MCUXpresso Secure Provisioning Tool (SEC) is a graphical user interface (GUI) tool covering secure boot process and Trust Provisioning capabilities, primarily aimed at microcontroller customers. It provides unified GUI front-end over existing command-line tools (elftosb, blhost, sdphost, cst, pfr, tpconfig, tphost).
Features
- Support for i.MX RT10xx, RT11xx, RT5xx and RT6xx families:
- RT1010, RT1015, RT1020, RT1024, RT1050, RT1060 and RT1064
- RT1171, RT1172, RT1173, RT1175, RT1176, RT1165, RT1166
- RT595S, RT555S, RT533S, RT685S, RT633S
- Support for LPC55Sxx family:
- LPC55S6x, LPC55S2x, LPC55S1x and LPC55S0x
- Conversion of ELF executables, SREC, HEX and raw binaries into bootable images files
- Credentials (keys, signatures and certificates) generation and management associated with signed/encrypted images
- Target device connection via UART, USB-HID, SPI and I2C
- Writing FlexSPI NOR, SEMC NAND or SD card boot device including configuration of the boot device parameters
- Use of DCD configuration for SDRAM images bootup
- Programming customizable eFuses per image and use case requirements
- Optional batch scripts generation for later use without the GUI
- Streamlined operation for general users
- Manufacturing tool with the support of parallel execution
- Detailed supported features for each processor in the user guide
Downloads
- To download the installer, please login to our download site via:
Supported Operating Systems:
- Microsoft(R) Windows(R) 10 (64-bit)
- Mac OS 11.6 Big Sur
- Ubuntu 22.04 LTS 64 bit, with GNOME and "OpenSSL 1.1.1f 31 Mar 2020".
Revision History
4.1.1
- Updated trust provisioning tools from SPSDK
4.1
- LPC55S69: supported 2 versions of trust provisioning firmware for different silicon revisions
- Supported Ubuntu 22.04 LTS
4.0.1
- Windows: Fix for LPC55Sxx write script in sealing CMPA page
- Updated terminology in GUI and documentation
4.0
- Added support for Trust Provisioning using Smart Card for LPC55S6x/2x
- Added support for "life cycle" selection instead of "Enable security" checkbox (for all processors)
- Added support for Encrypted (HAB) and Encrypted (IEE) boot modes for RT11xx
- Added support for FlexSPI instance selection for i.MX RT11xx processors
- Added support for OTFAD encrypted boot mode with user keys for i.MX RT1010 processors
- Added support for SPI and I2C connection types (for LPC55Sxx and i.MX RTxxx)
- Improved fields and bits names in PFC Configuration for LPC55Sxx processors
- Improvements on the Manufacturing Tool: Added counter of successful operations and a "Test connection" button
- Improved layout of PFR Configuration dialog for improving the user experience on Linux
- Several fixes and improvements for write script for i.MX RTxxx processors
- Added a "Clear CMPA" button into PFR Configuration dialog
- CLI command "clear-security" was removed. It was replaced by PFR configuration and a "Clear CMPA" button
- Windows: Fixed problem that the Secure Provisioning Tool does not run with some region settings
- Integrated SPSDK 1.6 with the following highlighted changes:
- additional CLI tools added: tpconfig, tphost, nxpcertgen, nxpdevhsm, shadowregs, nxpdevscan
- blhost:
- performance of the "receive-sb-file" command was significantly improved, however, if it fails, the reported error code might not be correct; use the parameter "--check-errors" to see the detailed problem information
- command "efuse-program-once" automatically verifies the written value so as to avoid problems on i.MX RT11xx processors, where the write failure was reported as a successful operation (see also --verify/--no-verify option)
- pfr, pfrc:
- the names of the fields and their bits were updated without preserving backward compatibility
Known problems and limitations
- RTxxx: shadow registers supported only for secured boot types, not supported for "Plain" and "Plain with CRC"
- Windows: Do not use workspace path with spaces, it is not supported by some command line tools.
- See also chapter Troubleshooting in documentation
