questions about Provisioning Tool

mastupristi
Senior Contributor I

Hello,

I am trying out some features of RT1170-EVK and have some questions:

  1. Is it possible to input an executable provided with boot headers into Secure Provisioning Tool? How?
  2. Is it possible for Secure Provisioning Tool to generate the encrypted bootable image (thus containing FCB, IVT, keyblob, etc.) offline (without having an EVK connected)?
  3. Is it possible, using Secure Provisioning Tool, to force the binary write address (different from the one indicated in the .elf)?

1 Solution
marek-trmac
NXP Employee

Hi Max,

For the first question: Dual boot for RT11xx is supported since SEC tool v7. Kindly update.

Regards,
Marek

10 Replies
liborukropec
NXP Employee

Hello Massimiliano,

> Is it possible to input an executable provided with boot headers into Secure Provisioning Tool? How?

No, you have to disable the XIP boot header, see User Guide "6.2 RT10xx/RT11xx device workflow" on page 58. Note: In the next version this will be possible.

> Is it possible for Secure Provisioning Tool to generate the encrypted bootable image (thus containing FCB, IVT, keyblob, etc.) offline (without having an EVK connected)?

For this device it is not necessary to have board connected for build process. Applies to all encryption types HAB/OTFAD/IEE.

> Is it possible, using Secure Provisioning Tool, to force the binary write address (different from the one indicated in the .elf)?

No, for srec/elf/axf the address is detected automatically and cannot be changed. But if you provide *.bin, you have to specify the address.

Regards,

Libor

mastupristi
Senior Contributor I

> For this device it is not necessary to have board connected for build process. Applies to all encryption types HAB/OTFAD/IEE.

so how can I build the binary packed with all the boot headers, including keyblob and FCB?

> No, for srec/elf/axf the address is detected automatically and cannot be changed. But if you provide *.bin, you have to specify the address

So with Provisioning tool I am not able to try the remap feature, and I necessarily have to use JLINK, right? And that brings us back to the previous question, because to use JLINK I need to have the image bundled all together with the boot headers.

best regards

Max

liborukropec
NXP Employee

Hi Max,

 

> > For this device it is not necessary to have board connected for build process. Applies to all encryption types HAB/OTFAD/IEE.
>
> so how can I build the binary packed with all the boot headers, including keyblob and FCB?

SEC tool does all this for you. You provide just the simplified Flash configuration or you have to manually provide the FCB bin and SEC assembles everything together into bootable image, including keyblob if encryption is enabled.

> So with Provisioning tool I am not able to try the remap feature, and I necessarily have to use JLINK, right?

You are able to try remap feature, it is supported in SEC tool as well, see the documentation. On the Build tab there's "Dual image boot" button offering configuration of the remap feature - based on the configuration the resulting build and write script files reflect this config, so you do not need to hassle with addresses manually.

Regards,

Libor

mastupristi
Senior Contributor I

> SEC tool does all this for you. You provide just the simplified Flash configuration or you have to manually provide the FCB bin and SEC assembles everything together into bootable image, including keyblob if encryption is enabled.

Where can I find the explanation of this in the user guide?
The examples I find in the SDK, imported into MCUXpresso IDE, can only be compiled to contain or not contain boot headers (FCB, IVT, etc.), but I have not found a way to have the boot headers generated as separate files.

> You are able to try remap feature, it is supported in SEC tool as well, see the documentation. On the Build tab there's "Dual image boot" button offering configuration of the remap feature - based on the configuration the resulting build and write script files reflect this config, so you do not need to hassle with addresses manually.

Could you point me to the section in the user guide where it explains this "dual image" feature? I have tried searching inside the PDF without finding anything useful.

regards

Max

marek-trmac
NXP Employee

Hi Massimiliano

I'd recommend to follow the workflow from the user guide and try it. SEC tool generates the script (either build script or write script), that you can review before execution and you can also customize it (create a copy and modify). The scripts are pretty readable, so I suppose you will understand. You can also modify the target address in the script.

About the packed library, SEC tool usually writes the parts separately.

The reason, why SEC tool generates scripts is: SEC tool cannot generate all formats and all variants, what users want, so it generates one variant that can be customized.

Regards,
Marek
mastupristi
Senior Contributor I

> I'd recommend to follow the workflow from the user guide and try it

I've read the user guide, but I can't get an executable with all the boot headers accepted as input.
In fact, following the guide, it's clear that a connection to an EVK is required.

regards

Max

marek-trmac
NXP Employee

Hi Max,

Here are all the paragraphs copied from the documentation. I copied the unsigned boot type, as it is good to start with something simple and ensure it works. After it works, I recommend reading the build script and write script, to understand how it works. For dual boot, there is not any "step-by-step" procedure. The dual boot shall be configured in 6.2.3.1, step 5.

6.2.1.1 Image running from external NOR flash
Note: For the current version of SEC, a source image for building a bootable image may contain the XIP boot header only for RT10xx processors. It is recommended to disable the XIP boot header by setting the compiler symbol XIP_BOOT_HEADER_ENABLE to 0.
• MCUXpresso IDE
The led_blinky example is linked into external flash by default.
1. Go to Project > Properties > C/C++ Build > Settings > MCU C Compiler > Preprocessor > Defined symbols and set XIP_BOOT_HEADER_ENABLE to 0.
2. Build the image.
You will find the resulting source image as Debug\evkmimxrt10##_iled_blinky.axf. You can later use it as Source executable image by SEC.

6.2.2 Connecting the board

6.2.3 Booting images

6.2.3.1 Booting unsigned image
An unsigned image is typically used for development. It is recommended to start with this boot type before working with secured images to verify that the executable image works properly.
First, build a bootable image:
1. Make sure you have selected the Unsigned boot type in the Toolbar.
2. Switch to the Build image view.
3. Select image build in Section 6.2.1 as a Source executable image.
4. For images executed from SDRAM, configure SDRAM using DCD or XMCD (RT11xx). For EVK boards, the following DCD file can be used: data\targets\MIMXRT1###/evkmimxrt1xxx_SDRAM_dcd.bin. For RT11xx, the following XMCD configuration file can be used: data\targets\MIMXRT11##/evkmimxrt11xx_xmcd_semc_sdram_simplified.yaml.
Note: For customization of DCD files, refer to Section 6.2.4.
5. If needed, open Dual image boot and configure (RT11xx - FlexSPI NOR).
6. Click Build image to build a bootable image.

When the bootable image has been successfully built:
1. Make sure that the board is in Serial Boot mode.
2. Switch to the Write image view.
3. Make sure that the Use built image check-box is selected.
4. Click Write image.

If the write operation was successful, switch boot mode (see Table 3) and reset the board.

Hope this helps

Regards,
Marek
mastupristi
Senior Contributor I

> On the Build tab there's "Dual image boot" button offering configuration of the remap feature

Here is the screenshot of the Build tab; I can't see the "dual image boot" button. Can you point me to it?

SPT_v6.png

 

For the rest: with SEC I cannot create an image that also contains FCB. It seems that it is built and written only by flashloader.
So I try to put the question in other terms:
with SEC and offline (no connection to any card), how do I create an image (plaintext or encrypted) that contains all the boot headers, including FCB and keyblob, so that I can write it to the flash using JLINK (and not with SEC itself)?

regards

Max

marek-trmac
NXP Employee

Hi Max,

> how do I create an image (plaintext or encrypted) that contains all the boot headers, including FCB and keyblob, so that I can write it to the flash using JLINK (and not with SEC itself)?

SEC tool usually writes the parts separately and it is not configurable. SEC tool cannot generate all formats and all variants that users want, so it generates one variant that can be customized (it is possible to modify build and write scripts manually).

Regards,
Marek