MCUXpresso Secure Provisioning v3.1 Now Available


petrstruzka
NXP Employee

Features

  • Support for i.MX
    • RT1010, RT1015, RT1020, RT1024, RT1050, RT1060 and RT1064
    • RT1171, RT1172, RT1173, RT1175, RT1176, RT1165, RT1166
    • RT595S, RT555S, RT533S, RT685S, RT633S
  • Support for LPC
    • LPC55S6x, LPC55S2x, LPC55S1x and LPC55S0x
  • Conversion of ELF executables, SREC, HEX and raw binaries into bootable image files
  • Generation and management of keys, signatures and certificates associated with the image
  • Connectivity to the target via UART or USB-HID
  • Writing FlexSPI NOR, SEMC NAND or SD card boot device including configuration of the boot device parameters
  • Use of DCD configuration enabling booting into SDRAM images
  • Programming customizable eFuses per image and use case requirements
  • Optional generation of batch scripts usable later without the GUI
  • Streamlined operation for general users
  • Manufacturing tool with support of parallel execution

Downloads

Revision History

3.1

  • Support for Microsoft(R) Windows(R) 7 dropped
  • Added support for Mac OS X Big Sur (version 11)
  • Added support for i.MX RT1171, RT1172, RT1173, RT1175, RT1165, RT1166
  • CLI command `write_fuses` removed; it was replaced by OTP Configuration
  • [LPC] CLI command `clear-security` marked deprecated; the code is now part of the unsigned write script
  • [LPC] Added support for PFR Configuration GUI
  • [LPC] Added support for PRINCE encryption of 'Whole Image' without the need to enter an exact address range
  • [RTxxx, RT11xx] Added support for OTFAD encryption
  • Added support for i.MX RT1010: Unsigned and Authenticated (HAB) modes

Known problems and limitations

  • General
    • The application has to be installed into a location where the user has write access.
    • The workspace path cannot contain spaces.
    • By default, Secure Provisioning Tool does not burn all possible security features that are available. Only those required by the selected boot type are configured. The rest can be configured in OTP Configuration.
    • HTML documentation: the Search and Contents menus do not work in Firefox version 68 and later. The workaround is to use a different browser, or to set `privacy.file_unique_origin=false` on the Firefox about:config page and then restart the browser.
  • Windows
    • On Windows, make sure the Windows FIND utility is found first on the PATH (GNU findutils could break the functionality).
    • The workspace cannot be placed on a different drive letter than the one where the application is installed.
  • Linux
    • On Linux, the USB and/or serial device files have to be readable and writable by the current user. The file resources/udev/99-secure-provisioning.rules, installed into /etc/udev/rules.d/99-secure-provisioning.rules, solves this issue. A conflicting rule with higher priority may exist on the user's machine. In case of a conflict, update the conflicting rule or give this rule file higher priority by renaming it with a lower number at the beginning.
  • Mac OS X
    • Fields with invalid input are marked with a red background. Fixing the value might not change the background color correctly; the focus must be moved to another field for a correct repaint.
  • i.MX RTxxx
    • Repeated writes to QSPI flash might fail if the board is not reset; see the RTxxx Device Workflow/Booting Images chapters of the documentation.
  • i.MX RTxxx/OTFAD with Security Enabled
    • After the fuses are burnt into an empty chip, a hard reset of the processor is needed to apply the fuse values before the SB file is uploaded. So the first execution of the write script fails, and after a hard reset the write script must be run again. This issue is not reproducible with shadow registers. This limitation is planned to be addressed in the next release.
  • LPC/RTxxx Trust Zone
    • Configuration of Trust Zone is not supported for Unsigned images.
  • i.MX RT1024
    • The SD card boot device is currently not supported for the MIMXRT1024-EVK board due to a limitation in FlashLoader.
  • i.MX RT1015-EVK / Mac OS X / UART
    • OpenSDA does not work on Mac OS X when the device has HAB enabled and the UART port is used for communication. Either USB HID communication should be used, or OpenSDA must be disconnected from the RX and TX pins (jumpers J45 and J46) and the device must be programmed via an external USB-to-serial converter (3.3V).
  • i.MX RT1060-EVK / Mac OS X / UART
    • For communication over UART on Mac OS X, the J44 jumper (SDA_RST_TGTMCU) must be opened.
  • i.MX RT11xx
    • If "lock after write" is selected in OTP Configuration, the write script will always burn all user requirements, because the "lock" status cannot be detected from the processor.