Flash encryption engines

nxpimage currently supports generation of bootable images and keyblobs for NXP bus encryption engines – OTFAD (On-the-fly AES decryption engines), BEE (Bus encryption engine) and IEE (Inline encryption engine).

Note

For Prince algorithm based inline encryption & decryption engines (IPED, Prince & NPX) we don’t support offline image creation.

IEE

nxpimage supports generation of bootable image for MIMXRT117x. More details can be found in the security reference manual: https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1170SRM&appType=moderated or in the Secure Boot modes application note https://www.nxp.com/webapp/Download?colCode=AN13250

IEE engine provides means to perform inline encryption and decryption. Following algorithms are supported AES-128/256-CTR and AES-256/512-XTS. The IEE key blob containing keys and context structures is encrypted by a KEK according to the RFC3394 key-wrapping algorithm, because the key blob resides in the external memory along with the image and it must be protected

Generation of bootable image First step is to get a template for configuration. The template might look like the file below. nxpimage iee get-template -f rt1170 iee_template.yaml

IEE template for rt116x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x"].

  • output_folder (string): Path to directory where the IEE output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "iee_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "iee_keyblob".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • generate_fuses_script (boolean): BCF file with fuses configuration. Default: true.

  • keyblob_address ([‘string’, ‘number’]): Should be aligned to 1 kB.

  • data_blobs (array): List of all data blobs that will be encrypted.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted.

      • address ([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.

  • ibkek1 ([‘string’, ‘number’]): IBKEK1 AES-XTS key for keyblob encryption.

  • ibkek2 ([‘string’, ‘number’]): IBKEK2 AES-XTS key for keyblob encryption.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be between 1 and 4 (inclusive).

    • Items (object)

      • region_lock (boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default: false.

      • aes_mode (string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of: ["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"].

      • key_size (string, required): AES mode, AES-XTS or AES-CTR. Must be one of: ["CTR256XTS512", "CTR128XTS256"].

      • page_offset (number): Page offset, IEE_REG0PO value. Default: 0.

      • key1 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

      • key2 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

# ===========  IEE template for rt116x  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == IEE template for rt116x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
  - data: my_data.bin  # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
    address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key; IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key; IBKEK2 AES-XTS key for keyblob encryption
key_blobs: # [Required], The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - region_lock: false  # [Optional], Keyblob lock attribute; Determines if the ROM will lock the IEE configuration to prevent later changes.
    aes_mode: AesXTS # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
    key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
    page_offset: 0 # [Optional], Page offset, IEE_REG0PO value
    key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
    key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size
    start_address: '0x30001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x30008000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)

IEE template for rt117x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x"].

  • output_folder (string): Path to directory where the IEE output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "iee_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "iee_keyblob".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • generate_fuses_script (boolean): BCF file with fuses configuration. Default: true.

  • keyblob_address ([‘string’, ‘number’]): Should be aligned to 1 kB.

  • data_blobs (array): List of all data blobs that will be encrypted.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted.

      • address ([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.

  • ibkek1 ([‘string’, ‘number’]): IBKEK1 AES-XTS key for keyblob encryption.

  • ibkek2 ([‘string’, ‘number’]): IBKEK2 AES-XTS key for keyblob encryption.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be between 1 and 4 (inclusive).

    • Items (object)

      • region_lock (boolean): Determines if the ROM will lock the IEE configuration to prevent later changes. Default: false.

      • aes_mode (string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of: ["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"].

      • key_size (string, required): AES mode, AES-XTS or AES-CTR. Must be one of: ["CTR256XTS512", "CTR128XTS256"].

      • page_offset (number): Page offset, IEE_REG0PO value. Default: 0.

      • key1 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

      • key2 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

# ===========  IEE template for rt117x  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == IEE template for rt117x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
  - data: my_data.bin  # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
    address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key; IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key; IBKEK2 AES-XTS key for keyblob encryption
key_blobs: # [Required], The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - region_lock: false  # [Optional], Keyblob lock attribute; Determines if the ROM will lock the IEE configuration to prevent later changes.
    aes_mode: AesXTS # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
    key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
    page_offset: 0 # [Optional], Page offset, IEE_REG0PO value
    key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
    key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size
    start_address: '0x30001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x30008000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)

IEE template for rt118x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x"].

  • output_folder (string): Path to directory where the IEE output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "iee_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "iee_keyblob".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • generate_fuses_script (boolean): BCF file with fuses configuration. Default: true.

  • keyblob_address ([‘string’, ‘number’]): Should be aligned to 1 kB.

  • data_blobs (array): List of all data blobs that will be encrypted.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted.

      • address ([‘number’, ‘string’]): Data blob address, it doesn’t have to be specified for S-REC.

  • master (string): M33 or M7 core. Must be one of: ["CM33", "CM7"].

  • key_blob (object): Keyblob configuration, keyblob won’t be generated.

    • aes_mode (string, required): AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only. Must be one of: ["Bypass", "AesXTS", "AesCTRWAddress", "AesCTRWOAddress", "AesCTRkeystream"].

    • key_size (string, required): AES mode, AES-XTS or AES-CTR. Must be one of: ["CTR256XTS512", "CTR128XTS256"].

    • key1 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

    • key2 ([‘number’, ‘string’], required): AES key for the key blob, size depends on key_size.

# ===========  IEE template for rt118x  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == IEE template for rt118x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x']
output_folder: iee_output # [Required], IEE output directory; Path to directory where the IEE output will be generated
output_name: iee_whole_image # [Optional], Output binary image filename; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: iee_keyblob # [Optional], Keyblob filename; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
generate_fuses_script: true # [Optional], Generate blhost batch file to burn fuses; BCF file with fuses configuration
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob; Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list; List of all data blobs that will be encrypted
  - data: my_data.bin  # [Required], Binary data blob; Path to binary file with plain text data to be encrypted
    address: '0x30001000' # [Optional], Data blob address, it doesn't have to be specified for S-REC
master: CM7 # [Optional], Master ID for RT118x; M33 or M7 core; Possible options:['CM33', 'CM7']
key_blob: # [Optional], Keyblob configuration, keyblob won't be generated.
  aes_mode: AesXTS  # [Required], AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only; Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
  key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS; AES mode, AES-XTS or AES-CTR; Possible options:['CTR256XTS512', 'CTR128XTS256']
  key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key; AES key for the key blob, size depends on key_size
  key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2; AES key for the key blob, size depends on key_size

# ===========  IEE: Inline Encryption Engine Configuration template for rt1170.  ===========
# ----------------------------------------------------------------------------------------------------
#                                         == Basic Settings ==
# ----------------------------------------------------------------------------------------------------
family: rt1170  # [Required], MCU family, MCU family name., Possible options:['rt1170']
output_folder: iee_output # [Required], IEE output directory, Path to directory where the IEE output will be generated
output_name: encrypted.bin # [Optional], Output binary image file name, File name of the output image containing keyblobs and encrypted data blobs
keyblob_name: iee_keyblob.bin # [Optional], Keyblob file name, File name of the keyblob, output_folder/keyblob_name
encrypted_name: encrypted_blob.bin # [Optional], Encrypted name, filename of the encrypted datablobs
# ----------------------------------------------------------------------------------------------------
#                                          == IEE Settings ==
# ----------------------------------------------------------------------------------------------------
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key, IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key, IBKEK2 AES-XTS key for keyblob encryption
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob, Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list, List of all data blobs that will be encrypted
- data: my_data.bin  # [Required], Binary data blob, Path to binary file with plain text data to be encrypted
    address: '0x03001000' # [Optional], Data blob address, Data blob address, it doesn't have to be specified for S-REC
key_blobs: # [Required], List of Key Blobs used by IEE, The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false  # [Optional], Keyblob lock attribute, Determines if the ROM will lock the IEE configuration to prevent later changes.
    aes_mode: AesXTS # [Required], AES mode, AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only, Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
    key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS, AES mode, AES-XTS or AES-CTR, Possible options:['CTR256XTS512', 'CTR128XTS256']
    page_offset: 0 # [Optional], Page offset, Page offset, IEE_REG0PO value
    key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key, AES key for the key blob, size depends on key_size
    key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2, AES key for the key blob, size depends on key_size
    start_address: '0x30001000' # [Required], Start address of key blob data, Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x30008000' # [Required], End address of key blob data, End address of key blob data, it should be aligned to 1 KB (1024 B)

Fill the configuration file and export the image. nxpimage iee export iee_template.yaml

OTFAD

The On-The-Fly AES Decryption (OTFAD) module provides an advanced hardware implementation that minimizes any incremental cycles of latency introduced by the decryption in the overall external memory-access time. It implements a block cipher mode of operation supporting the counter mode (CTR). The CTR mode provides a confidentiality mode that features the application of the forward cipher to a set of input blocks (called counters) to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext and vice versa. The OTFAD engine includes complete hardware support for a standard AES key unwrap mechanism to decrypt a key BLOB data instruction containing the parameters needed for up to 4 unique AES contexts. Each context has a unique 128-bit key, a 64-bit counter, and a 64-bit memory region descriptor.

OTFAD template for rt116x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"].

  • output_folder (string): Path to directory where the OTFAD output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "otfad_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "OTFAD_Table".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • kek (string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.

  • otfad_table_address ([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).

  • data_blobs (array): List of all data blobs included in this key blob.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted if desired.

      • address ([‘number’, ‘string’], required): Data blob address, it could be omitted if data blob starts at start_address.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.

    • Items (object)

      • aes_key ([‘number’, ‘string’], required): AES key for the key blob.

      • aes_ctr ([‘number’, ‘string’], required): AES counter value for the key blob.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

      • aes_decryption_enable (boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default: true.

      • valid (boolean): This field signals if the context is valid or not. Default: true.

      • read_only (boolean): This field signals if the context is Read only or not. Default: true.

  • key_scramble (object): If Key scrambling is not required, this section must be commented out.

    • key_scramble_mask ([‘number’, ‘string’], required): OTFAD Key Scramble mask (4 bytes size).

    • key_scramble_align ([‘number’, ‘string’], required): OTFAD Key scramble mask align (1 byte size).

# ===========  OTFAD template for rt116x  ===========
# ----------------------------------------------------------------------------------------------------
#                                   == OTFAD template for rt116x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
  - data: my_data.bin  # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
    address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'  # [Required], AES key for the key blob
    aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
    start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
    aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
    valid: true # [Optional], Valid flag; This field signals if the context is valid or not
    read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
  key_scramble_mask: '0x12345678'  # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
  key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)

OTFAD template for rt117x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"].

  • output_folder (string): Path to directory where the OTFAD output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "otfad_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "OTFAD_Table".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • kek (string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.

  • otfad_table_address ([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).

  • data_blobs (array): List of all data blobs included in this key blob.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted if desired.

      • address ([‘number’, ‘string’], required): Data blob address, it could be omitted if data blob starts at start_address.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.

    • Items (object)

      • aes_key ([‘number’, ‘string’], required): AES key for the key blob.

      • aes_ctr ([‘number’, ‘string’], required): AES counter value for the key blob.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

      • aes_decryption_enable (boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default: true.

      • valid (boolean): This field signals if the context is valid or not. Default: true.

      • read_only (boolean): This field signals if the context is Read only or not. Default: true.

  • key_scramble (object): If Key scrambling is not required, this section must be commented out.

    • key_scramble_mask ([‘number’, ‘string’], required): OTFAD Key Scramble mask (4 bytes size).

    • key_scramble_align ([‘number’, ‘string’], required): OTFAD Key scramble mask align (1 byte size).

# ===========  OTFAD template for rt117x  ===========
# ----------------------------------------------------------------------------------------------------
#                                   == OTFAD template for rt117x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
  - data: my_data.bin  # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
    address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'  # [Required], AES key for the key blob
    aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
    start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
    aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
    valid: true # [Optional], Valid flag; This field signals if the context is valid or not
    read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
  key_scramble_mask: '0x12345678'  # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
  key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)

OTFAD template for rt118x

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"].

  • output_folder (string): Path to directory where the OTFAD output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "otfad_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "OTFAD_Table".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • kek (string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.

  • otfad_table_address ([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).

  • data_blobs (array): List of all data blobs included in this key blob.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted if desired.

      • address ([‘number’, ‘string’], required): Data blob address, it could be omitted if data blob starts at start_address.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.

    • Items (object)

      • aes_key ([‘number’, ‘string’], required): AES key for the key blob.

      • aes_ctr ([‘number’, ‘string’], required): AES counter value for the key blob.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

      • aes_decryption_enable (boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default: true.

      • valid (boolean): This field signals if the context is valid or not. Default: true.

      • read_only (boolean): This field signals if the context is Read only or not. Default: true.

  • key_scramble (object): If Key scrambling is not required, this section must be commented out.

    • key_scramble_mask ([‘number’, ‘string’], required): OTFAD Key Scramble mask (4 bytes size).

    • key_scramble_align ([‘number’, ‘string’], required): OTFAD Key scramble mask align (1 byte size).

# ===========  OTFAD template for rt118x  ===========
# ----------------------------------------------------------------------------------------------------
#                                   == OTFAD template for rt118x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
  - data: my_data.bin  # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
    address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'  # [Required], AES key for the key blob
    aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
    start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
    aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
    valid: true # [Optional], Valid flag; This field signals if the context is valid or not
    read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not
key_scramble: # [Optional], If Key scrambling is not required, this section must be commented out
  key_scramble_mask: '0x12345678'  # [Required], Key Scramble; OTFAD Key Scramble mask (4 bytes size)
  key_scramble_align: '0x72' # [Required], Key Scramble Align; OTFAD Key scramble mask align (1 byte size)

OTFAD template for rt5xx

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"].

  • output_folder (string): Path to directory where the OTFAD output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "otfad_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "OTFAD_Table".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • kek (string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.

  • otfad_table_address ([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).

  • data_blobs (array): List of all data blobs included in this key blob.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted if desired.

      • address ([‘number’, ‘string’], required): Data blob address, it could be omitted if data blob starts at start_address.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.

    • Items (object)

      • aes_key ([‘number’, ‘string’], required): AES key for the key blob.

      • aes_ctr ([‘number’, ‘string’], required): AES counter value for the key blob.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

      • aes_decryption_enable (boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default: true.

      • valid (boolean): This field signals if the context is valid or not. Default: true.

      • read_only (boolean): This field signals if the context is Read only or not. Default: true.

# ===========  OTFAD template for rt5xx  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == OTFAD template for rt5xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
  - data: my_data.bin  # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
    address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'  # [Required], AES key for the key blob
    aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
    start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
    aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
    valid: true # [Optional], Valid flag; This field signals if the context is valid or not
    read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not

OTFAD template for rt6xx

  • family (string): MCU family name. Must be one of: ["rt116x", "rt117x", "rt118x", "rt5xx", "rt6xx"].

  • output_folder (string): Path to directory where the OTFAD output will be generated.

  • output_name (string): Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended). Default: "otfad_whole_image".

  • keyblob_name (string): Filename of the keyblob without file extension (.bin will be appended). Default: "OTFAD_Table".

  • encrypted_name (string): filename of the encrypted datablobs without file extension (.bin will be appended). Default: "encrypted_blob".

  • generate_readme (boolean): Readme file contains information about image layout. Default: true.

  • kek (string): OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number.

  • otfad_table_address ([‘number’, ‘string’]): The base address of key blob table, it should be aligned to 1 KB (1024 B).

  • data_blobs (array): List of all data blobs included in this key blob.

    • Items (object)

      • data (string, required): Path to binary file with plain text data to be encrypted if desired.

      • address ([‘number’, ‘string’], required): Data blob address, it could be omitted if data blob starts at start_address.

  • key_blobs (array): The list of definition of individual key blobs including plain data. Add other array items as you need and device allows. Length must be at least 1.

    • Items (object)

      • aes_key ([‘number’, ‘string’], required): AES key for the key blob.

      • aes_ctr ([‘number’, ‘string’], required): AES counter value for the key blob.

      • start_address ([‘number’, ‘string’], required): Start address of key blob data, it should be aligned to 1 KB (1024 B).

      • end_address ([‘number’, ‘string’], required): End address of key blob data, it should be aligned to 1 KB (1024 B).

      • aes_decryption_enable (boolean): For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed. Default: true.

      • valid (boolean): This field signals if the context is valid or not. Default: true.

      • read_only (boolean): This field signals if the context is Read only or not. Default: true.

# ===========  OTFAD template for rt6xx  ===========
# ----------------------------------------------------------------------------------------------------
#                                    == OTFAD template for rt6xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE  # [Required], MCU family name; Possible options:['rt116x', 'rt117x', 'rt118x', 'rt5xx', 'rt6xx']
output_folder: otfad_output # [Required], OTFAD output folder; Path to directory where the OTFAD output will be generated
output_name: otfad_whole_image # [Optional], Output binary image file name; Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin will be appended)
keyblob_name: OTFAD_Table # [Optional], Keyblob file name; Filename of the keyblob without file extension (.bin will be appended)
encrypted_name: encrypted_blob # [Optional], Encrypted name; filename of the encrypted datablobs without file extension (.bin will be appended)
generate_readme: true # [Optional], Generate readme.txt; Readme file contains information about image layout
kek: my_secret_kek.bin # [Required], KEK; OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing KEK or as a string or number
otfad_table_address: '0x08000000' # [Required], OTFAD key blobs table address; The base address of key blob table, it should be aligned to 1 KB (1024 B)
data_blobs: # [Optional], Data blobs list; List of all data blobs included in this key blob
  - data: my_data.bin  # [Required], Plain Text data blob; Path to binary file with plain text data to be encrypted if desired
    address: '0x08001000' # [Required], Data blob address, it could be omitted if data blob starts at start_address
key_blobs: # [Required], List of Key Blobs used by OTFAD; The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
  - aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'  # [Required], AES key for the key blob
    aes_ctr: '0x5689fab8b4bfb264' # [Required], AES counter value for the key blob
    start_address: '0x08001000' # [Required], Start address of key blob data, it should be aligned to 1 KB (1024 B)
    end_address: '0x08010000' # [Required], End address of key blob data, it should be aligned to 1 KB (1024 B)
    aes_decryption_enable: true # [Optional], AES decryption enable flag; For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or simply bypassed
    valid: true # [Optional], Valid flag; This field signals if the context is valid or not
    read_only: true # [Optional], Read Only flag; This field signals if the context is Read only or not

BEE

i.MX RT10xx, except i.MX1010, provides an on-the-fly encryption engine called Bus Encryption Engine(BEE) Refer to this application note for more info: AN12852.

BeeNxp

  • output_folder (string): Folder name to store generated BEE output.

  • input_binary (string): Path to input binary file.

  • output_name (string): File name of the encrypted file, output_folder/output_name.

  • header_name (string): output_folder/header_name + index will be prepended.

  • engine_selection (string): BEE Engine Selection, engine0, engine1 or both engines. Must be one of: ["engine0", "engine1", "both"].

  • engine_key_selection (string): Random Key or Zero key. Must be one of: ["random", "zero"].

  • base_address ([‘string’, ‘number’]): Base address of the image.

  • bee_engine (array): Configuration of BEE engines. Length must be between 1 and 2 (inclusive).

    • Items

      • One of

        • object

          • user_key ([‘string’, ‘number’], required): AES key for encryption.

          • aes_mode (string, required): AES mode - counter or ECB. Must be one of: ["CTR", "ECB"].

          • protected_region (array): List of protected regions, up to four regions.

            • Items (object)

              • start_address ([‘string’, ‘number’], required): Start address of protected region, it should be aligned to 1 KB (1024 B).

              • length ([‘string’, ‘number’], required): Length of protected region, it should be aligned to 1 KB (1024 B).

              • protected_level (number, required): Protected level (0/1/2/3), 0 is default.

        • object

          • header_path (string, required): Path to the existing BEE header in binary form.

          • user_key ([‘string’, ‘number’], required): AES key that was used for header encryption.

# ===========  BEE template  ===========
# ----------------------------------------------------------------------------------------------------
#                                             == BeeNxp ==
# ----------------------------------------------------------------------------------------------------
output_folder: bee_output  # [Required], BEE output folder; Folder name to store generated BEE output
input_binary: input_bin.bin # [Required], Input binary file; Path to input binary file
output_name: encrypted.bin # [Optional], Output binary file name; File name of the encrypted file, output_folder/output_name
header_name: bee_ehdr.bin # [Optional], File name of the exported BEE region headers; output_folder/header_name + index will be prepended
engine_selection: engine0 # [Required], Engine selection; BEE Engine Selection, engine0, engine1 or both engines; Possible options:['engine0', 'engine1', 'both']
engine_key_selection: random # [Required], Engine Key selection; Random Key or Zero key; Possible options:['random', 'zero']
base_address: '0x60001000' # [Required], Base address of the image
bee_engine: # [Required], Bee engines; Configuration of BEE engines
    # ----------------------------------------------------------------------------------------------------
    #                    == List of possible 2 options. Option types[object,object] ==
    # ----------------------------------------------------------------------------------------------------
  -  # [Example of possible configuration #0]
    user_key: '0x0123456789abcdeffedcba9876543210'  # [Required], User AES-128 key; AES key for encryption
    aes_mode: CTR # [Required], AES mode - counter or ECB; Possible options:['CTR', 'ECB']
    protected_region: # [Optional], Protected region; List of protected regions, up to four regions
      - start_address: '0x60001000'  # [Required], Start address of protected region, it should be aligned to 1 KB (1024 B)
        length: '0x4400' # [Required], Length of protected region, it should be aligned to 1 KB (1024 B)
        protected_level: 0 # [Required], Protected level (0/1/2/3), 0 is default
  - # [Example of possible configuration #1]
    header_path: bee_ehdr0.bin  # [Required], BEE header path; Path to the existing BEE header in binary form
    user_key: '0x0123456789abcdeffedcba9876543210' # [Required], User AES-128 key; AES key that was used for header encryption