AHAB
AHAB (Advanced High Assurance Boot) is a container format supported on some devices. A configuration file in YAML or JSON is used to instruct nxpimage how the output should look like.
AHAB container is not supported by elftosb tool.
Example of use for export
nxpimage ahab export "path\to\config\file.yaml"
Example of use for parse binary AHAB container
nxpimage ahab parse -b "my_ahab_container.bin" "path\to_parsed_data"
The full AHAB configuration template could be generated by nxpimage tool “get_template” sub-command for family that supports AHAB, example:
nxpimage ahab get-template -f rt118x ./my_config_templates
Supported configuration options
AHABImage
family(string): Family identifier including the chip revision. If revision is not present, latest revision is used as default. Must be one of:["mx93", "rt118x"].revision(string): Revision of silicon. Must be one of:["a0"].image_type(string): The final use of image, this setting is changing the style of offsets in final container. Must be one of:["xip", "non_xip", "serial_downloader", "nand"].output(string): Output AHAB file name.containers(array): The order of containers in the list defines the order in AHAB. Length must be at least 1.Items
One of
object
binary_container(object, required)path(string, required): The binary file that contains AHAB “my_binary_container.bin.
object
container(object, required)srk_set(string, required): Defines which set is used to authenticate the container. Must be one of:["none", "oem", "nxp"].used_srk_id([‘number’, ‘string’]): Which key from SRK set is being used.srk_revoke_mask([‘number’, ‘string’]): Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit 1 = revoke SRK_1 etc.fuse_version([‘number’, ‘string’], required): The value must be equal or greater than the version stored in fuses to allow loading this container.sw_version([‘number’, ‘string’], required): Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same Fuse version field.signing_key(string): Private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have been revoked.signature_provider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. The signature provider could be used instead of definition of ‘signing_key’. images(array, required): Array of image entries. Length must be between 1 and 8 (inclusive).Items (object)
image_path(string, required): Path to image binary (absolute/relative).image_offset([‘number’, ‘string’], required): Relative address for start of AHAB image (can contain multiple AHAB containers). In case of XiP type of AHAB image, the load_address and entry_point must correspond to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS.load_address([‘number’, ‘string’], required): Address the image is written to in memory (absolute address in system memory).entry_point([‘number’, ‘string’], required): Image entry point (absolute address). Valid only for executable image types.image_type(string, required): Kind of image. Must be one of:["executable", "data", "dcd_image", "seco", "provisioning_image", "provisioning_data"].core_id(string, required): Defines the core the image is dedicated for. Must be one of:["cortex-a55", "cortex-m33", "cortex-m7"].is_encrypted(boolean, required): Determines, whether image is encrypted or not.boot_flags([‘number’, ‘string’]): Boot flags controlling SCFW boot.meta_data_start_cpu_id([‘number’, ‘string’]): Resource ID of CPU to be started.meta_data_mu_cpu_id([‘number’, ‘string’]): Resource ID of the MU associated with the CPU.meta_data_start_partition_id([‘number’, ‘string’]): Partition ID of the partition to start.hash_type(string): HASH type of image. All images in the container must have the same HASH type. Must be one of:["sha256", "sha384", "sha512"].
srk_table(object): SRK (Super Root key) table definition.srk_array(array, required): Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms are: RSASSA-PSS or ECDSA. Supported hash algorithms: sha256, sha384, sha512. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096. Certificate may be of Certificate Authority. Length must be equal to 4.Items (string): Path to SRK Key file.
certificate(object): Optional certificate container definition.”.permissions(array): Permissions used to indicate what a certificate can be used for.Items (string): Must be one of:
["container", "secure_enclave_debug", "phbc_debug", "hdmi_debug", "soc_debug_domain_1", "soc_debug_domain_2", "life_cycle", "hdcp_fuses", "monotonic_counter"].
uuid([‘number’, ‘string’]): (Optional) 128-bit unique identifier.public_key(string, required): Path to Public key file (RSA and ECDSA).signing_key(string, required): Private key used for sign the certificate container.signature_provider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. The signature provider could be used instead of definition of ‘signing_key’.
blob(object): Encryption blob container definition.dek_key_size([‘number’, ‘string’], required): Data Encryption key size. Used for AES CBC-MAC (128/192/256 size). Must be one of:[128, 192, 256].dek_key(string, required): Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.dek_keyblob(string, required): Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted.
# =========== AHAB template AHABImage ===========
# ----------------------------------------------------------------------------------------------------
# == AHABImage ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family; Family identifier including the chip revision. If revision is not present, latest revision is used as default; Possible options:['mx93', 'rt118x']
revision: a0 # [Optional], MCU revision; Revision of silicon; Possible options:['a0']
image_type: xip # [Required], Type of image; The final use of image, this setting is changing the style of offsets in final container; Possible options:['xip', 'non_xip', 'serial_downloader', 'nand']
output: generated_ahab.bin # [Required], Output file name; Output AHAB file name
containers: # [Required], List of containers present in AHAB; The order of containers in the list defines the order in AHAB.
# ----------------------------------------------------------------------------------------------------
# == List of possible 2 options. Option types[object,object] ==
# ----------------------------------------------------------------------------------------------------
- # [Example of possible configuration #0]
# ----------------------------------------------------------------------------------------------------
# == Optional Binary Container format to add to AHAB image ==
# ----------------------------------------------------------------------------------------------------
binary_container: # [Required], Binary AHAB container
path: my_ahab_container.bin # [Required], The AHAB container binary file; The binary file that contains AHAB "my_binary_container.bin
- # [Example of possible configuration #1]
# ----------------------------------------------------------------------------------------------------
# == Optional Configuration Container format to add to AHAB image ==
# ----------------------------------------------------------------------------------------------------
container: # [Required], AHAB Container
srk_set: oem # [Required], Super Root Key (SRK) set; Defines which set is used to authenticate the container; Possible options:['none', 'oem', 'nxp']
used_srk_id: 0 # [Conditionally required], Used SRK; Which key from SRK set is being used.
srk_revoke_mask: 0 # [Optional], SRK revoke mask; Bitmask to indicate which SRKs to revoke. Bit set to 1 means revoke key. Bit 0 = revoke SRK_0, bit 1 = revoke SRK_1 etc.
fuse_version: 0 # [Required], Fuse version; The value must be equal or greater than the version stored in fuses to allow loading this container.
sw_version: 0 # [Required], Software version; Number used by Privileged Host Boot Companion (PHBC) to select between multiple images with same Fuse version field.
signing_key: my_signing_key.pem # [Conditionally required], AHAB container signing key; Private key used for sign the container header. Header can be signed by SRK. The referenced SRK must not have been revoked.
signature_provider: type=file;file_path=my_prv_key.pem # [Optional], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". The signature provider could be used instead of definition of 'signing_key'.
# ----------------------------------------------------------------------------------------------------
# == Configuration of AHAB Container images (array of multiple images) ==
# ----------------------------------------------------------------------------------------------------
images: # [Required], Image array; Array of image entries.
- image_path: my_image.bin # [Required], Image path; Path to image binary (absolute/relative).
image_offset: '0x4000' # [Required], Image offset in AHAB container; Relative address for start of AHAB image (can contain multiple AHAB containers). In case of XiP type of AHAB image, the load_address and entry_point must correspond to this values. Example of setting of load_address - AHAB_IMAGE_ADDRESS+IMAGE_OFFSET=LOAD_ADDRESS
load_address: '0x5000' # [Required], Image destination address; Address the image is written to in memory (absolute address in system memory).
entry_point: '0x5000' # [Required], Image entry point (absolute address). Valid only for executable image types.
image_type: executable # [Required], Image type; Kind of image; Possible options:['executable', 'data', 'dcd_image', 'seco', 'provisioning_image', 'provisioning_data']
core_id: cortex-m33 # [Required], Core ID; Defines the core the image is dedicated for; Possible options:['cortex-a55', 'cortex-m33', 'cortex-m7']
is_encrypted: false # [Required], Image encryption; Determines, whether image is encrypted or not.
boot_flags: 0 # [Optional], Boot flags controlling SCFW boot.
meta_data_start_cpu_id: 0 # [Optional], Start CPU ID; Resource ID of CPU to be started
meta_data_mu_cpu_id: 0 # [Optional], CPU memory unit start ID; Resource ID of the MU associated with the CPU
meta_data_start_partition_id: 0 # [Optional], Start partition ID; Partition ID of the partition to start
hash_type: sha512 # [Optional], Images HASH type; HASH type of image. All images in the container must have the same HASH type; Possible options:['sha256', 'sha384', 'sha512']
# ----------------------------------------------------------------------------------------------------
# == Configuration of AHAB SRK table ==
# ----------------------------------------------------------------------------------------------------
srk_table: # [Conditionally required], SRK Table; SRK (Super Root key) table definition.
srk_array: # [Required], Super Root Key (SRK) table; Table containing the used SRK records. All SRKs must be of the same type. Supported signing algorithms are: RSASSA-PSS or ECDSA. Supported hash algorithms: sha256, sha384, sha512. Supported key sizes/curves: prime256v1, sec384r1, sec512r1, rsa2048, rsa4096. Certificate may be of Certificate Authority.
- my_srk_public_key0.pub
- my_srk_public_key1.pub
- my_srk_public_key2.pub
- my_srk_public_key3.pub
# ----------------------------------------------------------------------------------------------------
# == Optional configuration of AHAB Container Certificate (if not used, erase the section) ==
# ----------------------------------------------------------------------------------------------------
certificate: # [Optional], Certificate container; Optional certificate container definition."
permissions: # [Optional], Certificate permissions; Permissions used to indicate what a certificate can be used for
- container
- secure_enclave_debug
- phbc_debug
- hdmi_debug
- soc_debug_domain_1
- soc_debug_domain_2
- life_cycle
- hdcp_fuses
- monotonic_counter
uuid: 346200660880414387117887842999773 # [Optional], UUID; (Optional) 128-bit unique identifier
public_key: my_cert_public_key.pem # [Required], Certificate public key; Path to Public key file (RSA and ECDSA).
signing_key: my_cert_signing_key.pem # [Required], Certificate container signing key; Private key used for sign the certificate container.
signature_provider: type=file;file_path=my_prv_key.pem # [Optional], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". The signature provider could be used instead of definition of 'signing_key'.
# ----------------------------------------------------------------------------------------------------
# == Optional configuration of AHAB Container Encryption blob (if not used, erase the section) ==
# ----------------------------------------------------------------------------------------------------
blob: # [Optional], Encryption blob container definition
dek_key_size: 128 # [Required], DEK key size; Data Encryption key size. Used for AES CBC-MAC (128/192/256 size); Possible options:[128, 192, 256]
dek_key: my_dek_key.txt # [Required], DEK key; Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted
dek_keyblob: my_wrapped_key.txt # [Required], DEK keyblob; Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size). The HEX format is accepted