.pub
            - my_srk_public_key3.pub

      # ================================================================================================================
      #           == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==           
      # ================================================================================================================
      # ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
      # Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
      # SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
      # it itself.
      certificate: my_ahab_certificate.bin

      # ================================================================================================================
      #         == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==         
      # ================================================================================================================
      # -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
      # Description: Encryption blob container definition
      blob: And
finally remove unused parts for AHAB Certificate and Encryption blob
        # ------------------------------------===== Key identifier [Required] =====-------------------------------------
        # Description: The key identifier that has been used to generate DEK keyblob.
        key_identifier: 0
        # -------------------------------------===== DEK key size [Required] =====--------------------------------------
        # Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
        # Possible options: <128, 192, 256>
        dek_key_size: 128
        # ----------------------------------------===== DEK key [Required] =====----------------------------------------
        # Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
        dek_key: my_dek_key.txt
        # --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
        # Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
        # If NOT used, the empty keyblob is inserted into container and need to be updated later.
        dek_keyblob: my_wrapped_key.txt And finally remove unused parts for AHAB Certificate and Encryption blob

# Copyright 2024 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
# ==========================  Advanced High-Assurance Boot Configuration template for mimx9596.  ===========================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# ------------------------------------------===== MCU family [Required] =====-------------------------------------------
# Description: Family identifier including the chip revision. If revision is not present, latest revision is used as
# default.
# Possible options: 
family: mimx9596
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon
revision: latest IMPORTANT! B0 revision has different container format than A1
# ----------------------------------===== Target memory [Conditionally required] =====----------------------------------
# Description: Target memory for AHAB container
# Possible options: 
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: ../outputs/flash.bin
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
  - # -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
    # Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
    binary_container: Define the path to the EdgeLock Enclave Firmware container
      # -----------------------------===== The AHAB container binary file [Required] =====------------------------------
      # Description: The binary file that contains AHAB "my_binary_container.bin
      path: inputs/mx95b0-ahab-container.img

  - # --------------------------------------===== AHAB Container [Required] =====---------------------------------------
    # Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
    # container.
    container:
      # --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
      # Description: Defines which set is used to authenticate the container.
      # Possible options: 
      srk_set: none
      # ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
      # Description: Which key from SRK set is being used.
      used_srk_id: 0

      # ================================================================================================================
      #                     == Configuration of AHAB Container images (array of multiple images) ==
      # ================================================================================================================
      # ---------------------------------------===== Image array [Required] =====---------------------------------------
      # Description: Array of image entries.
      images:
        - # OEI with DDR PHY tunning images
          # Image array default settings. Can be override by defines that are hidden in template:
          # image_offset:                  0x00010400
          # load_address:                  0x000000001FFC0000
          # entry_point:                   0x000000001FFC0001
          # image_type:                    executable
          # core_id:                       cortex-m33
          # hash_type:                     SHA384
          # -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
          # Description: Firmware for LPDDR4/5 memory in 1D mode.
          lpddr_imem: lpddr4x_imem_v202409.bin Add path to the LPDDR IMEM image
          # -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
          # Description: Firmware for LPDDR4/5 memory in 2D mode.
          lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin Add path to the LPDDR IMEM image
          # ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
          # Description: Data for LPDDR4/5 memory in 1D mode.
          lpddr_dmem: lpddr4x_dmem_v202409.bin Add path to the LPDDR DMEM image
          # ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
          # Description: Data for LPDDR4/5 memory in 2D mode.
          lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin Optionally add path to the LPDDR DMEM quick boot image
          # -----------------------------------------===== OEI [Required] =====-----------------------------------------
          # Description: OEI - Optional Executable Image firmware
          oei_ddr: oei-m33-ddr.bin Add path to the OEI DDR image

        - # OEI TCM settings (ECC etc.)
          # Image array default settings. Can be override by defines that are hidden in template:
          # image_offset:                  0x00010400
          # load_address:                  0x000000001FFC0000
          # entry_point:                   0x000000001FFC0001
          # image_type:                    executable
          # core_id:                       cortex-m33
          # hash_type:                     SHA384
          # -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
          # Description: OEI(Optional Executable Image) TCM settings binary file.
          oei_tcm: oei-m33-tcm.bin Add path to the OEI TCM image

        - # System booting image
          # Image array default settings. Can be override by defines that are hidden in template:
          # image_offset:                  0x00080400
          # load_address:                  0x000000001FFC0000
          # image_type:                    executable
          # core_id:                       cortex-m33
          # hash_type:                     SHA384
          # ---------------------------------===== Boot system manager [Required] =====---------------------------------
          # Description: System manager booting image
          system_manager: m33_image-mx95evk.bin Add path to system manager

        - # Cortex M7 additional application
          # Image array default settings. Can be override by defines that are hidden in template:
          # load_address:                  0x00000000303C0000
          # image_type:                    executable
          # core_id:                       cortex-m7-1
          # hash_type:                     SHA384
          # --------------------------===== Cortex M7 additional application [Required] =====---------------------------
          # Description: Cortex M7 additional application
          cortex_m7_app: hello_world_sm_cm7.bin Optionally Add path to the Cortex M7 application

        - # V2X dummy image container definition
          # Image array default settings. Can be override by defines that are hidden in template:
          # load_address:                  0x000000008B000000
          # image_type:                    v2x_dummy
          # core_id:                       cortex-m33
          # hash_type:                     SHA384
          # --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
          # Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
          v2x_dummy: true This is a dummy image that has to be present in the container for A0

# EXPORT U-BOOT IMAGE
VERBOSITY = "-v"

%! nxpimage $VERBOSITY ahab export --config inputs/mx95_tcm.yaml

nxpimage -v ahab export --config inputs/mx95_tcm.yaml 
INFO:spsdk.apps.nxpimage_apps.nxpimage_ahab:Created AHAB Image:
Name:      AHAB Image
Starts:    0x0
Ends:      0x5c7ff
Size:      Size: 370.0 kiB; 378,880 B
Alignment: 512 B
Execution Start Address: Not defined
Pattern:zeros
AHAB Image for mimx9596, Revision: latest

INFO:spsdk.apps.nxpimage_apps.nxpimage_ahab:Created AHAB Image memory map:

+==0x0000_0000= AHAB Image ==========================+
|             Size: 370.0 kiB; 378,880 B             |
|     AHAB Image for mimx9596, Revision: latest      |
|                   Pattern: zeros                   |
|+==0x0000_0000= AHAB Containers ===================+|
||             Size: 48.0 kiB; 49,152 B             ||
||              AHAB Containers block               ||
||                  Pattern: zeros                  ||
||+==0x0000_0000= AHAB Container 0 ================+||
|||             Size: 8.0 kiB; 8,227 B             |||
|||         AHAB Container for nxp_SWver:0         |||
||+==0x0000_2022===================================+||
||                   Gap: 8.0 kiB                   ||
||+==0x0000_4000= AHAB Container 1 ================+||
|||                  Size: 832 B                   |||
|||         AHAB Container for nxp_SWver:0         |||
||+==0x0000_433f===================================+||
||                  Gap: 15.2 kiB                   ||
||+==0x0000_8000= AHAB Container 2 ================+||
|||                  Size: 544 B                   |||
|||        AHAB Container for none_SWver:0         |||
||+==0x0000_821f===================================+||
|+==0x0000_bfff=====================================+|
|+==0x0000_c000= Container 0 AHAB Data Image 0 =====+|
||             Size: 44.6 kiB; 45,648 B             ||
||  AHAB encrypted data block for ele core and ele  ||
||                   Image Type.                    ||
|+==0x0001_724f=====================================+|
|                    Gap: 3.4 kiB                    |
|+==0x0001_8000= Container 1 AHAB Data Image 0 =====+|
||             Size: 63.8 kiB; 65,280 B             ||
||   AHAB encrypted data block for v2x-1 core and   ||
||             v2x_primary Image Type.              ||
|+==0x0002_7eff=====================================+|
|                     Gap: 256 B                     |
|+==0x0002_8000= Container 1 AHAB Data Image 1 =====+|
||             Size: 28.0 kiB; 28,672 B             ||
||   AHAB encrypted data block for v2x-2 core and   ||
||            v2x_secondary Image Type.             ||
|+==0x0002_efff=====================================+|
|+==0x0002_f000= OEI TCM ===========================+|
||              Size: 5.0 kiB; 5,120 B              ||
||AHAB data block for cortex-m33 core and oei Image ||
||                      Type.                       ||
|+==0x0003_03ff=====================================+|
|+==0x0003_0400= System manager ====================+|
||            Size: 163.0 kiB; 166,912 B            ||
||AHAB data block for cortex-m33 core and executable||
||                   Image Type.                    ||
|+==0x0005_8fff=====================================+|
|+==0x0005_9000= Additional Cortex M7 application ==+|
||             Size: 14.0 kiB; 14,336 B             ||
||     AHAB data block for cortex-m7-1 core and     ||
||              executable Image Type.              ||
|+==0x0005_c7ff=====================================+|
|+==0x0005_c800= V2X core Dummy record =============+|
||                    Size: 0 B                     ||
||AHAB data block for cortex-m33 core and v2x_dummy ||
||                   Image Type.                    ||
|+==0x0005_c7ff=====================================+|
+==0x0005_c7ff=======================================+

Success. (AHAB: outputs/flash.bin created.)

# Set the boot mode to Cortex-M Serial Downloader 1001 and download the files using the UUU tool

%! nxpuuu $VERBOSITY run "SDPS[-t 10000]: boot -f outputs/flash.bin"

nxpuuu run "SDPS[-t 10000]: boot -f outputs/flash.bin" 
SDPS[-t 10000]: boot -f outputs/flash.bin


Success