I.MX RT1050 Manufacturing User's Guide
User Manual:
Open the PDF directly: View PDF 
.
Page Count: 56
| Download | |
| Open PDF In Browser | View PDF |
NXP Semiconductors
User's Guide
Document Number: IMXMCUMFUUG
Rev. 3, December 2018
i.MX RT1050 Manufacturing User's Guide
Contents
Contents
Chapter 1 Introduction........................................................................................ 4
Chapter 2 Overview............................................................................................. 5
2.1 i.MX RT Boot ROM...................................................................................................................................................... 5
2.2 MCUBOOT-based Flashloader ................................................................................................................................... 5
2.3 Host utilities .................................................................................................................................................................5
2.4 Terminology..................................................................................................................................................................5
Chapter 3 i.MX RT bootable image.....................................................................7
3.1 Bootable image layout in target flash device................................................................................................................7
3.2 Boot image format........................................................................................................................................................7
3.2.1 IVT and boot data......................................................................................................................................... 8
3.2.2 Boot data structure........................................................................................................................................8
3.3 Signed image............................................................................................................................................................... 9
3.4 Encrypted image.......................................................................................................................................................... 9
Chapter 4 Generate i.MX RT bootable image.................................................. 10
4.1 Description of the elftosb utility.................................................................................................................................. 10
4.1.1 The elftosb utility options............................................................................................................................. 10
4.1.2 BD file ......................................................................................................................................................... 10
4.1.3 BD file for i.MX RT bootable image generation............................................................................................ 11
4.1.3.1 Options block................................................................................................................................ 11
4.1.3.2 Sources block .............................................................................................................................. 12
4.1.3.3 Constants block............................................................................................................................ 12
4.1.3.4 Section blocks ..............................................................................................................................12
4.1.4 BD file for memory programming.................................................................................................................20
4.2 Generate unsigned normal i.MX RT bootable image................................................................................................. 21
4.3 Generate signed normal i.MX RT bootable image..................................................................................................... 21
4.4 Generate encrypted normal i.MX RT bootable image................................................................................................23
4.5 Generate Plugin boot image...................................................................................................................................... 26
Chapter 5 Generate SB file for bootable image programming...................... 27
5.1 Generate SB file for FlexSPI NOR image programming............................................................................................ 27
5.1.1 Generate Normal Bootable Image...............................................................................................................27
5.1.2 Generate SB file for plaintext FlexSPI NOR image programming................................................................27
5.1.3 Generate SB file for FlexSPI NOR Image encryption and programming..................................................... 28
5.2 Generate SB file for FlexSPI NAND image programming.......................................................................................... 29
5.2.1 Generate SB file for FlexSPI NAND image programming........................................................................... 30
5.2.2 Generate SB file for encrypted FlexSPI NAND Image and KeyBlob programming..................................... 30
5.3 Generate SB file for SD image programming.............................................................................................................31
5.3.1 Steps to Generate SB file for SD image programming................................................................................32
5.4 Generate SB file for eMMC image programming....................................................................................................... 33
5.4.1 Normal mode.............................................................................................................................................. 33
5.4.2 Fast Mode................................................................................................................................................... 34
5.5 Generate SB file for Serial NOR/EEPROM image programming............................................................................... 35
5.6 Generate SB file for SEMC NOR image programming.............................................................................................. 36
5.7 Generate SB file for SEMC NAND image programming............................................................................................ 37
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
2
NXP Semiconductors
Contents
5.8 Generate SB file for fuse program..............................................................................................................................38
Chapter 6 Program bootable image................................................................. 40
6.1 MfgTool...................................................................................................................................................................... 40
6.1.1 MfgTool Directory structure..........................................................................................................................40
6.1.2 Preparation before image programming using MfgTool............................................................................... 42
6.2 Connect to the i.MX RT Platform............................................................................................................................... 42
6.3 Program bootable image during development............................................................................................................42
6.4 Program bootable image for production..................................................................................................................... 43
Chapter 7 Appendix........................................................................................... 44
7.1 Plugin boot application............................................................................................................................................... 44
7.1.1 Principles for Plugin boot application design................................................................................................44
7.1.2 Boot Flow of Plugin boot application............................................................................................................ 44
7.1.3 Example Plugin boot application to enable non-XIP boot on FlexSPI NOR................................................. 44
7.1.4 Images loaded by plugin boot application.................................................................................................... 46
7.2 Example of complete manufacturing flow................................................................................................................... 46
7.2.1 Manufacturing process in Development phase............................................................................................46
7.2.1.1 Create i.MX RT bootable image.................................................................................................... 46
7.2.1.2 Create SB file for HyperFlash programming..................................................................................47
7.2.1.3 Program Image to Flash using MfgTool......................................................................................... 48
7.2.2 Manufacturing process in Production phase................................................................................................ 48
7.2.2.1 Generate signed i.MX RT bootable image....................................................................................49
7.2.2.2 Create SB file for Fuse programming............................................................................................51
7.2.2.3 Create SB file for Image encryption and programming for Hyper Flash....................................... 52
7.2.2.4 Create signed Flashloader image.................................................................................................52
7.2.2.5 Program Image to Flash using MfgTool........................................................................................ 53
7.3 Generate KeyBlob manually....................................................................................................................................... 53
Chapter 8 Revision history............................................................................... 55
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
3
Introduction
Chapter 1
Introduction
This document describes the generation of bootable image for i.MX RT devices. It also explains the process to interface i.MX RT
Boot ROM and MCUBOOT-based Flashloader and to program a bootable image into the external flash including:
• QuadSPI NOR/Octal Flash / HyperFlash
• Serial NAND
• eMMC
• SD
• Parallel NOR
• SLC raw NAND
• SPI NOR/EEPROM
The i.MX RT Boot ROM resides in the ROM and enables RAM loading. The Flashloader is loaded into SRAM and facilitates
loading of boot images from boot devices into RAM. It also authenticates and executes the boot image.
This document introduces the Flashloader, a companion tool to i.MX RT Boot ROM, and a complete solution for programming
boot images to bootable devices. The Flashloader runs in SRAM so it should be downloaded to SRAM typically via ROM serial
download interface. The Flashloader prepares and configures the devices for boot. It creates boot configuration structure on the
bootable media, assists in programming encrypted images, generates key blobs, and communicates with master on serial
peripherals like USB and UART using MCUBOOT commands interface protocol in downloading boot images.
It also introduces the elftosb utility. The elftosb utility converts an elf images to signed, encrypted, and bootable image for i.MX
RT devices. It also creates all the boot structures like image vector table, boot data, etc. It generates the input command sequence
file required to code sign or encrypt the image using the NXP signing tool (cst). It also calls the cst to generate the signatures and
packs it as a boot image acceptable by boot ROM.
The document describes the usage of MfgTool.exe (Manufacturing Tool) in a manufacturing environment for production of devices
(programming boot images on the bootable media using all the available tools).
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
4
NXP Semiconductors
i.MX RT Boot ROM
Chapter 2
Overview
2.1 i.MX RT Boot ROM
The i.MX RT Boot ROM is a standard bootloader for all i.MX RT devices. It resides in ROM and supports booting from external
flash devices for both XIP and non-XIP boot cases. It also provides serial downloader feature via UART or USB-HID interface into
the internal RAM of i.MX RT devices.
The i.MX RT Boot ROM is a specific implementation of the existing i.MX MPU ROM Bootloader. For flash programming, the i.MX
RT Boot ROM provides serial downloader feature powered by SDP command interface. For additional information, see chapter,
“System Boot” in i.MX RT1050 Processor Reference Manual (document IMXRT1050RM). The MfgTool then can load the MCU
Boot based Flashloader into internal SRAM and jump to the Flashloader to enable Flash programming features.
2.2 MCUBOOT-based Flashloader
The MCUBOOT-based Flashloader is a specific implementation of the MCU Bootloader. It is used as a one-time programming
aid for manufacturing. Most of the MCUBOOT commands are supported in the Flashloader to enable external Flash programming.
See MCU Flashloader Reference Manual for details.
2.3 Host utilities
The MfgTool is a GUI host program used to interface with devices running i.MX RT Boot ROM under serial downloader mode. It
can also be used to program an application image by interfacing with the Flashloader.
The blhost is a command-line host program used to interface with devices running MCUBOOT-based bootloaders. It is part of
MfgTool release.
The elftosb utility is a command-line host program used to generate bootable images for i.MX RT Boot ROM.
The cst is a command-line host program used to generate certificates, image signatures, and encrypt images for i.MX RT Boot
ROM.
2.4 Terminology
Table 1 summarizes the terms and abbreviations included in this document.
Table 1. Terminology and Abbreviations
Terminology
Description
MCUBOOT
MCU Bootloader
KeyBlob
KeyBlob is a data structure that wraps the DEK for image decryption using AES-CCM algorithm
DEK
“Key” used to decrypt the encrypted bootable image
Table continues on the next page...
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
5
Overview
Table 1. Terminology and Abbreviations (continued)
SB file
The SB file is the NXP binary file format for bootable images. The file consists of sections,
sequence of bootloader commands, and data that assists MCU Bootloader in programming the
image to target memory. The image data can also be encrypted in the SB file. The file can be
downloaded to the target using the MCU Bootloader receive-sb-file command.
CST
Code Signing Tool
XIP
Execute-In-Place
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
6
NXP Semiconductors
Bootable image layout in target flash device
Chapter 3
i.MX RT bootable image
3.1 Bootable image layout in target flash device
There are two types of supported boot image:
• XIP (Execute-In-Place) boot image: This type of boot image is only applicable to Serial NOR devices connected to
QuadSPI or FlexSPI interfaces and Parallel NOR devices connected to WEIM or SEMC interface. The boot device memory
is identical to the destination memory. ROM can boot this boot image directly.
• Non-XIP boot image: This type of boot image is usually for the NAND, SD, and eMMC devices that does not support the
XIP feature. The boot device memory is different from the destination memory. ROM loads the boot image from the Boot
device memory to Destination memory and then boots from the Destination memory.
Figure 1. Bootable image layout
3.2 Boot image format
This section describes the boot image format and data structures. For ease-of-use, the elftosb utility is provided to help customers
automatically generate the boot image format file. The elftosb utility usage is described later in this document.
Some data structures must be included in the bootable image. The bootable image consists of
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
7
i.MX RT bootable image
• Image Vector Table (IVT): a list of pointers located at a fixed address that ROM examines to determine where the other
components of the bootable image are located
• Boot Data: a table that indicates the bootable image location, image size in bytes and the plugin flag
• Device configuration data (DCD) (optional): IC configuration data, usually is used to configure DDR/SDRAM memory. This
is optional
• User application and data
• CSF (optional): signature block for Secure Boot, generated by CST
• KeyBlob (optional) – a data structure consists of wrapped DEK for encrypt boot
Each bootable image starts with appropriate IVT. In general, for the external memory devices that support XIP feature, the IVT
offset is 0x1000 else it is 0x400. For example, for FlexSPI NOR on RT1050, the IVT must start at address 0x60001000 (start
address is 0x6000_0000, IVT offset is 0x1000). Refer to corresponding Processor Reference Manual for additional information.
3.2.1 IVT and boot data
The IVT is the data structure that the Boot ROM reads from the boot devices supplying the bootable image containing the required
data components to perform a successful boot.
See the Program image section in the System Boot Chapter of the device reference manual for more details
Table 2. IVT data structure
Offset
Field
Description
0x00 - 0x03
header
• Byte 0 tag, fixed to 0xD1
• Byte 1,2 length, bit endian format containing the overall length of the
IVT in bytes, fixed to 0x00, 0x20
• Byte 3: version, valid values: 0x40, 0x41, 0x42, 0x43
0x04 - 0x07
entry
Absolute address of the first instruction to execute from the image, or the
vector address of the image
0x08 - 0x0b
reserved1
Reserved for future use, set to 0
0x0c - 0x0f
dcd
Absolute address of the image DCD. It is optional, so this field can be set
to NULL if no DCD is required.
0x10 - 0x13
boot_data
Absolute address of the boot data
0x14 - 0x17
self
Absolute address of the IVT.
0x18 - 0x1b
csf
Absolute address of the Command Sequence File (CSF) used by the
HAB library
0x1c - 0x1f
reserved2
Reserved, set to 0
3.2.2 Boot data structure
Table 3. Boot Data structure
Offset
Field
Description
0x00-0x03
start
Absolute address of the bootable image
0x04-0x07
length
Size of the bootable image
0x08-0x0b
plugin
Plugin flag, set to 0 if it is a normal boot image
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
8
NXP Semiconductors
Signed image
3.3 Signed image
The bootable image can be signed by CST tool. The tool generates the CSF data in the binary file format that consists of command
sequences and signatures based on given input command sequence file (csf file). Refer to the documentation in the CST release
package for further details.
In this document, a simple method is introduced to generate signed images using elftosb utility.
3.4 Encrypted image
There are two types of encrypted image formats:
Encrypted XIP image format
The Flashloader generates the encrypted XIP image using the AES CTR algorithm when programming the image on the device.
On execution, the hardware engine does on-the-fly decryption.
Encrypted image generated by CST
To increase the security level, the bootable image can be signed and further encrypted by the CST. The KeyBlob must be generated
on the device. The hardware deletes all sensitive keys if any security violation happens, so the sensitive keys cannot be cloned.
In this document, a simple method is introduced to generate signed images using elftosb utility.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
9
Generate i.MX RT bootable image
Chapter 4
Generate i.MX RT bootable image
There are two types of bootable image for i.MX RT devices.
• Normal boot image: This type of image can boot directly by boot ROM.
• Plugin boot image: This type of image can be used to load a boot image from devices that are not natively supported by
boot ROM.
Both types of images can be unsigned, signed, and encrypted for different production phases and different security level
requirements:
• Unsigned Image: The image does not contain authentication-related data and is used during development phase.
• Signed Image: The image contains authentication-related data (CSF section) and is used during production phase.
• Encrypted Image: The image contains encrypted application data and authentication-related data and is used during the
production phase with higher security requirement.
The above types of bootable images can be generated by using the elftosb utility. The detailed usage of the elftosb utility is
available in elftosb User's Guide.
4.1 Description of the elftosb utility
The elftosb utility is a command-line host program used to generate the i.MX RT bootable image for the i.MX RT Boot ROM. The
utility also generates wrapped binary file with command sequences and a bootable image. To create a SB file, use commandline options and an input text file (also called BD or command file).
4.1.1 The elftosb utility options
Table 4 shows the command line options used to create the i.MX RT bootable image.
Table 4. elftosb utility options
Option
-f
Description
Specify the bootable image format
To create the i.MX RT bootable image, the usage for family argument “-f” is: “-f imx”
To create the SB file, the usage is: “-f kinetis”
-c
Command file to generate corresponding bootable image
For example, “-c program_flexspi_nor_hyperflash.bd”
-o
Output file path
For example, “-o ivt_flashloader.bin”
-V
Print extra detailed log information
-?
Print help info
4.1.2 BD file
Each BD file consists of the following four blocks: options, sources, constants, section
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
10
NXP Semiconductors
Description of the elftosb utility
• The image paths are typically defined in the “sources” block.
• The constant variables are defined in the “constants” block.
• The memory configuration and programming-related operations are defined in the “section” block.
There are two types of BD files that are supported by the elftosb utility. The first type of file is used for the i.MX RT bootable image
generation. The “-f imx” option is mandatory during boot image generation using the elftosb utility. The second type of file contains
commands that are mainly used for memory programming. The “-f kinetis” flag is mandatory in this use case.
4.1.3 BD file for i.MX RT bootable image generation
The BD file for i.MX RT bootable image generation usually consists of four blocks. These are options, sources, constants, and
section.
4.1.3.1 Options block
Table 5 shows the options used to generate a bootable image for the Options block.
Table 5. Supported options in the “Options” block
Options
Flags
Description
Generates unsigned, signed, encrypted boot images, and plugin images:
• bit 2 - Encrypted image flag
• bit 3 - Signed image flag
• bit 4 - Plugin image flag
For example:
• 0x00 - unsigned image
• 0x08 - signed image
• 0x04 - encrypted image (encrypted image is always a signed image)
• 0x18 - signed plugin image
startAddress
ivtOffset
Provides the starting address of the target memory where image should be loaded by ROM.
Provides offset where the IVT data structure must appear in the boot image. The default is 0x400 if
not specified.
The valid value is 0x400 or 0x1000 for i.MX RT boot image.
initialLoadSize
Defines the start of the executable image data from elf or the srec file.
The default value is 0x2000 if not specified.
In general, this value should be 0x1000 or 0x2000.
DCDFilePath
Defines the path to DCD file.
If not specified, the DCD pointer in the IVT will be set to NULL (0) else the dcd file contents will be
loaded at offset 0x40 from ivtOffset. The dcd file size is limited to (initialLoadSize - ivtOffset-0x40).
cstFolderPath
Defines the path for platform dependent CST. (windows, linux)
If not specified, elftosb tool will search for cst executable in same path as elftosb executable.
Table continues on the next page...
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
11
Generate i.MX RT bootable image
Table 5. Supported options in the “Options” block (continued)
entryPointAddress
Provides the entry point address for ELF or SREC image.
If not specified, ELF image uses its source image entry point address but SREC image will use default
entry point address (0).
4.1.3.2 Sources block
Typically, all the application image paths are provided in this section. Currently, the ELF file and SREC file are supported for i.MX
RT Bootable image generation, for example:
sources {
elfFile = extern(0);
}
4.1.3.3 Constants block
The Constants block provides a constant variable that is used to generate CSF data for image authentication and decryption. The
Constants block is optional for an unsigned image. The supported constants are listed below.
Constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_INSTALL_NOCAK = 23;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_ AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
SEC_NOP = 29;
SEC_SET_MID = 30;
SEC_SET_ENGINE = 31;
SEC_INIT = 32;
SEC_UNLOCK = 33;
}
4.1.3.4 Section blocks
The Section blocks are used to create the sections for an i.MX RT bootable image, for example, all sections for CSF data. For the
unsigned image, the Section block is simple, just a fixed blank section, as shown below.
section (0)
{
}
For signed and encrypted image, the following sections are defined for elftosb utility to generate the CSF descriptor file which is
required by CST for CSF data generation.
• SEC_CSF_HEADER
This section defines the necessary elements required for CSF Header generation as well as default values used for other sections
throughout the remaining CSF.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
12
NXP Semiconductors
Description of the elftosb utility
Table 6. Elements for CSF Header section generation
Element
Description
Header_Version
HAB library version
Valid values: 4.0, 4.1, 4.2, 4.3
Header_HashAlgorithm
Default Hash Algorithm
Valid values: sha1, sha256, sha512
Header_Engine
Default Engine
Valid values: ANY, DCP, CAAM, SW
Header_EngineConfiguration
Default Engine Configuration
Recommended value: 0
Header_CertificateFormat
Default Certificate Format
Valid values: WTLS, X509
Header_SignatureFormat
Default signature format
Valid values: PKCS, CMS
Header_SecurityConfiguration
Fused security configuration
Valid values: Engineering, Production
Header_UID
Generic (matches any value)
U0, U1,... Un
where each Ui=0..255 and n<255
Header_CustomerCode
Value expected in “customer code” fuses
0..255
An example section block is shown as follows.
section (SEC_CSF_HEADER;
Header_Version="4.3",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}
• SEC_CSF_INSTALL_SRK
This section contains the elements to authenticate and install the root public key for use in subsequent sections, as shown in the
following table.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
13
Generate i.MX RT bootable image
Table 7. Elements for CSF Install SRK section generation
Element
Description
InstallSRK_Table
InstallSRK_Source
InstallSRK_HashAlgorithm
Path pointing to the Super Root Key Table file
SRK index with the SRK table
SRK table hash algorithm.
Valid values: SHA1, SHA256 and SHA512
An example section block is shown as follows.
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}
• SEC_CSF_INSTALL_CSFK
This section consists of the elements used to authenticate and install a public key for use in subsequent sections.
Table 8. Elements for CSF Install CSFK section generation
Element
Description
InstallCSFK_File
InstallCSFK_CertificateFormat
File path pointing to CSFK certificate
CSFK certificate format
Valid values: WTLS, X509
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}
• SEC_CSF_INSTALL_NOCAK
The Install NOCAK command authenticates and installs a public key for use with the fast authentication mechanism (HAB 4.1.2
and later only). With this mechanism, one key is used for all signatures.
The following table lists the install NOCAK command arguments.
Table 9. Elements for CSF Install NOCAK section generation
Element
Description
InstallNOCAK_File
InstallNOCAK_CertificateFormat
File path pointing to CSFK certificate
CSFK certificate format
Valid values: WTLS, X509
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
14
NXP Semiconductors
Description of the elftosb utility
An example section block is shown as follows:
section (SEC_CSF_INSTALL_NOCAK;
InstallNOCAK_File= "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem") // "valid file path"
InstallNOCAK_CertificateFormat= "WTLS" // "WTLS", "X509"
)
{
}
• SEC_CSF_AUTHENTICATE_CSF
This section is used to authenticate the CSF from which it is executed using the CSFK mentioned in the section above. The default
setting is enough. See the following table for more details.
Table 10. Elements for CSF Authenticate CSF section generation
Element
Description
AuthenticateCSF_Engine
CSF signature hash engine
Valid values: ANY, SAHARA, RTIC, DCP, CAAM and SW
AuthenticateCSF_EngineConfiguration
Configuration flags for the hash engine. Note that the hash is computed over
an internal RAM copy of the CSF
Valid engine configuration values corresponding to engine name.
AuthenticateCSF_SignatureFormat
CSF signature format
Valid values: PKCS1, CMS
An example section block is shown as follows:
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
• SEC_CSF_INSTALL_KEY
This section consists of elements used to authenticate and install a public key for use in subsequent sections, as shown in the
following table.
Table 11. Elements for CSF Install Key section generation
Element
Description
InstallKey_File
File path pointing to a Public key file
InstallKey_VerificationIndex
Verification key index in Key store
Valid values: 0, 2, 3, 4
InstallKey_TargetIndex
Target key index in key store
Valid values: 2, 3, 4
InstallKey_CertificateFormat
Valid values: WTLS, X509
Table continues on the next page...
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
15
Generate i.MX RT bootable image
Table 11. Elements for CSF Install Key section generation (continued)
InstallKey_HashAlgorithm
Hash algorithm for certificate binding.
If present, a hash of the certificate specified in the File argument is included
in the command to prevent installation from other sharing the same
verification key
Valid values: SHA1, SHA256, SHA512
section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
• SEC_CSF_AUTHENTICATE_DATA
This section contains elements that are used to verify the authenticity of pre-loaded data in memory.
Table 12. Elements for CSF Authenticate Data section generation
Element
Description
AuthenticateData_VerificationIndex
AuthenticateData_Engine
Verification key index in key store
Data signature hash engine
Valid values: ANY, DCP, CAAM, SW
AuthenticateData_EngineConfiguration
AuthenticateData_SignatureFormat
Configuration flags for the engine
Data signature format
Valid values: PKCS1, CMS
AuthenticateData_Binding
64-bit unique ID (UID) for binding.
If present, authentication succeeds only if the UID fuse value matches this
argument, and the TYPE fuse value matches the Security Configuration
argument from the Header command
Valid values:
U0, U1, ... U7
with
Ui: 0, ..., 255.
UID bytes separated by commas
An example section block is shown as follows:
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
16
NXP Semiconductors
Description of the elftosb utility
• SEC_CSF_INSTALL_SECRET_KEY
This section contains elements used to install the secret key to the MCU secret key store, which is used for Keyblob decryption.
This section is required for encrypted image generation and not for signed image.
Table 13. Elements for CSF Install Secret Key section generation
Element
Description
SecretKey_Name
Specifies the file path used for CST to generate the random decryption key
file
SecretKey_Length
Key length in bits
Valid values: 128, 192, and 256
SecretKey_VerifyIndex
Master KEK index
Valid values: 0 or 1
SecretKey_TargetIndex
Target secret key store index
Valid values: 0-3
SecretKey_BlobAddress
Internal or external DDR address
An example section block is shown as follows:
section (SEC_CSF_INSTALL_SECRET_KEY;
SecretKey_Name="dek.bin",
SecretKey_Length=128,
SecretKey_VerifyIndex=0,
SecretKey_TargetIndex=0)
{
}
• SEC_CSF_DECRYPT_DATA
This section is required for encrypted image generation and not for signed image. It contains the necessary elements used to
decrypt and authenticate a list of code/data blocks using the secret key stored in the secret key store, as shown in the following
table.
Table 14. Elements for CSF Decrypt Data section generation
Element
Description
Decrypt_Engine
MAC engine
Valid value: CAAM, DCP
Decrypt_EngineConfiguration
Configuration flags for the engine
Default value: 0
Decrypt_VerifyIndex
Secret key index in the Secret key store
Valid values: 0-3
Table continues on the next page...
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
17
Generate i.MX RT bootable image
Table 14. Elements for CSF Decrypt Data section generation (continued)
Decrypt_MacBytes
Size of MAC in bytes
If engine is CAAM, the valid value is even number between 4-16. The
recommended value is 16.
If engine is DCP, the valid value is 16.
An example section block is shown as follows.
section (SEC_CSF_DECRYPT_DATA;
Decrypt_Engine="DCP",
Decrypt_EngineConfiguration="0", // "valid engine configuration values"
Decrypt_VerifyIndex=0,
Decrypt_MacBytes=16)
{
}
• SEC_NOP
The command in this section has no effect. It also has no arguments.
An example section block is shown as follows.
section (SEC_NOP)
// NOP command has no arguments
{
}
• SEC_SET_MID
The Set MID command selects a range of fuse locations to use as a manufacturing identifier (MID). MID values are bound with
Authenticate Data signatures when verified using keys with the MID binding flag in the Install Key command.
Table 15. Elements for CSF Set MID section generation
Element
Description
SetMID_Bank
Fuse bank containing MID.
Valid values: 0, …, 255
SetMID_Row
Starting row number of MID within bank.
Valid values: 0, …, 255
SetMID_Fuse
Starting fuse of MID within row.
Valid values: 0, …, 255
SetMID_Bits
Number of bits for MID.
Valid values: 0, …, 255
An example section block is shown as follows:
section (SEC_SET_MID;
SetMID_Bank = 4,
SetMID_Row = 0,
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
18
NXP Semiconductors
Description of the elftosb utility
SetMID_Fuse = 7,
SetMID_Bits = 64)
{
}
• SEC_SET_ENGINE
The Set Engine command selects the default engine and engine configuration for a given algorithm.
Table 16. Elements for CSF Set Engine section generation
Element
Description
SetEngine_Engine
Engine
Use ANY to restore the HAB internal criteria.
Valid values: ANY, SAHARA, RTIC, DCP, CAAM and SW
SetEngine_HashAlgorithm
Hash algorithm
Valid values: SHA1, SHA256 and SHA512
SetEngine_EngineConfiguration
Configuration flags for the engine.
Valid engine configuration values corresponding to engine name.
An example section block is shown as follows:
section (SEC_SET_ENGINE;
SetEngine_HashAlgorithm = "sha256",
SetEngine_Engine = "DCP",
SetEngine_EngineConfiguration = "0")
{
}
• SEC_INIT
The Init command initializes specified engine features when exiting the internal boot ROM.
Table 17. Elements for CSF Init section generation
Element
Description
INIT_Engine
Engine to initialize
Valid value – SRTC
INIT_Features
Comma-separated list of features to initialize
Valid engine feature corresponding to engine argument.
An example section block is shown as follows:
section (SEC_INIT;
Init_Engine = "SRTC")
// Init_Features= "MID"
{
}
• SEC_UNLOCK The Unlock command prevents specified engine features from being locked when exiting the internal boot ROM.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
19
Generate i.MX RT bootable image
Table 18. Elements for CSF Unlock section generation
Element
Description
Unlock_Engine
Engine to unlock
Valid values: SRTC, CAAM, SNVS and OCOTP
Unlock_features
Comma-separated list of features to unlock
Valid engine feature corresponding to engine argument.
Unlock_UID
Device specific 64-bit UID
U0, U1, …, U7 with Ui=0...255
UID bytes separated by commas
An example section block is shown as follows:
section (SEC_UNLOCK;
Unlock_Engine = "OCOTP",
Unlock_features = "JTAG, SRK REVOKE",
Unlock_UID = "0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef")
{
}
4.1.4 BD file for memory programming
Typically, “load”, “enable”, and “erase” commands are the most commonly used commands in a BD file for memory programming.
1. “load” command: It can be used to load raw binary, srec file, elf file, hex string, etc. It also supports loading data to
external memory devices, for example:
• Load itcm_boot_image.bin > 0x8000; (Load data to ITCM)
• Load flexspi_nor_boot_image.bin > 0x60001000; (Load data to the memory mapped memory device)
• Load semc_nor_boot_image.bin > 0x80001000; (Load data to SEMC NOR, memory mapped memory device)
• Load spinand boot_image.bin > 0x04; (Load data to SPI NAND)
• Load sdcard boot_image.bin > 0x400; (Load data to the SD Card)
• Load mmccard boot_image.bin > 0x400; (Load data to eMMC)
• Load spieeprom boot_image.bin > 0x400; (Load data to SPI EEPROM/NOR)
• Load semcnand boot_image.bin > 0x400; (Load data to SLC raw NAND via SEMC)
• Load fuse 0x00000000 > 0x10; (Load data to the Fuse block)
2. “enable” command: It is used to configure external memory devices, for example:
• Enable flexspinor 0x1000
• Enable spinand 0x1000
• Enable sdcard 0x1000
• Enable mmccard 0x1000
• Enable spieeprom 0x1000
• Enable semcnor 0x1000
• Enable semcnand 0x1000
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
20
NXP Semiconductors
Generate unsigned normal i.MX RT bootable image
3. “erase” command: It is used to erase a memory range in the selected memory device. For example:
• Erase 0x60000000..0x60010000 (Erase 64 KB from FlexSPI NOR)
• Erase spinand 0x4..0x08 (Erase 4 blocks from SPI NAND)
• Erase sdcard 0x400..0x14000
• Erase mmccard 0x400..0x14000
• Erase spieeprom 0x400..0x14000
• Erase semcnand 0x400..0x14000
4.2 Generate unsigned normal i.MX RT bootable image
Typically, the unsigned bootable image is generated and programmed to the destination memory during the development phase.
The elftosb utility supports unsigned bootable image generation using options, BD file, and ELF/SREC file generated by toolchain.
Taking the Flashloader project as an example, here are the steps to create a bootable image for Flashloader.
Step 1: Create a BD file. For unsigned image creation, the “constants” block is optional, as shown below.
options {
flags = 0x00;
startAddress = 0x20000000;
ivtOffset = 0x400;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
section (0)
{
}
After the BD file is created, place it into the same folder that holds elftosb utility executable.
Step 2: Copy Flashloader.srec provided in the release package into the same folder that holds elftosb utility executable.
Step 3: Generate the Bootable image using elftosb utility.
Figure 2. Example command to generate unsigned boot image
Then, there are two bootable images generated by elftosb utility. The first one is ivt_flashloader_unsigned.bin. The memory
regions from 0 to ivt_offset are filled with padding bytes (all 0x00s).
The second one is ivt_flashloader_nopadding.bin, which starts from ivtdata directly without any padding before ivt.
4.3 Generate signed normal i.MX RT bootable image
To generate a signed bootable image using elftosb utility, perform the following steps:
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
21
Generate i.MX RT bootable image
Step 1: Create a BD file. The BD file can be as follows.
options {
flags = 0x08;
startAddress = 0x60000000;
ivtOffset = 0x1000;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER
SEC_CSF_INSTALL_SRK
SEC_CSF_INSTALL_CSFK
SEC_CSF_INSTALL_NOCAK
SEC_CSF_AUTHENTICATE_CSF
SEC_CSF_INSTALL_KEY
SEC_CSF_AUTHENTICATE_DATA
SEC_CSF_INSTALL_SECRET_KEY
SEC_CSF_DECRYPT_DATA
SEC_NOP
SEC_SET_MID
SEC_SET_ENGINE
SEC_INIT
SEC_UNLOCK
}
=
=
=
=
=
=
=
=
=
=
=
=
=
=
20;
21;
22;
23;
24;
25;
26;
27;
28;
29;
30;
31;
32;
33;
section (SEC_CSF_HEADER;
Header_Version="4.2",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
22
NXP Semiconductors
Generate encrypted normal i.MX RT bootable image
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_SET_ENGINE;
SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}
section (SEC_UNLOCK;
Unlock_Engine = "SNVS",
Unlock_features = "ZMK WRITE"
)
{
}
After the blank BD file is created, place it into the same folder that holds elftosb utility executable.
Step 2: Copy Flashloader.srec provided in the release package into the same folder that holds elftosb utility executable.
Step 3: Copy the “cst” executable, “crts” folder, and “keys” folder from “” to the same folder that holds elftosb
utility executable.
Step 4: Generate a bootable image using elftosb utility.
Figure 3. Example command to generate a signed boot image
Then, there are two bootable images generated by elftosb utility. The first one is ivt_flashloader_signed.bin. The memory regions
from 0 to ivt_offset is filled with padding bytes (all 0x00s). The second one is ivt_flashloader_signed_nopadding.bin, which starts
from ivt_offset directly. The CSF section is generated and appended to the unsigned bootable image successfully.
4.4 Generate encrypted normal i.MX RT bootable image
To generate an encrypted image, perform the following steps:
Step 1: Create a BD file.
options {
flags = 0x0c;
startAddress = 0x20000000;
ivtOffset = 0x400;
initialLoadSize = 0x2000;
}
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
23
Generate i.MX RT bootable image
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER
SEC_CSF_INSTALL_SRK
SEC_CSF_INSTALL_CSFK
SEC_CSF_INSTALL_NOCAK
SEC_CSF_AUTHENTICATE_CSF
SEC_CSF_INSTALL_KEY
SEC_CSF_AUTHENTICATE_DATA
SEC_CSF_INSTALL_SECRET_KEY
SEC_CSF_DECRYPT_DATA
SEC_NOP
SEC_SET_MID
SEC_SET_ENGINE
SEC_INIT
SEC_UNLOCK
}
=
=
=
=
=
=
=
=
=
=
=
=
=
=
20;
21;
22;
23;
24;
25;
26;
27;
28;
29;
30;
31;
32;
33;
section (SEC_CSF_HEADER;
Header_Version="4.3",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
24
NXP Semiconductors
Generate encrypted normal i.MX RT bootable image
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_CSF_INSTALL_SECRET_KEY;
SecretKey_Name="dek.bin",
SecretKey_Length=128,
SecretKey_VerifyIndex=0,
SecretKey_TargetIndex=0)
{
}
section (SEC_CSF_DECRYPT_DATA;
Decrypt_Engine="DCP",
Decrypt_EngineConfiguration="0", // "valid engine configuration values"
Decrypt_VerifyIndex=0,
Decrypt_MacBytes=16)
{
}
Step 2: Copy Flashloader.srec provided in the release package into the same folder that holds elftosb utility executable.
Step 3: Copy the “cst” executable, “crts” folder, and “keys” folder from “” to the same folder that holds elftosb
utility executable.
Step 4: Generate an encrypted bootable image using elftosb utility.
Figure 4. Example command to generate encrypt image
Then, there are two bootable images generated by elftosb utility. The first one is ivt_flashloader_encrypt.bin. The memory regions
from 0 to ivt_offset are filled with padding bytes (all 0x00s).
The Key Blob offset printed out in the example above is used in later section.
The second one is ivt_flashloader_encrypt_nopadding.bin, which starts from ivt_offset directly. The CSF section is generated and
appended to the unsigned bootable image successfully.
Step 5: Generate the KeyBlob section using Flashloader.
The encrypted image generated by elftosb utility is incomplete because the KeyBlob section must be generated on the SoC side
only.
There are two methods to generate the KeyBlob block:
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
25
Generate i.MX RT bootable image
• Generate KeyBlob using the “generate-key-blob ” command supported by Flashloader and blhost.
See Appendix for more details.
• Generate KeyBlob during manufacturing and use the KeyBlob option block. See Chapter 5 for more details.
4.5 Generate Plugin boot image
The plugin boot image generation process is similar as the one for normal boot image. The only difference is that the bit 4 in the
“flags” element within the “options” block must be set to 1, in other words, the valid flags value list for the plugin boot image is
{0x10, 0x18, 0x1c}.
An example BD file for plugin boot image generation is shown as follows.
options {
flags = 0x10;
startAddress = 0x60000000;
ivtOffset = 0x1000;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
section (0)
{
}
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
26
NXP Semiconductors
Generate SB file for FlexSPI NOR image programming
Chapter 5
Generate SB file for bootable image programming
To make the manufacturing process easier, all the commands supported by Flashloader and bootable image, can be wrapped
into a single SB file. Even if there are any changes in the application, MfgTool still uses this SB file to manufacture. The SB file
can be updated separately without updating scripts for MfgTool use.
In this section, a bootable image will be created using the method introduced in former chapter. Then corresponding SB file is
generated using the bootable image. The corresponding BD file is prepared first to generate SB file for bootable image.
5.1 Generate SB file for FlexSPI NOR image programming
5.1.1 Generate Normal Bootable Image
For example, in RT1050, the FlexSPI NOR memory starts from address 0x6000_0000 and IVT from offset 0x1000. After following
the steps in section 4.2, Generate unsigned normal i.MX RT bootable image, and BD file generation, here is the usage of elftosb
utility to create bootable image for FlexSPI NOR. All the BD files are provided in the release package. The figure below refers to
the example command to generate signed image.
Figure 5. Example command to generate signed FlexSPI boot image
After running above command, a file with suffix “_nopadding.bin” is programed into destination memory via subsequent SB file
based on this binary.
5.1.2 Generate SB file for plaintext FlexSPI NOR image
programming
Usually, a BD file for FlexSPI NOR boot consists of 7 parts.
1. The bootable image file path is provided in sources block
2. The FlexSPI NOR Configuration Option block is provided in section block
3. To enable FlexSPI NOR access, the “enable” command must be provided following above option block.
4. In case the Flash device is not erased, an “erase” command is required before programming data to Flash device. The
erase operation is time consuming and is not required for a blank Flash device (factory setting) during Manufacturing.
5. The FlexSPI NOR Configuration Block (FNORCB) is required for FlexSPI NOR boot. To program the FNORCB
generated by FlexSPI NOR Configuration Option block, a special magic number ‘0xF000000F” must load into RAM first
6. To notify the Flashloader to program the FNORCB, an “enable” command must be used following the magic number
loading
7. After above operation, Flashloader can program the bootable image binary into Serial NOR Flash through FlexSPI
module using load command
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
27
Generate SB file for bootable image programming
A simple example containing the above steps is shown in the figure below.
Figure 6. Example BD file for FlexSPI NOR programming
Here is an example to generate SB file using elftosb utility, ivt_flexspi_nor_xip.bin and BD file shown in figure below.
Figure 7. Example command to generate SB file for FlexSPI NOR programming
After above command, a file named boot_image.sb will be created in the same folder that holds elftosb utility executable.
5.1.3 Generate SB file for FlexSPI NOR Image encryption and
programming
Usually, a BD file for FlexSPI NOR image encryption and programming consists of 7 parts.
1. The bootable image file path is provided in sources block
2. Enable FlexSPI NOR access using FlexSPI NOR Configuration Option block
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
28
NXP Semiconductors
Generate SB file for FlexSPI NAND image programming
3. Erase the Flash device if it is not blank. The erase operation is time consuming and is not required for a blank Flash
device (factory setting) during Manufacturing.
4. Enable image encryption using PRDB option block
5. Program FNORCB using magic number
6. Program boot image binary into Serial NOR via FlexSPI module
7. Enable Encrypted XIP fuse bits.
Figure 8. Example BD file for encrypted FlexSPI NOR image generation and programming
The steps to generate SB file is the same as above section.
5.2 Generate SB file for FlexSPI NAND image programming
For FlexSPI NAND boot, the IVT offset is always 0x400. However, to reduce effort in calculating the start address for each firmware
region, the Flashloader supports programming the FlexSPI NAND boot image to corresponding firmware region in block
granularity. So, the bootable image without “_nopadding” suffix will be used.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
29
Generate SB file for bootable image programming
5.2.1 Generate SB file for FlexSPI NAND image programming
In general, a BD file for FlexSPI NAND image programming consists of 4 parts.
1. The bootable image file path is provided in sources block
2. Enable FlexSPI NAND access using FlexSPI NAND Configuration Option block
3. Erase SPI NAND device as needed
4. Program boot image binary into Serial NAND via FlexSPI module
Figure 9. Example BD file for FlexSPI NAND image programming
5.2.2 Generate SB file for encrypted FlexSPI NAND Image and
KeyBlob programming
Generally, the BD file for FlexSPI NAND image programming with KeyBlob consists of 7 parts.
1. The bootable image file path is provided in sources block
2. Enable FlexSPI NAND access using FlexSPI NAND Configuration Option block
3. Erase SPI NAND device as needed
4. Program boot image binary into Serial NAND via FlexSPI module
5. Update KeyBlob information using KeyBlob Option block
6. Program KeyBlob block into SPI NAND for firmware 0
7. Program KeyBlob block into SPI NAND for firmware 1
An example BD file is shown in the figure below.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
30
NXP Semiconductors
Generate SB file for SD image programming
Figure 10. Example BD file for encrypted FlexSPI NAND image and KeyBlob programming
5.3 Generate SB file for SD image programming
The SD image always starts at offset 0x400. The i.MX RT boot image generated by elftosb utility with “_nopadding.bin” will be
used for programming.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
31
Generate SB file for bootable image programming
5.3.1 Steps to Generate SB file for SD image programming
In general, there are six steps in the BD file to program the bootable image to SD card.
1. The bootable image file path is provided in sources block
2. Prepare SDCard option block
3. Enable SDCard access using enable command
4. Erase SD card memory as needed
5. Program boot image binary into SD card
6. Program optimal SD boot parameters into Fuse (optional, remove it if it is not required in actual project)
An example is shown in the figure below.
Figure 11. Example BD file for SD boot image programming
The steps to generate SB file for encrypted SD boot image and KeyBlob programming is similar to FlexSPI NAND. See example
below for more details.
# The source block assign file name to identifiers
sources {
myBootImageFile = extern (0);
dekFile = extern (1);
}
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
#1. Prepare SDCard option block
load 0xd0000000 > 0x100;
load 0x00000000 > 0x104;
#2. Configure SDCard
enable sdcard 0x100;
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
32
NXP Semiconductors
Generate SB file for eMMC image programming
#3. Erase blocks as needed.
erase sdcard 0x400..0x14000;
#4. Program SDCard Image
load sdcard myBootImageFile > 0x400;
#5. Generate KeyBlob and program it to SD Card
# Load DEK to RAM
load dekFile > 0x10100;
# Construct KeyBlob Option
#--------------------------------------------------------------------------# bit [31:28] tag, fixed to 0x0b
# bit [27:24] type, 0 - Update KeyBlob context, 1 Program Keyblob to SPI NAND
# bit [23:20] keyblob option block size, must equal to 3 if type =0,
#
reserved if type = 1
# bit [19:08] Reserved
# bit [07:04] DEK size, 0-128bit 1-192bit 2-256 bit, only applicable if type=0
# bit [03:00] Firmware Index, only applicable if type = 1
# if type = 0, next words indicate the address that holds dek
#
the 3rd word
#---------------------------------------------------------------------------# tag = 0x0b, type=0, block size=3, DEK size=128bit
load 0xb0300000 > 0x10200;
# dek address = 0x10100
load 0x00010100 > 0x10204;
# keyblob offset in boot image
# Note: this is only an example bd file, the value must be replaced with actual
#
value in users project
load 0x00004000 > 0x10208;
enable sdcard 0x10200;
#6. Program KeyBlob to firmware0 region
load 0xb1000000 > 0x10300;
enable sdcard 0x10300;
#7. Program Efuse for optimal read performance (optional)
#load fuse 0x00000000 > 0x07;
}
5.4 Generate SB file for eMMC image programming
The eMMC image always starts at offset 0x400. The i.MX RT boot image generated by elftosb utility with “_nopadding.bin” will
be used for programming.
There are two types of eMMC boot mode: Normal boot and Fast boot
5.4.1 Normal mode
There are 6 steps in the BD file to program the bootable image to eMMC for normal boot mode.
1. The bootable image file path is provided in sources block
2. Prepare eMMC option block
3. Enable eMMC access using enable command
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
33
Generate SB file for bootable image programming
4. Erase eMMC card memory as needed
5. Program boot image binary into eMMC
6. Program optimal eMMC boot parameters into Fuse (optional, remove it if it is not required in actual project).
Figure 12. Example BD file for eMMC boot image programming for Normal boot mode
5.4.2 Fast Mode
There are nine steps in the BD file to program the bootable image to eMMC for Fast boot mode.
1. The bootable image file path is provided in “sources” block
2. Prepare eMMC option block and enable eMMC access using “enable” command
3. Erase eMMC card memory as needed.
4. Program boot image binary into eMMC
5. Program optimal eMMC boot parameters into Fuse (optional, remove it if it is not required in actual project).
6. Prepare 2nd eMMC option block
7. Re-enable eMMC access using new option block
8. Erase data in User Data area as required
9. Load User Data file to User Data area
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
34
NXP Semiconductors
Generate SB file for Serial NOR/EEPROM image programming
Figure 13. Example BD file for eMMC boot image programming for Fast boot mode
The BD file for encrypted eMMC boot image and KeyBlob programming is similar to SD.
5.5 Generate SB file for Serial NOR/EEPROM image
programming
There are five steps in the BD file to program the bootable image to SD card.
1. The bootable image file path is provided in sources block
2. Prepare Serial NOR/EEPROM option block and enable Serial NOR/EEPROM access using enable command.
3. Erase Serial NOR/EEPROM memory as required
4. Program boot image binary into Serial NOR/EEPROM device
5. Enable Recovery Boot via Serial NOR/EEPROM as required
An example is shown the figure below.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
35
Generate SB file for bootable image programming
Figure 14. Example BD file for Serial NOR/EEPROM boot image programming
The BD file for encrypted SPI EEPRM/NOR boot image and KeyBlob programming is similar to SD.
5.6 Generate SB file for SEMC NOR image programming
In general, there are 5 steps in the BD file to program the bootable image to SD card.
1. The bootable image file path is provided in sources block
2. Prepare SEMC NOR option block and SEMC NOR access using enable command.
3. Erase SEMC NOR memory as required
4. Program boot image binary into SEMC NOR device
5. Program optimal SEMC NOR access parameters to Fuse as required
An example BD file is shown in the figure below.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
36
NXP Semiconductors
Generate SB file for SEMC NAND image programming
Figure 15. Example BD file for SEMC NOR boot image programming
5.7 Generate SB file for SEMC NAND image programming
There are 5 steps in the BD file to program the bootable image to SD card.
1. The bootable image file path is provided in sources block
2. Prepare SEMC NAND FCB option block and SEMC NAND access using enable command
3. Erase SEMC NAND memory as required
4. Program boot image binary into SEMC NAND device
5. Program optimal SEMC NAND access parameters to Fuse as required
An example is shown in figure below.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
37
Generate SB file for bootable image programming
Figure 16. Example BD file for SEMC NAND boot image programming
5.8 Generate SB file for fuse program
In certain cases, the fuse must be programmed first to enable specific features for selected boot devices or security levels. For
example, to enable Fast boot mode for eMMC, enable HAB closed mode, the fuse must be programmed first.
The elftosb utility can support programming Fuse using built-in supported “load fuse” command, an example to program SRK
table and enable HAB closed mode is shown as follows.
# The source block assign file name to identifiers
sources {
}
constants {
}
section (0) {
# Program
load fuse
load fuse
load fuse
SRK table
0xD132E7F1 > 0x18;
0x63CD795E > 0x19;
0x8FF38102 > 0x1A;
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
38
NXP Semiconductors
Generate SB file for fuse program
load
load
load
load
load
fuse
fuse
fuse
fuse
fuse
0x22A78E77
0x01019c82
0xFC3AC699
0xF2C327A3
0xDAC9214E
>
>
>
>
>
0x1B;
0x1C;
0x1D;
0x1E;
0x1F;
# Program SEC_CONFIG to enable HAB closed mode
load fuse 0x00000002 > 0x06;
}
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
39
Program bootable image
Chapter 6
Program bootable image
Bootable image programming is supported by MfgTool only.
6.1 MfgTool
The MfgTool supports i.MX RT Boot ROM and MCUBOOT-based Flashloader. It can be used in factory production environment.
The MfgTool can detect i.MX RT Boot ROM devices connected to PC and invokes “blhost” to program the image on target memory
devices connected to i.MX RT device.
The template of MfgTool configuration profile is provided along with this document. It is applicable to most use cases without any
modifications.
6.1.1 MfgTool Directory structure
Figure 17. MfgTool organization
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
40
NXP Semiconductors
MfgTool
1. In the release package, the mfgtools-rel folder appears in the tools folder along with blhost folder
2. The blhost.exe appears in the blhost/win folder and the MfgTools executable “MfgTool2.exe”
3. The Profiles folder contains the profile for the supported devices that include an “OS Firmware” folder and player.ini file
4. The ucl2.xml file in the OS Firmware folder is the main XML that MfgTool processes. It contains the flow of the manufacturing
process for the device. The process includes identification parameters for the device and blhost commands parameter to
identify the device connected to the PC host and a set of blhost commands required for updating the image. The ucl2.xml
file can be customized to suit custom setup or manufacturing process flow. The folder contains an example xml files for
user’s reference. An example ucl2.xml is shown below. In general, it defines the supported states and lists
Figure 18. Example UCL2.xml settings
5. The “ivt_flashloader.bin” file under the “OS firmware” is the Flashloader released to support image programming
6. The “ivt_flashloader_signed.bin” file under the “OS firmware” is the bootable Flashloader image file generated by users for
SecureBoot solution in production phase, it can be generated by following section 4.3
7. The “boot_image.sb” file under the “OS firmware” is the wrapped file with command sequences and bootable images
generated using elftosb utility by users
8. The “enable_hab.sb” file under the “OS firmware” is the wrapped file with command sequences that programs Fuses to
enable HAB closed mode, which is generated using elftosb utility by users
9. The play.ini in the “Device” profile folder contains configurable parameters for the manufacturing tool application
10. The cfg.ini and UICfg.ini files provide customizable parameters for the look and feel of the tool’s GUI. The cfg.ini in tool’s
GUI is used to select “chip”, “platform” and “name” in list. Refer to the example below
NOTE
Select appropriate “chip” from Device list, “name” from list in ucl2.xml in Device/OS Firmware folder.
[profiles]
chip = MXRT105X
[platform]
board =
[LIST]
name = MXRT105X-DevBoot
11. UlCfg.ini is used to select the number of instances supported by MfgTool UI. The valid instance range is 1-4
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
41
Program bootable image
12. The MfgTool.log text file is a useful tool to debug failures reported on MfgTool UI. The MfgTool logs the entire command
line string which was used to invoke blhost and collects the output response text the blhost puts out on stdout into the
MfgTool log file. The log file should be the considered first while troubleshooting
6.1.2 Preparation before image programming using MfgTool
See Chapter 4, Generate i.MX RT bootable image and Chapter 5, Generate SB file for bootable image programming for more
details.
6.2 Connect to the i.MX RT Platform
The i.MX RT platform can be connected to a host computer to interface with the i.MX RT Boot ROM application. After the platform
is connected in serial downloader mode, use the MfgTool to program bootable image into the target flash memory. If the connection
establishes successfully and the cfg.ini, UlCfg.ini are configured appropriately, the device will be recognized by MfgTool figure
below.
Figure 19. MfgTool GUI with device connected
6.3 Program bootable image during development
In development phase, the device may be in HAB open mode for most use cases. Users can configure the “name” field in cfg.ini
file as -DevBoot, then prepare the boot_image.sb file using elftosb utility. After the “boot_image.sb” is generated, place
it into “/OS Firmware/” folder. Then put device into serial downloader mode and connect it to host PC. After opening the
MfgTool.exe and click “Start” to trigger a programming sequence. When the programming completes, the window shown in figure
below appears. To exit MfgTool, click “Stop” and “Exit” in turn.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
42
NXP Semiconductors
Program bootable image for production
Figure 20. Successful result for programming with MfgTool for DevBoot
6.4 Program bootable image for production
In production phase, the device can be in HAB closed mode for most use cases. Users can configure the “name” field in cfg.ini
file as -SecureBoot, then prepare the boot_image.sb file, enable_hab.sb and ivt_flashloader_signed.bin using elftosb
utility. After all are generated, place them into “/OS Firmware/” folder, then put device in serial downloader, connect it to
host PC. Open MfgTool.exe and click “Start” to trigger a programming sequence. After the programming completes, the below
window will be seen. To exit MfgTool, click “Stop” and “Exit” in turn.
Figure 21. Successful result for programming with MfgTool for SecureBoot
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
43
Appendix
Chapter 7
Appendix
7.1 Plugin boot application
The plugin boot application is usually used to enable boot features that are not natively supported by Boot ROM, for example,
• Boot from USB disk
• Boot from Ethernet,
• DDR/SDRAM configuration
• Redundant boot/reliable boot
The prototype of plugin boot application is:
bool (*plugin_download)(void **start, size_t *bytes, uint32_t *ivt_offset);
7.1.1 Principles for Plugin boot application design
The Boot ROM needs to jump between Plugin boot image and the normal boot image that is loaded by the plugin boot application.
To avoid any impact on the ROM boot flow, here are some recommended principles for plugin boot application design.
1. The plugin boot application must not use the memory that is currently reserved for ROM use
2. The plugin boot application should use minimum stack spaces to avoid the possibility of stack overflow caused by plugin
boot application
3. The plugin boot application must consider Watchdog service, if the WDOG enable bit is enabled in the Fuse block
7.1.2 Boot Flow of Plugin boot application
The boot flow for Plugin boot application is as follows
1. Boot ROM loads the XIP plugin boot image, does authentication and execution and then jump to plugin boot application
2. The plugin boot application loads the signed Non-XIP image from address 0x60008000 and jumps back to Boot ROM
3. Boot ROM does authentication/decryption based on the parameters output by plugin boot application and jumps to the
non-XIP boot image after authenticating successfully
7.1.3 Example Plugin boot application to enable non-XIP boot on
FlexSPI NOR
The Non-XIP boot case is not natively supported by some i.MX RT Boot ROM devices. In this case, a simple plugin boot image
can be created to enable non-XIP boot case for these boot devices.
The basic flow of how Plugin boot works is as follows:
Here are the example codes for plugin boot application for RT10xx FlexSPI NOR boot.
#define BOOT_IMAGE_LOAD_BASE 0x60008000
enum
{
kTag_HAB_IVT = 0xd1,
};
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
44
NXP Semiconductors
Plugin boot application
typedef struct _hab_hdr
{
uint8_t tag;
uint8_t len[2];
uint8_t version;
} hab_hdr_t;
typedef struct _hab_ivt
{
hab_hdr_t hdr;
uint32_t entry;
uint32_t reserved1;
uint32_t dcd;
uint32_t boot_data;
uint32_t self;
uint32_t csf;
uint32_t reserved2;
} hab_ivt_t;
//!@brief Boot data structure
typedef struct _boot_data
{
uint32_t start;
uint32_t length;
uint32_t plugin;
uint32_t reserved;
} boot_data_t;
//!@brief Boot Image header, including both IVT and BOOT_DATA
typedef struct _boot_image_hdr
{
hab_ivt_t ivt;
boot_data_t boot_data;
} boot_image_hdr_t;
/*!@brief Plugin Download function
*
* This function is used to copy non-xip boot image from Flash to RAM
*
*/
bool plugin_download(void **start, size_t *bytes, uint32_t *ivt_offset)
{
bool result = false;
const boot_image_hdr_t *boot_hdr;
//Search IVT
uint32_t ivt_offset_list[3] = {0, 0x400, 0x1000};
uint32_t search_index = 0;
while (search_index < sizeof(ivt_offset_list) / sizeof(ivt_offset_list[0]))
{
boot_hdr = (const boot_image_hdr_t *)(ivt_offset_list[search_index] +
BOOT_IMAGE_LOAD_BASE);
if (boot_hdr->ivt.hdr.tag != kTag_HAB_IVT)
{
search_index++;
continue;
}
*start = (void *)boot_hdr->boot_data.start;
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
45
Appendix
*bytes = boot_hdr->boot_data.length;
*ivt_offset = boot_hdr->ivt.self - boot_hdr->boot_data.start;
uint32_t *dst = (uint32_t *)boot_hdr->boot_data.start;
uint32_t *src = (uint32_t *)((uint32_t)boot_hdr - *ivt_offset);
size_t remaining_length = ((*byte + 3) & ~0x03) / 4;
while (remaining_length--)
{
*dst++ = *src++;
}
result = true;
break;
}
return result;
}
7.1.4 Images loaded by plugin boot application
The image loaded by Plugin boot application can be either XIP image or the non-XIP image. Refer to Chapter 4, Generate i.MX
RT bootable image for more details.
7.2 Example of complete manufacturing flow
Taking a pre-compiled led-demo as an example, a quick start guide is provided in this section to demonstrate the complete
manufacturing flow for FlexSPI NOR boot based on RT1050-EVK board.
7.2.1 Manufacturing process in Development phase
In development phase, mostly the image is unsigned and it is mainly for functional test.
7.2.1.1 Create i.MX RT bootable image
Following Chapter 4, based on the memory map assigned for RT105x SoC, here are the steps to generate i.MX RT bootable
image using elftosb utility.
1. Generate the BD file for boot image generation. The BD file content is showed as follows.
options {
flags = 0x00;
startAddress = 0x60000000;
ivtOffset = 0x1000;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
section (0)
{
}
2. Generate the i.MX RT bootable image using elftosb utility.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
46
NXP Semiconductors
Example of complete manufacturing flow
Here is the example command:
Figure 22. Example command to generate FlexSPI NOR boot image
• ivt_flexspi_nor_xip.bin
• ivt_flexspi_nor_xip_nopadding.bin
The ivt_flexspi_nor_xip_nopadding.bin will be used to generate SB file for HyperFlash programming in subsequent section.
7.2.1.2 Create SB file for HyperFlash programming
An example to generate the SB file for HyperFlash programming for RT1050-EVKB board is shown as follows.
# The source block assign file name to identifiers
sources {
myBinFile = extern (0);
}
constants {
kAbsAddr_Start= 0x60000000;
kAbsAddr_Ivt = 0x60001000;
kAbsAddr_App = 0x60002000;
}
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
#1. Prepare Flash option
# 0xc0233007 is the tag for Serial NOR parameter selection
# bit [31:28] Tag fixed to 0x0C
# bit [27:24] Option size fixed to 0
# bit [23:20] Flash type option
#
0 - QuadSPI SDR NOR
#
1 - QUadSPI DDR NOR
#
2 - HyperFLASH 1V8
#
3 - HyperFLASH 3V
#
4 - Macronix Octal DDR
#
6 - Micron Octal DDR
#
8 - Adesto EcoXIP DDR
# bit [19:16] Query pads (Pads used for query Flash Parameters)
#
0 - 1
#
2 - 4
#
3 - 8
# bit [15:12] CMD pads (Pads used for command)
#
0 - 1
#
2 - 4
#
3 - 8
# bit [11: 08] fixed to 0
# bit [07: 04] fixed to 0
# bit [03: 00] Flash Frequency, device specific
#
# In this example, the 0xc0233007 represents:
#
HyperFLASH 1V8, Query pads: 8 pads, Cmd pads: 8 pads, Frequency: 133MHz
load 0xc0233007 > 0x2000;
# Configure HyperFLASH using option a address 0x2000
enable flexspinor 0x2000;
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
47
Appendix
#2 Erase flash as needed.(Here only 1MBytes are erased)
erase 0x60000000..0x60100000;
#3. Program config block
# 0xf000000f is the tag to notify Flashloader to program FlexSPI NOR config block to the start of
device
load 0xf000000f > 0x3000;
# Notify Flashloader to response the option at address 0x3000
enable flexspinor 0x3000;
#5. Program image
load myBinFile > kAbsAddr_Ivt;
}
After the BD file is ready, the next step is to generate the boot_image.sb file that is for MfgTool use later. Here is the example
command:
Figure 23. Example command to generate SB file for FlexSPI NOR programming
After performing above command, the boot_image.sb is generated in elftosb utility folder.
7.2.1.3 Program Image to Flash using MfgTool
Use the following steps to program a boot image into a flash device
1. Copy the boot_image.sb file to “/Profiles/device_name/OS Firmware” folder
2. Change the “name” under “[List]” to MXRT105x-SecureBoot in cfg.ini file in folder
3. Put the device_name-EVK board to Serial Downloader mode by setting SW7 to “1-OFF, 2-ON, 3-OFF, 4-ON”
4. Power up device_name-EVK board and insert USB cable to J9
5. Open MfgTool, it will show as the detected device like the one shown in Figure 19 .
6. Click “Start”, MfgTool will do manufacturing process. After completion, it will show the status as success as shown in
Figure 20. Click “Stop” and close the MfgTool
7. Put the device_name-EVK board to internal boot mode and select HyperFlash as boot device by setting SW7 to “1-OFF,
2-ON, 3-ON, 4-OFF”. Then reset the device to start running application.
7.2.2 Manufacturing process in Production phase
In production phase, the image requires to be signed and even encrypted. In this case, the device must be configured to HAB
closed mode.
Assuming the PKI tree is ready for cst use, copy “ca”, “crts”, and “keys” folder and cst executable to the folder that holds elftosb
utility executable, as shown below
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
48
NXP Semiconductors
Example of complete manufacturing flow
Figure 24. Copy required key and certs for signed image generation
7.2.2.1 Generate signed i.MX RT bootable image
To generate a bootable image for a specific memory, users need to know the memory map of i.MX RT device SoC. Details of
generating bootable image can be found in Chapter 4. Here are the steps to generate signed i.MX RT bootable image using elftosb
utility.
1. Generate the BD file for boot image generation. The BD file content is showed in figure below. It is also available in the
release package in “/middleware/mcu-boot/bin/Tools/bd_file/imxrt10xx” folder.
options {
flags = 0x08;
startAddress = 0x0000000;
ivtOffset = 0x1000;
initialLoadSize = 0x2000;
//DCDFilePath = "dcd.bin";
# Note: This is required if the cst and elftsb are not in the same folder
//cstFolderPath = "path/CSTFolder";
# Note: This is required if the default entrypoint is not the Reset_Handler
# Please set the entryPointAddress to base address of Vector table
//entryPointAddress = 0x0002000;
}
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_INSTALL_NOCAK = 23;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
SEC_NOP = 29;
SEC_SET_MID = 30;
SEC_SET_ENGINE = 31;
SEC_INIT = 32;
SEC_UNLOCK = 33;
}
section (SEC_CSF_HEADER;
Header_Version="4.2",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
49
Appendix
Header_SignatureFormat="CMS")
{
}
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0)
{
}
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509") // "x509"
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_SET_ENGINE;
SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}
section (SEC_UNLOCK;
Unlock_Engine = "SNVS, OCOTP", // "SRTC", "CAAM", SNVS and OCOTP
Unlock_features = "ZMK WRITE, SRK REVOKE")
{
}
2. Generate the i.MX RT bootable image using elftosb utility file.
Here is the example command:
After above command, two bootable images are generated:
• ivt_flexspi_nor_xip_signed.bin
• ivt_flexspi_nor_xip_signed_nopadding.bin
The ivt_flexspi_nor_xip_signed_nopadding.bin will be used to generate SB file for HyperFlash programming in subsequent
section.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
50
NXP Semiconductors
Example of complete manufacturing flow
7.2.2.2 Create SB file for Fuse programming
In the keys folder, there is a file named “SRK_1_2_3_4_fuse.bin”. This is the HASH table for SRK authentication during boot. It
must be programmed to fuses to enable secure boot mode.
Below is an example file
Figure 25. Example SRK_1_2_3_4_fuse.bin file
Below is an example BD file which shows the procedure to program fuses. The fuse field is a 32-bit long word data. It will be
programmed into fuses by Flashloader in little-endian mode.
# The source block assign file name to identifiers
sources {
}
constants {
}
# The section block specifies the sequence of boot commands to be written to the SB file
# Note: this is just a template, please update it to actual values in users' project
section (0) {
# Program
load fuse
load fuse
load fuse
load fuse
load fuse
load fuse
load fuse
load fuse
SRK table
0xD132E7F1
0x63CD795E
0x8FF38102
0x22A78E77
0x01019c82
0xFC3AC699
0xF2C327A3
0xDAC9214E
>
>
>
>
>
>
>
>
0x18;
0x19;
0x1A;
0x1B;
0x1C;
0x1D;
0x1E;
0x1F;
# Program SEC_CONFIG to enable HAB closed mode
load fuse 0x00000002 > 0x06;
}
The last command in above BD file is used to enable HAB closed mode by setting SEC_CONFIG [1] bit in the fuse to 1.
After BD file is ready, the next step is to create SB file for Fuse programming to enable HAB closed mode.
An example command is shown below:
Figure 26. Example command to generate SB file for Fuse programming
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
51
Appendix
After the command “enable_hab.bd -o enable_hab.sb” in Figure above is executed, a file named “enable_hab.sb” gets generated.
It is required in MfgTool for SecureBoot solution.
7.2.2.3 Create SB file for Image encryption and programming for
Hyper Flash
Following chapter 5, here is an example to generate the SB file for image encryption and programming on HyperFlash for RT1050EVK board.
Refer to the BD file in Section 5.1.3, Generate SB file for FlexSPI NOR Image encryption and programming.
After the BD file is ready, the next step is to generate the SB file. Refer below for an example command.
Figure 27. Example command to generate SB file for FlexSPI NOR image encryption and programming
After the command “program_flexspinor_image_hyperflash_encrypt.bd -o boot_image.sb
ivt_flexspi_nor_xip_signed_nopadding.bin” in Figure above , a file named “boot_image.sb” is generated in the folder that contains
elftosb utility executable.
7.2.2.4 Create signed Flashloader image
The BD file for signed Flashloader image generation is similar as the one in section Generate signed i.MX bootable image
The only difference is that the startAddress is 0x20000000 and IVTOffset is 0x400.
After the BD file is ready, the next step is to generate i.MX boot image using elftosb utility. The example command is as below:
Figure 28. Example command for Signed Flashloader image generation
After the command “imx-dtcm-signed.bd -o ivt_flashloader_signed.bin flashloader.srec” in Figure above , two bootable images
are generated:
• ivt_flashloader_signed.bin
• ivt_flashloader_signed_nopadding.bin
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
52
NXP Semiconductors
Generate KeyBlob manually
The first one is required by MfgTool for Secure Boot.
7.2.2.5 Program Image to Flash using MfgTool
Here are the steps to program boot image into Flash device
1. Copy the boot_image.sb file, ivt_flashloader_signed.bin and enable_hab.sb to “/Profiles/
device_name/OS Firmware” folder
2. Change the “name” under “[List]” to device_name-SecureBoot in cfg.ini file in folder
3. Put the device_name-EVK board to Serial Downloader mode by setting SW7 to “1-OFF, 2-ON, 3-OFF, 4-ON”
4. Power up device_name-EVK board, and insert USB cable to J9
5. Open MfgTool, it will show the detected device like the one shown in Figure 19 .
6. Click “Start”, MfgTool will do manufacturing process and after completion, it will show the status as success as shown in
Figure 20 . Click “Stop” and close the MfgTool
7. Put the device_name-EVK board to internal boot mode and select HyperFlash as boot device by setting SW7 to “1-OFF,
2-ON, 3-ON, 4-OFF”. Then reset the device to start running the application.
7.3 Generate KeyBlob manually
Users may need to generate the Keyblob manually in some cases. Flashloader supports such usage with blhost.
The KeyBlob must be generated when the device works under HAB closed mode with signed Flashloader application.
Assuming the dek.bin is ready (generated by elftosb utility during encrypted image generation). Here is an example command to
generate KeyBlob block.
Figure 29. Generate KeyBlob using Flashloader
After the command, “blhost.exe -u –generate-key-blob dek.bin keyblob.bin” in figure below is executed, a “keyblob.bin” file gets
generated.
Figure 30. Example KeyBlob
With the encrypted image generated by elftosb utility and keyblob.bin generated by flashloader, it is also feasible to combine the
encrypted image and keyblob.bin. Then create a complete encrypted boot image with a Hex Editor. In this example, the KeyBlob
offset is 0x18000 in the boot image.
Figure below is an example piece of encrypted image combined by Hex Editor.
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
53
Appendix
Figure 31. Create complete encrypted image using Hex editor
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
54
NXP Semiconductors
Chapter 8
Revision history
Table 19 summarizes the changes done to this document since the initial release.
Table 19. Revision history
Revision number
Date
Substantial changes
0
10/2017
Initial release
1
05/2018
MCU Bootloader v2.5.0 release
2
09/2018
MCU Bootloader v2.6.0 release
3
11/2018
MCU Bootloader v2.7.0 release
i.MX RT1050 Manufacturing User's Guide, Rev. 3, December 2018
NXP Semiconductors
55
How To Reach Us
Home Page:
nxp.com
Information in this document is provided solely to enable system and software implementers to
use NXP products. There are no express or implied copyright licenses granted hereunder to
design or fabricate any integrated circuits based on the information in this document. NXP
reserves the right to make changes without further notice to any products herein.
Web Support:
NXP makes no warranty, representation, or guarantee regarding the suitability of its products for
nxp.com/support
any particular purpose, nor does NXP assume any liability arising out of the application or use
of any product or circuit, and specifically disclaims any and all liability, including without limitation
consequential or incidental damages. “Typical” parameters that may be provided in NXP data
sheets and/or specifications can and do vary in different applications, and actual performance
may vary over time. All operating parameters, including “typicals,” must be validated for each
customer application by customer's technical experts. NXP does not convey any license under
its patent rights nor the rights of others. NXP sells products pursuant to standard terms and
conditions of sale, which can be found at the following address: nxp.com/
SalesTermsandConditions.
NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, COOLFLUX,
EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE
CLASSIC, MIFARE DESFire, MIFARE PLUS, MIFARE FLEX, MANTIS, MIFARE ULTRALIGHT,
MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET,
TRENCHMOS, UCODE, Freescale, the Freescale logo, AltiVec, C‑5, CodeTEST, CodeWarrior,
ColdFire, ColdFire+, C‑Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV,
mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Ready Play,
SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit,
BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine, SMARTMOS, Tower,
TurboLink, and UMEMS are trademarks of NXP B.V. All other product or service names are the
property of their respective owners. Arm, AMBA, Arm Powered, Artisan, Cortex, Jazelle, Keil,
SecurCore, Thumb, TrustZone, and μVision are registered trademarks of Arm Limited (or its
subsidiaries) in the EU and/or elsewhere. Arm7, Arm9, Arm11, big.LITTLE, CoreLink, CoreSight,
DesignStart, Mali, Mbed, NEON, POP, Sensinode, Socrates, ULINK and Versatile are trademarks
of Arm Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Oracle and
Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and
Power.org word marks and the Power and Power.org logos and related marks are trademarks
and service marks licensed by Power.org.
Ⓒ 2018 NXP B.V.
©
NXP B.V. 2018.
All rights reserved.
For more information, please visit: http://www.nxp.com
For sales office addresses, please send an email to: salesaddresses@nxp.com
Date of release: December 2018
Document identifier: IMXMCUMFUUG
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : No Create Date : 2018:11:29 10:14:54-08:00 Keywords : IMXMCUMFUUG Modify Date : 2018:11:29 15:00:06-06:00 Language : EN XMP Toolkit : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03 Creator Tool : AH XSL Formatter V6.2 MR6 for Windows (x64) : 6.2.8.19325 (2015/01/06 12:40JST) Metadata Date : 2018:11:29 15:00:06-06:00 Producer : Antenna House PDF Output Library 6.2.640 (Windows (x64)) Trapped : False Format : application/pdf Title : i.MX RT1050 Manufacturing User's Guide Description : This document describes the generation of bootable image for i.MX RT devices. It also explains the process to interface i.MX RT..Boot ROM and MCUBOOT-based Flashloader and to program a bootable image into the external flash including:..• QuadSPI NOR/Octal Flash / HyperFlash..• Serial NAND..• eMMC..• SD..• Parallel NOR..• SLC raw NAND..• SPI NOR/EEPROM..The i.MX RT Boot ROM resides in the ROM and enables RAM loading. The Flashloader is loaded into SRAM and facilitates..loading of boot images from boot devices into RAM. It also authenticates and executes the boot image...This document introduces the Flashloader, a companion tool to i.MX RT Boot ROM, and a complete solution for programming..boot images to bootable devices. The Flashloader runs in SRAM so it should be downloaded to SRAM typically via ROM serial..download interface. The Flashloader prepares and configures the devices for boot. It creates boot configuration structure on the..bootable media, assists in programming encrypted images, generates key blobs, and communicates with master on serial..peripherals like USB and UART using MCUBOOT commands interface protocol in downloading boot images...It also introduces the elftosb utility. The elftosb utility converts an elf images to signed, encrypted, and bootable image for i.MX..RT devices. It also creates all the boot structures like image vector table, boot data, etc. It generates the input command sequence..file required to code sign or encrypt the image using the NXP signing tool (cst). It also calls the cst to generate the signatures and..packs it as a boot image acceptable by boot ROM...The document describes the usage of MfgTool.exe (Manufacturing Tool) in a manufacturing environment for production of devices..(programming boot images on the bootable media using all the available tools). Creator : Subject : IMXMCUMFUUG Document ID : uuid:18678aa9-142f-4645-b6af-662093e9ff34 Instance ID : uuid:1d280bb6-6473-411d-b32a-0aa16370bba1 Page Mode : UseOutlines Page Count : 56 Warning : [Minor] Ignored duplicate Info dictionaryEXIF Metadata provided by EXIF.tools