i.MX93 Key Import and Key Exchange Example

This documentation covers the key import and key exchange operations for the i.MX93 EdgeLock Secure Enclave, specifically focusing on the combined key agreement and key derivation functionality used to establish secure key import capabilities.

1. Prerequisites

• SPSDK is needed with examples extension. pip install spsdk[examples] (Please refer to the installation documentation.)

• This demo was tested with i.MX93 EVK board

• Obtain an NXP_PROD_KA_PUB key

1.1 NXP Production Key

The EdgeLock Secure Enclave provides a built-in production key for key agreement:

• Key ID: 0x70000000 (NXP PROD MANUFACT KEY AGREEMENT)

• Purpose: Enables consistent OEM_IMPORT_xxx keys across devices with same SRKH

• Availability: Same key across all lifecycles

• Public Key Export: Available via Public key export API (0x32)

This ensures that devices with the same Super Root Key Hash (SRKH) can use identical import keys, simplifying key management across device populations.

2 Key Exchange Operation

2.1 Purpose

The key exchange operation performs a combined key agreement and key derivation to create symmetric keys stored in the EdgeLock Secure Enclave key storage. This operation is primarily used to establish OEM Master Keys for secure key import operations.

2.2 Key Features

• Combined Operation: Performs both key agreement (ECDH) and key derivation (HKDF) in a single operation

• Symmetric Key Creation: Only symmetric keys can be created through this operation

• Secure Storage: Derived keys are stored in EdgeLock Secure Enclave key storage

• OEM Signed Content: Input parameters are protected by OEM signed messages for integrity

2.3 Key Exchange Signed Message Configuration

message:
  command:
    KEY_EXCHANGE_REQ:
      # Key storage configuration
      key_store_id: 0x454C4500
      
      # Algorithm selection
      key_exchange_algorithm: HKDF SHA256  # Options: HKDF SHA256, HKDF SHA384
      
      # Salt configuration for HKDF process
      salt_flags: 0                        # Bit 0: Salt source, Bit 1: ELE import salt
      
      # Derived key attributes
      derived_key_grp: 0                   # Group ID (0-99)
      derived_key_size_bits: 256           # Key size: 128/192/256
      derived_key_type: OEM_IMPORT_MK_SK   # Key type for import operations
      derived_key_lifetime: PERSISTENT     # VOLATILE/PERSISTENT/PERMANENT
      derived_key_usage:                   # Permission list
        - Derive
      derived_key_permitted_algorithm: HKDF SHA256
      derived_key_lifecycle: CURRENT       # Lifecycle restrictions
      derived_key_id: 0x1                  # Key identifier
      
      # ECDH configuration
      private_key_id: 0x70000000           # NXP PROD MANUFACT KEY AGREEMENT
      oem_private_key: oem_private_key.pem # OEM private key for ECDH
      nxp_prod_ka_pub: nxp.pub             # NXP production public key

2.4 OEM Master Key Generation

The key exchange operation generates an OEM_IMPORT_MK_SK (OEM Import Master Secret Key) with specific requirements:

Required Attributes

• Type: OEM_IMPORT_MK_SK

• Usage: Derive (Cache usage set by default)

• Permitted Algorithm: HKDF SHA256 (0x08000109)

• Size: 256 bits

• Lifecycle: User-defined

• Lifetime: User-defined (PERSISTENT recommended)

Derived Keys

From the OEM_IMPORT_MK_SK, two additional keys are derived:

1. OEM_IMPORT_CMAC_SK

   • Used to verify Key Import signed TLV buffers

   • Type: AES, Size: 256 bits

   • No key identifier (derived on-demand)

2. OEM_IMPORT_WRAP_SK

   • Used to decrypt wrapped keys in Key Import operations

   • Type: AES, Size: 256 bits

   • No key identifier (derived on-demand)

YamlDiffWidget("inputs/key_exchange.diffc").html

nxpimage signed-msg get-template -f mx93 -o workspace/key_exchange.yaml --force -m KEY_EXCHANGE_REQ
Creating workspace/key_exchange.yaml template file.

Configuration Differences

Show Diff Download Config

# ======================  Signed message Configuration template for mimx9352, Revision: latest.  =======================

# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output Signed Message file name
output: signed_message.bin
output: ../workspace/signed_msg_key_exchange_hkdf.bin

# ======================================================================================================================
#                                            == Settings of Signed Message ==                                           
# ======================================================================================================================
# -----------------------------------===== Super Root Key (SRK) set [Required] =====------------------------------------
# Description: Defines which set is used to authenticate the signed message.
# Possible options: 
srk_set: oem
# -------------------------------------------===== Used SRK [Required] =====--------------------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# ----------------------------------------===== SRK revoke mask [Required] =====----------------------------------------
# Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit 1 =
# revoke SRK_1 etc.
srk_revoke_mask: 0
# -----------------------------------------===== Fuse version [Required] =====------------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this container.
fuse_version: 0
# ---------------------------------------===== Software version [Required] =====----------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same Fuse
# version field.
sw_version: 0
# --------------------------------===== Signed Message container signer [Required] =====--------------------------------
# Description: Signature provider configuration in format 'type=;=;=' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have been
# revoked.
signer: type=file;file_path=my_prv_key.pem Add private key or signer
signer: srk1_ecc256.pem

# ======================================================================================================================
#                                    == Configuration of Signed Message SRK table ==                                    
# ======================================================================================================================
# -------------------------------------------===== SRK Table [Required] =====-------------------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
  # -------------------------------------------===== CA Flag [Optional] =====-------------------------------------------
  # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
  # affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
  # process itself. This option exists only for compatibility with systems where fuses are already programmed. In most
  # cases, this should remain false.
  flag_ca: false
  # ---------------------------------------===== Hash Algorithm [Optional] =====----------------------------------------
  # Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will be
  # used.
  # Possible options: 
  hash_algorithm: default
  # ---------------------------------===== Super Root Key (SRK) table [Required] =====----------------------------------
  # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms
  # are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256, sha3_384,
  # sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, dilithium3, sm2.
  # Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new type of AHAB container
  srk_array: Add your SRK public keys
    - my_srk_public_key0.pub
    - my_srk_public_key1.pub
    - my_srk_public_key2.pub
    - my_srk_public_key3.pub
    - srk0_ecc256.pub
    - srk1_ecc256.pub
    - srk2_ecc256.pub
    - srk3_ecc256.pub

# ======================================================================================================================
#              == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==              
# ======================================================================================================================
# -------------------------------------===== The AHAB certificate [Optional] =====--------------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by SRK, or
# it is possible to use configuration YAML file of certificate and the AHAB export process it will export it itself.
certificate: my_ahab_certificate.bin
# -----------------------------------------===== IV file path [Optional] =====------------------------------------------
# Description: Used only for encrypted messages. Fixed size at 256 bits. If defined the encryption is used for this
# Signed message. The HEX format is accepted.
iv_path: my_IV.txt

# ======================================================================================================================
#                                               == Settings of Message ==                                               
# ======================================================================================================================
message:
  # -------------------------------------===== Certificate version [Optional] =====-------------------------------------
  # Description: Certificate version
  cert_version: 0
  # -----------------------------------===== Certificate permission [Optional] =====------------------------------------
  # Description: Certificate permission, to be used in future. The stated permission must allow the operation requested
  # by the signed message.
  cert_permission: 0
  # -----------------------------------------===== Issue date [Optional] =====------------------------------------------
  # Description: Optional Issue date of message, if not defined the current date is used. The format must be following:
  # 'YYYY-MM'
  issue_date: 2022-10
  # -----------------------------------------===== Device UUID [Optional] =====-----------------------------------------
  # Description: Unique identifier of the chip. It could be retrieve by BLHOST command from chip or also the debug
  # authentication protocol could provide this value. Hex string format (hexadecimal string without '0x'). In case that
  # the restriction on UUID is not needed the field could be omitted.
  uuid: '0000000000000000'
  command:
    # ---------------------------------------===== Key exchange [Required] =====----------------------------------------
    # Description: This message is used to perform a combined key agreement and key derivation operation. The derived
    # key will be stored in key storage as a new key. Only symmetric keys can be created with this operation. Key
    # attributes are set in the command, like others key creation APIs (Generate key, Import key).
    KEY_EXCHANGE_REQ:
      # --------------------------------------===== Key store ID [Required] =====---------------------------------------
      # Description: Key store ID where to store the derived key. It must be the key store ID related to the key
      # management handle set in the command API
      key_store_id: 0 Set ID of the keystore
      key_store_id: 0x454C4500
      # ---------------------------------===== Key exchange algorithm [Required] =====----------------------------------
      # Description: ECDH HKDF SHA256 KEY IMPORT    0x09020109
      # ECDH HKDF SHA384 KEY IMPORT    0x0902010A
      # ECDH HKDF SHA ANY KEY IMPORT   0x090201FF
      # ECDH HKDF SHA256               0x89020109
      # ECDH HKDF SHA384               0x8902010A
      # ECDH HKDF SHA ANY              0x890201FF
      # Possible options: 
      # HKDF SHA256, ECDH HKDF SHA384, ECDH HKDF SHA ANY, HKDF SHA256, HKDF SHA384>
      key_exchange_algorithm: ECDH HKDF SHA256 KEY IMPORT
      key_exchange_algorithm: HKDF SHA256
      # ---------------------------------------===== Salt Flags [Required] =====----------------------------------------
      # Description: Bit field indicating the requested operations:
      #  Bit 0: Salt in step #1 (HKDF-extract) of HMAC based two-step key derivation process:
      #  - 0: Use zeros salt
      #  - 1:Use peer public key hash as salt
      #  Bit 1: In case of ELE import, salt used to derive OEM_IMPORT_WRAP_SK and OEM_IMPORT_CMAC_SK:
      #  - 0: Zeros string
      #  - 1: Device SRKH.
      #  Bit 2 to 15: Reserved
      salt_flags: 0
      # ------------------------------------===== Derived key group [Required] =====------------------------------------
      # Description: Derived key group. 100 groups are available per key store. It must be a value in the range [0; 99].
      # Keys belonging to the same group can be managed through the Manage key group command
      derived_key_grp: 0
      # ----------------------------------===== Derived key size bits [Required] =====----------------------------------
      # Description: Derived key size bits
      # Possible options: <128, 192, 224, 256, 384, 512>
      derived_key_size_bits: 256
      # ------------------------------------===== Derived key type [Required] =====-------------------------------------
      # Description:
      #  Key type          Value   Key size in bits
      #  AES               0x2400  128/192/256
      #  HMAC              0x1100  224/256/384/512
      #  OEM_IMPORT_MK_SK  0x9200  128/192/256
      # Possible options: 
      derived_key_type: AES Specify OEM_IMPORT_MK_SK for derivation of master key
      derived_key_type: OEM_IMPORT_MK_SK
      # ----------------------------------===== Derived key lifetime [Required] =====-----------------------------------
      # Description:
      #  VOLATILE           0x00  Standard volatile key.
      #  PERSISTENT         0x01  Standard persistent key.
      #  PERMANENT          0xFF  Standard permanent key.
      # Possible options: 
      derived_key_lifetime: PERSISTENT
      # ------------------------------------===== Derived key usage [Required] =====------------------------------------
      # Description: Permission usage list. List of possible permissions:
      #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
      # default by ELE FW for all keys generated or imported.
      #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
      # encryption or asymmetric encryption operation.
      #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
      # decryption or asymmetric decryption operation.
      #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
      # asymmetric message signature operation.
      #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
      # verification or an asymmetric message signature verification operation.
      #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
      # operation. Setting this permission automatically sets the Sign Message usage.
      #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
      # signature verification operation.
      #  Setting this permission automatically sets the Verify Message usage.
      #  Derive          0x00004000  Permission to derive other keys from this key.
      derived_key_usage:
        - Cache
        - Derive
      # -----------------------------===== Derived key permitted algorithm [Required] =====-----------------------------
      # Description:
      #  HKDF SHA256 (HMAC two-step)  0x08000109
      #  HKDF SHA384 (HMAC two-step)  0x0800010A
      # Possible options: 
      derived_key_permitted_algorithm: HKDF SHA256
      # ----------------------------------===== Derived key lifecycle [Required] =====----------------------------------
      # Description:
      #  CURRENT           0x00  Key is usable in current lifecycle.
      #  OPEN              0x01  Key is usable in open lifecycle.
      #  CLOSED            0x02  Key is usable in closed lifecycle.
      #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
      # Possible options: 
      derived_key_lifecycle: CURRENT
      # -------------------------------------===== Derived key ID [Required] =====--------------------------------------
      # Description: It could be:
      #  - Wanted key identifier of the generated key: only supported by persistent and permanent keys
      #  - 0x00000000 to let the FW chose the key identifier: supported by all keys (all persistence levels)
      derived_key_id: 0
      derived_key_id: 0x1
      # -------------------------------------===== Private key ID [Required] =====--------------------------------------
      # Description: Identifier in the ELE key storage of the private key to use with the peer public key during the key
      # agreement process
      private_key_id: 0 This is ID of the NXP prod key agreement key used for key exchange
      private_key_id: 0x70000000
      # ------------------------------===== Input peer public key digest [Optional] =====-------------------------------
      # Description: The algorithm used to generate the digest must be SHA256
      input_peer_public_key_digest: '0x0000000000000000000000000000000000000000000000000000000000000000' Digest of peer's public key for verification, this might be deleted if private OEM key is provided - will be calculated
from public part
      # ------------------------------===== Input user fixed info digest [Optional] =====-------------------------------
      # Description: The algorithm used to generate the digest must be SHA256
      input_user_fixed_info_digest: '0x0000000000000000000000000000000000000000000000000000000000000000'
      # --------------------------------===== OEM Private Key for ECDH [Optional] =====---------------------------------
      # Description: Path to OEM P256 private key file (PEM format) used for ECDH key agreement. This key will be used
      # with NXP_PROD_KA_PUB to derive the shared secret and subsequent keys. If provided along with nxp_prod_ka_pub,
      # automatic ECDH key derivation will be performed.
      oem_private_key: oem_p256_private_key.pem Path to the OEM private key used in key exchange process
      oem_private_key: oem_private_key.pem
      # -------------------------===== NXP Production Key Agreement Public Key [Optional] =====-------------------------
      # Description: NXP production key agreement public key. Used together with oem_private_key for ECDH key
      # derivation.
      nxp_prod_ka_pub: nxp_prod_ka.pub Path to the NXP pro key agreement public key
      nxp_prod_ka_pub: nxp.pub
      # -----------------------------------===== Super Root Key Hash [Optional] =====-----------------------------------
      # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
      srkh: '0x00000000000000000000000000000000'

# Copyright 2025 NXP
#
# SPDX-License-Identifier: BSD-3-Clause

# ======================  Signed message Configuration template for mimx9352, Revision: latest.  =======================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output Signed Message file name
output: ../workspace/signed_msg_key_exchange_hkdf.bin

# ======================================================================================================================
#                                            == Settings of Signed Message ==
# ======================================================================================================================
# -----------------------------------===== Super Root Key (SRK) set [Required] =====------------------------------------
# Description: Defines which set is used to authenticate the signed message.
# Possible options: 
srk_set: oem
# -------------------------------------------===== Used SRK [Required] =====--------------------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# ----------------------------------------===== SRK revoke mask [Required] =====----------------------------------------
# Description: Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit 1 =
# revoke SRK_1 etc.
srk_revoke_mask: 0
# -----------------------------------------===== Fuse version [Required] =====------------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this container.
fuse_version: 0
# ---------------------------------------===== Software version [Required] =====----------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same Fuse
# version field.
sw_version: 0
# --------------------------------===== Signed Message container signer [Required] =====--------------------------------
# Description: Signature provider configuration in format 'type=;=;=' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have been
# revoked.
signer: srk1_ecc256.pem Add private key or signer

# ======================================================================================================================
#                                    == Configuration of Signed Message SRK table ==
# ======================================================================================================================
# -------------------------------------------===== SRK Table [Required] =====-------------------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
  # -------------------------------------------===== CA Flag [Optional] =====-------------------------------------------
  # Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
  # affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
  # process itself. This option exists only for compatibility with systems where fuses are already programmed. In most
  # cases, this should remain false.
  flag_ca: false
  # ---------------------------------===== Super Root Key (SRK) table [Required] =====----------------------------------
  # Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms
  # are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256, sha3_384,
  # sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096, dilithium3, sm2.
  # Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new type of AHAB container
  srk_array: Add your SRK public keys
    - srk0_ecc256.pub
    - srk1_ecc256.pub
    - srk2_ecc256.pub
    - srk3_ecc256.pub

# ======================================================================================================================
#                                               == Settings of Message ==
# ======================================================================================================================
message:
  command:
    # ---------------------------------------===== Key exchange [Required] =====----------------------------------------
    # Description: This message is used to perform a combined key agreement and key derivation operation. The derived
    # key will be stored in key storage as a new key. Only symmetric keys can be created with this operation. Key
    # attributes are set in the command, like others key creation APIs (Generate key, Import key).
    KEY_EXCHANGE_REQ:
      # --------------------------------------===== Key store ID [Required] =====---------------------------------------
      # Description: Key store ID where to store the derived key. It must be the key store ID related to the key
      # management handle set in the command API
      key_store_id: 0x454C4500 Set ID of the keystore
      # ---------------------------------===== Key exchange algorithm [Required] =====----------------------------------
      # Description:
      #  HKDF SHA256 0x09020109
      #  HKDF SHA384 0x0902010A
      # Possible options: 
      key_exchange_algorithm: HKDF SHA256
      # ---------------------------------------===== Salt Flags [Required] =====----------------------------------------
      # Description: Bit field indicating the requested operations:
      #  Bit 0: Salt in step #1 (HKDF-extract) of HMAC based two-step key derivation process:
      #  - 0: Use zeros salt
      #  - 1:Use peer public key hash as salt
      #  Bit 1: In case of ELE import, salt used to derive OEM_IMPORT_WRAP_SK and OEM_IMPORT_CMAC_SK:
      #  - 0: Zeros string
      #  - 1: Device SRKH.
      #  Bit 2 to 15: Reserved
      salt_flags: 0
      # ------------------------------------===== Derived key group [Required] =====------------------------------------
      # Description: Derived key group. 100 groups are available per key store. It must be a value in the range [0; 99].
      # Keys belonging to the same group can be managed through the Manage key group command
      derived_key_grp: 0
      # ----------------------------------===== Derived key size bits [Required] =====----------------------------------
      # Description: Derived key size bits
      # Possible options: <128, 192, 224, 256, 384, 512>
      derived_key_size_bits: 256
      # ------------------------------------===== Derived key type [Required] =====-------------------------------------
      # Description:
      #  Key type          Value   Key size in bits
      #  AES               0x2400  128/192/256
      #  HMAC              0x1100  224/256/384/512
      #  OEM_IMPORT_MK_SK  0x9200  128/192/256
      # Possible options: 
      derived_key_type: OEM_IMPORT_MK_SK Specify OEM_IMPORT_MK_SK for derivation of master key
      # ----------------------------------===== Derived key lifetime [Required] =====-----------------------------------
      # Description:
      #  VOLATILE           0x00  Standard volatile key.
      #  PERSISTENT         0x01  Standard persistent key.
      #  PERMANENT          0xFF  Standard permanent key.
      # Possible options: 
      derived_key_lifetime: PERSISTENT
      # ------------------------------------===== Derived key usage [Required] =====------------------------------------
      # Description: Permission usage list. List of possible permissions:
      #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
      # default by ELE FW for all keys generated or imported.
      #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
      # encryption or asymmetric encryption operation.
      #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
      # decryption or asymmetric decryption operation.
      #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
      # asymmetric message signature operation.
      #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
      # verification or an asymmetric message signature verification operation.
      #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
      # operation. Setting this permission automatically sets the Sign Message usage.
      #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
      # signature verification operation.
      #  Setting this permission automatically sets the Verify Message usage.
      #  Derive          0x00004000  Permission to derive other keys from this key.
      derived_key_usage:
        - Derive
      # -----------------------------===== Derived key permitted algorithm [Required] =====-----------------------------
      # Description:
      #  HKDF SHA256 (HMAC two-step)  0x08000109
      #  HKDF SHA384 (HMAC two-step)  0x0800010A
      # Possible options: 
      derived_key_permitted_algorithm: HKDF SHA256
      # ----------------------------------===== Derived key lifecycle [Required] =====----------------------------------
      # Description:
      #  CURRENT           0x00  Key is usable in current lifecycle.
      #  OPEN              0x01  Key is usable in open lifecycle.
      #  CLOSED            0x02  Key is usable in closed lifecycle.
      #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
      # Possible options: 
      derived_key_lifecycle: CURRENT
      # -------------------------------------===== Derived key ID [Required] =====--------------------------------------
      # Description: It could be:
      #  - Wanted key identifier of the generated key: only supported by persistent and permanent keys
      #  - 0x00000000 to let the FW chose the key identifier: supported by all keys (all persistence levels)
      derived_key_id: 0x1
      # -------------------------------------===== Private key ID [Required] =====--------------------------------------
      # Description: Identifier in the ELE key storage of the private key to use with the peer public key during the key
      # agreement process
      private_key_id: 0x70000000 This is ID of the NXP prod key agreement key used for key exchange
      # --------------------------------===== OEM Private Key for ECDH [Optional] =====---------------------------------
      # Description: Path to OEM P256 private key file (PEM format) used for ECDH key agreement. This key will be used
      # with NXP_PROD_KA_PUB to derive the shared secret and subsequent keys. If provided along with nxp_prod_ka_pub,
      # automatic ECDH key derivation will be performed.
      oem_private_key: oem_private_key.pem Path to the OEM private key used in key exchange process
      # -------------------------===== NXP Production Key Agreement Public Key [Optional] =====-------------------------
      # Description: NXP production key agreement public key. Used together with oem_private_key for ECDH key
      # derivation.
      nxp_prod_ka_pub: nxp.pub Path to the NXP pro key agreement public key

2.5 Generation of signed message and key derivation

The command generates the signed message for the key exchange. If the -w/–assets option is specified, also generates the assets - OEM_IMPORT_MK_SK key is derived.

nxpimage -v signed-msg export -c inputs/key_exchange.yaml

%! nxpimage -v signed-msg export -c inputs/key_exchange.yaml -w workspace/assets
 

nxpimage -v signed-msg export -c inputs/key_exchange.yaml -w workspace/assets
INFO:spsdk.image.ahab.signed_msg:Calculated input_peer_public_key_digest from OEM private key during config loading 3d164eb2e8c2c8566be458bdbdae6715f4484c8ffbacb14f248e20c3811def9b
INFO:spsdk.image.ahab.signed_msg:ECDH shared secret: 1ae9e13162f15e3b0baa0b7b959852e4d8a5c573cc0a4072e0d3a6666c728cbd
INFO:spsdk.image.ahab.signed_msg:Derived OEM_Import_MK_SK: c7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194
INFO:spsdk.image.ahab.signed_msg:Derived OEM_Import_Wrap_SK: f2fa66b83ed82acbe4dddb5c60966cabad61cf3116b542115f10f06cf6aee825
INFO:spsdk.image.ahab.signed_msg:Derived OEM_Import_CMAC_SK: dc202a1160b4a5d11c088514e99e298b45aba12867543236fcd8774227f3e15c
INFO:spsdk.image.ahab.signed_msg:ECDH key derivation completed during configuration loading
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:Created Signed message Image:
Name:      Signed Message Image
Starts:    0x0
Ends:      0x23f
Size:      Size: 576 B
Alignment: 8 B
Execution Start Address: Not defined
Pattern:zeros
Signed Message Image for mimx9352, Revision: latest

INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:Created Signed message Image memory map:

┌──0x0000_0000─ Signed Message Image ──┐
│             Size: 576 B              │
│  Signed Message Image for mimx9352,  │
│           Revision: latest           │
│            Pattern: zeros            │
│┌──0x0000_0000─ Signed Message ──────┐│
││            Size: 576 B             ││
││Signed Message for KEY_EXCHANGE_REQ ││
│└──0x0000_023f───────────────────────┘│
└──0x0000_023f─────────────────────────┘

INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:SRK hash:cb2cc774b2dcec92c840eca0646b78f8d3661d3a43ed265a490a13aca75e190a
INFO:spsdk.image.ahab.signed_msg:Exported shared_secret to workspace/assets/shared_secret.bin
INFO:spsdk.image.ahab.signed_msg:Exported oem_import_mk_sk to workspace/assets/oem_import_mk_sk.bin
INFO:spsdk.image.ahab.signed_msg:Exported oem_import_wrap_sk to workspace/assets/oem_import_wrap_sk.bin
INFO:spsdk.image.ahab.signed_msg:Exported oem_import_cmac_sk to workspace/assets/oem_import_cmac_sk.bin
Performing post export
workspace/assets/shared_secret.bin
workspace/assets/oem_import_mk_sk.bin
workspace/assets/oem_import_wrap_sk.bin
workspace/assets/oem_import_cmac_sk.bin
Success. (Signed message: workspace/signed_msg_key_exchange_hkdf.bin created.)

3. Key Import Operation

3.1 Purpose

The key import operation allows secure importation of symmetric keys or private keys from asymmetric key pairs into the EdgeLock Secure Enclave key storage.

3.2 Key Features

• Encrypted Import: All imported keys must be encrypted (except specific cases like SRKH)

• Multiple Key Types: Supports AES, HMAC, ECC, and other key types

• Flexible Wrapping: Supports RFC3394 and AES-CBC wrapping algorithms

• Signed TLV Format: Uses signed TLV (Type-Length-Value) format for integrity

3.3 TLV Blob generation

Example of the configuration of TLV blob for importing the AES-256 key.

command:
  KEY_IMPORT:
    # Key identification
    key_id: 0                               # Key store ID
    
    # Permitted algorithm
    permitted_algorithm: "ALL CIPHER"       # Hash algorithm for verification
    
    # Key attributes
    key_type: AES                           # Key type and hash
    key_size_bits: 256                      # Key size: 128/192/224/256/384/512
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT # Persistence level
    key_lifecycle: OPEN_CLOSED              # Lifecycle restrictions
    key_usage:                              # Permission list
      - Encrypt
      - Decrypt
      
    # Wrapping configuration
    oem_mk_sk_key_id: 1                     # OEM_IMPORT_MK_SK key ID
    key_wrapping_algorithm: RFC3394         # RFC3394 or AES_CBC
    signing_algorithm: CMAC                 # Signature algorithm
    
    # Key data (two options)
    # Option 1: Pre-wrapped key and signature
    # wrapped_key: "0x00000000"
    # signature: "0x00000000000000000000000000000000"
    
    # Option 2: Raw key with master key (automatic wrapping)
    import_key: aes256.bin                  # Raw key file
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194" # Taken from the key exchange operation
    
    # Optional SRKH for salt derivation
    srkh: "0x00000000000000000000000000000000"

3.4 Supported Key Types

Key Type	Value	Supported Sizes (bits)
AES	0x2400	128, 192, 256
HMAC	0x1100	224, 256, 384, 512
Derived key	0x1200	256, 384
OEM_IMPORT_MK_SK	0x9200	128, 192, 256
ECC NIST	0x7112	128, 192, 256, 384, 521

3.5 Key Usage Permissions

Permission	Value	Description
Cache	0x00000004	Cache in secure memory (default)
Encrypt	0x00000100	Encryption operations
Decrypt	0x00000200	Decryption operations
Sign message	0x00000400	Message signing (MAC/asymmetric)
Verify message	0x00000800	Message verification
Sign hash	0x00001000	Hash signing (asymmetric)
Verify hash	0x00002000	Hash verification
Derive	0x00004000	Key derivation operations

3.6 Export of TLV blob

nxpimage -v signed-msg tlv export -c inputs/tlv_import_aes256.yaml

YamlDiffWidget("inputs/tlv_import_aes256.diffc").html

nxpimage signed-msg tlv get-template -f mx93 -o workspace/tlv_import_aes256.yaml --force
Success. (TLV template: workspace/tlv_import_aes256.yaml created.)

Configuration Differences

Show Diff Download Config

# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
command:
  # ---------------------------------------===== Key import TLV [Required] =====----------------------------------------
  # Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
  # key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
  # following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
  # sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private
  # keys, it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of
  # the imported key must be coherent. If attributes are invalid, an error is returned.
  KEY_IMPORT:
    # -----------------------------------===== Key ID [Conditionally required] =====------------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API. If set to 0, the actual ID is determined by ELE.
    key_id: 0
    # -----------------------------===== Permitted algorithm [Conditionally required] =====-----------------------------
    # Description: Permitted algorithm of the imported key. Supports hash, MAC, cipher, AEAD, signature, and key
    # exchange algorithms.
    # Possible options: 
    # HMAC SHA256, HMAC SHA384, CMAC, ECB NO PADDING, CBC NO PADDING, CTR, CFB, OFB, ALL CIPHER, CCM, GCM,
    # CHACHA20_POLY1305, ALL AEAD, ECDSA SHA224, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512, RSA PKCS1 V1.5 SHA224, RSA
    # PKCS1 V1.5 SHA256, RSA PKCS1 V1.5 SHA384, RSA PKCS1 V1.5 SHA512, RSA PKCS1 V1.5 SHA ANY, RSA PKCS1 PSS MGF1
    # SHA224, RSA PKCS1 PSS MGF1 SHA256, RSA PKCS1 PSS MGF1 SHA384, RSA PKCS1 PSS MGF1 SHA512, RSA PKCS1 PSS MGF1 SHA
    # ANY, RSA PKCS1 ALL, ED25519PH, ED448PH, PURE EDDSA, ALL EDDSA, CMAC ATTESTATION, ECDSA SHA224 ATTESTATION, ECDSA
    # SHA256 ATTESTATION, ECDSA SHA384 ATTESTATION, ECDSA SHA512 ATTESTATION, RSA PKCS1 V1.5 CRYPT, RSA PKCS1 OAEP SHA1,
    # RSA PKCS1 OAEP SHA224, RSA PKCS1 OAEP SHA256, RSA PKCS1 OAEP SHA384, RSA PKCS1 OAEP SHA512, ECDH HKDF SHA256 KEY
    # IMPORT, ECDH HKDF SHA384 KEY IMPORT, ECDH HKDF SHA ANY KEY IMPORT, ECDH HKDF SHA256, ECDH HKDF SHA384, ECDH HKDF
    # SHA ANY>
    permitted_algorithm: SHA256 Set permitted algo
    permitted_algorithm: "ALL CIPHER"
    # ------------------------------===== Derived key usage [Conditionally required] =====------------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC verification
    # or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Cache
      - Encrypt
      - Derive
      - Decrypt
    # -------------------------------===== Import key type [Conditionally required] =====-------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES               0x2400  128/192/256
    #  HMAC              0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: AES
    # ----------------------------===== Import key size bits [Conditionally required] =====-----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 256
    # ----------------------------===== Imported key lifetime [Conditionally required] =====----------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # ---------------------------===== Imported key lifecycle [Conditionally required] =====----------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  OPENED and CLOSED   0x03  Key is usable in opened and closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: CURRENT Specify in which lifecycle stages the key is valid
    key_lifecycle: OPEN_CLOSED
    # ---------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====---------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the key
    # management handle set in the command API
    oem_mk_sk_key_id: 0
    oem_mk_sk_key_id: 1
    # -----------------------===== Imported key wrapping algorithm [Conditionally required] =====-----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # --------------------------------------===== Initial vector [Optional] =====---------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    iv: '0x00000000000000000000000000000000'
    # -------------------------------===== Wrapped key signing algorithm [Optional] =====-------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # ---------------------------------===== Wrapped key [Conditionally required] =====---------------------------------
    # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # could be used 'import_key' & 'oem_import_mk_sk_key'.
    wrapped_key: '0x00000000'
    # ----------------------------------===== Signature [Conditionally required] =====----------------------------------
    # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature length
    # fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    signature: '0x00000000000000000000000000000000'
    # -------------------------------===== Raw import key [Conditionally required] =====--------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: raw_key.pem
    import_key: aes256.bin
    # ----------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====-----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: '0x00000000000000000000000000000000'
    oem_import_mk_sk_key: workspace/assets/oem_import_mk_sk.bin
    # ------------------------------------===== Super Root Key Hash [Optional] =====------------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: '0x00000000000000000000000000000000'
    srkh: "0x00000000000000000000000000000000"
# ======================================================================================================================
#                                                  == Basic Settings ==                                                 
# ======================================================================================================================
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
output: tlv.bin

# Copyright 2025 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
# ----------------------------------------===== Key import TLV [Optional] =====-----------------------------------------
# Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
# key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
# following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
# sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private keys,
# it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of the
# imported key must be coherent. If attributes are invalid, an error is returned.
command:
  KEY_IMPORT:
    # ----------------------------------===== Key ID [Conditionally required] =====-----------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API
    key_id: 0
    # ---------------------------===== Key import algorithm [Conditionally required] =====----------------------------
    # Description:
    #  KEY       VALUE
    #  MD5       0x0200000
    #  SHA1      0x02000005
    #  SHA224    0x02000008
    #  SHA256    0x02000009
    #  SHA384    0x0200000A
    #  SHA512    0x0200000B
    #  defaults to SHA256
    # Possible options: 
    permitted_algorithm: "ALL CIPHER" Set permitted algo
    # -----------------------------===== Derived key usage [Conditionally required] =====-----------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
    # verification or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Encrypt
      - Decrypt
    # ------------------------------===== Import key type [Conditionally required] =====------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES        0x2400  128/192/256
    #  HMAC SHA384       0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: AES
    # ---------------------------===== Import key size bits [Conditionally required] =====----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 256
    # ---------------------------===== Imported key lifetime [Conditionally required] =====---------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # --------------------------===== Imported key lifecycle [Conditionally required] =====---------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: OPEN_CLOSED Specify in which lifecycle stages the key is valid
    # --------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====--------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the
    # key management handle set in the command API
    oem_mk_sk_key_id: 1
    # ----------------------===== Imported key wrapping algorithm [Conditionally required] =====----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # -------------------------------------===== Initial vector [Optional] =====--------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    # iv: "0x00000000000000000000000000000000"
    # ------------------------------===== Wrapped key signing algorithm [Optional] =====------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # --------------------------------===== Wrapped key [Conditionally required] =====--------------------------------
    # # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # # could be used 'import_key' & 'oem_import_mk_sk_key'.
    # wrapped_key: "0x00000000"
    # # ---------------------------------===== Signature [Conditionally required] =====---------------------------------
    # # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature
    # # length fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    # signature: "0x00000000000000000000000000000000"
    # ------------------------------===== Raw import key [Conditionally required] =====-------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: aes256.bin
    # ---------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: workspace/assets/oem_import_mk_sk.bin
    # -----------------------------------===== Super Root Key Hash [Optional] =====-----------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: "0x00000000000000000000000000000000"
output: tlv.bin

3.6.1 TLV blob - AES256

%! nxpimage -v signed-msg tlv export -c inputs/tlv_import_aes256.yaml

nxpimage -v signed-msg tlv export -c inputs/tlv_import_aes256.yaml
INFO:spsdk.image.ahab.tlv:The Import key Signed message created with raw key and OEM_IMPORT_MK_SK key.
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_WRAP_SK: f2fa66b83ed82acbe4dddb5c60966cabad61cf3116b542115f10f06cf6aee825
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_CMAC_SK: dc202a1160b4a5d11c088514e99e298b45aba12867543236fcd8774227f3e15c
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV blob size: 141 bytes
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV details:
TLV
  Key ID value: 0x00000000, 0
  Key import algorithm value: ALL CIPHER
  Key usage value: ['Encrypt', 'Decrypt']
  Key type value: AES
  Key bit size value: 0x00000100, 256
  Key life time value: ELE_KEY_IMPORT_PERSISTENT
  Key life cycle value: OPEN_CLOSED
  OEM Import MK SK key ID value: 0x00000001, 1
  Key wrapping algorithm: RFC3394
  Initial vector value: 00000000000000000000000000000000
  Key signing algorithm: CMAC
  Import key wrapped data: 8551f75b2dd95752084cfbc196a8ae1102eab2e1821fbcaf70a9f5b4e7dc3a130441cc3272524bf0
  Signature: a63e4e71b1dae995c8a484a12e6f811b
Success. (TLV blob: inputs/tlv.bin created.)

3.6.2 TLV blob - ECC384

YamlDiffWidget("inputs/tlv_import_ecc384.diffc").html

nxpimage signed-msg tlv get-template -f mx93 -o workspace/tlv_import_ecc384.yaml --force
Success. (TLV template: workspace/tlv_import_ecc384.yaml created.)

Configuration Differences

Show Diff Download Config

# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

command:
  # ---------------------------------------===== Key import TLV [Required] =====----------------------------------------
  # Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
  # key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
  # following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
  # sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private
  # keys, it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of
  # the imported key must be coherent. If attributes are invalid, an error is returned.
  KEY_IMPORT:
    # -----------------------------------===== Key ID [Conditionally required] =====------------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API. If set to 0, the actual ID is determined by ELE.
    key_id: 0
    # -----------------------------===== Permitted algorithm [Conditionally required] =====-----------------------------
    # Description: Permitted algorithm of the imported key. Supports hash, MAC, cipher, AEAD, signature, and key
    # exchange algorithms.
    # Possible options: 
    # HMAC SHA256, HMAC SHA384, CMAC, ECB NO PADDING, CBC NO PADDING, CTR, CFB, OFB, ALL CIPHER, CCM, GCM,
    # CHACHA20_POLY1305, ALL AEAD, ECDSA SHA224, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512, RSA PKCS1 V1.5 SHA224, RSA
    # PKCS1 V1.5 SHA256, RSA PKCS1 V1.5 SHA384, RSA PKCS1 V1.5 SHA512, RSA PKCS1 V1.5 SHA ANY, RSA PKCS1 PSS MGF1
    # SHA224, RSA PKCS1 PSS MGF1 SHA256, RSA PKCS1 PSS MGF1 SHA384, RSA PKCS1 PSS MGF1 SHA512, RSA PKCS1 PSS MGF1 SHA
    # ANY, RSA PKCS1 ALL, ED25519PH, ED448PH, PURE EDDSA, ALL EDDSA, CMAC ATTESTATION, ECDSA SHA224 ATTESTATION, ECDSA
    # SHA256 ATTESTATION, ECDSA SHA384 ATTESTATION, ECDSA SHA512 ATTESTATION, RSA PKCS1 V1.5 CRYPT, RSA PKCS1 OAEP SHA1,
    # RSA PKCS1 OAEP SHA224, RSA PKCS1 OAEP SHA256, RSA PKCS1 OAEP SHA384, RSA PKCS1 OAEP SHA512, ECDH HKDF SHA256 KEY
    # IMPORT, ECDH HKDF SHA384 KEY IMPORT, ECDH HKDF SHA ANY KEY IMPORT, ECDH HKDF SHA256, ECDH HKDF SHA384, ECDH HKDF
    # SHA ANY>
    permitted_algorithm: SHA256 Set permitted algo
    permitted_algorithm: "ECDSA SHA384"
    # ------------------------------===== Derived key usage [Conditionally required] =====------------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC verification
    # or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Cache
      - Derive
      - Sign hash
      - Verify hash
    # -------------------------------===== Import key type [Conditionally required] =====-------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES               0x2400  128/192/256
    #  HMAC              0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: AES
    key_type: ECC NIST
    # ----------------------------===== Import key size bits [Conditionally required] =====-----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 256
    key_size_bits: 384
    # ----------------------------===== Imported key lifetime [Conditionally required] =====----------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # ---------------------------===== Imported key lifecycle [Conditionally required] =====----------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  OPENED and CLOSED   0x03  Key is usable in opened and closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: CURRENT Specify in which lifecycle stages the key is valid
    key_lifecycle: OPEN_CLOSED
    # ---------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====---------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the key
    # management handle set in the command API
    oem_mk_sk_key_id: 0
    oem_mk_sk_key_id: 1
    # -----------------------===== Imported key wrapping algorithm [Conditionally required] =====-----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # --------------------------------------===== Initial vector [Optional] =====---------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    iv: '0x00000000000000000000000000000000'
    # -------------------------------===== Wrapped key signing algorithm [Optional] =====-------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # ---------------------------------===== Wrapped key [Conditionally required] =====---------------------------------
    # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # could be used 'import_key' & 'oem_import_mk_sk_key'.
    wrapped_key: '0x00000000'
    # ----------------------------------===== Signature [Conditionally required] =====----------------------------------
    # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature length
    # fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    signature: '0x00000000000000000000000000000000'
    # -------------------------------===== Raw import key [Conditionally required] =====--------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: raw_key.pem
    import_key: oem_p384_private.pem
    # ----------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====-----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: '0x00000000000000000000000000000000'
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # ------------------------------------===== Super Root Key Hash [Optional] =====------------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: '0x00000000000000000000000000000000'
    srkh: "0x00000000000000000000000000000000"
# ======================================================================================================================
#                                                  == Basic Settings ==                                                 
# ======================================================================================================================
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
output: tlv.bin

# Copyright 2025 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

# ----------------------------------------===== Key import TLV [Optional] =====-----------------------------------------
# Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
# key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
# following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
# sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private keys,
# it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of the
# imported key must be coherent. If attributes are invalid, an error is returned.
command:
  KEY_IMPORT:
    # ----------------------------------===== Key ID [Conditionally required] =====-----------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API
    key_id: 0
    # ---------------------------===== Key import algorithm [Conditionally required] =====----------------------------
    # Description:
    #  KEY       VALUE
    #  MD5       0x0200000
    #  SHA1      0x02000005
    #  SHA224    0x02000008
    #  SHA256    0x02000009
    #  SHA384    0x0200000A
    #  SHA512    0x0200000B
    #  defaults to SHA256
    # Possible options: 
    permitted_algorithm: "ECDSA SHA384" Set permitted algo
    # -----------------------------===== Derived key usage [Conditionally required] =====-----------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
    # verification or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Sign hash
      - Verify hash
    # ------------------------------===== Import key type [Conditionally required] =====------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES        0x2400  128/192/256
    #  HMAC SHA384       0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: ECC NIST
    # ---------------------------===== Import key size bits [Conditionally required] =====----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 384
    # ---------------------------===== Imported key lifetime [Conditionally required] =====---------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # --------------------------===== Imported key lifecycle [Conditionally required] =====---------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: OPEN_CLOSED Specify in which lifecycle stages the key is valid
    # --------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====--------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the
    # key management handle set in the command API
    oem_mk_sk_key_id: 1
    # ----------------------===== Imported key wrapping algorithm [Conditionally required] =====----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # -------------------------------------===== Initial vector [Optional] =====--------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    # iv: "0x00000000000000000000000000000000"
    # ------------------------------===== Wrapped key signing algorithm [Optional] =====------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # --------------------------------===== Wrapped key [Conditionally required] =====--------------------------------
    # # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # # could be used 'import_key' & 'oem_import_mk_sk_key'.
    # wrapped_key: "0x00000000"
    # # ---------------------------------===== Signature [Conditionally required] =====---------------------------------
    # # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature
    # # length fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    # signature: "0x00000000000000000000000000000000"
    # ------------------------------===== Raw import key [Conditionally required] =====-------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: oem_p384_private.pem
    # ---------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # -----------------------------------===== Super Root Key Hash [Optional] =====-----------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: "0x00000000000000000000000000000000"

%! nxpimage -v signed-msg tlv export -c inputs/tlv_import_ecc384.yaml

nxpimage -v signed-msg tlv export -c inputs/tlv_import_ecc384.yaml
INFO:spsdk.image.ahab.tlv:The Import key Signed message created with raw key and OEM_IMPORT_MK_SK key.
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_WRAP_SK: f2fa66b83ed82acbe4dddb5c60966cabad61cf3116b542115f10f06cf6aee825
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_CMAC_SK: dc202a1160b4a5d11c088514e99e298b45aba12867543236fcd8774227f3e15c
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV blob size: 157 bytes
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV details:
TLV
  Key ID value: 0x00000000, 0
  Key import algorithm value: ECDSA SHA384
  Key usage value: ['Sign hash', 'Verify hash']
  Key type value: ECC NIST
  Key bit size value: 0x00000180, 384
  Key life time value: ELE_KEY_IMPORT_PERSISTENT
  Key life cycle value: OPEN_CLOSED
  OEM Import MK SK key ID value: 0x00000001, 1
  Key wrapping algorithm: RFC3394
  Initial vector value: 00000000000000000000000000000000
  Key signing algorithm: CMAC
  Import key wrapped data: 8b3fa3a1a659ae4c4b5a120cb5eebb2ae3fd33ecbd9b3e2cc7c3b4566848cc40aa33601469fa82750ef1acc9d37800f03c381e86ec560513
  Signature: e7d995f27ac05e7336a800a5924d38e0
Success. (TLV blob: inputs/tlv.bin created.)

3.6.3 TLV blob - ECC521

YamlDiffWidget("inputs/tlv_import_ecc521.diffc").html

nxpimage signed-msg tlv get-template -f mx93 -o workspace/tlv_import_ecc521.yaml --force
Success. (TLV template: workspace/tlv_import_ecc521.yaml created.)

Configuration Differences

Show Diff Download Config

# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                  == Basic Settings ==                                                 
# ======================================================================================================================
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
output: tlv.bin
# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

command:
  # ---------------------------------------===== Key import TLV [Required] =====----------------------------------------
  # Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
  # key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
  # following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
  # sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private
  # keys, it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of
  # the imported key must be coherent. If attributes are invalid, an error is returned.
  KEY_IMPORT:
    # -----------------------------------===== Key ID [Conditionally required] =====------------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API. If set to 0, the actual ID is determined by ELE.
    key_id: 0
    # -----------------------------===== Permitted algorithm [Conditionally required] =====-----------------------------
    # Description: Permitted algorithm of the imported key. Supports hash, MAC, cipher, AEAD, signature, and key
    # exchange algorithms.
    # Possible options: 
    # HMAC SHA256, HMAC SHA384, CMAC, ECB NO PADDING, CBC NO PADDING, CTR, CFB, OFB, ALL CIPHER, CCM, GCM,
    # CHACHA20_POLY1305, ALL AEAD, ECDSA SHA224, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512, RSA PKCS1 V1.5 SHA224, RSA
    # PKCS1 V1.5 SHA256, RSA PKCS1 V1.5 SHA384, RSA PKCS1 V1.5 SHA512, RSA PKCS1 V1.5 SHA ANY, RSA PKCS1 PSS MGF1
    # SHA224, RSA PKCS1 PSS MGF1 SHA256, RSA PKCS1 PSS MGF1 SHA384, RSA PKCS1 PSS MGF1 SHA512, RSA PKCS1 PSS MGF1 SHA
    # ANY, RSA PKCS1 ALL, ED25519PH, ED448PH, PURE EDDSA, ALL EDDSA, CMAC ATTESTATION, ECDSA SHA224 ATTESTATION, ECDSA
    # SHA256 ATTESTATION, ECDSA SHA384 ATTESTATION, ECDSA SHA512 ATTESTATION, RSA PKCS1 V1.5 CRYPT, RSA PKCS1 OAEP SHA1,
    # RSA PKCS1 OAEP SHA224, RSA PKCS1 OAEP SHA256, RSA PKCS1 OAEP SHA384, RSA PKCS1 OAEP SHA512, ECDH HKDF SHA256 KEY
    # IMPORT, ECDH HKDF SHA384 KEY IMPORT, ECDH HKDF SHA ANY KEY IMPORT, ECDH HKDF SHA256, ECDH HKDF SHA384, ECDH HKDF
    # SHA ANY>
    permitted_algorithm: SHA256 Set permitted algo
    permitted_algorithm: "ECDSA SHA512"
    # ------------------------------===== Derived key usage [Conditionally required] =====------------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC verification
    # or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Cache
      - Derive
      - Sign hash
      - Verify hash
    # -------------------------------===== Import key type [Conditionally required] =====-------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES               0x2400  128/192/256
    #  HMAC              0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    #  RSA               0x7001  2048/3072/4096
    # Possible options: 
    key_type: AES
    key_type: ECC NIST
    # ----------------------------===== Import key size bits [Conditionally required] =====-----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512, 521, 2048, 3072, 4096>
    key_size_bits: 256
    key_size_bits: 521
    # ----------------------------===== Imported key lifetime [Conditionally required] =====----------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # ---------------------------===== Imported key lifecycle [Conditionally required] =====----------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  OPENED and CLOSED   0x03  Key is usable in opened and closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: CURRENT Specify in which lifecycle stages the key is valid
    key_lifecycle: OPEN_CLOSED
    # ---------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====---------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the key
    # management handle set in the command API
    oem_mk_sk_key_id: 0
    oem_mk_sk_key_id: 1
    # -----------------------===== Imported key wrapping algorithm [Conditionally required] =====-----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394 We need to use AES-CBC because key size is not 8 bytes aligned
    key_wrapping_algorithm: AES_CBC
    # --------------------------------------===== Initial vector [Optional] =====---------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    iv: '0x00000000000000000000000000000000'
    # -------------------------------===== Wrapped key signing algorithm [Optional] =====-------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # ---------------------------------===== Wrapped key [Conditionally required] =====---------------------------------
    # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # could be used 'import_key' & 'oem_import_mk_sk_key'.
    wrapped_key: '0x00000000'
    # ----------------------------------===== Signature [Conditionally required] =====----------------------------------
    # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature length
    # fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    signature: '0x00000000000000000000000000000000'
    # -------------------------------===== Raw import key [Conditionally required] =====--------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: raw_key.pem
    import_key: oem_p521_private.pem
    # ----------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====-----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: '0x00000000000000000000000000000000'
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # ------------------------------------===== Super Root Key Hash [Optional] =====------------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: '0x00000000000000000000000000000000'
    srkh: "0x00000000000000000000000000000000"

# Copyright 2025 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

# ----------------------------------------===== Key import TLV [Optional] =====-----------------------------------------
# Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
# key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
# following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
# sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private keys,
# it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of the
# imported key must be coherent. If attributes are invalid, an error is returned.
command:
  KEY_IMPORT:
    # ----------------------------------===== Key ID [Conditionally required] =====-----------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API
    key_id: 0
    # ---------------------------===== Key import algorithm [Conditionally required] =====----------------------------
    # Description:
    #  KEY       VALUE
    #  MD5       0x0200000
    #  SHA1      0x02000005
    #  SHA224    0x02000008
    #  SHA256    0x02000009
    #  SHA384    0x0200000A
    #  SHA512    0x0200000B
    #  defaults to SHA256
    # Possible options: 
    permitted_algorithm: "ECDSA SHA512" Set permitted algo
    # -----------------------------===== Derived key usage [Conditionally required] =====-----------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
    # verification or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Sign hash
      - Verify hash
    # ------------------------------===== Import key type [Conditionally required] =====------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES        0x2400  128/192/256
    #  HMAC SHA384       0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: ECC NIST
    # ---------------------------===== Import key size bits [Conditionally required] =====----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 521
    # ---------------------------===== Imported key lifetime [Conditionally required] =====---------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # --------------------------===== Imported key lifecycle [Conditionally required] =====---------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: OPEN_CLOSED Specify in which lifecycle stages the key is valid
    # --------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====--------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the
    # key management handle set in the command API
    oem_mk_sk_key_id: 1
    # ----------------------===== Imported key wrapping algorithm [Conditionally required] =====----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: AES_CBC We need to use AES-CBC because key size is not 8 bytes aligned
    # -------------------------------------===== Initial vector [Optional] =====--------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    # iv: "0x00000000000000000000000000000000"
    # ------------------------------===== Wrapped key signing algorithm [Optional] =====------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # --------------------------------===== Wrapped key [Conditionally required] =====--------------------------------
    # # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # # could be used 'import_key' & 'oem_import_mk_sk_key'.
    # wrapped_key: "0x00000000"
    # # ---------------------------------===== Signature [Conditionally required] =====---------------------------------
    # # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature
    # # length fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    # signature: "0x00000000000000000000000000000000"
    # ------------------------------===== Raw import key [Conditionally required] =====-------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: oem_p521_private.pem
    # ---------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # -----------------------------------===== Super Root Key Hash [Optional] =====-----------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: "0x00000000000000000000000000000000"

%! nxpimage -v signed-msg tlv export -c inputs/tlv_import_ecc521.yaml

nxpimage -v signed-msg tlv export -c inputs/tlv_import_ecc521.yaml
INFO:spsdk.image.ahab.tlv:The Import key Signed message created with raw key and OEM_IMPORT_MK_SK key.
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_WRAP_SK: f2fa66b83ed82acbe4dddb5c60966cabad61cf3116b542115f10f06cf6aee825
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_CMAC_SK: dc202a1160b4a5d11c088514e99e298b45aba12867543236fcd8774227f3e15c
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV blob size: 199 bytes
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV details:
TLV
  Key ID value: 0x00000000, 0
  Key import algorithm value: ECDSA SHA512
  Key usage value: ['Sign hash', 'Verify hash']
  Key type value: ECC NIST
  Key bit size value: 0x00000209, 521
  Key life time value: ELE_KEY_IMPORT_PERSISTENT
  Key life cycle value: OPEN_CLOSED
  OEM Import MK SK key ID value: 0x00000001, 1
  Key wrapping algorithm: AES_CBC
  Initial vector value: 00000000000000000000000000000000
  Key signing algorithm: CMAC
  Import key wrapped data: 917b068704098f0685083f3056a08b1a95d0f49cff49806103a04c7cad2a57859b1a16a74e82fb193db3a6aeb1726c6d9190c501c19a3bd4613406010b8a010b7a12435e56bec4a7df52e9fec126e6d3
  Signature: db088ca226029d74b52cb97b88f86d8b
Success. (TLV blob: inputs/tlv.bin created.)

3.6.3 TLV blob - RSA4096

YamlDiffWidget("inputs/tlv_import_rsa4096.diffc").html

nxpimage signed-msg tlv get-template -f mx93 -o workspace/tlv_import_rsa4096.yaml --force
Success. (TLV template: workspace/tlv_import_rsa4096.yaml created.)

Configuration Differences

Show Diff Download Config

# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                  == Basic Settings ==                                                 
# ======================================================================================================================
# ---------------------------------------===== Output Image name [Required] =====---------------------------------------
# Description: The path for result binary file.
output: tlv.bin
# ======================================================================================================================
#                                                 == General Options ==                                                 
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

command:
  # ---------------------------------------===== Key import TLV [Required] =====----------------------------------------
  # Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
  # key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
  # following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
  # sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private
  # keys, it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of
  # the imported key must be coherent. If attributes are invalid, an error is returned.
  KEY_IMPORT:
    # -----------------------------------===== Key ID [Conditionally required] =====------------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API. If set to 0, the actual ID is determined by ELE.
    key_id: 0
    # -----------------------------===== Permitted algorithm [Conditionally required] =====-----------------------------
    # Description: Permitted algorithm of the imported key. Supports hash, MAC, cipher, AEAD, signature, and key
    # exchange algorithms.
    # Possible options: 
    # HMAC SHA256, HMAC SHA384, CMAC, ECB NO PADDING, CBC NO PADDING, CTR, CFB, OFB, ALL CIPHER, CCM, GCM,
    # CHACHA20_POLY1305, ALL AEAD, ECDSA SHA224, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512, RSA PKCS1 V1.5 SHA224, RSA
    # PKCS1 V1.5 SHA256, RSA PKCS1 V1.5 SHA384, RSA PKCS1 V1.5 SHA512, RSA PKCS1 V1.5 SHA ANY, RSA PKCS1 PSS MGF1
    # SHA224, RSA PKCS1 PSS MGF1 SHA256, RSA PKCS1 PSS MGF1 SHA384, RSA PKCS1 PSS MGF1 SHA512, RSA PKCS1 PSS MGF1 SHA
    # ANY, RSA PKCS1 ALL, ED25519PH, ED448PH, PURE EDDSA, ALL EDDSA, CMAC ATTESTATION, ECDSA SHA224 ATTESTATION, ECDSA
    # SHA256 ATTESTATION, ECDSA SHA384 ATTESTATION, ECDSA SHA512 ATTESTATION, RSA PKCS1 V1.5 CRYPT, RSA PKCS1 OAEP SHA1,
    # RSA PKCS1 OAEP SHA224, RSA PKCS1 OAEP SHA256, RSA PKCS1 OAEP SHA384, RSA PKCS1 OAEP SHA512, ECDH HKDF SHA256 KEY
    # IMPORT, ECDH HKDF SHA384 KEY IMPORT, ECDH HKDF SHA ANY KEY IMPORT, ECDH HKDF SHA256, ECDH HKDF SHA384, ECDH HKDF
    # SHA ANY>
    permitted_algorithm: SHA256 Set permitted algo
    permitted_algorithm: "RSA PKCS1 ALL"
    # ------------------------------===== Derived key usage [Conditionally required] =====------------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC verification
    # or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Cache
      - Derive
      - Sign hash
      - Verify hash
    # -------------------------------===== Import key type [Conditionally required] =====-------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES               0x2400  128/192/256
    #  HMAC              0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    #  RSA               0x7001  2048/3072/4096
    # Possible options: 
    key_type: AES
    key_type: RSA
    # ----------------------------===== Import key size bits [Conditionally required] =====-----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512, 521, 2048, 3072, 4096>
    key_size_bits: 256
    key_size_bits: 4096
    # ----------------------------===== Imported key lifetime [Conditionally required] =====----------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # ---------------------------===== Imported key lifecycle [Conditionally required] =====----------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  OPENED and CLOSED   0x03  Key is usable in opened and closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: CURRENT Specify in which lifecycle stages the key is valid
    key_lifecycle: OPEN_CLOSED
    # ---------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====---------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the key
    # management handle set in the command API
    oem_mk_sk_key_id: 0
    oem_mk_sk_key_id: 1
    # -----------------------===== Imported key wrapping algorithm [Conditionally required] =====-----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # --------------------------------------===== Initial vector [Optional] =====---------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    iv: '0x00000000000000000000000000000000'
    # -------------------------------===== Wrapped key signing algorithm [Optional] =====-------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # ---------------------------------===== Wrapped key [Conditionally required] =====---------------------------------
    # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # could be used 'import_key' & 'oem_import_mk_sk_key'.
    wrapped_key: '0x00000000'
    # ----------------------------------===== Signature [Conditionally required] =====----------------------------------
    # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature length
    # fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    signature: '0x00000000000000000000000000000000'
    # -------------------------------===== Raw import key [Conditionally required] =====--------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: raw_key.pem
    import_key: oem_rsa4096_private.pem
    # ----------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====-----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: '0x00000000000000000000000000000000'
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # ------------------------------------===== Super Root Key Hash [Optional] =====------------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: '0x00000000000000000000000000000000'
    srkh: "0x00000000000000000000000000000000"

# Copyright 2025-2026 NXP
#
# SPDX-License-Identifier: BSD-3-Clause

# ============================  TLV Configuration template for mimx9352, Revision: latest.  ============================

# ======================================================================================================================
#                                                 == General Options ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: mimx9352
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: 
revision: latest
output: tlv.bin

# ----------------------------------------===== Key import TLV [Optional] =====-----------------------------------------
# Description: This TLV is designed to import a symmetric key or a private key of an asymmetric key pair. The imported
# key must be encrypted (except specific cases like SRKH). The key used to decrypt the imported key must have the
# following attributes; -  DECRYPT usage; -  A wrapping key algorithm as permitted algorithm (detailed in next
# sections). User must import symmetric key or private key from an asymmetric key pair. For RSA asymmetric private keys,
# it must be the concatenation of private exponent followed by the modulus. To be valid, all key attributes of the
# imported key must be coherent. If attributes are invalid, an error is returned.
command:
  KEY_IMPORT:
    # ----------------------------------===== Key ID [Conditionally required] =====-----------------------------------
    # Description: Key store ID where to store the imported key. It must be the key store ID related to the key
    # management handle set in the command API
    key_id: 0
    # ---------------------------===== Key import algorithm [Conditionally required] =====----------------------------
    # Description:
    #  KEY       VALUE
    #  MD5       0x0200000
    #  SHA1      0x02000005
    #  SHA224    0x02000008
    #  SHA256    0x02000009
    #  SHA384    0x0200000A
    #  SHA512    0x0200000B
    #  defaults to SHA256
    # Possible options: 
    permitted_algorithm: "RSA PKCS1 ALL" Set permitted algo
    # -----------------------------===== Derived key usage [Conditionally required] =====-----------------------------
    # Description: Permission usage list. List of possible permissions:
    #  Cache           0x00000004  Permission to cache the key in the ELE internal secure memory. This usage is set by
    # default by ELE FW for all keys generated or imported.
    #  Encrypt         0x00000100  Permission to encrypt a message with the key. It could be cipher encryption, AEAD
    # encryption or asymmetric encryption operation.
    #  Decrypt         0x00000200  Permission to decrypt a message with the key. It could be cipher decryption, AEAD
    # decryption or asymmetric decryption operation.
    #  Sign message    0x00000400  Permission to sign a message with the key. It could be a MAC generation or an
    # asymmetric message signature operation.
    #  Verify message  0x00000800  Permission to verify a message signature with the key. It could be a MAC
    # verification or an asymmetric message signature verification operation.
    #  Sign hash       0x00001000  Permission to sign a hashed message with the key with an asymmetric signature
    # operation. Setting this permission automatically sets the Sign Message usage.
    #  Verify hash     0x00002000  Permission to verify a hashed message signature with the key with an asymmetric
    # signature verification operation.
    #  Setting this permission automatically sets the Verify Message usage.
    #  Derive          0x00004000  Permission to derive other keys from this key.
    key_usage: Specify key usage restrictions
      - Sign hash
      - Verify hash
    # ------------------------------===== Import key type [Conditionally required] =====------------------------------
    # Description:
    #  Key type          Value   Key size in bits
    #  AES        0x2400  128/192/256
    #  HMAC SHA384       0x1100  224/256/384/512
    #  Derived key       0x1200  256/384
    #  OEM_IMPORT_MK_SK  0x9200  128/192/256
    #  ECC NIST          0x7112  128/192/256
    # Possible options: 
    key_type: RSA
    # ---------------------------===== Import key size bits [Conditionally required] =====----------------------------
    # Description: Import key size bits
    # Possible options: <128, 192, 224, 256, 384, 512>
    key_size_bits: 4096
    # ---------------------------===== Imported key lifetime [Conditionally required] =====---------------------------
    # Description:
    #  ELE_KEY_IMPORT_VOLATILE           0xC0020000  Standard volatile key.
    #  ELE_KEY_IMPORT_PERSISTENT         0xC0020001  Standard persistent key.
    #  ELE_KEY_IMPORT_PERMANENT          0xC00200FF  Standard permanent key.
    # Possible options: 
    key_lifetime: ELE_KEY_IMPORT_PERSISTENT
    # --------------------------===== Imported key lifecycle [Conditionally required] =====---------------------------
    # Description:
    #  CURRENT           0x00  Key is usable in current lifecycle.
    #  OPEN              0x01  Key is usable in open lifecycle.
    #  CLOSED            0x02  Key is usable in closed lifecycle.
    #  CLOSED and LOCKED 0x04  Key is usable in closed and locked lifecycle.
    # Possible options: 
    key_lifecycle: OPEN_CLOSED Specify in which lifecycle stages the key is valid
    # --------------------------===== OEM_IMPORT_MK_SK key ID [Conditionally required] =====--------------------------
    # Description: Key store ID where is stored the OEM_IMPORT_MK_SK key. It must be the key store ID related to the
    # key management handle set in the command API
    oem_mk_sk_key_id: 1
    # ----------------------===== Imported key wrapping algorithm [Conditionally required] =====----------------------
    # Description:
    #  RFC3394 - RFC 3394 wrapping
    #  AES_CBC - AES-CBC wrapping (padding: ISO7816-4 padding)
    # Possible options: 
    key_wrapping_algorithm: RFC3394
    # -------------------------------------===== Initial vector [Optional] =====--------------------------------------
    # Description: IV to use for CBC wrapping. Not used if 'wrapping algorithm' not equal 0x02.
    # iv: "0x00000000000000000000000000000000"
    # ------------------------------===== Wrapped key signing algorithm [Optional] =====------------------------------
    # Description: Algorithm used to sign the blob itself. Field “Signature” of this blob. It must be: 0x01 (CMAC)
    # Possible options: 
    signing_algorithm: CMAC
    # --------------------------------===== Wrapped key [Conditionally required] =====--------------------------------
    # # Description: Private key data in encrypted format as defined by the 'Wrapping Algorithm'. Key used to do the
    # # encryption must be OEM_IMPORT_WRAP_SK derived from OEM_IMPORT_MK_SK. Instead of 'wrapped_key' & 'signature' it
    # # could be used 'import_key' & 'oem_import_mk_sk_key'.
    # wrapped_key: "0x00000000"
    # # ---------------------------------===== Signature [Conditionally required] =====---------------------------------
    # # Description: Signature of all previous fields of this blob including the signature tag (0x5E) and signature
    # # length fields. Key used to do the signature must be OEM_IMPORT_CMAC_SK derived from OEM_IMPORT_MK_SK. Instead of
    # # 'wrapped_key' & 'signature' it could be used 'import_key' & 'oem_import_mk_sk_key'.
    # signature: "0x00000000000000000000000000000000"
    # ------------------------------===== Raw import key [Conditionally required] =====-------------------------------
    # Description: Raw private key that will be wrapped and encrypted by OEM_IMPORT_MK_SK key that must be also
    # provided. Instead of 'import_key' & 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    import_key: oem_rsa4096_private.pem
    # ---------------------------===== OEM_IMPORT_MK_SK Key [Conditionally required] =====----------------------------
    # Description: OEM_IMPORT_MK_SK key used to wrap and encrypt the raw key. Instead of 'import_key' &
    # 'oem_import_mk_sk_key' it could be used 'wrapped_key' & 'signature'.
    oem_import_mk_sk_key: "0xc7e7436ed876b0176d775a658c3e9bcf59c940a41a2673b0552b7d7df504d194"
    # -----------------------------------===== Super Root Key Hash [Optional] =====-----------------------------------
    # Description: Optional Super root key hash is used if Salt flags that requires in Exchange keys algorithms.
    srkh: "0x00000000000000000000000000000000"

%! nxpimage -v signed-msg tlv export -c inputs/tlv_import_rsa4096.yaml

nxpimage -v signed-msg tlv export -c inputs/tlv_import_rsa4096.yaml
INFO:spsdk.image.ahab.tlv:The Import key Signed message created with raw key and OEM_IMPORT_MK_SK key.
INFO:spsdk.image.ahab.tlv:RSA key loaded: 4096 bits, modulus: 512 bytes, exponent: 512 bytes
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_WRAP_SK: f2fa66b83ed82acbe4dddb5c60966cabad61cf3116b542115f10f06cf6aee825
INFO:spsdk.image.ahab.tlv:Derived OEM_IMPORT_CMAC_SK: dc202a1160b4a5d11c088514e99e298b45aba12867543236fcd8774227f3e15c
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV blob size: 1135 bytes
INFO:spsdk.apps.nxpimage_apps.nxpimage_signed_msg:TLV details:
TLV
  Key ID value: 0x00000000, 0
  Key import algorithm value: RSA PKCS1 ALL
  Key usage value: ['Sign hash', 'Verify hash']
  Key type value: RSA
  Key bit size value: 0x00001000, 4096
  Key life time value: ELE_KEY_IMPORT_PERSISTENT
  Key life cycle value: OPEN_CLOSED
  OEM Import MK SK key ID value: 0x00000001, 1
  Key wrapping algorithm: RFC3394
  Initial vector value: 00000000000000000000000000000000
  Key signing algorithm: CMAC
  Import key wrapped data: 897ef5802e89080fb176798992bbe954b2ce3e6b31afe2c6d151e171487b76cfca004a70f83dbaf3b7d7a7dc4b1187bc57c8da4d9d6a0663cad30f1156806fc8973cf391aa4df68450392292539a782c400f33f03c7703e709816752f71cd8db836be26cf7e5814ee3d0e3bb9ee67b633630cc34497c395f510d1dd357975e9d55add77475b1ac52031e6db64be8decf234dfe05fbe439d1e0a8c8eea8d66b6c9fc746d7640860384692d913dfecafc1cefc79d3ce4f2b932724891ff0ad01e46667b44a5259901fedcda603318ea989e052e6b9a8fc60af1303bae83d36c12b5e538a9f561d34e441e8cfd7e6533222a1f79a57831d6ac00c465880a9b7e01c9a05e2f0b0f4651a5b26b1f889ba5964ee52495d3746a458a7cd83ba2bff43633f8e9d3eb1f48d8b266176f68f933f02cffde1bd7dd4c1636b133bc1d2ae48b9d3dacef71512a902960b44abd53bdee6b5e6fdb3b125be55a24d278c9bf351e57c258fd5725a91a09a6b7b616eb8c9935af44c1f78d70e6fce8cc5f8f808cb920bb1c8860d108bc5887cdcbe14e84355ad941c5cb5b1e2ec706c7a08292a03a733cb7975518e8bc023728fbf0ebf827728550a20c216dde511b362d579f6f515bfbc16f912efcffed2e076ecb72f503a584a702823bc8218c38305bf88ca8d015dd30219471dd0bad0c629e712dac5bf5ec72773be2855b7836b7dd49420bb6fe34b0ec977639ac64ec70ed190e6e45f6b4ffc55bf734e6daddf8acd6eb3fe36a6b3bf46d9f5c6ba34226e4886decc9674e10595e331ff625373eb2eac16cb19fa87ed1e99f9132bf63c2af243c1e530568004e6665e4c251dadb04cef6d9ab9e3b3535c59a628a7ec3863c372e6d61728e4a671b8b5cd8bb0072e10c615b908207afb0d3f9ee9d8f7061bbb932c9cf6279966a553e3b38868eb2ac045fe3fba5ff2861c4c9f1b02ed4293475a89a3e291ad95bd029c9a47a9afc228be51ba60159a7773621e3e1bf9f37a90554e5d74ee2b467d74e172ff46c412b837e784fa361bb6389a1737e8ddae1296b0e585ba119d4eacc8cdf9a9747366b34f1ab5136597216478897b777ae3b94ed2e3dcf1180f6fa3cb84e437d26c8f477a6978d3d98f1bff290f9b465a6d6bfe2746fff21a658671ec50705ea140ea64399adcac4118fb1fe1fc8f800764ca095396cdccd90b592a533a82039bb817451cfa382c27b23bf9a1b0bb293f4b91cad702372678229d2d5404488efbd544ed28cfce3aa1fce533c6d2924512334d3c436d04081364949f2c0f32b36466c534eb764435a5724bfe5173e6dee905e2f646faa36cabc3ebf79fefbeaeaa513dc67b032e76d2de1bd78aead20e24745ffc3d9ac7a3e248a14577fef24cd98ccca4cad1334380d577d7d6f8e5d80567131f18eb1c9fff51c62743c2eb2ad070fa6a560cba26ac0e6ca152cb2db3
  Signature: 6458344257179e589d2acb7e102743b9
Success. (TLV blob: inputs/tlv.bin created.)