Master Boot Image (MBI)
Master Boot Image can be used directly (e.g. by using blhost write-memory command) or it can be used for further processing (e.g. used as input to Secure Binary image container). Image is created based on a supplied configuration file, either JSON or YAML is supported.
We can divide into two categories based on layout.
- eXecute-In-Place (XIP) images
Plain
CRC
Signed
- Load-to-RAM images
Plain
CRC
Signed images with HMAC signed header. Since load-to-RAM copies the image from untrusted media to on-chip RAM, the length field in header should be authenticated before copy. Hence HMAC signed headers are used.
Encrypted (plain header with HMAC + AES-CBC encrypted).
Example of use
nxpimage: nxpimage mbi export <path to config file>
Sample configuration for LPC55s6x plain signed XIP image. Other sample configurations might be obtained with the get-templates sub-command.
# =========== Master Boot Image Configuration template for lpc55s6x, Plain Signed XIP Image. ===========
#
# == Basic Settings ==
#
family: lpc55s6x # MCU family., MCU family name.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
masterBootOutputFile: my_mbi.bin # Master Boot Image name., The file for Master Boot Image result file.
inputImageFile: my_application.bin # Plain application image., The input application image to by modified to Master Boot Image.
#
# == Trust Zone Settings ==
#
enableTrustZone: false # TrustZone enable option, If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # TrustZone Customization file, If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
#
# == Certificate V2 Settings ==
#
mainCertPrivateKeyFile: my_prv_key.pem # Main Certificate private key, Main Certificate private key used to sign certificate
imageBuildNumber: 0 # Image Build Number, If it's omitted, it will be used 0 as default value.
rootCertificate0File: my_certificate0.pem # Root Certificate File 0, Root certificate file index 0.
rootCertificate1File: my_certificate1.pem # Root Certificate File 1, Root certificate file index 1.
rootCertificate2File: my_certificate2.pem # Root Certificate File 2, Root certificate file index 2.
rootCertificate3File: my_certificate3.pem # Root Certificate File 3, Root certificate file index 3.
mainCertChainId: 0 # Main Certificate Index, Index of certificate that is used as a main.
chainCertificate0File0: chain_certificate0_depth0.pem # Chain certificate 0 for root 0, Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # Chain certificate 1 for root 0, Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # Chain certificate 2 for root 0, Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # Chain certificate 3 for root 0, Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # Chain certificate 0 for root 1, Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # Chain certificate 1 for root 1, Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # Chain certificate 2 for root 1, Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # Chain certificate 3 for root 1, Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # Chain certificate 0 for root 2, Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # Chain certificate 1 for root 2, Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # Chain certificate 2 for root 2, Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # Chain certificate 3 for root 2, Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # Chain certificate 0 for root 3, Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # Chain certificate 1 for root 3, Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # Chain certificate 2 for root 3, Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # Chain certificate 3 for root 3, Chain certificate 3 for root certificate 3
Supported devices for MBI
NXPIMAGE support devices from LPC55xx family (LPC55S0x, LPC55S1x, LPC55S2x, LPC552x, LPC55S6x), RT5xx, RT6xx, LPC55S3x, MCXN9xx and RW61x. Supported execution targets are: Internal flash (XIP), External Flash (XIP) and Load to RAM and image authentication types: Plain, CRC, Signed, Encrypted and NXP Signed.
The following table shows the supported image types for each device, it either shows “N/A” if the configuration is not available or respective class that will be used for image creation.
Target in the table represents outputImageExecutionTarget in the configuration file and authentication in the table represents outputImageAuthenticationType.
Targets |
Internal flash (XIP) |
Internal flash (XIP) |
Internal flash (XIP) |
Internal flash (XIP) |
Internal flash (XIP) |
External flash (XIP) |
External flash (XIP) |
External flash (XIP) |
External flash (XIP) |
External flash (XIP) |
RAM |
RAM |
RAM |
RAM |
RAM |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Authentication |
Plain |
CRC |
Signed |
NXP Signed |
Encrypted + Signed |
Plain |
CRC |
Signed |
NXP Signed |
Encrypted + Signed |
Plain |
CRC |
Signed |
NXP Signed |
Encrypted + Signed |
lpc55xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s0x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc550x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s1x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc551x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s2x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc552x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
lpc55s6x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
nhs52sxx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||
rt5xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||||
rt6xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
|||||||
lpc55s3x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
||||||||
kw45xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
||||
k32w1xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
||||
lpc553x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
||||||||
mcxn9xx |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
||||||||
rw61x |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
N/A |
Supported configuration options
Refer to the documentation below for the supported configuration options for each image type. Please note that the outputImageExecutionTarget and outputImageAuthenticationType must be filled in addition to the basic settings according to the table with supported devices.
outputImageExecutionTarget: Internal flash (XIP) # Application target., Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence.
outputImageAuthenticationType: Signed # Type of boot image authentication., Specification of final master boot image authentication.
Mbi_CrcExtXipRw61x
family(string): MCU family name. Must be one of:["rw61x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcExtXipRw61x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcExtXipRw61x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rw61x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcRam
family(string): MCU family name. Must be one of:["lpc551x", "nhs52sxx", "lpc550x", "lpc55xx", "lpc55s2x", "lpc55s0x", "lpc55s1x", "lpc55s6x", "lpc552x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_CrcRam ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc551x', 'nhs52sxx', 'lpc550x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x', 'lpc55s1x', 'lpc55s6x', 'lpc552x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_CrcRamLpc55s3x
family(string): MCU family name. Must be one of:["lpc55s3x", "lpc553x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcRamLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcRamMcxNx
family(string): MCU family name. Must be one of:["mcxn9xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcRamMcxNx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamMcxNx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['mcxn9xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcRamRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.applicationTable(array): This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.Items (object)
binary(string, required): The binary file to be added to final application.destAddress([‘string’, ‘number’], required): Destination address in RAM of additional binary.load(boolean, required): Enabler to load/use the image.
outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_CrcRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.
- binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_CrcRamRw61x
family(string): MCU family name. Must be one of:["rw61x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcRamRw61x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcRamRw61x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rw61x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcXip
family(string): MCU family name. Must be one of:["lpc551x", "nhs52sxx", "lpc550x", "lpc55xx", "lpc55s2x", "lpc55s6x", "lpc552x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
# =========== YAML template Mbi_CrcXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc551x', 'nhs52sxx', 'lpc550x', 'lpc55xx', 'lpc55s2x', 'lpc55s6x', 'lpc552x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
Mbi_CrcXipKw45xx
family(string): MCU family name. Must be one of:["kw45xx", "k32w1xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageSubtype(string): Image subtype determine the image use in MCU (Main application or something else).
# =========== YAML template Mbi_CrcXipKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageSubtype: MAIN # [Optional], Image subtype determine the image use in MCU (Main application or something else).
Mbi_CrcXipLpc55s3x
family(string): MCU family name. Must be one of:["lpc55s3x", "lpc553x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcXipLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcXipMcxNx
family(string): MCU family name. Must be one of:["mcxn9xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_CrcXipMcxNx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipMcxNx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['mcxn9xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_CrcXipRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "lpc55s0x", "lpc55s1x", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_CrcXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_CrcXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'lpc55s0x', 'lpc55s1x', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_EncryptedRamRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.applicationTable(array): This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.Items (object)
binary(string, required): The binary file to be added to final application.destAddress([‘string’, ‘number’], required): Destination address in RAM of additional binary.load(boolean, required): Enabler to load/use the image.
outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key. imageBuildNumber([‘number’, ‘string’]): If it’s omitted, it will be used 0 as default value.chainCertificate0File0(string): Chain certificate 0 for root certificate 0.chainCertificate0File1(string): Chain certificate 1 for root certificate 0.chainCertificate0File2(string): Chain certificate 2 for root certificate 0.chainCertificate0File3(string): Chain certificate 3 for root certificate 0.chainCertificate1File0(string): Chain certificate 0 for root certificate 1.chainCertificate1File1(string): Chain certificate 1 for root certificate 1.chainCertificate1File2(string): Chain certificate 2 for root certificate 1.chainCertificate1File3(string): Chain certificate 3 for root certificate 1.chainCertificate2File0(string): Chain certificate 0 for root certificate 2.chainCertificate2File1(string): Chain certificate 1 for root certificate 2.chainCertificate2File2(string): Chain certificate 2 for root certificate 2.chainCertificate2File3(string): Chain certificate 3 for root certificate 2.chainCertificate3File0(string): Chain certificate 0 for root certificate 3.chainCertificate3File1(string): Chain certificate 1 for root certificate 3.chainCertificate3File2(string): Chain certificate 2 for root certificate 3.chainCertificate3File3(string): Chain certificate 3 for root certificate 3.rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.keyStoreFile(string): Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.outputImageEncryptionKeyFile(string): The HMAC encryption key (file path). Could be defined as hex number and also as hex/binary file.CtrInitVector(string): The initial vector for encryption counter. Could be defined as hex number and also as hex/binary file.
# =========== YAML template Mbi_EncryptedRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_EncryptedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.
- binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file; Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key; The HMAC encryption key (file path). Could be defined as hex number and also as hex/binary file
CtrInitVector: '0xc3df2316fd40b15586cb5ae49483aee2' # [Optional], The output image encryption initial vector for encryption counter; The initial vector for encryption counter. Could be defined as hex number and also as hex/binary file
Mbi_PlainExtXipSignedRw61x
family(string): MCU family name. Must be one of:["rw61x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_PlainExtXipSignedRw61x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainExtXipSignedRw61x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rw61x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_PlainRamLpc55s3x
family(string): MCU family name. Must be one of:["lpc55s3x", "lpc553x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_PlainRamLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_PlainRamMcxNx
family(string): MCU family name. Must be one of:["mcxn9xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_PlainRamMcxNx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamMcxNx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['mcxn9xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_PlainRamRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_PlainRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainRamRw61x
family(string): MCU family name. Must be one of:["rw61x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.
# =========== YAML template Mbi_PlainRamRw61x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainRamRw61x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rw61x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
Mbi_PlainSignedRamRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.applicationTable(array): This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.Items (object)
binary(string, required): The binary file to be added to final application.destAddress([‘string’, ‘number’], required): Destination address in RAM of additional binary.load(boolean, required): Enabler to load/use the image.
outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key. imageBuildNumber([‘number’, ‘string’]): If it’s omitted, it will be used 0 as default value.chainCertificate0File0(string): Chain certificate 0 for root certificate 0.chainCertificate0File1(string): Chain certificate 1 for root certificate 0.chainCertificate0File2(string): Chain certificate 2 for root certificate 0.chainCertificate0File3(string): Chain certificate 3 for root certificate 0.chainCertificate1File0(string): Chain certificate 0 for root certificate 1.chainCertificate1File1(string): Chain certificate 1 for root certificate 1.chainCertificate1File2(string): Chain certificate 2 for root certificate 1.chainCertificate1File3(string): Chain certificate 3 for root certificate 1.chainCertificate2File0(string): Chain certificate 0 for root certificate 2.chainCertificate2File1(string): Chain certificate 1 for root certificate 2.chainCertificate2File2(string): Chain certificate 2 for root certificate 2.chainCertificate2File3(string): Chain certificate 3 for root certificate 2.chainCertificate3File0(string): Chain certificate 0 for root certificate 3.chainCertificate3File1(string): Chain certificate 1 for root certificate 3.chainCertificate3File2(string): Chain certificate 2 for root certificate 3.chainCertificate3File3(string): Chain certificate 3 for root certificate 3.rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.outputImageEncryptionKeyFile(string): The HMAC encryption key (file path). Could be defined as hex number and also as hex/binary file.keyStoreFile(string): Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_PlainSignedRamRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainSignedRamRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
applicationTable: # [Optional], The list of additional binaries; This is software future of RTxxx family that NXP SDK startup code(not ROM) could load additional images.
- binary: my_additional_binary.bin # [Required], Binary file; The binary file to be added to final application.
destAddress: 536870912 # [Required], Destination address in RAM of additional binary.
load: true # [Required], Enable load; Enabler to load/use the image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
outputImageEncryptionKeyFile: hmac_key.bin # [Required], HMAC Key; The HMAC encryption key (file path). Could be defined as hex number and also as hex/binary file
keyStoreFile: my_key_store_data.bin # [Optional], The Key store data file; Optional KeyStore data file for included keystore in LoadToRam images. If defined the KeyStore is added into MBI.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainSignedRamRw61x
family(string): MCU family name. Must be one of:["rw61x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_PlainSignedRamRw61x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainSignedRamRw61x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rw61x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_PlainSignedXipRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "lpc55s0x", "lpc55s1x", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key. imageBuildNumber([‘number’, ‘string’]): If it’s omitted, it will be used 0 as default value.chainCertificate0File0(string): Chain certificate 0 for root certificate 0.chainCertificate0File1(string): Chain certificate 1 for root certificate 0.chainCertificate0File2(string): Chain certificate 2 for root certificate 0.chainCertificate0File3(string): Chain certificate 3 for root certificate 0.chainCertificate1File0(string): Chain certificate 0 for root certificate 1.chainCertificate1File1(string): Chain certificate 1 for root certificate 1.chainCertificate1File2(string): Chain certificate 2 for root certificate 1.chainCertificate1File3(string): Chain certificate 3 for root certificate 1.chainCertificate2File0(string): Chain certificate 0 for root certificate 2.chainCertificate2File1(string): Chain certificate 1 for root certificate 2.chainCertificate2File2(string): Chain certificate 2 for root certificate 2.chainCertificate2File3(string): Chain certificate 3 for root certificate 2.chainCertificate3File0(string): Chain certificate 0 for root certificate 3.chainCertificate3File1(string): Chain certificate 1 for root certificate 3.chainCertificate3File2(string): Chain certificate 2 for root certificate 3.chainCertificate3File3(string): Chain certificate 3 for root certificate 3.rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_PlainSignedXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainSignedXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'lpc55s0x', 'lpc55s1x', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainXip
family(string): MCU family name. Must be one of:["lpc551x", "nhs52sxx", "lpc550x", "lpc55xx", "lpc55s2x", "lpc55s6x", "lpc552x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
# =========== YAML template Mbi_PlainXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc551x', 'nhs52sxx', 'lpc550x', 'lpc55xx', 'lpc55s2x', 'lpc55s6x', 'lpc552x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
Mbi_PlainXipKw45xx
family(string): MCU family name. Must be one of:["kw45xx", "k32w1xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageSubtype(string): Image subtype determine the image use in MCU (Main application or something else).
# =========== YAML template Mbi_PlainXipKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageSubtype: MAIN # [Optional], Image subtype determine the image use in MCU (Main application or something else).
Mbi_PlainXipRtxxx
family(string): MCU family name. Must be one of:["rt5xx", "lpc55s0x", "lpc55s1x", "rt6xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.enableHwUserModeKeys([‘boolean’, ‘string’]): Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
# =========== YAML template Mbi_PlainXipRtxxx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipRtxxx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['rt5xx', 'lpc55s0x', 'lpc55s1x', 'rt6xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
enableHwUserModeKeys: false # [Required], Enable User HW key sharing; Controlling secure hardware key bus. If enabled(1), then it is possible to access keys on hardware secure bus from non-secure application, else non-secure application will read zeros.
Mbi_PlainXipSignedKw45xx
family(string): MCU family name. Must be one of:["kw45xx", "k32w1xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].noSignature(boolean): When is set, the signature is not included. The signature could be later added by HSM.
# =========== YAML template Mbi_PlainXipSignedKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
noSignature: false # [Optional], No Signature; When is set, the signature is not included. The signature could be later added by HSM.
Mbi_PlainXipSignedLpc55s3x
family(string): MCU family name. Must be one of:["lpc55s3x", "lpc553x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_PlainXipSignedLpc55s3x ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedLpc55s3x ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc55s3x', 'lpc553x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_PlainXipSignedMcxNx
family(string): MCU family name. Must be one of:["mcxn9xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].outputImageSubtype(string): Image subtype determine the image use in MCU (Main application or something else).outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.
# =========== YAML template Mbi_PlainXipSignedMcxNx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedMcxNx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['mcxn9xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
outputImageSubtype: MAIN # [Optional], Image subtype determine the image use in MCU (Main application or something else).
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
Mbi_PlainXipSignedNxpKw45xx
family(string): MCU family name. Must be one of:["kw45xx", "k32w1xx"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.mainRootCertPrivateKeyFile(string): Path to Main root Certification Private Key. Don’t use when ‘binaryCertificateBlock’ is defined.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. binaryCertificateBlock(string): Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted (‘useIsk’, ‘mainRootCertPrivateKeyFile’, ‘signingCertificateFile’, ‘signingCertificateConstraint’, ‘signCertData’) In case that ISK is defined, certicate block must be deleted.useIsk(boolean): Enable ISK type of signature certification. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateFile(string): Path to Signing Certificate. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificateConstraint([‘string’, ‘number’]): Signing certificate constrain number. Don’t use when ‘binaryCertificateBlock’ is defined. Default:0.signCertData(string): Path to Signing Certificate data. Don’t use when ‘binaryCertificateBlock’ is defined.signingCertificatePrivateKeyFile(string): ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.iskSignProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.firmwareVersion([‘number’, ‘string’]): Version of application image firmware.manifestDigestHashAlgorithm(string): Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest. Must be one of:["sha256", "sha384", "sha521"].outputImageSubtype(string): Image subtype determine the image use in MCU (Main application or something else).noSignature(boolean): When is set, the signature is not included. The signature could be later added by HSM.
# =========== YAML template Mbi_PlainXipSignedNxpKw45xx ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_PlainXipSignedNxpKw45xx ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['kw45xx', 'k32w1xx']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
mainRootCertPrivateKeyFile: main_cert_prv_key.pem # [Conditionally required], Main root Certification Private Key; Path to Main root Certification Private Key. Don't use when 'binaryCertificateBlock' is defined
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
binaryCertificateBlock: my_isk_cert.bin # [Conditionally required], Binary Certificate; Optionally the certificate could be defined as a pre-generated binary block. In case that is defined, all other configuration for certification block must be deleted ('useIsk', 'mainRootCertPrivateKeyFile', 'signingCertificateFile', 'signingCertificateConstraint', 'signCertData') In case that ISK is defined, certicate block must be deleted
useIsk: false # [Conditionally required], Use ISK for signature certification; Enable ISK type of signature certification. Don't use when 'binaryCertificateBlock' is defined
signingCertificateFile: sign_cert.pem # [Conditionally required], Signing Certificate; Path to Signing Certificate. Don't use when 'binaryCertificateBlock' is defined
signingCertificateConstraint: 0 # [Optional], Signing certificate constrain number. Don't use when 'binaryCertificateBlock' is defined
signCertData: sign_cert.bin # [Optional], Signing Certificate data; Path to Signing Certificate data. Don't use when 'binaryCertificateBlock' is defined
signingCertificatePrivateKeyFile: isk_prv_key.pem # [Optional], ISK Certificate private key used to sign certificate. It can be replaced by signProvider key.
iskSignProvider: type=file;file_path=my_isk_prv_key.pem # [Optional], ISK Signature Provider; Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>".
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
firmwareVersion: 0 # [Optional], Firmware version; Version of application image firmware.
manifestDigestHashAlgorithm: sha256 # [Optional], Manifest signing hash algorithm; Optional Manifest signing hash algorithm name to create Certificate v3.1 Manifest; Possible options:['sha256', 'sha384', 'sha521']
outputImageSubtype: MAIN # [Optional], Image subtype determine the image use in MCU (Main application or something else).
noSignature: false # [Optional], No Signature; When is set, the signature is not included. The signature could be later added by HSM.
Mbi_SignedRam
family(string): MCU family name. Must be one of:["lpc551x", "nhs52sxx", "lpc550x", "lpc55xx", "lpc55s2x", "lpc55s0x", "lpc55s1x", "lpc55s6x", "lpc552x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.outputImageExecutionAddress([‘number’, ‘string’]): Application loading address in RAM if not XiP, otherwise address of load in XiP.mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key. imageBuildNumber([‘number’, ‘string’]): If it’s omitted, it will be used 0 as default value.chainCertificate0File0(string): Chain certificate 0 for root certificate 0.chainCertificate0File1(string): Chain certificate 1 for root certificate 0.chainCertificate0File2(string): Chain certificate 2 for root certificate 0.chainCertificate0File3(string): Chain certificate 3 for root certificate 0.chainCertificate1File0(string): Chain certificate 0 for root certificate 1.chainCertificate1File1(string): Chain certificate 1 for root certificate 1.chainCertificate1File2(string): Chain certificate 2 for root certificate 1.chainCertificate1File3(string): Chain certificate 3 for root certificate 1.chainCertificate2File0(string): Chain certificate 0 for root certificate 2.chainCertificate2File1(string): Chain certificate 1 for root certificate 2.chainCertificate2File2(string): Chain certificate 2 for root certificate 2.chainCertificate2File3(string): Chain certificate 3 for root certificate 2.chainCertificate3File0(string): Chain certificate 0 for root certificate 3.chainCertificate3File1(string): Chain certificate 1 for root certificate 3.chainCertificate3File2(string): Chain certificate 2 for root certificate 3.chainCertificate3File3(string): Chain certificate 3 for root certificate 3.rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
# =========== YAML template Mbi_SignedRam ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_SignedRam ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc551x', 'nhs52sxx', 'lpc550x', 'lpc55xx', 'lpc55s2x', 'lpc55s0x', 'lpc55s1x', 'lpc55s6x', 'lpc552x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
outputImageExecutionAddress: 0 # [Required], Loading address of application; Application loading address in RAM if not XiP, otherwise address of load in XiP.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.
Mbi_SignedXip
family(string): MCU family name. Must be one of:["lpc551x", "nhs52sxx", "lpc550x", "lpc55xx", "lpc55s2x", "lpc55s6x", "lpc552x"].outputImageExecutionTarget(string): Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence. Must be one of:["Internal flash (XIP)", "External flash (XIP)", "Internal Flash (XIP)", "External Flash (XIP)", "RAM", "ram", "xip"].outputImageAuthenticationType(string): Specification of final master boot image authentication. Must be one of:["Plain", "CRC", "Signed", "Encrypted + Signed", "NXP Signed", "encrypted", "signed", "crc"].masterBootOutputFile(string): The file for Master Boot Image result file.inputImageFile(string): The input application image to by modified to Master Boot Image.enableTrustZone(boolean): If not specified, the Trust zone is disabled.trustZonePresetFile(string): If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.mainCertPrivateKeyFile(string): Main Certificate private key used to sign certificate. It can be replaced by signProvider key.signProvider(string): Signature provider configuration in format ‘type=<sp_type>;= ; = ”. It can be replaced by mainCertPrivateKeyFile key. imageBuildNumber([‘number’, ‘string’]): If it’s omitted, it will be used 0 as default value.chainCertificate0File0(string): Chain certificate 0 for root certificate 0.chainCertificate0File1(string): Chain certificate 1 for root certificate 0.chainCertificate0File2(string): Chain certificate 2 for root certificate 0.chainCertificate0File3(string): Chain certificate 3 for root certificate 0.chainCertificate1File0(string): Chain certificate 0 for root certificate 1.chainCertificate1File1(string): Chain certificate 1 for root certificate 1.chainCertificate1File2(string): Chain certificate 2 for root certificate 1.chainCertificate1File3(string): Chain certificate 3 for root certificate 1.chainCertificate2File0(string): Chain certificate 0 for root certificate 2.chainCertificate2File1(string): Chain certificate 1 for root certificate 2.chainCertificate2File2(string): Chain certificate 2 for root certificate 2.chainCertificate2File3(string): Chain certificate 3 for root certificate 2.chainCertificate3File0(string): Chain certificate 0 for root certificate 3.chainCertificate3File1(string): Chain certificate 1 for root certificate 3.chainCertificate3File2(string): Chain certificate 2 for root certificate 3.chainCertificate3File3(string): Chain certificate 3 for root certificate 3.rootCertificate0File(string): Root certificate file index 0.rootCertificate1File(string): Root certificate file index 1.rootCertificate2File(string): Root certificate file index 2.rootCertificate3File(string): Root certificate file index 3.mainRootCertId([‘number’, ‘string’]): Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.mainCertChainId([‘number’, ‘string’]): Caution! This property is kept here for backwards compatibility with old schemas. Use mainRootCertId instead.
# =========== YAML template Mbi_SignedXip ===========
# ----------------------------------------------------------------------------------------------------
# == Mbi_SignedXip ==
# ----------------------------------------------------------------------------------------------------
family: CHOOSE_FROM_TABLE # [Required], MCU family name; Possible options:['lpc551x', 'nhs52sxx', 'lpc550x', 'lpc55xx', 'lpc55s2x', 'lpc55s6x', 'lpc552x']
outputImageExecutionTarget: CHOOSE_FROM_TABLE # [Required], Application target; Definition if application is Execute in Place(XiP) or loaded to RAM during reset sequence; Possible options:['Internal flash (XIP)', 'External flash (XIP)', 'Internal Flash (XIP)', 'External Flash (XIP)', 'RAM', 'ram', 'xip']
outputImageAuthenticationType: CHOOSE_FROM_TABLE # [Required], Type of boot image authentication; Specification of final master boot image authentication; Possible options:['Plain', 'CRC', 'Signed', 'Encrypted + Signed', 'NXP Signed', 'encrypted', 'signed', 'crc']
masterBootOutputFile: my_mbi.bin # [Required], Master Boot Image name; The file for Master Boot Image result file.
inputImageFile: my_application.bin # [Required], Plain application image; The input application image to by modified to Master Boot Image.
enableTrustZone: false # [Optional], TrustZone enable option; If not specified, the Trust zone is disabled.
trustZonePresetFile: my_tz_custom.yaml # [Optional], TrustZone Customization file; If not specified, but TrustZone is enabled(enableTrustZone) the default values are used.
mainCertPrivateKeyFile: my_prv_key.pem # [Conditionally required], Main Certificate private key used to sign certificate. It can be replaced by signProvider key.
signProvider: type=file;file_path=my_prv_key.pem # [Conditionally required], Signature provider configuration in format 'type=<sp_type>;<key1>=<value1>;<key2>=<value2>". It can be replaced by mainCertPrivateKeyFile key.
imageBuildNumber: 0 # [Optional], Image Build Number; If it's omitted, it will be used 0 as default value.
chainCertificate0File0: chain_certificate0_depth0.pem # [Optional], Chain certificate 0 for root 0; Chain certificate 0 for root certificate 0
chainCertificate0File1: chain_certificate0_depth1.pem # [Optional], Chain certificate 1 for root 0; Chain certificate 1 for root certificate 0
chainCertificate0File2: chain_certificate0_depth2.pem # [Optional], Chain certificate 2 for root 0; Chain certificate 2 for root certificate 0
chainCertificate0File3: chain_certificate0_depth3.pem # [Optional], Chain certificate 3 for root 0; Chain certificate 3 for root certificate 0
chainCertificate1File0: chain_certificate1_depth0.pem # [Optional], Chain certificate 0 for root 1; Chain certificate 0 for root certificate 1
chainCertificate1File1: chain_certificate1_depth1.pem # [Optional], Chain certificate 1 for root 1; Chain certificate 1 for root certificate 1
chainCertificate1File2: chain_certificate1_depth2.pem # [Optional], Chain certificate 2 for root 1; Chain certificate 2 for root certificate 1
chainCertificate1File3: chain_certificate1_depth3.pem # [Optional], Chain certificate 3 for root 1; Chain certificate 3 for root certificate 1
chainCertificate2File0: chain_certificate2_depth0.pem # [Optional], Chain certificate 0 for root 2; Chain certificate 0 for root certificate 2
chainCertificate2File1: chain_certificate2_depth1.pem # [Optional], Chain certificate 1 for root 2; Chain certificate 1 for root certificate 2
chainCertificate2File2: chain_certificate2_depth2.pem # [Optional], Chain certificate 2 for root 2; Chain certificate 2 for root certificate 2
chainCertificate2File3: chain_certificate2_depth3.pem # [Optional], Chain certificate 3 for root 2; Chain certificate 3 for root certificate 2
chainCertificate3File0: chain_certificate3_depth0.pem # [Optional], Chain certificate 0 for root 3; Chain certificate 0 for root certificate 3
chainCertificate3File1: chain_certificate3_depth1.pem # [Optional], Chain certificate 1 for root 3; Chain certificate 1 for root certificate 3
chainCertificate3File2: chain_certificate3_depth2.pem # [Optional], Chain certificate 2 for root 3; Chain certificate 2 for root certificate 3
chainCertificate3File3: chain_certificate3_depth3.pem # [Optional], Chain certificate 3 for root 3; Chain certificate 3 for root certificate 3
rootCertificate0File: my_certificate0.pub # [Conditionally required], Root Certificate File 0; Root certificate file index 0.
rootCertificate1File: my_certificate1.pub # [Optional], Root Certificate File 1; Root certificate file index 1.
rootCertificate2File: my_certificate2.pub # [Optional], Root Certificate File 2; Root certificate file index 2.
rootCertificate3File: my_certificate3.pub # [Optional], Root Certificate File 3; Root certificate file index 3.
mainRootCertId: 0 # [Conditionally required], Main Certificate Index; Index of certificate that is used as a main. If not defined, the certificate matching private key will be selected.