AHAB#
AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage how the output should look like.
Example of use for export
nxpimage ahab export -c "path\to\config\file.yaml"
Example of use for parse binary AHAB container
nxpimage ahab parse -b "my_ahab_container.bin" -o "path\to_parsed_data"
The full AHAB configuration template could be generated by nxpimage tool “get_template” sub-command for family that supports AHAB, example:
nxpimage ahab get-template -f rt118x -o ahab_template_rt118x.yaml
Generating Multiple Bootable Image Templates#
For families that support IMX bootloaders (like i.MX 8/9 series), you can generate multiple template configurations using the get-templates command:
nxpimage bootable-image get-templates -f <family> -o <output_directory>
This command generates:
- Standard templates for all memory types
- Extra templates with simplified naming (e.g., spl for primary image, uboot for secondary image)
- Board-specific template variants in sub-folders
To generate a specific template type:
nxpimage bootable-image get-templates -f <family> -o <output_directory> --template imx_boot_flash_all
To generate templates for a specific board:
nxpimage bootable-image get-templates -f <family> -o <output_directory> --board imx95-19x19-lpddr5-evk
Use nxpimage bootable-image list-boards -f <family> to see available boards.
AHAB Extensions#
Since SPSDK version 2.2.0, support for AHAB extensions have been added. This allows the user to create the standard images like U-Boot for example in the similar manner as with the imx-mkimage tool, without knowing the details of the AHAB format.
AHAB Sign#
Since SPSDK version 2.3.0 it is possible to sign and encrypt existing image or image container set, without parsing.
It parses the input image, loads the configuration file and iterates over the segments in the image. If the segment is AHAB image, it iterates over all the containers and if the container is not NXP signed, it signs them with the key (signature provider) provided in the configuration.
If the blob is specified, it also iterates over all images in the container and encrypt them.
Then signed (encrypted) image is saved to the path provided.
Template for signing might be generated using the get-template command with –sign/-s flag:
nxpimage ahab get-template -f <family> -o sign_template.yaml --sign
Example of use for sign and encrypt AHAB container
nxpimage -v ahab sign -c "path\to\config\file.yaml" -c "ahab_image_to_be_signed.bin" -o "path\to_signed_image"
AHAB Re-sign#
It is possible to re-sign an existing AHAB container without modifying other parts of the image. This is useful when you need to update the signature of a specific container without rebuilding the entire image.
The re-sign command allows you to specify a private key or signature provider configuration to sign a specific container in the AHAB image.
Example of use for re-signing a container in an AHAB image:
nxpimage ahab re-sign -f <family> -b "ahab_image.bin" -k "path/to/private_key.pem" -i <container_id>
For bootable images that contain FCB or XMCD segments, you need to specify the memory type:
nxpimage ahab re-sign -f <family> -b "bootable_image.bin" -k "path/to/private_key.pem" -i <container_id> -m <memory_type>
AHAB Update Keyblob#
It is possible to update the encryption keyblob in an existing AHAB container. This is useful when you need to update the encryption keys without rebuilding the entire image.
The update-keyblob command allows you to replace the keyblob in a specific container of an AHAB image with a new one.
Example of use for updating a keyblob in an AHAB image:
nxpimage ahab update-keyblob -f <family> -b "ahab_image.bin" -k "path/to/new_keyblob.bin" -i <container_id>
For bootable images that contain FCB or XMCD segments, you need to specify the memory type:
nxpimage ahab update-keyblob -f <family> -b "bootable_image.bin" -k "path/to/new_keyblob.bin" -i <container_id> -m <memory_type>
Supported configuration options#
AHABImage for mimx8dxl, Revision: a0#
AHABImage for mimx8dxl, Revision: a0 JSON schema
AHABImage for mimx8dxl, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8dxl, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx8dxl, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, seco, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4, cortex-a35, seco, v2x-1, v2x-2>
core_id: cortex-m4
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8qm, Revision: a0#
AHABImage for mimx8qm, Revision: a0 JSON schema
AHABImage for mimx8qm, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8qm, Revision: a0 =================================
# ======================================================================================================================
# == AHABImage for mimx8qm, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a72
# meta_data_start_cpu_id: 3
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, dcd, provisioning_image, dek_validation, provisioning_data, seco>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4-0, cortex-m4-1, cortex-a72, cortex-a53>
core_id: cortex-m4-0
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8qxp, Revision: a0#
AHABImage for mimx8qxp, Revision: a0 JSON schema
AHABImage for mimx8qxp, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx8qxp, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx8qxp, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 5 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, General
# Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080020000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a35
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, dcd, provisioning_image, dek_validation, provisioning_data, seco>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m4, cortex-a35>
core_id: cortex-m4
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx8ulp, Revision: a2#
AHABImage for mimx8ulp, Revision: a2 JSON schema
AHABImage for mimx8ulp, Revision: a2 YAML configuration template
# ================================ AHAB template AHABImage for mimx8ulp, Revision: a2 ================================
# ======================================================================================================================
# == AHABImage for mimx8ulp, Revision: a2 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, a2, latest>
revision: a2
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 9 options. ==
# Options [uPower, SPL, Uboot ATF, Uboot, TEE Trusted Execution Environment, MCU Image, Linux Kernel Image,
# Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===================== [Example of possible configuration: #0 uPower, erase if not used] ======================
# uPower firmware
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000028300200
# image_type: executable
# core_id: cortex-a53
# hash_type: SHA384
# ---------------------------------------===== uPower [Required] =====----------------------------------------
# Description: uPower firmware
upower: upower.bin
# ======================= [Example of possible configuration: #1 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000022020000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #2 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020040000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #3 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #4 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000A6000000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# ==================== [Example of possible configuration: #5 MCU Image, erase if not used] ====================
# MCU Image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC2000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== MCU Image [Required] =====--------------------------------------
# Description: MCU Image
mcu: m33_image.bin
# =============== [Example of possible configuration: #6 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #7 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #8 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, dek_validation_fcb_chk, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, cortex-a53, ele, hdmi-tx, hdmi-rx>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9131, Revision: a0#
AHABImage for mimx9131, Revision: a0 JSON schema
AHABImage for mimx9131, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9131, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx9131, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204A0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204C0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <reserved, cortex-a55, ele, v2x-1, v2x-2>
core_id: reserved
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9352, Revision: a1#
AHABImage for mimx9352, Revision: a1 JSON schema
AHABImage for mimx9352, Revision: a1 YAML configuration template
# ================================ AHAB template AHABImage for mimx9352, Revision: a1 ================================
# ======================================================================================================================
# == AHABImage for mimx9352, Revision: a1 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: a1
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 7 options. ==
# Options [SPL with optional DDR tunning images, Uboot ATF, Uboot, TEE Trusted Execution Environment, Linux
# Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ====== [Example of possible configuration: #0 SPL with optional DDR tunning images, erase if not used] =======
# U-Boot SPL with optional DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000002049A000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------===== LPDDR memory FW in 1D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 1D mode.
lpddr_imem_1d: lpddr_imem_1d.bin
# -----------------------------===== LPDDR memory FW in 2D mode [Required] =====------------------------------
# Description: Firmware for LPDDR4/5 memory in 2D mode.
lpddr_imem_2d: lpddr_imem_2d.bin
# ----------------------------===== LPDDR memory data in 1D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 1D mode.
lpddr_dmem_1d: lpddr_dmem_1d.bin
# ----------------------------===== LPDDR memory data in 2D mode [Required] =====-----------------------------
# Description: Data for LPDDR4/5 memory in 2D mode.
lpddr_dmem_2d: lpddr_dmem_2d.bin
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl_ddr: spl.bin
# ==================== [Example of possible configuration: #1 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000204E0000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #2 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #3 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000096000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #4 Linux Kernel Image, erase if not used] ================
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000080400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #5 Device Tree Blob, erase if not used] =================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000083000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# =============== [Example of possible configuration: #6 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, v2x_dummy, ele, v2x_primary,
# v2x_secondary, v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-a55, ele, v2x-1, v2x-2>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx943, Revision: a0#
AHABImage for mimx943, Revision: a0 JSON schema
AHABImage for mimx943, Revision: a0 YAML configuration template
# ================================ AHAB template AHABImage for mimx943, Revision: a0 =================================
# ======================================================================================================================
# == AHABImage for mimx943, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 14 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, Cortex M7 second core additional
# application, Cortex M33 second core additional application, SPL, Uboot ATF, Uboot, TEE Trusted Execution
# Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behind DDR
# FW entry
qb_data: qb_data.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# == [Example of possible configuration: #5 Cortex M7 second core additional application, erase if not used] ===
# Cortex M7 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000302C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-2
# meta_data_start_cpu_id: 7
# hash_type: SHA384
# --------------------===== Cortex M7 second core additional application [Required] =====---------------------
# Description: Cortex M7 second core additional application
cortex_m7_2_app: cortex_m7_2_app.bin
# == [Example of possible configuration: #6 Cortex M33 second core additional application, erase if not used] ==
# Cortex M33 second core additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000309C0000
# entry_point: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33-2
# meta_data_start_cpu_id: 8
# hash_type: SHA384
# --------------------===== Cortex M33 second core additional application [Required] =====--------------------
# Description: Cortex M33 second core additional application
cortex_m33_2_app: cortex_m33_2_app.bin
# ======================= [Example of possible configuration: #7 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #8 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #9 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======= [Example of possible configuration: #10 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #11 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #12 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #13 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, cortex-m7-2, cortex-m33-2,
# ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx95294, Revision: a0#
AHABImage for mimx95294, Revision: a0 JSON schema
AHABImage for mimx95294, Revision: a0 YAML configuration template
# =============================== AHAB template AHABImage for mimx95294, Revision: a0 ================================
# ======================================================================================================================
# == AHABImage for mimx95294, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, V2X Dummy, SPL, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr_imem.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr_imem_qb.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr_dmem.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr_dmem_qb.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei_ddr.bin
# -----------------------------------===== Quick Boot Data [Optional] =====-----------------------------------
# Description: QB data - Optional Quick boot data, if defined a new empty record will be added just behind DDR
# FW entry
qb_data: qb_data.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ==================== [Example of possible configuration: #5 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ======================= [Example of possible configuration: #6 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimx9596, Revision: b0#
AHABImage for mimx9596, Revision: b0 JSON schema
AHABImage for mimx9596, Revision: b0 YAML configuration template
# ================================ AHAB template AHABImage for mimx9596, Revision: b0 ================================
# ======================================================================================================================
# == AHABImage for mimx9596, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ---------------------------------------===== Container version [Optional] =====---------------------------------------
# Description: Force container version, if not specified the default version is used. This configuration option is valid
# only for chips that supports both AHAB container versions. Possible options <2, 1>
container_version: 2
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# ----------------------------------===== Check all signatures [Optional] =====-----------------------------------
# Description: This option overrides a fuse to select verification mode.
# - default: Apply default fuse policy.
# - check_all_signatures: Force verification of all present signatures.
# Possible options: <default, check_all_signatures>
check_all_signatures: default
# ----------------------------------------===== Fast boot [Optional] =====----------------------------------------
# Description: This option enables fast boot mode.
# - disabled: Fast boot disabled.
# - hash_and_copy: ELE will do the hash and copy (when disabled, BootROM will do the copy).
# - external_accelerator: Use external accelerator for authentication (e.g. V2X on i.MX95B0, i.MX943 and
# i.MX952).
# - hash_and_copy_with_external_accelerator:ELE will do hash and copy, and use external accelerator for
# authentication.
# Possible options: <disabled, hash_and_copy, external_accelerator, hash_and_copy_with_external_accelerator>
fast_boot: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ------------------===== AHAB container signer for second signature (PQC only) [Optional] =====------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for second sign (PQC only) of the container header. Header can be signed by SRK. The referenced
# SRK must not have been revoked.
signer_#2: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# ==============================================================================================================
# == List of possible 13 options. ==
# Options [Double Authentication of NXP Firmwares, OEI with DDR tunning images, OEI TCM Settings (ECC
# configuration etc.), Boot system manager, Cortex M7 additional application, SPL, V2X Dummy, Uboot ATF, Uboot,
# TEE Trusted Execution Environment, Linux Kernel Image, Device Tree Blob, General Image Entry]
# ==============================================================================================================
# ===== [Example of possible configuration: #0 Double Authentication of NXP Firmwares, erase if not used] ======
# Double Authentication of NXP firmwares
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000000000000
# hash_type: SHA384
# -------------------------------------===== NXP ELE FW [Required] =====--------------------------------------
# Description: NXP ELE firmware, that should be also signed by OEM keys binary file.
double_authentication: nxp_ele.bin
# =========== [Example of possible configuration: #1 OEI with DDR tunning images, erase if not used] ===========
# OEI with DDR PHY tunning images
# -----------------------------------===== LPDDR memory FW [Required] =====-----------------------------------
# Description: Firmware for LPDDR4/5 memory.
lpddr_imem: lpddr4x_imem_v202409.bin
# ---------------------------===== LPDDR memory FW for quick boot [Optional] =====----------------------------
# Description: Firmware for LPDDR4/5 for quick boot.
lpddr_imem_qb: lpddr4x_imem_qb_v202409.bin
# ----------------------------------===== LPDDR memory data [Required] =====----------------------------------
# Description: Data for LPDDR4/5 memory.
lpddr_dmem: lpddr4x_dmem_v202409.bin
# --------------------------===== LPDDR memory data for quick boot [Optional] =====---------------------------
# Description: Data for LPDDR4/5 memory in quick boot.
lpddr_dmem_qb: lpddr4x_dmem_qb_v202409.bin
# -----------------------------------------===== OEI [Required] =====-----------------------------------------
# Description: OEI - Optional Executable Image firmware
oei_ddr: oei-m33-ddr.bin
# ==== [Example of possible configuration: #2 OEI TCM Settings (ECC configuration etc.), erase if not used] ====
# OEI TCM settings (ECC etc.)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# entry_point: 0x000000001FFC0001
# image_type: oei
# core_id: cortex-m33
# hash_type: SHA384
# -------------------------------------===== OEI TCM FW [Required] =====--------------------------------------
# Description: OEI(Optional Executable Image) TCM settings binary file.
oei_tcm: oei_tcm.bin
# =============== [Example of possible configuration: #3 Boot system manager, erase if not used] ===============
# System booting image
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000001FFC0000
# image_type: executable
# core_id: cortex-m33
# hash_type: SHA384
# ---------------------------------===== Boot system manager [Required] =====---------------------------------
# Description: System manager booting image
system_manager: system_manager.bin
# ======== [Example of possible configuration: #4 Cortex M7 additional application, erase if not used] =========
# Cortex M7 additional application
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x00000000303C0000
# entry_point: 0x0000000000000000
# image_type: executable
# core_id: cortex-m7-1
# meta_data_start_cpu_id: 1
# hash_type: SHA384
# --------------------------===== Cortex M7 additional application [Required] =====---------------------------
# Description: Cortex M7 additional application
cortex_m7_app: cortex_m7_app.bin
# ======================= [Example of possible configuration: #5 SPL, erase if not used] =======================
# U-Boot SPL (Secondary program loader)
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000020480000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== SPL [Required] =====-----------------------------------------
# Description: SPL firmware
spl: spl.bin
# ==================== [Example of possible configuration: #6 V2X Dummy, erase if not used] ====================
# V2X dummy image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008B000000
# image_type: v2x_dummy
# core_id: cortex-m33
# hash_type: SHA384
# --------------------------------------===== V2X Dummy [Required] =====--------------------------------------
# Description: If Present, V2X dummy image will be added to Image Array Entry (no data record)
v2x_dummy: true
# ==================== [Example of possible configuration: #7 Uboot ATF, erase if not used] ====================
# U-Boot ATF container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008A200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -------------------------------------===== ATF binary [Required] =====--------------------------------------
# Description: ARM Trusted Firmware binary file.
atf: bl31.bin
# ====================== [Example of possible configuration: #8 Uboot, erase if not used] ======================
# U-Boot container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090200000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------------===== U-Boot binary [Required] =====------------------------------------
# Description: U-Boot binary file.
uboot: u-boot.bin
# ======== [Example of possible configuration: #9 TEE Trusted Execution Environment, erase if not used] ========
# A TEE (Trusted Execution Environment) is a trusted OS running in some secure environment, for example, TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver handles the details needed to communicate with the TEE.
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x000000008C000000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# -----------------------------------------===== TEE [Required] =====-----------------------------------------
# Description: TEE - Trusted Execution Environment binary
tee: tee.bin
# =============== [Example of possible configuration: #10 Linux Kernel Image, erase if not used] ===============
# Linux kernel Image container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000090400000
# image_type: executable
# core_id: cortex-a55
# meta_data_start_cpu_id: 2
# hash_type: SHA384
# ------------------------------===== Linux Kernel Image Binary [Required] =====------------------------------
# Description: Linux kernel executable Image binary file (typically Image.bin)
kernel: Image.bin
# ================ [Example of possible configuration: #11 Device Tree Blob, erase if not used] ================
# Device Tree Blob (DTB) container definition
# Image array default settings. Can be overridden by definitions that are hidden in the template:
# load_address: 0x0000000093000000
# entry_point: 0x0000000000000000
# image_type: data
# core_id: cortex-a55
# hash_type: SHA384
# -------------------------------===== Device Tree Blob Binary [Required] =====-------------------------------
# Description: Device Tree Blob (DTB) binary file containing hardware description
dtb: device-tree.dtb
# ============== [Example of possible configuration: #12 General Image Entry, erase if not used] ===============
# General Image Entry
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, oei, provisioning_image, dek_validation_fcb_chk, provisioning_data,
# executable_fast_boot_image, oei_ddr, v2x_dummy, ele_as_image, ele, v2x_as_image, v2x_primary, v2x_secondary,
# v2x_rom_patch>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <dummy, cortex-m33, cortex-a55, ele, v2x-1, v2x-2, cortex-m7-1, ddr>
core_id: dummy
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3, sha3_256, sha3_384, sha3_512, shake_128_256, shake_256_512>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ==============================================================================================================
# == Configuration of AHAB SRK table in case that the double signing (ECC + PQC) ==
# ==============================================================================================================
# -----------------------------------===== Second SRK Table [Optional] =====------------------------------------
srk_table_#2:
# ---------------------------------------===== CA Flag [Optional] =====---------------------------------------
# Description: CA Flag is used by AHAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag
# only affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB
# signing process itself. This option exists only for compatibility with systems where fuses are already
# programmed. In most cases, this should remain false.
flag_ca: false
# -----------------------------------===== Hash Algorithm [Optional] =====------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# -----------------------------===== Super Root Key (SRK) table [Required] =====------------------------------
# Description: Table containing the used SRK Dilithium records. All SRKs must be of the same type. Supported
# signing algorithms are: Dilithium level 3. Supported hash algorithms: sha3_256, sha3_384, sha3_512.
# Certificate may be of Certificate Authority.
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ================================================================================================================
# ----------------------------------===== The AHAB certificate [Optional] =====-----------------------------------
# Description: The file that contains AHAB certificate. It could be used already prepared binary form signed by
# SRK, or it is possible to use configuration YAML file of certificate and the AHAB export process it will export
# it itself.
certificate: my_ahab_certificate.bin
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1181, Revision: b0#
AHABImage for mimxrt1181, Revision: b0 JSON schema
AHABImage for mimxrt1181, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1181, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1181, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1182, Revision: b0#
AHABImage for mimxrt1182, Revision: b0 JSON schema
AHABImage for mimxrt1182, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1182, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1182, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1186, Revision: a0#
AHABImage for mimxrt1186, Revision: a0 JSON schema
AHABImage for mimxrt1186, Revision: a0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1186, Revision: a0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1186, Revision: a0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: a0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1187, Revision: b0#
AHABImage for mimxrt1187, Revision: b0 JSON schema
AHABImage for mimxrt1187, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1187, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1187, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt
AHABImage for mimxrt1189, Revision: b0#
AHABImage for mimxrt1189, Revision: b0 JSON schema
AHABImage for mimxrt1189, Revision: b0 YAML configuration template
# =============================== AHAB template AHABImage for mimxrt1189, Revision: b0 ===============================
# ======================================================================================================================
# == AHABImage for mimxrt1189, Revision: b0 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: b0
# -----------------------------------------===== Target memory [Optional] =====-----------------------------------------
# Description: Target memory for AHAB container
# Possible options: <serial_downloader, standard, nand_2k, nand_4k, sd_emmc>
target_memory: standard
# ---------------------------------------===== Output file name [Required] =====----------------------------------------
# Description: Output AHAB file name
output: generated_ahab.bin
# --------------------------------------===== Output file format [Optional] =====---------------------------------------
# Description: Output file format for AHAB image
# Possible options: <bin, hex, srec, sparse>
output_format: bin
# --------------------------------===== Base offset for the output file [Optional] =====--------------------------------
# Description: Base offset where the AHAB image will be placed in target memory. (primarily when using SREC/HEX
# output_format)
output_offset: 0
# ------------------------------===== List of containers present in AHAB [Required] =====-------------------------------
# Description: The order of containers in the list defines the order in AHAB.
containers:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [binary_container, container]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# -----------------------------------===== Binary AHAB container [Required] =====-----------------------------------
# Description: Binary Container format to add to AHAB image, Typically it could be used to add ELE Firmware.
binary_container:
# -----------------------------===== The AHAB container binary file [Required] =====------------------------------
# Description: The binary file that contains AHAB "my_binary_container.bin
path: my_ahab_container.bin
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# --------------------------------------===== AHAB Container [Required] =====---------------------------------------
# Description: Configurable Container format to add to AHAB image. This allow to configure all aspects of the AHAB
# container.
container:
# --------------------------------===== Super Root Key (SRK) set [Required] =====---------------------------------
# Description: Defines which set is used to authenticate the container.
# Possible options: <none, oem, nxp>
srk_set: none
# ---------------------------------===== Used SRK [Conditionally required] =====----------------------------------
# Description: Which key from SRK set is being used.
used_srk_id: 0
# -------------------------------------===== SRK revoke mask [Optional] =====-------------------------------------
# Description: Bit-mask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit
# 1 = revoke SRK_1 etc. Example of revocation SRK_0 and SRK_1 - the value should be 0x03
srk_revoke_mask: '0x00'
# ----------------------------------===== GDET runtime behavior [Optional] =====----------------------------------
# Description: This option defines runtime behavior of Glitch detector. Not supported by all devices and their ELE
# firmware.
# - disabled: GDET is disabled after the first OEM container has been authenticated (default behavior)
# - enabled_eleapi: Automatically enable GDET during all ELE API calls
# - enabled: Leave GDET enabled
# Possible options: <disabled, enabled_eleapi, enabled>
gdet_runtime_behavior: disabled
# --------------------------------------===== Fuse version [Optional] =====---------------------------------------
# Description: The value must be equal or greater than the version stored in fuses to allow loading this
# container.
fuse_version: 0
# ------------------------------------===== Software version [Optional] =====-------------------------------------
# Description: Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same
# Fuse version field.
sw_version: 0
# ----------------------------------===== AHAB container signer [Optional] =====----------------------------------
# Description: Signature provider configuration in format 'type=<identifier>;<key1>=<value1>;<key2>=<value2>' or a
# private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have
# been revoked.
signer: type=file;file_path=my_prv_key.pem
# ================================================================================================================
# == Configuration of AHAB Container images (array of multiple images) ==
# ================================================================================================================
# ---------------------------------------===== Image array [Required] =====---------------------------------------
# Description: Array of image entries.
images:
-
# -------------------------------------===== Image path [Optional] =====--------------------------------------
# Description: Path to image binary (absolute/relative). In case that only Image Array entry without any data
# image is needed, Just do not use the image path. In case that the image size in container should be aligned
# differently then SPSDK do (4 bytes for ELE images, 1 byte otherwise), there is hidden option
# 'image_size_alignment' where could be override image size by any custom value.
image_path: my_image.bin
# ---------------------------===== Image offset in AHAB container [Optional] =====----------------------------
# Description: Offset in bytes from start of container header to beginning of the image. Zero value means
# automatic placing the image with proper alignment after previous one, this is recommended for
# serial_downloader mode. In case of XiP type of AHAB image, the load_address and entry_point must correspond
# to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS. The
# Booting core images must be located after the other ones
image_offset: 0
# ------------------------------===== Image destination address [Required] =====------------------------------
# Description: Address the image is written to in memory (absolute address in system memory).
load_address: '0x1FFC_0000'
# ----------------------------------===== Image entry point [Required] =====----------------------------------
# Description: Image entry point (absolute address). Valid only for executable image types.
entry_point: '0x1FFC_0000'
# -------------------------------------===== Image type [Required] =====--------------------------------------
# Description: Kind of image.
# Possible options: <executable, data, provisioning_image, provisioning_data, ele>
image_type: executable
# ---------------------------------------===== Core ID [Required] =====---------------------------------------
# Description: Defines the core the image is dedicated for. Not all cores are supported for all families.
# Possible options: <cortex-m33, cortex-m7, ele>
core_id: cortex-m33
# ----------------------------------===== Image encryption [Optional] =====-----------------------------------
# Description: Determines, whether image is encrypted or not.
is_encrypted: false
# ----------------------------------===== Image Descriptor [Optional] =====-----------------------------------
# Description: Determines, whether image is descriptor or not.
is_image_descriptor: false
# -------------------------------------===== Boot flags [Optional] =====--------------------------------------
# Description: Boot flags controlling SCFW boot.
boot_flags: 0
# ------------------------------------===== Start CPU ID [Optional] =====-------------------------------------
# Description: Resource ID of CPU to be started
meta_data_start_cpu_id: 0
# ------------------------------===== CPU memory unit start ID [Optional] =====-------------------------------
# Description: Resource ID of the MU associated with the CPU
meta_data_mu_cpu_id: 0
# ---------------------------------===== Start partition ID [Optional] =====----------------------------------
# Description: Partition ID of the partition to start
meta_data_start_partition_id: 0
# ----------------------------------===== Images HASH type [Optional] =====-----------------------------------
# Description: HASH type of image.
# Possible options: <sha256, sha384, sha512, sm3>
hash_type: sha512
# ================================================================================================================
# == Configuration of AHAB SRK table ==
# ================================================================================================================
# ---------------------------------===== SRK Table [Conditionally required] =====---------------------------------
# Description: SRK (Super Root key) table definition.
srk_table:
# ----------------------------------------===== CA Flag [Optional] =====----------------------------------------
# Description: CA Flag is used by HAB to indicate if the SRK is allowed to sign other keys. In AHAB CA Flag only
# affects the final SRKH (Super Root Key Hash) value burned into chip fuses. It is not used in the AHAB signing
# process itself. This option exists only for compatibility with systems where fuses are already programmed. In
# most cases, this should remain false.
flag_ca: false
# ------------------------------------===== Hash Algorithm [Optional] =====-------------------------------------
# Description: Hash algorithm used for SRK records. If not specified, default algorithm based on key type will
# be used.
# Possible options: <default, sha256, sha384, sha512, sha3_256, sha3_384, sha3_512, shake_128_256,
# shake_256_512, sm3>
hash_algorithm: default
# ------------------------------===== Super Root Key (SRK) table [Required] =====-------------------------------
# Description: Table containing the used SRK records. All SRKs must be of the same type. Supported signing
# algorithms are: RSA-PSS, ECDSA, Dilithium or SM2. Supported hash algorithms: sha256, sha384, sha512, sha3_256,
# sha3_384, sha3_512, sm3. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096,
# dilithium3, sm2. Certificate may be of Certificate Authority. Dilithium algorithms are supported just in new
# type of AHAB container
srk_array:
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ================================================================================================================
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ================================================================================================================
# -------------------------------------===== Encryption blob [Optional] =====-------------------------------------
# Description: Encryption blob container definition
blob:
# ------------------------------------===== Key identifier [Required] =====-------------------------------------
# Description: The key identifier that has been used to generate DEK keyblob.
key_identifier: 0
# -------------------------------------===== DEK key size [Required] =====--------------------------------------
# Description: Data Encryption key size. Used for AES CBC-MAC (128/192/256 size)
# Possible options: <128, 192, 256>
dek_key_size: 128
# ----------------------------------------===== DEK key [Required] =====----------------------------------------
# Description: Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_key: my_dek_key.txt
# --------------------------------------===== DEK keyblob [Optional] =====--------------------------------------
# Description: Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# If NOT used, the empty keyblob is inserted into container and need to be updated later.
dek_keyblob: my_wrapped_key.txt