Flash encryption engines#
nxpimage currently supports generation of bootable images and keyblobs for NXP bus encryption engines – OTFAD (On-the-fly AES decryption engines), BEE (Bus encryption engine) and IEE (Inline encryption engine).
Note
For Prince algorithm based inline encryption & decryption engines (IPED, Prince & NPX) we don’t support offline image creation.
IEE#
nxpimage supports generation of bootable image for MIMXRT117x. More details can be found in the security reference manual: https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1170SRM&appType=moderated or in the Secure Boot modes application note https://www.nxp.com/webapp/Download?colCode=AN13250
IEE engine provides means to perform inline encryption and decryption. Following algorithms are supported AES-128/256-CTR and AES-256/512-XTS. The IEE key blob containing keys and context structures is encrypted by a KEK according to the RFC3394 key-wrapping algorithm, because the key blob resides in the external memory along with the image and it must be protected
Generation of bootable image
First step is to get a template for configuration. The template might look like the file below.
nxpimage iee get-template -f rt1170 iee_template.yaml
IEE for mimxrt1165#
IEE for mimxrt1165 JSON schema
IEE for mimxrt1165 YAML configuration template
# =========================================== IEE template for mimxrt1165 ============================================
# ======================================================================================================================
# == IEE for mimxrt1165 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1166#
IEE for mimxrt1166 JSON schema
IEE for mimxrt1166 YAML configuration template
# =========================================== IEE template for mimxrt1166 ============================================
# ======================================================================================================================
# == IEE for mimxrt1166 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1171#
IEE for mimxrt1171 JSON schema
IEE for mimxrt1171 YAML configuration template
# =========================================== IEE template for mimxrt1171 ============================================
# ======================================================================================================================
# == IEE for mimxrt1171 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1172#
IEE for mimxrt1172 JSON schema
IEE for mimxrt1172 YAML configuration template
# =========================================== IEE template for mimxrt1172 ============================================
# ======================================================================================================================
# == IEE for mimxrt1172 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1173#
IEE for mimxrt1173 JSON schema
IEE for mimxrt1173 YAML configuration template
# =========================================== IEE template for mimxrt1173 ============================================
# ======================================================================================================================
# == IEE for mimxrt1173 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1175#
IEE for mimxrt1175 JSON schema
IEE for mimxrt1175 YAML configuration template
# =========================================== IEE template for mimxrt1175 ============================================
# ======================================================================================================================
# == IEE for mimxrt1175 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1176#
IEE for mimxrt1176 JSON schema
IEE for mimxrt1176 YAML configuration template
# =========================================== IEE template for mimxrt1176 ============================================
# ======================================================================================================================
# == IEE for mimxrt1176 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
# ----------------------------------===== IBKEK1 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK1 AES-XTS key for keyblob encryption
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------------===== IBKEK2 AES-XTS 256-bit key [Required] =====-----------------------------------
# Description: IBKEK2 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
key_blobs:
-
# ----------------------------------===== Keyblob lock attribute [Optional] =====-----------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# -----------------------------------------===== AES mode [Required] =====------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# -----------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# ----------------------------------------===== Page offset [Optional] =====----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# --------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====---------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ---------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====---------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x30001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000'
IEE for mimxrt1181#
IEE for mimxrt1181 JSON schema
IEE for mimxrt1181 YAML configuration template
# =========================================== IEE template for mimxrt1181 ============================================
# ======================================================================================================================
# == IEE for mimxrt1181 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
key_blob:
# -----------------------------------===== Keyblob lock attribute [Optional] =====------------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# ------------------------------------------===== AES mode [Required] =====-------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# ------------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====-------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# -----------------------------------------===== Page offset [Optional] =====-----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# ---------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====----------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====----------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# -------------------------------===== Start address of key blob data [Required] =====--------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x04001000'
# --------------------------------===== End address of key blob data [Required] =====---------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x04008000'
IEE for mimxrt1182#
IEE for mimxrt1182 JSON schema
IEE for mimxrt1182 YAML configuration template
# =========================================== IEE template for mimxrt1182 ============================================
# ======================================================================================================================
# == IEE for mimxrt1182 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
key_blob:
# -----------------------------------===== Keyblob lock attribute [Optional] =====------------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# ------------------------------------------===== AES mode [Required] =====-------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# ------------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====-------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# -----------------------------------------===== Page offset [Optional] =====-----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# ---------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====----------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====----------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# -------------------------------===== Start address of key blob data [Required] =====--------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x04001000'
# --------------------------------===== End address of key blob data [Required] =====---------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x04008000'
IEE for mimxrt1187#
IEE for mimxrt1187 JSON schema
IEE for mimxrt1187 YAML configuration template
# =========================================== IEE template for mimxrt1187 ============================================
# ======================================================================================================================
# == IEE for mimxrt1187 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
key_blob:
# -----------------------------------===== Keyblob lock attribute [Optional] =====------------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# ------------------------------------------===== AES mode [Required] =====-------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# ------------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====-------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# -----------------------------------------===== Page offset [Optional] =====-----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# ---------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====----------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====----------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# -------------------------------===== Start address of key blob data [Required] =====--------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x04001000'
# --------------------------------===== End address of key blob data [Required] =====---------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x04008000'
IEE for mimxrt1189#
IEE for mimxrt1189 JSON schema
IEE for mimxrt1189 YAML configuration template
# =========================================== IEE template for mimxrt1189 ============================================
# ======================================================================================================================
# == IEE for mimxrt1189 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175, mimxrt1176, mimxrt1181,
# mimxrt1182, mimxrt1187, mimxrt1189>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# -------------------------------------===== IEE output directory [Required] =====--------------------------------------
# Description: Path to directory where the IEE output will be generated
output_folder: iee_output
# ---------------------------------===== Output binary image filename [Optional] =====----------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: iee_whole_image
# ---------------------------------------===== Keyblob filename [Optional] =====----------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: iee_keyblob
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ---------------------------===== Generate blhost batch file to burn fuses [Optional] =====----------------------------
# Description: BCF file with fuses configuration
generate_fuses_script: true
# --------------------------------===== Base address of the IEE keyblob [Required] =====--------------------------------
# Description: Should be aligned to 1 kB
keyblob_address: '0x30000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs that will be encrypted
data_blobs:
-
# -------------------------------------===== Binary data blob [Required] =====--------------------------------------
# Description: Path to binary file with plain text data to be encrypted
data: my_data.bin
# -------------------------------------===== Data blob address [Optional] =====-------------------------------------
# Description: Data blob address, it doesn't have to be specified for S-REC
address: '0x30001000'
key_blob:
# -----------------------------------===== Keyblob lock attribute [Optional] =====------------------------------------
# Description: Determines if the ROM will lock the IEE configuration to prevent later changes.
region_lock: false
# ------------------------------------------===== AES mode [Required] =====-------------------------------------------
# Description: AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream
# only
# Possible options: <Bypass, AesXTS, AesCTRWAddress, AesCTRWOAddress, AesCTRkeystream>
aes_mode: AesXTS
# ------------------===== AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS [Required] =====-------------------
# Description: AES mode, AES-XTS or AES-CTR
# Possible options: <CTR256XTS512, CTR128XTS256>
key_size: CTR256XTS512
# -----------------------------------------===== Page offset [Optional] =====-----------------------------------------
# Description: Page offset, IEE_REG0PO value
page_offset: 0
# ---------------------------------===== AES-XTS key1 / AES-CTR key [Required] =====----------------------------------
# Description: AES key for the key blob, size depends on key_size
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
# ----------------------------===== AES-CTR Counter value or AES-XTS key2 [Required] =====----------------------------
# Description: AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F'
# -------------------------------===== Start address of key blob data [Required] =====--------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x04001000'
# --------------------------------===== End address of key blob data [Required] =====---------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x04008000'
# =========== IEE: Inline Encryption Engine Configuration template for rt1170. ===========
# ----------------------------------------------------------------------------------------------------
# == Basic Settings ==
# ----------------------------------------------------------------------------------------------------
family: rt1170 # [Required], MCU family, MCU family name., Possible options:['rt1170']
output_folder: iee_output # [Required], IEE output directory, Path to directory where the IEE output will be generated
output_name: encrypted.bin # [Optional], Output binary image file name, File name of the output image containing keyblobs and encrypted data blobs
keyblob_name: iee_keyblob.bin # [Optional], Keyblob file name, File name of the keyblob, output_folder/keyblob_name
encrypted_name: encrypted_blob.bin # [Optional], Encrypted name, filename of the encrypted datablobs
# ----------------------------------------------------------------------------------------------------
# == IEE Settings ==
# ----------------------------------------------------------------------------------------------------
ibkek1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], IBKEK1 AES-XTS 256-bit key, IBKEK1 AES-XTS key for keyblob encryption
ibkek2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], IBKEK2 AES-XTS 256-bit key, IBKEK2 AES-XTS key for keyblob encryption
keyblob_address: '0x30000000' # [Required], Base address of the IEE keyblob, Should be aligned to 1 kB
data_blobs: # [Optional], Data blobs list, List of all data blobs that will be encrypted
- data: my_data.bin # [Required], Binary data blob, Path to binary file with plain text data to be encrypted
address: '0x03001000' # [Optional], Data blob address, Data blob address, it doesn't have to be specified for S-REC
key_blobs: # [Required], List of Key Blobs used by IEE, The list of definition of individual key blobs including plain data. Add other array items as you need and device allows
- region_lock: false # [Optional], Keyblob lock attribute, Determines if the ROM will lock the IEE configuration to prevent later changes.
aes_mode: AesXTS # [Required], AES mode, AES mode, Encryption bypass, AES-XTS, AES-CTR (with or without address binding) or AES-CTR keystream only, Possible options:['Bypass', 'AesXTS', 'AesCTRWAddress', 'AesCTRWOAddress', 'AesCTRkeystream']
key_size: CTR256XTS512 # [Required], AES key size, 128/256 for AES-CTR or 256/512 for AES-XTS, AES mode, AES-XTS or AES-CTR, Possible options:['CTR256XTS512', 'CTR128XTS256']
page_offset: 0 # [Optional], Page offset, Page offset, IEE_REG0PO value
key1: '0x000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F' # [Required], AES-XTS key1 / AES-CTR key, AES key for the key blob, size depends on key_size
key2: '0x202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F' # [Required], AES-CTR Counter value or AES-XTS key2, AES key for the key blob, size depends on key_size
start_address: '0x30001000' # [Required], Start address of key blob data, Start address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x30008000' # [Required], End address of key blob data, End address of key blob data, it should be aligned to 1 KB (1024 B)
Fill the configuration file and export the image.
nxpimage iee export iee_template.yaml
OTFAD#
The On-The-Fly AES Decryption (OTFAD) module provides an advanced hardware implementation that minimizes any incremental cycles of latency introduced by the decryption in the overall external memory-access time. It implements a block cipher mode of operation supporting the counter mode (CTR). The CTR mode provides a confidentiality mode that features the application of the forward cipher to a set of input blocks (called counters) to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext and vice versa. The OTFAD engine includes complete hardware support for a standard AES key unwrap mechanism to decrypt a key BLOB data instruction containing the parameters needed for up to 4 unique AES contexts. Each context has a unique 128-bit key, a 64-bit counter, and a 64-bit memory region descriptor.
OTFAD for mimx9352#
OTFAD for mimx9352 JSON schema
OTFAD for mimx9352 YAML configuration template
# =========================================== OTFAD template for mimx9352 ============================================
# ======================================================================================================================
# == OTFAD for mimx9352 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, a1, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
OTFAD for mimxrt1010#
OTFAD for mimxrt1010 JSON schema
OTFAD for mimxrt1010 YAML configuration template
# ========================================== OTFAD template for mimxrt1010 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1010 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1165#
OTFAD for mimxrt1165 JSON schema
OTFAD for mimxrt1165 YAML configuration template
# ========================================== OTFAD template for mimxrt1165 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1165 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1166#
OTFAD for mimxrt1166 JSON schema
OTFAD for mimxrt1166 YAML configuration template
# ========================================== OTFAD template for mimxrt1166 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1166 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1171#
OTFAD for mimxrt1171 JSON schema
OTFAD for mimxrt1171 YAML configuration template
# ========================================== OTFAD template for mimxrt1171 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1171 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1172#
OTFAD for mimxrt1172 JSON schema
OTFAD for mimxrt1172 YAML configuration template
# ========================================== OTFAD template for mimxrt1172 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1172 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1173#
OTFAD for mimxrt1173 JSON schema
OTFAD for mimxrt1173 YAML configuration template
# ========================================== OTFAD template for mimxrt1173 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1173 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1175#
OTFAD for mimxrt1175 JSON schema
OTFAD for mimxrt1175 YAML configuration template
# ========================================== OTFAD template for mimxrt1175 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1175 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1176#
OTFAD for mimxrt1176 JSON schema
OTFAD for mimxrt1176 YAML configuration template
# ========================================== OTFAD template for mimxrt1176 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1176 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1181#
OTFAD for mimxrt1181 JSON schema
OTFAD for mimxrt1181 YAML configuration template
# ========================================== OTFAD template for mimxrt1181 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1181 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1182#
OTFAD for mimxrt1182 JSON schema
OTFAD for mimxrt1182 YAML configuration template
# ========================================== OTFAD template for mimxrt1182 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1182 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1187#
OTFAD for mimxrt1187 JSON schema
OTFAD for mimxrt1187 YAML configuration template
# ========================================== OTFAD template for mimxrt1187 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1187 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt1189#
OTFAD for mimxrt1189 JSON schema
OTFAD for mimxrt1189 YAML configuration template
# ========================================== OTFAD template for mimxrt1189 ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt1189 ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
key_scramble:
# ----------------------------------------===== Key Scramble [Required] =====-----------------------------------------
# Description: OTFAD Key Scramble mask (4 bytes size)
key_scramble_mask: '0x12345678'
# -------------------------------------===== Key Scramble Align [Required] =====--------------------------------------
# Description: OTFAD Key scramble mask align (1 byte size)
key_scramble_align: '0x72'
OTFAD for mimxrt533s#
OTFAD for mimxrt533s JSON schema
OTFAD for mimxrt533s YAML configuration template
# ========================================== OTFAD template for mimxrt533s ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt533s ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
OTFAD for mimxrt555s#
OTFAD for mimxrt555s JSON schema
OTFAD for mimxrt555s YAML configuration template
# ========================================== OTFAD template for mimxrt555s ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt555s ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
OTFAD for mimxrt595s#
OTFAD for mimxrt595s JSON schema
OTFAD for mimxrt595s YAML configuration template
# ========================================== OTFAD template for mimxrt595s ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt595s ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
OTFAD for mimxrt685s#
OTFAD for mimxrt685s JSON schema
OTFAD for mimxrt685s YAML configuration template
# ========================================== OTFAD template for mimxrt685s ===========================================
# ======================================================================================================================
# == OTFAD for mimxrt685s ==
# ======================================================================================================================
# -------------------------------------===== The chip family name [Required] =====--------------------------------------
# Description: NXP chip family identifier.
# Possible options: <mimx9352, mimxrt1010, mimxrt1165, mimxrt1166, mimxrt1171, mimxrt1172, mimxrt1173, mimxrt1175,
# mimxrt1176, mimxrt1181, mimxrt1182, mimxrt1187, mimxrt1189, mimxrt533s, mimxrt555s, mimxrt595s, mimxrt685s>
family: CHOOSE_FROM_TABLE
# -----------------------------------------===== MCU revision [Optional] =====------------------------------------------
# Description: Revision of silicon. The 'latest' name, means most current revision.
# Possible options: <a0, b0, latest>
revision: latest
# --------------------------------------===== OTFAD output folder [Required] =====--------------------------------------
# Description: Path to directory where the OTFAD output will be generated
output_folder: otfad_output
# ---------------------------------===== Output binary image file name [Optional] =====---------------------------------
# Description: Filename of the output image containing keyblobs and encrypted data blobs without file extension (.bin
# will be appended)
output_name: otfad_whole_image
# ---------------------------------------===== Keyblob file name [Optional] =====---------------------------------------
# Description: Filename of the keyblob without file extension (.bin will be appended)
keyblob_name: OTFAD_Table
# ----------------------------------------===== Encrypted name [Optional] =====-----------------------------------------
# Description: filename of the encrypted datablobs without file extension (.bin will be appended)
encrypted_name: encrypted_blob
# --------------------------------------===== Generate readme.txt [Optional] =====--------------------------------------
# Description: Readme file contains information about image layout
generate_readme: true
# ----------------------------------------------===== KEK [Required] =====----------------------------------------------
# Description: OTFAD Key Encryption Key to encrypt OTFAD table. Might be provided as a path to binary file containing
# KEK or as a string or number
kek: my_secret_kek.bin
# ---------------------------------===== OTFAD key blobs table address [Required] =====---------------------------------
# Description: The base address of key blob table, it should be aligned to 1 KB (1024 B)
otfad_table_address: '0x08000000'
# ----------------------------------------===== Data blobs list [Optional] =====----------------------------------------
# Description: List of all data blobs included in this key blob
data_blobs:
-
# -----------------------------------===== Plain Text data blob [Required] =====------------------------------------
# Description: Path to binary file with plain text data to be encrypted if desired
data: my_data.bin
# -------------------------------------===== Data blob address [Required] =====-------------------------------------
# Description: Data blob address, it could be omitted if data blob starts at start_address
address: '0x08001000'
# --------------------------------===== List of Key Blobs used by OTFAD [Required] =====--------------------------------
# Description: The list of definition of individual key blobs including plain data. Add other array items as you need
# and device allows
key_blobs:
-
# ------------------------------------------===== AES key [Required] =====------------------------------------------
# Description: AES key for the key blob
aes_key: '0xB1A0C56AF31E98CD6936A79D9E6F829D'
# -------------------------------------===== AES Counter value [Required] =====-------------------------------------
# Description: AES counter value for the key blob
aes_ctr: '0x5689fab8b4bfb264'
# ------------------------------===== Start address of key blob data [Required] =====-------------------------------
# Description: Start address of key blob data, it should be aligned to 1 KB (1024 B)
start_address: '0x08001000'
# -------------------------------===== End address of key blob data [Required] =====--------------------------------
# Description: End address of key blob data, it should be aligned to 1 KB (1024 B)
end_address: '0x08010000'
# --------------------------------===== AES decryption enable flag [Optional] =====---------------------------------
# Description: For accesses hitting in a valid context, this bit indicates if the fetched data is to be decrypted or
# simply bypassed
aes_decryption_enable: true
# ----------------------------------------===== Valid flag [Optional] =====-----------------------------------------
# Description: This field signals if the context is valid or not
valid: true
# --------------------------------------===== Read Only flag [Optional] =====---------------------------------------
# Description: This field signals if the context is Read only or not
read_only: true
BEE#
i.MX RT10xx, except i.MX1010, provides an on-the-fly encryption engine called Bus Encryption Engine(BEE) Refer to this application note for more info: AN12852.
BeeNxp#
BeeNxp JSON schema
BeeNxp YAML configuration template
# =================================================== BEE template ===================================================
# ======================================================================================================================
# == BeeNxp ==
# ======================================================================================================================
# ---------------------------------------===== BEE output folder [Required] =====---------------------------------------
# Description: Folder name to store generated BEE output
output_folder: bee_output
# ---------------------------------------===== Input binary file [Required] =====---------------------------------------
# Description: Path to input binary file
input_binary: input_bin.bin
# ------------------------------------===== Output binary file name [Optional] =====------------------------------------
# Description: File name of the encrypted file, output_folder/output_name or full path (.bin will be appended)
output_name: encrypted
# -------------------------===== File name of the exported BEE region headers [Optional] =====--------------------------
# Description: output_folder/header_name or full path + index will be appended (.bin will be appended)
header_name: bee_ehdr
# ---------------------------------------===== Engine selection [Required] =====----------------------------------------
# Description: BEE Engine Selection, engine0, engine1 or both engines
# Possible options: <engine0, engine1, both>
engine_selection: engine0
# -------------------------------------===== Engine Key selection [Required] =====--------------------------------------
# Description: Random Key or Zero key
# Possible options: <random, zero>
engine_key_selection: random
# -----------------------------------===== Base address of the image [Required] =====-----------------------------------
# Description: Base address of the image
base_address: '0x60001000'
# ------------------------------------------===== Bee engines [Required] =====------------------------------------------
# Description: Configuration of BEE engines
bee_engine:
-
# ====================================================================================================================
# == List of possible 2 options. ==
# Options [bee_cfg, bee_binary_cfg]
# ====================================================================================================================
# =========================== [Example of possible configuration: #0 , erase if not used] ============================
# BEE engine configuration
bee_cfg:
# ------------------------------------===== User AES-128 key [Required] =====-------------------------------------
# Description: AES key for encryption
user_key: '0x0123456789abcdeffedcba9876543210'
# ------------------------------------===== Protected region [Optional] =====-------------------------------------
# Description: List of protected regions, up to four regions
protected_region:
-
# --------------------------===== Start address of protected region [Required] =====--------------------------
# Description: Start address of protected region, it should be aligned to 1 KB (1024 B)
start_address: '0x60001000'
# -----------------------------===== Length of protected region [Required] =====------------------------------
# Description: Length of protected region, it should be aligned to 1 KB (1024 B)
length: '0x4400'
# -----------------------------------===== Protected level [Required] =====-----------------------------------
# Description: Protected level (0/1/2/3), 0 is default
protected_level: 0
# =========================== [Example of possible configuration: #1 , erase if not used] ============================
# BEE engine configuration with binary header
bee_binary_cfg:
# -------------------------------------===== BEE header path [Required] =====-------------------------------------
# Description: Path to the existing BEE header in binary form
header_path: bee_ehdr0.bin
# ------------------------------------===== User AES-128 key [Required] =====-------------------------------------
# Description: AES key that was used for header encryption
user_key: '0x0123456789abcdeffedcba9876543210'