# Working with SEC

MCUXpresso Secure Provisioning Tool (SEC) is a tool made to simplify the generation and provisioning of bootable executables on NXP MCU platforms. It also offers a command-line interface, enabling integration in automated environments or customization of the image building/burning procedure. SEC features are used to generate bootable executables for targets for which a bootable executable is otherwise not available.

For the integration between the MCUXpresso for VS Code extension and SEC to work properly, the user must first use MCUXpresso Installer to install SEC.

(sec-tool-installation-and-configuration)=
## SEC Tool installation and configuration

Minimum SEC Tool Version: 25.3 or higher.

Supported Platforms: Windows, macOS, Linux.

### Automatic Detection

The MCUXpresso extension detects SEC Tool installations by first checking whether the SEC Tool path is configured in the VS Code User Settings, then scanning standard installation locations.

- Windows: `C:\nxp\MCUX_Provi_*\bin\securep.exe` or `C:\nxp\SEC_Provi_*\bin\securep.exe`
- macOS: `/Applications/MCUX_Provi_*/SecureProvisioning.app/Contents/MacOS/securep`
- Linux: `/opt/nxp/MCUX_Provi_*/bin/securep` or `/opt/nxp/SEC_Provi_*/bin/securep`

>**Note:** If multiple versions are found, the extension automatically selects the newest version.

If SEC Tool is not detected automatically, you'll be prompted with the following options:

![Install SEC](./pictures/nxp-sec-quickpick.png)

### Option 1: Configure in Settings

Best for: Custom installation locations or manual configuration.

1. Click "⚙️ Configure in Settings".
2. VS Code settings will open automatically.
3. Enter the full path to the `securep` executable in the `mcux.secTool.path` setting.
4. Retry your operation.

### Option 2: Install Automatically (Recommended)

Best for: Quick setup with minimal effort.

Requirements: Internet connection.

Steps:

1. Click "☁️ Install Automatically".
2. Wait for download and installation (progress shown in notification).
   Extension will automatically detect the new installation.
3. Operation will automatically continue.

### Option 3: Open MCUXpresso Installer

Best for: Manual installation or when you need additional NXP tools.

Steps:

1. Click "📦 Open MCUXpresso Installer".
2. In the MCUXpresso Installer application, browse to the Secure Provisioning Tool package.
3. Click Install. Wait for installation to complete.
4. Return to VS Code and retry your operation.

### Option 4: Disable SEC Tool Usage

Best for: When you don't need MCUXpresso Secure Provisioning features.

Click "🚫 Disable SEC Tool Usage". Current operation will be cancelled and MCUXpresso Secure Provisioning features will be disabled.

To re-enable, open VS Code Settings and search for `mcux.secTool.usage`, then check the box to enable SEC Tool features again.

## RT118x

The integration with SEC is available for the `flexspi_nor_debug` and `flexspi_nor_release` build configurations for RT118x targets:

- evkmimxrt1180 with derivatives (1181, 1182, 1187, 1189)
- frdm-imx1186 with derivatives (1185, 118C, 1186)

When using these configurations, after building the RT118x project, the MCUXpresso extension will invoke SEC to generate a bootable executable for the project. Corresponding messages will appear to inform the user of actions that are still in progress.

The MCUXpresso extension will search for SEC Tool as described in the Automatic Detection section above:

![Detect SEC](./pictures/nxp-sec-detect-sec-tool.png)

Then, using the detected SEC Tool, the bootable executable will be generated:

![Generating executable using SEC](./pictures/nxp-sec-generate-executable.png)

The command used for invoking and generating the bootable image will appear in the MCUXpresso for VS Code Output console, along with the output of the command. The generated executable can be found in the `.secureprovisioning` folder inside the project.

After a successful build, debug or flash the application.

Building with additional images is supported for 118x targets.
Although this capability is not included in the generic configuration, users can manually configure their projects to leverage the SEC Tool to generate bootable executables that include additional images.

To enable this, after building the project using SEC, you must update the project's `MCUX118x.json` file located in the `project_root_directory/.secureprovisioning` folder. Add the following configuration to the `"cli_args"` section, updating the field values to match your project setup:

```json
"--ele-firmware": "path to ele firmware image",
"--additional-images": {
    "images": [
        {
            "enabled": "yes",
            "entry_type": "general_image",
            "image_path": "path to additional image",
            "image_offset_int": "0x000FF000",
            "load_address_int": "0x28100000",
            "entry_point_int": "0x28100000",
            "target_address_int": "0x0",
            "image_type": "executable",
            "core_id": "core_1",
            "is_encrypted": "no",
            "container_set": "#1"
        }
    ]
}
```

## i.MX95

Starting with MCUXpresso for VS Code 24.11.x, SEC features are used to generate a bootable image using the needed additional images for the Cortex-M7 projects on the i.MX95 target. Also, the UUU (Universal Update Utility) tool will be used to debug the Cortex-M7 i.MX95 projects.

As a prerequisite, the board should be in serial download mode, boot from CM33, and have an external MCU-Link or J-Link probe connected to the JTAG port.

Import the MCUXpresso SDK i.MX95 Cortex-M7 project and run the build project command. It is expected that the build will fail the first time, as the needed information must be provided by the user as follows:

- Open the `additional_images_mx95_cm7_app_cfg.json` file that has been created in the `.secureprovisioning` folder inside the project folder.
- Edit the file to provide the correct paths for all the requested files listed in the JSON (DDR, TCM, system manager and ELE firmware). The paths can be relative to the SEC workspace (the `.secureprovisioning` folder). Absolute paths and paths formed with user-defined environment variables are also accepted.
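A pre-build check for the file references in the RT118x `"cli_args"` entry shown above, added here as an example and not part of the extension or of SEC: it confirms the `*_int` fields parse as integers, resolves each referenced image, and records its SHA-256 so the firmware inputs of a bootable image can be compared against pinned values. It assumes `$VAR`-style environment variables, that RT118x paths resolve by the rules listed for i.MX95, and that `"cli_args"` is a top-level key; the `pinned` argument is hypothetical.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

INT_FIELDS = ("image_offset_int", "load_address_int", "entry_point_int", "target_address_int")

def resolve(raw, workspace):
    """Expand $VAR references, then resolve relative paths against the SEC workspace."""
    expanded = os.path.expandvars(raw)
    if "$" in expanded:  # expandvars leaves unset variables untouched
        raise ValueError(f"unset environment variable in {raw!r}")
    path = Path(expanded)
    return path if path.is_absolute() else Path(workspace) / path

def check_additional_images(cli_args, workspace, pinned=None):
    """Return (problems, digests) for the files one "cli_args" section references."""
    problems, digests = [], {}
    refs = [(k, cli_args[k]) for k in ("--ele-firmware",) if k in cli_args]
    images = cli_args.get("--additional-images", {}).get("images", [])
    for i, img in enumerate(images):
        for field in INT_FIELDS:
            try:
                int(img[field], 0)  # accepts "0x28100000" as well as decimal
            except (KeyError, TypeError, ValueError):
                problems.append(f"images[{i}].{field}: not an integer: {img.get(field)!r}")
        if img.get("enabled") == "yes":  # only enabled images are expected on disk
            refs.append((f"images[{i}].image_path", img.get("image_path")))
    for name, raw in refs:
        try:
            digests[name] = hashlib.sha256(resolve(raw, workspace).read_bytes()).hexdigest()
        except (TypeError, ValueError, OSError) as exc:
            problems.append(f"{name}: {exc}")
            continue
        if pinned and pinned.get(name, digests[name]) != digests[name]:
            problems.append(f"{name}: SHA-256 differs from pinned value")
    return problems, digests

if __name__ == "__main__":
    ws = Path(".secureprovisioning")
    # Assumption: "cli_args" is a top-level key of MCUX118x.json.
    cfg = json.loads((ws / "MCUX118x.json").read_text())
    problems, digests = check_additional_images(cfg["cli_args"], ws)
    for name, digest in digests.items():
        print(f"{digest}  {name}")
    for problem in problems:
        print("PROBLEM:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it from the project root after the first SEC build; a non-zero exit code means at least one reference or field needs attention.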
>**Note:** Do not change or remove the `cortex_m7_app` and `v2x_dummy` entries.

The SEC and UUU commands used, their output, and any SEC- or UUU-related errors will appear in the MCUXpresso for VS Code Output console.

Build the project again and debug or flash the application.

>**Note:** Debugging with J-Link requires a custom jlinkscript with the following implementation:

```c
int InitTarget(void) {
  JLINK_SYS_Report("***************************************************");
  JLINK_SYS_Report("J-Link script: iMX95 initialization");
  JLINK_SYS_Report("***************************************************");

  // ********************************************************************
  JLINK_SYS_Report("... reset target via JTAG_ResetPin");
  JTAG_ResetPin = 0;
  JLINK_SYS_Sleep(100);
  JTAG_ResetPin = 1;
  JLINK_SYS_Sleep(100);
  JLINK_SYS_Report("... wait for target initialization after reset");
  JLINK_SYS_Sleep(6000);

  // ********************************************************************
  if (JLINK_ActiveTIF == JLINK_TIF_JTAG) {
    JLINK_SYS_Report("... JLINK_TIF_JTAG");
    JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=4;DRPost=0;IRLenDevice=4");
  } else {
    JLINK_SYS_Report("... JLINK_TIF_SWD");
    JLINK_CORESIGHT_Configure("");
  }
  return 0;
}

void ResetTarget(void) {
  JLINK_TARGET_Halt(); // Make sure that the CPU is halted when reset is called
}
```

# Launching MCUXpresso Secure Provisioning Tool from VS Code

MCUXpresso for VS Code provides direct integration for launching the **MCUXpresso Secure Provisioning Tool (SEC Tool)** from the extension. This allows you to create secure provisioning workspaces within your development environment.

---

## Overview

The SEC Tool launch integration enables you to:

- Open the SEC Tool GUI pre-configured for your project's target device.
- Automatically create a new SEC workspace linked to a build artifact (ELF file) from your project.
- Reopen an existing SEC workspace without reconfiguring it.
- Build your project on demand if no build artifacts are found before launching.

> **Note:** This feature is separate from the automated SEC build integration (bootable image generation at build time). Launching the SEC Tool GUI gives you full access to all SEC Tool provisioning and configuration features for your device.

---

## Prerequisites

### SEC Tool installation

Before using the launch feature, the MCUXpresso Secure Provisioning Tool must be installed and detectable by the extension.

- **Minimum version required for GUI launch:** `26.06`

> If your installed SEC Tool version is below `26.06`, the launch command shows an error indicating the minimum version requirement.

For installation instructions, see [SEC Tool installation and configuration](#sec-tool-installation-and-configuration).

### Supported devices

The target device associated with your project must be supported by the installed SEC Tool version. The extension automatically verifies this before launching. Unsupported devices produce an error in the **MCUXpresso for VS Code** Output panel.

### Project building for creating a new workspace

When launching the SEC Tool for the first time (no existing SEC workspace), at least one compiled ELF artifact must be present in the project. If none are found, the extension offers to build the project automatically.

---

## Launching the SEC Tool

Use the **"Open Secure Provisioning Tool"** command from the project menu.

![Open with SEC command](./pictures/nxp-sec-open-command.png)

---

## First launch: creating a new SEC workspace

When no SEC workspace exists for the project, the extension guides you through the workspace creation process.

A Quick Pick dialog appears, prompting you to select the source ELF file:

![QuickPick Elf to Launch SEC](./pictures/nxp-sec-launch-elf-quick-pick.png)

- If **only one** ELF file exists in the project, it is selected automatically — no prompt is shown.
- If **multiple** ELF files exist, a list is shown with relative paths for easy identification.
- If **no ELF files** are found, a dialog prompts you to build the project:

  ![No Elf Files](./pictures/nxp-sec-launch-no-elf.png)

  If the build fails or still produces no artifacts, the extension shows an error and cancels the launch.

Proceed in the SEC Tool with the workspace creation dialog.

The SEC workspace is created at:

```
/secureprovisioning/
```

## Subsequent launches: reopening an existing workspace

If a SEC workspace already exists at `/secureprovisioning/`, the extension launches the SEC Tool directly with that workspace — no ELF selection or device configuration is needed.

For more information, see [Workspaces in MCUXpresso Secure Provisioning](https://docs.mcuxpresso.nxp.com/secure/latest/05_user_interface.html#workspaces).

---

## Preventing duplicate instances

The extension tracks all running SEC Tool processes per project. If you attempt to open the SEC Tool for a project that already has an active session, a notification is shown:

![SEC Already Opened](./pictures/nxp-sec-already-opened.png)

No second instance will be launched.

---

## Error conditions reference

| Condition | Message |
|-----------|---------|
| SEC Tool not found | *(prompts installation flow — see SEC Tool installation)* |
| SEC Tool version below `26.06` | `"MCUXpresso Secure Provisioning Tool minimum version 26.06 is required. Current version is X.XX."` |
| Device not found in project | `"MCUXpresso Secure Provisioning Tool cannot be started because an unsupported device is associated to project \"\"."` |
| Device not supported by SEC Tool | `"Secure Provisioning Tool does not support \"\" device."` |
| No ELF artifacts and build failed | `"Build failed. Cannot continue with launching MCUXpresso Secure Provisioning Tool."` |
| No ELF artifacts after build | `"No build artifacts found even after building the project. Please check your build configuration."` |
| SEC Tool process error on startup | `"Could not open Secure Provisioning Tool: "` |
| Tool already open | `"MCUXpresso Secure Provisioning Tool is already open for project \"\"."` |

All errors are also logged to the **MCUXpresso for VS Code** Output panel (channel: `Secure Provisioning`).

---

## Relationship to build-time SEC integration

| Feature | Trigger | Workspace Path | Min SEC Version |
|---|---|---|---|
| **GUI Launch** | Manual command | `secureprovisioning/` | `26.06` |
| **Bootable Image Generation** | Automatic at build time | `.secureprovisioning/` | `25.3` |

The two features are independent and use separate workspace directories. Use one or both depending on your workflow.
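
Because the extension runs whichever `securep` the Automatic Detection rules select, it helps to see every installation those patterns match on a machine. The following audit script is an added example, not part of the extension: it lists the matches newest first, shows which of the two features in the table above each version satisfies, and flags install paths that group or other users can write. Reading the version from the install folder name is an assumption.

```python
import glob
import os
import re
import stat
import sys

# Patterns from the "Automatic Detection" list; sys.platform selects the set.
PATTERNS = {
    "win32": [r"C:\nxp\MCUX_Provi_*\bin\securep.exe", r"C:\nxp\SEC_Provi_*\bin\securep.exe"],
    "darwin": ["/Applications/MCUX_Provi_*/SecureProvisioning.app/Contents/MacOS/securep"],
    "linux": ["/opt/nxp/MCUX_Provi_*/bin/securep", "/opt/nxp/SEC_Provi_*/bin/securep"],
}
# Minimum versions from the feature table ("25.3" and "26.06").
MINIMUM = {"bootable image generation": (25, 3), "GUI launch": (26, 6)}

def version_of(path):
    """Assumption: the install folder name ends in the version, e.g. MCUX_Provi_v25.03."""
    m = re.search(r"_Provi_v?(\d+)(?:\.(\d+))?", path)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else (0, 0)

def loose_paths(binary, root):
    """Binary and parent directories up to root that group/others can write (POSIX bits)."""
    if os.name == "nt":
        return []  # mode bits do not reflect NTFS ACLs; inspect those with icacls
    found, cur = [], binary
    while True:
        if os.stat(cur).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(cur)
        parent = os.path.dirname(cur)
        if cur == root or parent == cur:
            return found
        cur = parent

def audit(patterns):
    """List every securep the patterns match, newest first, with features and findings."""
    report = []
    for pattern in patterns:
        root = os.path.dirname(pattern.split("*")[0])  # e.g. /opt/nxp
        for binary in glob.glob(pattern):
            ver = version_of(binary)
            report.append({
                "path": binary, "version": ver,
                "features": [name for name, low in MINIMUM.items() if ver >= low],
                "writable_by_others": loose_paths(binary, root),
            })
    return sorted(report, key=lambda r: r["version"], reverse=True)

if __name__ == "__main__":
    for entry in audit(PATTERNS.get(sys.platform, [])):
        print(entry)
```

A path set explicitly in `mcux.secTool.path` is checked by the extension before these locations, so review that setting alongside the script's output.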