MCUXpresso Secure Provisioning v2 Now Available


NXP Employee


  • Support for i.MX
    • RT1020, RT1050, RT1060 and RT1064
  • Support for LPC
    • LPC55S6x, LPC55S2x and LPC55S1x
  • Unsigned, HAB signed and HAB encrypted Secure Boot modes
  • Conversion of ELF executables, SREC and raw binaries into bootable image files
  • Generation and management of keys, signatures and certificates associated with the image
  • Connectivity to the target via UART or USB-HID
  • Writing FlexSPI NOR or SD card boot device including configuration of the boot device parameters
  • Use of DCD configuration enabling booting into SDRAM images
  • Programming eFuses per image and use case requirements
  • Optional generation of batch scripts usable later without the GUI
  • Streamlined operation for general users




Revision History

  • 2.0
    • Added support for i.MX RT1020 and i.MX RT1064
    • Added support for LPC55S6x, LPC55S2x and LPC55S1x
      • Unsigned, Unsigned CRC and Signed boot modes
      • TrustZone support (bin + json)
      • Key Management – Secure Boot, Generation of ROT keys
    • BEE boot for i.MX RT10xx
      • OTPMK
      • SW-GP2/GP4
    • Import/Export Keys between workspaces
    • Improved connection dialog: it supports UART test connection, improved processor detection and detection of fuse status
  • 1.0.1
    • Added support for Mac OS X Catalina (10.15) and Ubuntu 18.04
    • Fixed termination of sub-processes of long-running tasks.
  • 1.0
    • Initial version

Known problems and limitations

  • General
    • On Windows, make sure the Windows FIND utility is found first on the PATH (GNU findutils could break the functionality).
    • On Linux, the USB and/or serial device files have to be readable and writable by the current user. The file resources/udev/99-secure-provisioning.rules, installed into /etc/udev/rules.d/99-secure-provisioning.rules, solves this issue. The user's machine may have a conflicting rule with higher priority. In case of conflict, update the conflicting rule or give this rule file higher priority by renaming it with a lower number at the beginning.
    • The application has to be installed into a location where the user has write access.
    • The workspace path cannot contain spaces.

    • Secure Provisioning Tool does not burn all possible security features that are available. Only those required by the selected boot type are configured.

  • Mac OS X

    • Closing the application using the App Menu "securep | Quit securep" doesn't save the workspace settings. Either save the settings using the menu "File | Save Settings", or use "File | Exit" or the Close button on the title bar, which save the workspace settings automatically.

    • Selecting the wrong UART in the connection dialog may cause the test connection operation to take too long and hang. Killing the sdphost and blhost processes will shorten the dialog freeze.

  • Windows

    • The workspace cannot be placed on a different disk drive letter than the one where the application is installed.

  • i.MX RT10xx

    • BT_FUSE_SEL is not burned, so the boot device is based on the corresponding GPIO pins.

    • Parameter "enable_encrypted_XIP" in the write script is not properly supported and might not work; this feature is not used in the GUI.

  • LPC Signed Boot Type

    • Write requires keys to be selected on the Build tab

    • The confirmation dialog for enabling security is displayed even if security is already enabled

    • Write scripts require that the cmpa.bin and cfpa.bin files exist on the disk; on the CLI it is necessary to manually modify the write script to create them

  • LPC TrustZone

    • The CLI does not allow setting or overriding the TrustZone settings. If TrustZone has to be configured and applied in the CLI, the workspace has to be configured with TrustZone settings in the GUI in advance.
    • Configuration of TrustZone is not supported for an Unsigned image