MCUXpresso Secure Provisioning v6 Now Available


4,462 Views
petrstruzka
NXP Employee

MCUXpresso Secure Provisioning Tool (SEC) is a graphical user interface (GUI) tool covering the secure boot process and Trust Provisioning capabilities, primarily aimed at microcontroller customers. It provides a unified GUI front-end over existing command-line tools (elftosb, blhost, sdphost, cst, pfr, tpconfig, tphost).

Features

  • Support for i.MX RT10xx, RT11xx, RT5xx, and RT6xx families:
    • RT1010, RT1015, RT1020, RT1024, RT1040, RT1050, RT1060, and RT1064
    • RT1171, RT1172, RT1173, RT1175, RT1176, RT1165, RT1166
    • RT595S, RT555S, RT533S, RT685S
  • Support for LPC55Sxx and LPC55xx families:
    • LPC55S6x, LPC55S3x, LPC55S2x, LPC55S1x, and LPC55S0x
    • LPC553x, LPC552x, LPC551x, and LPC550x
  • Support for Kinetis W processors:
    • K32W148, KW45B41Zx
  • Conversion of ELF executables, SREC, HEX, and raw binaries into bootable image files
  • Credentials (keys, signatures, and certificates) generation and management associated with signed/encrypted images
  • Target device connection via UART, USB-HID, SPI, and I2C
  • Writing FlexSPI NOR, FlexSPI NAND, SEMC NAND or SD card boot device including configuration of the boot device parameters
  • Use of DCD configuration for SDRAM images bootup
  • Programming customizable eFuses per image and use case requirements
  • Optional batch scripts generation for later use without the GUI
  • Streamlined operation for general users
  • Manufacturing Tool with the support of parallel execution
  • Trust provisioning and device HSM provisioning for selected processors
  • Flash programming GUI tool
  • Debug authentication
  • Detailed supported features for each processor in the user guide

Downloads

Supported Operating Systems:

  • Microsoft(R) Windows(R) 10 (64-bit)
  • Mac OS 12.4 Monterey
  • Ubuntu 22.04 LTS 64 bit, with "OpenSSL 1.1.1f 31 Mar 2020"; GNOME recommended

Revision History

6.0

  • Added KW45xx and K32W1xx processors
  • Enabled support of LPC55S36 processor
  • Fixed configuration of boot device Macronix_MX25UM51345G_A.json, so it matches recommendations from reference manuals
  • LPC55Sxx: DICE can be enabled by the user, UDS key initialized in write script
  • LPC55Sxx and i.MX RTxxx: It is possible to re-generate ROT certificates with a different serial number (for key revocation)
  • LPC55Sxx: The CFPA content is verified before write and an error is reported if the version is not incremented (GUI only)
  • LPC55Sxx: Added support for encrypted plain boot type
  • Added i.MX RT1040 processor
  • i.MX RT1060: a new EVK board revision supported: MIMXRT1060-EVKC
  • i.MX RT107x: a new EVK board revision supported: RT1170-EVKB
  • i.MX R685: a new EVK board supported: RT600-AUD-EVK
  • i.MX RT5xx: Added support for dual image (ping/pong) boot with PUF key source
  • i.MX RT5xx and RT6xx: Added support for eMMC and SD card
  • Trust provisioning: added support for multiple smart cards, USB connection, and performance improvements
  • i.MX RT6xx: Added support for debug authentication
  • Flash programmer performance improvements for higher buffer sizes
  • Build view: displayed all generated files and their status
  • Window locations and sizes are stored in preferences
  • The tool displays a "dirty" flag if settings are not saved on the disk; added a new preference to save automatically
  • Setting file spt_settings.json changed to settings.sptjson
  • File extension .sptjson associated with SEC tool, so it can be opened directly with the tool
  • CLI: New argument in write scripts: erase_all - perform an erase of the entire flash memory instead of erasing regions only
  • Tool localized to Chinese
  • Legacy blhost updated to v2.6.7
  • LPC55S69: dropped support of trust provisioning firmware for silicon revision 8
  • i.MX RT633S: the processor was removed and is no longer supported

Known problems and limitations

  • See chapter Troubleshooting in documentation

id:mcux-secure-tool

15 Replies

4,317 Views
IvoBCD
Contributor III

Hi Marek, that's on macOS 13.1 (Ventura; darwin 22.2.0).

I know the documentation states only Mac OS 12.4 Monterey is supported, but downgrading to Monterey doesn't seem likely to fix this, given the nature of the error.

0 Kudos
Reply

4,326 Views
IvoBCD
Contributor III

Thanks, but it seems the "MAC" version does not launch.

Looking at the error messages, it seems it does not work on recent (arm64-based) Macs:

 

MCUXpresso Secure Provisioning v6.app % ./Contents/MacOS/securep
INFO: [root] workspace /Users/ivo/secure_provisioning
WARNING: [root] Loading settings from workspace: No settings file found
Traceback (most recent call last):
File "PyInstaller/loader/pyimod03_ctypes.py", line 53, in __init__
File "ctypes/__init__.py", line 374, in __init__
OSError: dlopen(/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib, 0x0006): tried: '/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (no such file), '/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/private/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/System/Volumes/Preboot/Cryptexes/OS/private/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (no such file), '/private/var/folders/mm/9yxjtsmj5r743v3ps_zmz6n80000gn/T/tmp4j8_kunq.dylib' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64'))

 

0 Kudos
Reply

4,312 Views
liborukropec
NXP Employee

Hello Ivo,

SEC is built for Intel architecture. The first Mac for M1 had an emulator (Rosetta) installed by default. Unfortunately, the next versions come without Rosetta and users have to install it manually. I do not have a Mac M1 available; could you please try this: https://support.apple.com/en-us/HT211861

or search other resources for installing Rosetta?

 

Best regards,

Libor

0 Kudos
Reply

4,310 Views
IvoBCD
Contributor III

I'm afraid that despite Rosetta 2 being installed, it still fails with arm64/x86_64 errors even if invoked with "arch -x86_64 /Applications/MCUX_Provi_v6/MCUXpresso\ Secure\ Provisioning\ v6.app/Contents/MacOS/securep" 

No big deal, I'll just use a Linux box.

0 Kudos
Reply

4,124 Views
liborukropec
NXP Employee

Hello Ivo,

 

We have identified that the issue is the integration between the Secure Provisioning Python JLink package and the installed SEGGER J-Link SW. Most probably you have installed only the M1 version of SEGGER J-Link. If the "Universal installer" is used (it contains both Intel and Arm architectures), then Secure Provisioning Tool (SEC) works even on Mac M1 (please mind that at this moment it is not a supported platform, and it will be addressed in future versions of SEC).

https://www.segger.com/downloads/jlink/


Regards,

Libor

0 Kudos
Reply

2,789 Views
application_ninja
Contributor III

This workaround doesn't work. When will Mac M1 be supported? v7 still does not support Mac M1...

0 Kudos
Reply

2,759 Views
liborukropec
NXP Employee

Hello Scott,

M1 will have native support in the following v8 (mid Q1 2024). Could you please execute the `securep` executable from the terminal and paste the error here, so I can see whether it is the above-mentioned problem or something different?

 

Thank you,

Libor

0 Kudos
Reply

2,754 Views
application_ninja
Contributor III

It's unfortunate it will take so long for a fix since the Mac arm64 has been out for quite some time now. Is it open source, could I compile the app myself?

Here is the error:

"

Traceback (most recent call last):

  File "PyInstaller/loader/pyimod03_ctypes.py", line 53, in __init__

  File "ctypes/__init__.py", line 374, in __init__

OSError: dlopen(/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib, 0x0006): tried: '/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib' (mach-o file, but is an incompatible architecture (have (arm64), need (x86_64))), '/private/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib' (mach-o file, but is an incompatible architecture (have (arm64), need (x86_64)))"

0 Kudos
Reply

2,728 Views
marek-trmac
NXP Employee

Hi Scott,

If you run the SEC tool as an Intel application under Rosetta, all used libraries must be installed for the Intel architecture. The SEC tool fails if it invokes any library for the M1 architecture.

From your log, it is not clear which library is failing. If you can find it, you can replace or re-install it.

Regards,
Marek
0 Kudos
Reply
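
One way to find the failing library, given that the temporary file name in the traceback hides the original name (an added example, not part of the thread or of NXP's tooling): the sketch below reads Mach-O and universal-binary headers and lists files that have no x86_64 slice. The function names and the choice of directory to scan are assumptions of this example.

```python
import struct
import sys
from pathlib import Path

# CPU type constants from <mach/machine.h>
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 7: "i386", 12: "arm"}
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}          # 32-bit / 64-bit Mach-O
FAT_MAGICS = {0xCAFEBABE: 20, 0xCAFEBABF: 32}   # magic -> fat_arch entry size


def macho_archs(data: bytes) -> list[str]:
    """Return the architecture slices of a Mach-O image, [] if not Mach-O."""
    if len(data) < 8:
        return []
    be_magic = struct.unpack(">I", data[:4])[0]
    if be_magic in FAT_MAGICS:                   # universal: big-endian header
        entry = FAT_MAGICS[be_magic]
        count = struct.unpack(">I", data[4:8])[0]
        # Java .class files share 0xCAFEBABE; 16 is a sanity bound on slices.
        if count > 16 or len(data) < 8 + count * entry:
            return []
        cpus = [struct.unpack(">I", data[8 + i * entry:12 + i * entry])[0]
                for i in range(count)]
    else:
        for endian in ("<", ">"):                # thin: slice's own byte order
            magic, cpu = struct.unpack(endian + "II", data[:8])
            if magic in THIN_MAGICS:
                cpus = [cpu]
                break
        else:
            return []
    return [CPU_NAMES.get(c, hex(c)) for c in cpus]


def missing_arch(paths, needed="x86_64"):
    """Yield (path, archs) for Mach-O files that lack the `needed` slice."""
    for p in paths:
        try:
            with open(p, "rb") as fh:
                archs = macho_archs(fh.read(4096))
        except OSError:
            continue                             # unreadable file: skip it
        if archs and needed not in archs:
            yield str(p), archs


if __name__ == "__main__":
    # Usage: python3 find_arm64_only.py <directory to scan>
    root = Path(sys.argv[1])
    for path, archs in missing_arch(f for f in root.rglob("*") if f.is_file()):
        print(f"{path}: {', '.join(archs)} (no x86_64 slice)")
```

A file reported as `arm64` only is a candidate for the library that an x86_64 process under Rosetta cannot `dlopen`; a universal build lists both slices and is not reported.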

2,714 Views
application_ninja
Contributor III

It won't run under Rosetta; I already tried everything. A new app compiled for arm64 is the only solution.

2,690 Views
liborukropec
NXP Employee

Hi Scott,

On a clean Intel Mac OS with Rosetta, the SEC can be executed (even though it is not officially supported). There must be something interfering (brew? other python?) on your machine that is not obvious from the console output.

I'm afraid you have to wait for v8, or do a workaround with a virtualization like UTM, VirtualBox, etc.

 

Regards,

Libor

0 Kudos
Reply

2,685 Views
application_ninja
Contributor III

I am trying to use this on an ARM Mac, not an Intel Mac... My machine is clean, technically only a month old, fresh install of Mac Sonoma 14.1 on a Mac Studio M2 Ultra...

0 Kudos
Reply

2,750 Views
liborukropec
NXP Employee

Hi Scott,

It's unfortunate it will take so long for a fix since the Mac arm64 has been out for quite some time now. Is it open source, could I compile the app myself?

No, it is not open source.

OSError: dlopen(/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib, 0x0006): tried: '/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib' (mach-o file, but is an incompatible architecture (have (arm64), need (x86_64))), '/private/var/folders/gl/4qfmnn7s10l2s624c_mmlldr0000gn/T/tmpi7dou0_w.dylib' (mach-o file, but is an incompatible architecture (have (arm64), need (x86_64)))"

The folder and file names are cryptic, so I'm unable to tell which library is in conflict with the Secure Provisioning Tool, but the symptoms are similar. The Secure Provisioning Tool, running under Rosetta as x86_64, finds an arm64-only library.

Could you please check if you have set DYLD_LIBRARY_PATH or DYLD_FALLBACK_LIBRARY_PATH?

set | grep DYLD

and if yes, unset them with

unset DYLD_LIBRARY_PATH
unset DYLD_FALLBACK_LIBRARY_PATH

and from the same terminal execute ./securep? There might be a library that interferes with the Secure Provisioning. I must say it is a shot in the dark, but still worth trying.

Regards,

Libor

0 Kudos
Reply

2,746 Views
application_ninja
Contributor III

Sorry, nothing comes up with: "set | grep DYLD"...

0 Kudos
Reply

4,319 Views
marek-trmac
NXP Employee

Hi Ivo,

What Mac OS version is it?

Regards,
Marek
0 Kudos
Reply