FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

mcuboot: using SNVS Master Key for EXIP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

mcuboot: using SNVS Master Key for EXIP

4 weeks ago
794 Views
mastupristi
Senior Contributor I

Hi,

I use SDK 25.06.00, RT1020-EVK, and I tried mcuboot_opensource and ota_mcuboot_basic examples.

I tried the example as it is and it works. Then I added #define CONFIG_ENCRYPT_XIP_EXT_ENABLE and #define ENCRYPTED_XIP_BEE in sblconfig.h, and it still works using BEE with the SW key to decrypt the image.

Then, on the RT1020-EVK I wrote 0b10 to BEE_KEY1_SEL (fuse addr 0x460[15:14]) to select SNVS Master Key for BEE Region1 instead of the SW Key. And it doesn't work:

hello sbl.
Bootloader Version 2.1.0
Primary   slot: version=1.1.0+0
Image 0 Secondary slot: Image not found
writing copy_done; fa_id=0 off=0x1fffe0 (0x43ffe0)
Image 0 loaded from the primary slot

Starting post-bootloader process of encrypted image...
Referenced image is located in the primary slot
Decrypting and loading the MCUBOOT AES-CTR key for staged image...
AES-CTR key loaded
Checking the execution slot...
No valid image found in staging area...
Preparing execution slot for new image
On-the-fly decryption initialization completed
Installing new image into execution slot from staged area...

Re-encrypting staged image to execution slot...
processed 41668/41668 bytes 
Loading image successful
Image verification failed
verify_image failed
Failed to process encrypted image. Please reboot...

 

The image was built using:

python3 imgtool.py sign \
	--key sign-rsa2048-priv.pem \
        --align 4 \
	--header-size 0x400 \
	--pad-header \
	--slot-size 0x200000 \
	--max-sectors 800 \
	-E enc-rsa2048-pub.pem \
	--encrypt-keylen 128 \
	--pad \
	--version "1.1" \
        evkmimxrt1020_ota_mcuboot_basic.bin \
	ota_sign_padded.bin

 

I attached my projects

Where am I wrong?

 

best regards

Max

Exip_example_with_unique_key.tar.gz
0 Kudos
Reply
7 Replies

4 weeks ago
722 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @mastupristi ,

 

I think the following method should be used for your case, since SNVS master key is provisioned by NXP and only the DCP module inside can access it, so you have to re-encrypt the image by the boot loader. 

Kan_Li_0-1761812227387.png

Please kindly refer to https://github.com/nxp-mcuxpresso/mcuxsdk-examples/blob/release/25.06.00/ota_examples/_doc/encrypted... for more details.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply

4 weeks ago
712 Views
mastupristi
Senior Contributor I

Hi @Kan_Li 

Do you think I didn't follow the documentation when doing this?

Let's do this: try to get the board working in E-XIP yourself with a micro on which you have written 0b10 in the BEE_KEY1_SEL fuses.

 

But in the meantime, I want to explain what I do in more detail.

 

spoiler: I have 3 different cases:

  1. the examples works out of the box
  2. the examples works following the documentation to enable E-XIP with SW key
  3. the example does not work any more after fusing 0b10 to BEE_KEY1_SEL to select OTPMK instead of SW key

 

On RT1020-EVK, and I tried mcuboot_opensource and ota_mcuboot_basic examples provided by SDK 25.06.00.

As I said in a previous mail, I was able to successfully run the examples as is. After flashing the bootloader itself, I wrote an image to the secondary slot. The image was only signed (using the instrucion of the example https://github.com/nxp-mcuxpresso/mcuxsdk-examples/blob/release/25.06.00/ota_examples/mcuboot_openso...), and the bootloader validated it, copied it to the primary slot, and executed it successfully.

Then I wanted to try the Encrypted XIP feature. And for this too, I followed the instructions in the documentation (https://github.com/nxp-mcuxpresso/mcuxsdk-examples/blob/release/25.06.00/ota_examples/_doc/encrypted...). I only added this two defines in the bootloader:
#define CONFIG_ENCRYPT_XIP_EXT_ENABLE
#define ENCRYPTED_XIP_BEE

And I built the image adding encryption, indeed enabling CONFIG_ENCRYPT_XIP_EXT_ENABLE also enable CONFIG_BOOT_ENCRYPT_RSA (see https://github.com/nxp-mcuxpresso/mcuboot/blob/mcux_main/boot/nxp_mcux_sdk/include/mcuboot_config/mc...)

And it worked again.


But it is using the SW key as explained in the code (https://github.com/nxp-mcuxpresso/mcuboot/blob/mcux_main/boot/nxp_mcux_sdk/encrypted_xip/src/encrypt...). So I burned 0b10 to BEE_KEY1_SEL fuse to enable OTPMK instead of SW key, leaving bootloader and ota_mcuboot_basic untouched.

I flashed the image of ota in secondary slot, the bootloader validates it and write the primary slot, as done in the previous test, but at this point the image is not valid anymore:

here is the the serial log:

hello sbl.
Bootloader Version 2.1.0
Primary slot: version=1.1.0+0
Image 0 Secondary slot: Image not found
writing copy_done; fa_id=0 off=0x1fffe0 (0x43ffe0)
Image 0 loaded from the primary slot

Starting post-bootloader process of encrypted image...
Referenced image is located in the primary slot
Decrypting and loading the MCUBOOT AES-CTR key for staged image...
AES-CTR key loaded
Checking the execution slot...
No valid image found in staging area...
Preparing execution slot for new image
On-the-fly decryption initialization completed
Installing new image into execution slot from staged area...

Re-encrypting staged image to execution slot...
processed 41668/41668 bytes
Loading image successful
Image verification failed
verify_image failed
Failed to process encrypted image. Please reboot...

 

I also thought that the problem might be related to the algorithm for obtaining the counter from the nonce.
In fact, we found conflicting information in the documentation and code. We have always understood that to obtain the counter, the upper 96 bits of the nonce are taken, and the 4-bit shifted address is placed in the lower 32 bits.
This is confirmed by the code (https://github.com/nxp-mcuxpresso/mcuboot/blob/mcux_main/boot/nxp_mcux_sdk/encrypted_xip/src/encrypt...), but also in the documentation:

mastupristi_3-1761813824405.png

 

However, in another part of the documentation, we found this:

mastupristi_4-1761813842698.png

I wonder if this algorithm is used exclusively when OTPMK is used.


Otherwise, can you help us understand where we are going wrong?

 

regards

 

Max

0 Kudos
Reply

2 weeks ago
404 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @mastupristi ,

 

There is some feedback from the expert, please kindly refer to the following for details.

 wonder if this algorithm is used exclusively when OTPMK is used.

[JY]Whatever you use OTPMK and SW key, BEE uses this algorithm for both.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

4 weeks ago
762 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @mastupristi ,

 

By default SNVS Master Key is the OTP master key which is provisioned by NXP out of factory, so did you encrypt the app image again with this key before downloading into region 1 on your device?  Please kindly clarify. 

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2 weeks ago
373 Views
mastupristi
Senior Contributor I

Hi @Kan_Li ,

I replied to you privately.

 

regards

0 Kudos
Reply

3 weeks ago
604 Views
mastupristi
Senior Contributor I

@Kan_Li 

so did you encrypt the app image again with this key before downloading into region 1 on your device?

Of course. I thought I had already made this point abundantly clear in previous posts.. As you surely know, it is made by the code provided by NXP:

https://github.com/nxp-mcuxpresso/mcuboot/blob/mcux_main/boot/nxp_mcux_sdk/encrypted_xip/src/encrypt...

mastupristi_0-1762341936310.png

 

You will also have noticed the lines of the serial trace, which should prove beyond doubt that the image is being re-encrypted:


hello sbl.
Bootloader Version 2.1.0
Primary slot: version=1.1.0+0
Image 0 Secondary slot: Image not found
writing copy_done; fa_id=0 off=0x1fffe0 (0x43ffe0)
Image 0 loaded from the primary slot

Starting post-bootloader process of encrypted image...
Referenced image is located in the primary slot
Decrypting and loading the MCUBOOT AES-CTR key for staged image...
AES-CTR key loaded
Checking the execution slot...
No valid image found in staging area...
Preparing execution slot for new image
On-the-fly decryption initialization completed
Installing new image into execution slot from staged area...

Re-encrypting staged image to execution slot...
processed 41668/41668 bytes
Loading image successful
Image verification failed
verify_image failed
Failed to process encrypted image. Please reboot...

 

I hope that this time I have dispelled all reasonable (and even unreasonable) doubts, so that we can finally get to a solution.

 

regards

Max

0 Kudos
Reply

4 weeks ago
747 Views
mastupristi
Senior Contributor I

Hi @Kan_Li 

Thank you for your reply, but I’m afraid your question doesn’t make much sense in the context of the documented NXP workflow.

If you had taken the time to read my message carefully (and NXP’s own documentation, for that matter), you would have noticed that I’m exactly following the official SDK and MCUBoot integration procedure for encrypted XIP with BEE.

I clearly stated that:

  • The example works perfectly with CONFIG_ENCRYPT_XIP_EXT_ENABLE and ENCRYPTED_XIP_BEE using the software key.
  • The issue appears only after switching the fuse BEE_KEY1_SEL[15:14] to 0b10 (SNVS Master Key), while keeping everything else identical.
  • The image was built with the official imgtool.py command line, which I also included in full detail.

Therefore, asking whether I “encrypted the app image again with this key” is meaningless — the SNVS Master Key is not accessible to the user, by definition, and your own documentation explicitly states that the hardware AES engine uses it internally when the key select bits are set to 0b10.
So the question should not be whether I “re-encrypted” the image, but rather why is someone making mistakes in the encryption chain between DCP and BEE?

If you’re unsure how BEE interacts with the SNVS Master Key path, I’d kindly suggest you review the official documentation before replying, because at this point it seems you’ve missed the core of the issue.

In any case, you also have my projects, and as you can see for yourself, they have minimal changes, which are described in the documentation.

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2194423%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3Emcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194423%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20use%20SDK%2025.06.00%2C%20RT1020-EVK%2C%20and%26nbsp%3BI%20tried%20mcuboot_opensource%20and%20ota_mcuboot_basic%20examples.%3C%2FP%3E%3CP%3EI%20tried%20the%20example%20as%20it%20is%20and%20it%20works.%20Then%20I%20added%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3E%23define%20CONFIG_ENCRYPT_XIP_EXT_ENABLE%3C%2FFONT%3E%20and%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3E%23define%20ENCRYPTED_XIP_BEE%3C%2FFONT%3E%20in%20sblconfig.h%2C%20and%20it%20still%20works%20using%20BEE%20with%20the%20SW%20key%20to%20decrypt%20the%20image.%3C%2FP%3E%3CP%3EThen%2C%20on%20the%20RT1020-EVK%20I%20wrote%200b10%20to%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EBEE_KEY1_SEL%3C%2FFONT%3E%20(fuse%20addr%200x460%5B15%3A14%5D)%20to%20select%26nbsp%3BSNVS%20Master%20Key%20for%20BEE%20Region1%20instead%20of%20the%20SW%20Key.%20And%20it%20doesn't%20work%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Ehello%20sbl.%0ABootloader%20Version%202.1.0%0APrimary%20%20%20slot%3A%20version%3D1.1.0%2B0%0AImage%200%20Secondary%20slot%3A%20Image%20not%20found%0Awriting%20copy_done%3B%20fa_id%3D0%20off%3D0x1fffe0%20(0x43ffe0)%0AImage%200%20loaded%20from%20the%20primary%20slot%0A%0AStarting%20post-bootloader%20process%20of%20encrypted%20image...%0AReferenced%20image%20is%20located%20in%20the%20primary%20slot%0ADecrypting%20and%20loading%20the%20MCUBOOT%20AES-CTR%20key%20for%20staged%20image...%0AAES-CTR%20key%20loaded%0AChecking%20the%20execution%20slot...%0ANo%20valid%20image%20found%20in%20staging%20area...%0APreparing%20execution%20slot%20for%20new%20image%0AOn-the-fly%20decryption%20initialization%20completed%0AInstalling%20new%20image%20into%20execution%20slot%20from%20staged%20area...%0A%0ARe-encrypting%20staged%20image%20to%20execution%20slot...%0Aprocessed%2041668%2F41668%20bytes%20%0ALoading%20image%20successful%0AImage%20verification%20failed%0Averify_image%20failed%0AFailed%20to%20process%20encrypted%20image.%20Please%20reboot...%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EThe%20image%20was%20built%20using%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Epython3%20imgtool.py%20sign%20%5C%0A%09--key%20sign-rsa2048-priv.pem%20%5C%0A%20%20%20%20%20%20%20%20--align%204%20%5C%0A%09--header-size%200x400%20%5C%0A%09--pad-header%20%5C%0A%09--slot-size%200x200000%20%5C%0A%09--max-sectors%20800%20%5C%0A%09-E%20enc-rsa2048-pub.pem%20%5C%0A%09--encrypt-keylen%20128%20%5C%0A%09--pad%20%5C%0A%09--version%20%221.1%22%20%5C%0A%20%20%20%20%20%20%20%20evkmimxrt1020_ota_mcuboot_basic.bin%20%5C%0A%09ota_sign_padded.bin%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EI%20attached%20my%20projects%3C%2FP%3E%3CP%3EWhere%20am%20I%20wrong%3F%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Ebest%20regards%3C%2FP%3E%3CP%3EMax%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2203687%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2203687%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F59276%22%20target%3D%22_blank%22%3E%40Kan_Li%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3EI%20replied%20to%20you%20privately.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eregards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2203091%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2203091%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124967%22%20target%3D%22_blank%22%3E%40mastupristi%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EThere%20is%20some%20feedback%20from%20the%20expert%2C%20please%20kindly%20refer%20to%20the%20following%20for%20details.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3Bwonder%20if%20this%20algorithm%20is%20used%20exclusively%20when%20OTPMK%20is%20used.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3E%3CSPAN%3E%5BJY%5DWhatever%20you%20use%20OTPMK%20and%20SW%20key%2C%20BEE%20uses%20this%20algorithm%20for%20both.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EHave%20a%20great%20day%2C%3CBR%20%2F%3EKan%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E-------------------------------------------------------------------------------%3CBR%20%2F%3ENote%3A%3CBR%20%2F%3E-%20If%20this%20post%20answers%20your%20question%2C%20please%20click%20the%20%22Mark%20Correct%22%20button.%20Thank%20you!%3CBR%20%2F%3E-%20We%20are%20following%20threads%20for%207%20weeks%20after%20the%20last%20post%2C%20later%20replies%20are%20ignored%3CBR%20%2F%3EPlease%20open%20a%20new%20thread%20and%20refer%20to%20the%20closed%20one%2C%20if%20you%20have%20a%20related%20question%20at%20a%20later%20point%20in%20time.%3CBR%20%2F%3E-------------------------------------------------------------------------------%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2199032%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2199032%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F59276%22%20target%3D%22_blank%22%3E%40Kan_Li%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3Eso%20did%20you%20encrypt%20the%20app%20image%20again%20with%20this%20key%20before%20downloading%20into%20region%201%20on%20your%20device%3F%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EOf%20course.%20I%20thought%20I%20had%20already%20made%20this%20point%20abundantly%20clear%20in%20previous%20posts..%20As%20you%20surely%20know%2C%20it%20is%20made%20by%20the%20code%20provided%20by%20NXP%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L313-L317%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L313-L317%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mastupristi_0-1762341936310.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22mastupristi_0-1762341936310.png%22%20style%3D%22width%3A%20341px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F364118i23F796F08B2CC505%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mastupristi_0-1762341936310.png%22%20alt%3D%22mastupristi_0-1762341936310.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EYou%20will%20also%20have%20noticed%20the%20lines%20of%20the%20serial%20trace%2C%20which%20should%20prove%20beyond%20doubt%20that%20the%20image%20is%20being%20re-encrypted%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Ehello%20sbl.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EBootloader%20Version%202.1.0%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EPrimary%20slot%3A%20version%3D1.1.0%2B0%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EImage%200%20Secondary%20slot%3A%20Image%20not%20found%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Ewriting%20copy_done%3B%20fa_id%3D0%20off%3D0x1fffe0%20(0x43ffe0)%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EImage%200%20loaded%20from%20the%20primary%20slot%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EStarting%20post-bootloader%20process%20of%20encrypted%20image...%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EReferenced%20image%20is%20located%20in%20the%20primary%20slot%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EDecrypting%20and%20loading%20the%20MCUBOOT%20AES-CTR%20key%20for%20staged%20image...%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EAES-CTR%20key%20loaded%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EChecking%20the%20execution%20slot...%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3ENo%20valid%20image%20found%20in%20staging%20area...%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EPreparing%20execution%20slot%20for%20new%20image%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EOn-the-fly%20decryption%20initialization%20completed%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EInstalling%20new%20image%20into%20execution%20slot%20from%20staged%20area...%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23800000%22%3E%3CSTRONG%3ERe-encrypting%20staged%20image%20to%20execution%20slot...%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23800000%22%3E%3CSTRONG%3Eprocessed%2041668%2F41668%20bytes%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23800000%22%3E%3CSTRONG%3ELoading%20image%20successful%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EImage%20verification%20failed%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Everify_image%20failed%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EFailed%20to%20process%20encrypted%20image.%20Please%20reboot...%3C%2FFONT%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CFONT%20face%3D%22arial%2Chelvetica%2Csans-serif%22%3EI%20hope%20that%20this%20time%20I%20have%20dispelled%20all%20reasonable%20(and%20even%20unreasonable)%20doubts%2C%20so%20that%20we%20can%20finally%20get%20to%20a%20solution.%3C%2FFONT%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CFONT%20face%3D%22arial%2Chelvetica%2Csans-serif%22%3Eregards%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20face%3D%22arial%2Chelvetica%2Csans-serif%22%3EMax%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2195650%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2195650%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F59276%22%20target%3D%22_blank%22%3E%40Kan_Li%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20think%20I%20didn't%20follow%20the%20documentation%20when%20doing%20this%3F%3C%2FP%3E%3CP%3ELet's%20do%20this%3A%3CSTRONG%3E%20try%20to%20get%20the%20board%20working%20in%20E-XIP%20yourself%20with%20a%20micro%20on%20which%20you%20have%20written%200b10%20in%20the%20BEE_KEY1_SEL%20fuses.%3C%2FSTRONG%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EBut%20in%20the%20meantime%2C%20I%20want%20to%20explain%20what%20I%20do%20in%20more%20detail.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Espoiler%3A%20I%20have%203%20different%20cases%3A%3C%2FP%3E%3COL%3E%3CLI%3Ethe%20examples%20works%20out%20of%20the%20box%3C%2FLI%3E%3CLI%3Ethe%20examples%20works%20following%20the%20documentation%20to%20enable%20E-XIP%20with%20SW%20key%3C%2FLI%3E%3CLI%3E%3CFONT%20color%3D%22%23800000%22%3Ethe%20example%20does%20not%20work%20any%20more%20after%20fusing%26nbsp%3B0b10%20to%20BEE_KEY1_SEL%20to%20select%20OTPMK%20instead%20of%20SW%20key%3C%2FFONT%3E%3C%2FLI%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3EOn%20RT1020-EVK%2C%20and%20I%20tried%20%3CSTRONG%3Emcuboot_opensource%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Eota_mcuboot_basic%3C%2FSTRONG%3E%20examples%20provided%20by%20%3CSTRONG%3ESDK%2025.06.00.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAs%20I%20said%20in%20a%20previous%20mail%2C%20%3CSTRONG%3EI%20was%20able%20to%20successfully%20run%20the%20examples%20as%20is%3C%2FSTRONG%3E.%20After%20flashing%20the%20bootloader%20itself%2C%20I%20wrote%20an%20image%20to%20the%20secondary%20slot.%20The%20image%20was%20only%20signed%20(using%20the%20instrucion%20of%20the%20example%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2Fmcuboot_opensource%2Freadme.md%23signing-the-application-image%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2Fmcuboot_opensource%2Freadme.md%23signing-the-application-image%3C%2FA%3E)%2C%20and%20the%20bootloader%20validated%20it%2C%20copied%20it%20to%20the%20primary%20slot%2C%20and%20executed%20it%20successfully.%3C%2FP%3E%3CP%3EThen%20I%20wanted%20to%20%3CSTRONG%3Etry%20the%20Encrypted%20XIP%20feature%3C%2FSTRONG%3E.%20And%20for%20this%20too%2C%20I%20followed%20the%20instructions%20in%20the%20documentation%20(%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%235-ota-examples-instructions%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%235-ota-examples-instructions%3C%2FA%3E).%20I%20only%20added%20this%20two%20defines%20in%20the%20bootloader%3A%3CBR%20%2F%3E%23define%20CONFIG_ENCRYPT_XIP_EXT_ENABLE%3CBR%20%2F%3E%23define%20ENCRYPTED_XIP_BEE%3C%2FP%3E%3CP%3EAnd%20I%20built%20the%20image%20adding%20encryption%2C%20indeed%20enabling%20CONFIG_ENCRYPT_XIP_EXT_ENABLE%20also%20enable%20CONFIG_BOOT_ENCRYPT_RSA%20(see%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Finclude%2Fmcuboot_config%2Fmcuboot_config.h%23L79-L82%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Finclude%2Fmcuboot_config%2Fmcuboot_config.h%23L79-L82%3C%2FA%3E)%3C%2FP%3E%3CP%3EAnd%20it%20worked%20again.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EBut%20it%20%3CSTRONG%3Eis%20using%20the%20SW%20key%3C%2FSTRONG%3E%20as%20explained%20in%20the%20code%20(%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L72-L76%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L72-L76%3C%2FA%3E).%20So%20%3CSTRONG%3EI%20burned%200b10%20to%20BEE_KEY1_SEL%20fuse%20to%20enable%20OTPMK%20instead%20of%20SW%20key%3C%2FSTRONG%3E%2C%20leaving%20bootloader%20and%20ota_mcuboot_basic%20untouched.%3C%2FP%3E%3CP%3EI%20flashed%20the%20image%20of%20ota%20in%20secondary%20slot%2C%20the%20bootloader%20validates%20it%20and%20write%20the%20primary%20slot%2C%20as%20done%20in%20the%20previous%20test%2C%20but%20at%20this%20point%20the%20image%20is%20not%20valid%20anymore%3A%3C%2FP%3E%3CP%3Ehere%20is%20the%20the%20serial%20log%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Ehello%20sbl.%0ABootloader%20Version%202.1.0%0APrimary%20slot%3A%20version%3D1.1.0%2B0%0AImage%200%20Secondary%20slot%3A%20Image%20not%20found%0Awriting%20copy_done%3B%20fa_id%3D0%20off%3D0x1fffe0%20(0x43ffe0)%0AImage%200%20loaded%20from%20the%20primary%20slot%0A%0AStarting%20post-bootloader%20process%20of%20encrypted%20image...%0AReferenced%20image%20is%20located%20in%20the%20primary%20slot%0ADecrypting%20and%20loading%20the%20MCUBOOT%20AES-CTR%20key%20for%20staged%20image...%0AAES-CTR%20key%20loaded%0AChecking%20the%20execution%20slot...%0ANo%20valid%20image%20found%20in%20staging%20area...%0APreparing%20execution%20slot%20for%20new%20image%0AOn-the-fly%20decryption%20initialization%20completed%0AInstalling%20new%20image%20into%20execution%20slot%20from%20staged%20area...%0A%0ARe-encrypting%20staged%20image%20to%20execution%20slot...%0Aprocessed%2041668%2F41668%20bytes%0ALoading%20image%20successful%0AImage%20verification%20failed%0Averify_image%20failed%0AFailed%20to%20process%20encrypted%20image.%20Please%20reboot...%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EI%20also%20thought%20that%20the%20problem%20might%20be%20related%20to%20the%20algorithm%20for%20obtaining%20the%20counter%20from%20the%20nonce.%3CBR%20%2F%3EIn%20fact%2C%20%3CSTRONG%3Ewe%20found%20conflicting%20information%20in%20the%20documentation%3C%2FSTRONG%3E%20and%20code.%20We%20have%20always%20understood%20that%20to%20obtain%20the%20counter%2C%20the%20upper%2096%20bits%20of%20the%20nonce%20are%20taken%2C%20and%20the%204-bit%20shifted%20address%20is%20placed%20in%20the%20lower%2032%20bits.%3CBR%20%2F%3EThis%20is%20confirmed%20by%20the%20code%20(%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L800-L801%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuboot%2Fblob%2Fmcux_main%2Fboot%2Fnxp_mcux_sdk%2Fencrypted_xip%2Fsrc%2Fencrypted_xip_platform_bee.c%23L800-L801%3C%2FA%3E)%2C%20but%20also%20in%20the%20documentation%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mastupristi_3-1761813824405.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22mastupristi_3-1761813824405.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F363219i3291D022B39FB7D6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mastupristi_3-1761813824405.png%22%20alt%3D%22mastupristi_3-1761813824405.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EHowever%2C%20in%20another%20part%20of%20the%20documentation%2C%20we%20found%20this%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mastupristi_4-1761813842698.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22mastupristi_4-1761813842698.png%22%20style%3D%22width%3A%20285px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F363220iE093B0171B2F7AF0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mastupristi_4-1761813842698.png%22%20alt%3D%22mastupristi_4-1761813842698.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20wonder%20if%20this%20algorithm%20is%20used%20exclusively%20when%20OTPMK%20is%20used.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EOtherwise%2C%20can%20you%20help%20us%20understand%20where%20we%20are%20going%20wrong%3F%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eregards%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EMax%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2195623%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2195623%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124967%22%20target%3D%22_blank%22%3E%40mastupristi%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EI%20think%20the%20following%20method%20should%20be%20used%20for%20your%20case%2C%20since%20SNVS%20master%20key%20is%20provisioned%20by%20NXP%20and%20only%20the%20DCP%20module%20inside%20can%20access%20it%2C%20so%20you%20have%20to%20re-encrypt%20the%20image%20by%20the%20boot%20loader.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Kan_Li_0-1761812227387.png%22%20style%3D%22width%3A%20596px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22Kan_Li_0-1761812227387.png%22%20style%3D%22width%3A%20596px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F363212iEBAF0DE21154F6AD%2Fimage-dimensions%2F596x334%3Fv%3Dv2%22%20width%3D%22596%22%20height%3D%22334%22%20role%3D%22button%22%20title%3D%22Kan_Li_0-1761812227387.png%22%20alt%3D%22Kan_Li_0-1761812227387.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EPlease%20kindly%20refer%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%2341-bee-bus-encryption-engine%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%2341-bee-bus-encryption-engine%3C%2FA%3E%26nbsp%3Bfor%20more%20details.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EHave%20a%20great%20day%2C%3CBR%20%2F%3EKan%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E-------------------------------------------------------------------------------%3CBR%20%2F%3ENote%3A%3CBR%20%2F%3E-%20If%20this%20post%20answers%20your%20question%2C%20please%20click%20the%20%22Mark%20Correct%22%20button.%20Thank%20you!%3CBR%20%2F%3E-%20We%20are%20following%20threads%20for%207%20weeks%20after%20the%20last%20post%2C%20later%20replies%20are%20ignored%3CBR%20%2F%3EPlease%20open%20a%20new%20thread%20and%20refer%20to%20the%20closed%20one%2C%20if%20you%20have%20a%20related%20question%20at%20a%20later%20point%20in%20time.%3CBR%20%2F%3E-------------------------------------------------------------------------------%3C%2FP%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194913%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194913%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F59276%22%20target%3D%22_blank%22%3E%40Kan_Li%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20reply%2C%20but%20I%E2%80%99m%20afraid%20your%20question%20doesn%E2%80%99t%20make%20much%20sense%20in%20the%20context%20of%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%235-ota-examples-instructions%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Edocumented%20NXP%20workflow%3C%2FA%3E.%3C%2FP%3E%3CP%3EIf%20you%20had%20taken%20the%20time%20to%20read%20my%20message%20carefully%20(and%20NXP%E2%80%99s%20own%20documentation%2C%20for%20that%20matter)%2C%20you%20would%20have%20noticed%20that%20I%E2%80%99m%20exactly%20following%20the%20official%20SDK%20and%20MCUBoot%20integration%20procedure%20for%20encrypted%20XIP%20with%20BEE.%3C%2FP%3E%3CP%3EI%20clearly%20stated%20that%3A%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20example%20works%20perfectly%20with%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3ECONFIG_ENCRYPT_XIP_EXT_ENABLE%3C%2FFONT%3E%20and%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EENCRYPTED_XIP_BEE%3C%2FFONT%3E%20using%20the%20software%20key.%3C%2FLI%3E%3CLI%3EThe%20issue%20appears%20only%20after%20switching%20the%20fuse%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EBEE_KEY1_SEL%5B15%3A14%5D%3C%2FFONT%3E%20to%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3E0b10%3C%2FFONT%3E%20(SNVS%20Master%20Key)%2C%20while%20keeping%20everything%20else%20identical.%3C%2FLI%3E%3CLI%3EThe%20image%20was%20built%20with%20the%20official%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Eimgtool.py%3C%2FFONT%3E%20command%20line%2C%20which%20I%20also%20included%20in%20full%20detail.%3C%2FLI%3E%3C%2FUL%3E%3CP%3ETherefore%2C%20asking%20whether%20I%20%E2%80%9Cencrypted%20the%20app%20image%20again%20with%20this%20key%E2%80%9D%20is%20meaningless%20%E2%80%94%20the%20SNVS%20Master%20Key%20is%20not%20accessible%20to%20the%20user%2C%20by%20definition%2C%20and%20your%20own%20documentation%20explicitly%20states%20that%20the%20hardware%20AES%20engine%20uses%20it%20internally%20when%20the%20key%20select%20bits%20are%20set%20to%200b10.%3CBR%20%2F%3ESo%20the%20question%20should%20not%20be%20whether%20I%20%E2%80%9Cre-encrypted%E2%80%9D%20the%20image%2C%20but%20rather%20why%20is%20someone%20making%20mistakes%20in%20the%20encryption%20chain%20between%20DCP%20and%20BEE%3F%3C%2FP%3E%3CP%3EIf%20you%E2%80%99re%20unsure%20how%20BEE%20interacts%20with%20the%20SNVS%20Master%20Key%20path%2C%20I%E2%80%99d%20kindly%20suggest%20you%20review%20the%20official%20documentation%20before%20replying%2C%20because%20at%20this%20point%20it%20seems%20you%E2%80%99ve%20missed%20the%20core%20of%20the%20issue.%3C%2FP%3E%3CP%3EIn%20any%20case%2C%20you%20also%20have%20my%20projects%2C%20and%20as%20you%20can%20see%20for%20yourself%2C%20they%20have%20minimal%20changes%2C%20which%20are%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-mcuxpresso%2Fmcuxsdk-examples%2Fblob%2Frelease%2F25.06.00%2Fota_examples%2F_doc%2Fencrypted_xip_readme.md%235-ota-examples-instructions%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Edescribed%20in%20the%20documentation%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194800%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20mcuboot%3A%20using%20SNVS%20Master%20Key%20for%20EXIP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194800%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124967%22%20target%3D%22_blank%22%3E%40mastupristi%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EBy%20default%26nbsp%3B%3CSPAN%3ESNVS%20Master%20Key%20is%20the%20OTP%20master%20key%20which%20is%20provisioned%20by%20NXP%20out%20of%20factory%2C%20so%20did%20you%20encrypt%20the%20app%20image%20again%20with%20this%20key%20before%20downloading%20into%20region%201%20on%20your%20device%3F%26nbsp%3B%20Please%20kindly%20clarify.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EHave%20a%20great%20day%2C%3CBR%20%2F%3EKan%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E-------------------------------------------------------------------------------%3CBR%20%2F%3ENote%3A%3CBR%20%2F%3E-%20If%20this%20post%20answers%20your%20question%2C%20please%20click%20the%20%22Mark%20Correct%22%20button.%20Thank%20you!%3CBR%20%2F%3E-%20We%20are%20following%20threads%20for%207%20weeks%20after%20the%20last%20post%2C%20later%20replies%20are%20ignored%3CBR%20%2F%3EPlease%20open%20a%20new%20thread%20and%20refer%20to%20the%20closed%20one%2C%20if%20you%20have%20a%20related%20question%20at%20a%20later%20point%20in%20time.%3CBR%20%2F%3E-------------------------------------------------------------------------------%3C%2FP%3E%3C%2FLINGO-BODY%3E