MCUXpresso Secure Provisioning v3 Now Available


petrstruzka
NXP Employee

Features

  • Support for i.MX
    • RT1015, RT1020, RT1024, RT1050, RT1060 and RT1064
    • RT117x
    • RT5xx and RT6xx
  • Support for LPC
    • LPC55S6x, LPC55S2x, LPC55S1x and LPC55S0x
  • Conversion of ELF executables, SREC and raw binaries into bootable image files
  • Generation and management of keys, signatures and certificates associated with the image
  • Connectivity to the target via UART or USB-HID
  • Writing FlexSPI NOR, SEMC NAND or SD card boot device including configuration of the boot device parameters
  • Use of DCD configuration enabling booting into SDRAM images
  • Programming customizable eFuses per image and use case requirements
  • Optional generation of batch scripts usable later without the GUI
  • Streamlined operation for general users
  • Manufacturing tool with support of parallel execution

Downloads

Revision History

3.0

  • Added support for i.MX RT117x: Unsigned and Signed modes
  • Added support for i.MX RT5xx/RT6xx: Unsigned/CRC/Signed boot modes
  • Added support for PRINCE Encryption for LPC55Sx processors
  • Added support for OTP Configuration
  • Added support for Manufacturing Tool
  • LPC55Sx: CMPA/CFPA.bin files generated using PFR tool; CMPA/CFPA.json used as an input
  • LPC55Sx: fixed the initial version of CFPA for Signed boot mode (0x02000_0000 to 0x0000_0002)
  • i.MX RT10xx/RT11xx: added support for restricted data
  • RT5xx/RT6xx: ability to use Shadow registers instead of using FUSEs
  • Added support for Ubuntu 20.04
  • blhost and sdphost utilities replaced with SPSDK alternatives; added new CLI utilities pfr, nxpkeygen and nxpdebugmbox (Debug Authentication) in tools/spsdk

Known problems and limitations

  • General
    • On Windows, make sure the Windows FIND utility is found first on the PATH (GNU findutils could break the functionality).
    • On Linux, the USB and/or serial device files have to be readable and writable by the current user. The resources/udev/99-secure-provisioning.rules file, installed into /etc/udev/rules.d/99-secure-provisioning.rules, solves this issue. The user's machine may have a conflicting rule with higher priority. In case of conflict, update the conflicting rule or give this rule file higher priority by renaming it with a lower number at the beginning.
    • The application has to be installed into a location where the user has write access.
    • The workspace path cannot contain spaces.

    • By default, Secure Provisioning Tool does not burn all possible security features that are available. Only those required by the selected boot type are configured. The rest can be configured in OTP Configuration.

    • HTML documentation: the Search and Contents menus do not work in Firefox version 68 and later. The workaround is to use a different browser, or to set privacy.file_unique_origin=false on the Firefox about:config page and then restart the browser.
  • Windows

    • The workspace cannot be placed on a different disk drive letter than the one the application is installed on.

  • Mac OS X
    • Fields with invalid input are marked with a red background color. Fixing the value might not update the background color correctly; the focus must be moved to another field for a correct repaint.
  • LPC Signed Boot Type:

    • Write scripts require the cmpa.bin and cfpa.bin files to exist on the disk; on the CLI it is necessary to manually modify the write script or call the generate_pfr command to create them.
    • SBKEK keys are currently NOT supported by the Import/Export command. It is recommended to back up and restore the gen_scripts/sbkek.bin and gen_scripts/sbkek.txt files manually.
  • LPC Key Store

    • The key-store is initialized only once in the device life cycle, and after that the SBKEK cannot be changed. Details are described in the documentation.

  • LPC/RTxxx Trust Zone

    • Configuration of Trust Zone is not supported for Unsigned images.

  • i.MX RT1024

    • The SD card boot device is currently not supported for the MIMXRT1024-EVK board due to a limitation in FlashLoader.

  • i.MX RT10xx GPx fuse lock

    • The lock for the GPx fuse provided in previous versions was removed in V3, as the lock is not required for a bootable image. However, it is still recommended to lock the fuse; see `OTP Configuration` (on the write tab).

  • i.MX RT11xx

    • If "lock after write" is selected in OTP Configuration, the write script will always burn all user requirements, because the "lock" status cannot be detected from the processor.

  • i.MX RT1015-EVK / Mac OS X

    • OpenSDA does not work on Mac OS X when the device has HAB enabled and the UART port is used for communication. Either USB HID communication should be used, or the OpenSDA must be disconnected from the RX and TX pins (jumpers J45 and J46) and the device must be programmed via an external USB to serial converter (3.3V).