Appendix

Example of complete manufacturing flow

Using a pre-compiled led-demo as an example, a quick start guide is provided in this section to demonstrate the complete manufacturing flow for FlexSPI NOR boot based on MIMXRT1015-EVK board.

Manufacturing process in Development phase

In development phase, generally the image is unsigned and is used for functional testing.

Create i.MX RT bootable image

Using Chapter 4, Generate i.MX RT botable image, based on the memory map assigned for RT1015 SoC, here are the steps to generate i.MX RT bootable image using elftosb utility.

  1. Generate the BD file for boot image generation. The BD file content is showed as follows.

    options {
    flags = 0x00;
    startAddress = 0x60000000;
    ivtOffset = 0x1000;
    initialLoadSize = 0x2000;
}
sources {
    elfFile = extern(0);
}
section (0)
{
}

  2. Generate the i.MX RT bootable image using elftosb utility.

    Here is the example command:

    Example command to generate FlexSPI NOR boot image

  • ivt_flexspi_nor_xip.bin

  • ivt_flexspi_nor_xip_nopadding.bin

The ivt_flexspi_nor_xip_nopadding.bin will be used to generate SB file for QSPI NOR Flash programming in a subsequent section.

Create SB file for Adesto 25SF128A programming

An example to generate the SB file for Adesto 25SF128A programming for MIMXRT1015-EVK board is shown as follows.

# The source block assign file name to identifiers
sources {
 myBinFile = extern (0);
}
constants {
    kAbsAddr_Start= 0x60000000;
    kAbsAddr_Ivt = 0x60001000;
    kAbsAddr_App = 0x60002000;
}
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
    #1. Prepare Flash option
    # 0xc0000207 is the tag for Serial NOR parameter selection
    # bit [31:28] Tag fixed to 0x0C
    # bit [27:24] Option size fixed to 0
    # bit [23:20] Flash type option
    #             0 - QuadSPI SDR NOR
    #             1 - QuadSPI DDR NOR
    #             2 - HyperFLASH 1V8
    #             3 - HyperFLASH 3V
    #             4 - Macronix Octal DDR
    #             6 - Micron Octal DDR
    #             8 - Adesto EcoXIP DDR
    # bit [19:16] Query pads (Pads used for query Flash Parameters)
    #             0 - 1
    #             2 - 4
    #             3 - 8
    # bit [15:12] CMD pads (Pads used for command)
    #             0 - 1
    #             2 - 4
    #             3 - 8
    # bit [11: 08] fixed to 0
    # bit [07: 04] fixed to 0
    # bit [03: 00] Flash Frequency, device specific
    #
    load 0xc0000207 > 0x2000;
    # Configure QSPI NOR Flash using option a address 0x2000
    enable flexspinor 0x2000;
    #2 Erase flash as needed.(Here only 1MBytes are erased)
    erase 0x60000000..0x60100000;
    #3. Program config block
    # 0xf000000f is the tag to notify Flashloader to program FlexSPI NOR config block to the start of device
    load 0xf000000f > 0x3000;
    # Notify Flashloader to response the option at address 0x3000
    enable flexspinor 0x3000;
    #5. Program image
    load myBinFile > kAbsAddr_Ivt;
}

After the BD file is ready, the next step is to generate the boot_image.sb file that is for MfgTool use later. Here is the example command:

Example command to generate SB file for FlexSPI NOR programming

After performing above command, the boot_image.sb is generated in elftosb utility folder.

Program Image to Flash using MfgTool

Use the following steps to program a boot image into a flash device

  1. Copy the boot_image.sb file to “<mfgtool_root_dir>/Profiles/device_name/OS Firmware” folder.

  2. Change the “name” under “[List]” to MXRT1015-SecureBoot in cfg.ini file in <mfgtool_root_dir> folder.

  3. Put the device_name-EVK board to Serial Downloader mode by setting SW8 to “1-OFF, 2-ON, 3-OFF, 4-ON” .

  4. Power up device_name-EVK board and insert USB cable to J9.

  5. Open MfgTool, it will show as the detected device like the one shown in Connect to the i.MX RT Platform.

  6. Click “Start”, MfgTool will do manufacturing process. After completion, it will show the status as success as shown in Program bootable image during development. Click “Stop” and close the MfgTool.

Manufacturing process in Production phase

In production phase, the image requires to be signed and possibly encrypted. In this case, the device must be configured to HAB closed mode.

Assuming the PKI tree is ready for cst use, copy “ca”, “crts”, and “keys” folder and cst executable to the folder that holds the elftosb utility executable, as shown below

Copy required key and certificates for signed image generation

Generate signed i.MX RT bootable image

To generate a bootable image for a specific memory, users need the memory map of the i.MX RT device SoC. Chapter 4, Generate i.MX RT bootable image, provides details for generating a bootable image. Here are the steps to generate signed i.MX RT bootable image using the elftosb utility.

  1. Generate the BD file for boot image generation. The BD file content is showed in the figure below. It is also available in the release package in folder.

options {
    flags = 0x08;
    startAddress = 0x0000000;
    ivtOffset = 0x1000;
    initialLoadSize = 0x2000;
    //DCDFilePath = "dcd.bin";
    # Note: This is required if the cst and elftsb are not in the same folder
    //cstFolderPath = "path/CSTFolder";
    # Note: This is required if the default entrypoint is not the Reset_Handler
    # Please set the entryPointAddress to base address of Vector table
    //entryPointAddress = 0x0002000;
}
sources {
    elfFile = extern(0);
}
constants {
    SEC_CSF_HEADER = 20;
    SEC_CSF_INSTALL_SRK = 21;
    SEC_CSF_INSTALL_CSFK = 22;
    SEC_CSF_INSTALL_NOCAK = 23;
    SEC_CSF_AUTHENTICATE_CSF = 24;
    SEC_CSF_INSTALL_KEY = 25;
    SEC_CSF_AUTHENTICATE_DATA = 26;
    SEC_CSF_INSTALL_SECRET_KEY = 27;
    SEC_CSF_DECRYPT_DATA = 28;
    SEC_NOP = 29;
    SEC_SET_MID = 30;
    SEC_SET_ENGINE = 31;
    SEC_INIT = 32;
    SEC_UNLOCK = 33;
}
section (SEC_CSF_HEADER;
    Header_Version="4.2",
    Header_HashAlgorithm="sha256",
    Header_Engine="DCP",
    Header_EngineConfiguration=0,
    Header_CertificateFormat="x509",
    Header_SignatureFormat="CMS")
{
}
section (SEC_CSF_INSTALL_SRK;
    InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
    InstallSRK_SourceIndex=0)
{
}
section (SEC_CSF_INSTALL_CSFK;
    InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
    InstallCSFK_CertificateFormat="x509") // "x509"
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
    InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
    InstallKey_VerificationIndex=0, // Accepts integer or string
    InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
    AuthenticateData_VerificationIndex=2,
    AuthenticateData_Engine="DCP",
    AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_SET_ENGINE;
    SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
    SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
    SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}
section (SEC_UNLOCK;
    Unlock_Engine = "SNVS, OCOTP", // "SRTC", "CAAM", SNVS and OCOTP
    Unlock_features = "ZMK WRITE, SRK REVOKE")
{
}

  1. Generate the i.MX RT bootable image using the elftosb utility file.

Here is the example command:

After the above command, two bootable images are generated:

  • ivt_flexspi_nor_xip_signed.bin

  • ivt_flexspi_nor_xip_signed_nopadding.bin

The ivt_flexspi_nor_xip_signed_nopadding.bin will be used to generate SB file for QSPI NOR Flash programming in a subsequent section.

Create SB file for Fuse programming

In the keys folder, there is a file named “SRK_1_2_3_4_fuse.bin”. This is the HASH table for SRK authentication during boot. It must be programmed to fuses to enable secure boot mode.

Below is an example file

Example SRK_1_2_3_4_fuse.bin file

Below is an example BD file which shows the procedure to program fuses. The fuse field is a 32-bit long word data. It will be programmed into the fuses by Flashloader in little-endian mode.

# The source block assign file name to identifiers
sources {
}
constants {
}
# The section block specifies the sequence of boot commands to be written to the SB file
# Note: this is just a template, please update it to actual values in users' project
section (0) {
    # Program SRK table
    load fuse 0xD132E7F1 > 0x18;
    load fuse 0x63CD795E > 0x19;
    load fuse 0x8FF38102 > 0x1A;
    load fuse 0x22A78E77 > 0x1B;
    load fuse 0x01019c82 > 0x1C;
    load fuse 0xFC3AC699 > 0x1D;
    load fuse 0xF2C327A3 > 0x1E;
    load fuse 0xDAC9214E > 0x1F;
    # Program SEC_CONFIG to enable HAB closed mode
    load fuse 0x00000002 > 0x06;
}

The last command in above BD file is used to enable HAB closed mode by setting SEC_CONFIG [1] bit in the fuse to 1.

After BD file is ready, the next step is to create SB file for Fuse programming to enable HAB closed mode.

An example command is shown below:

Example command to generate SB file for Fuse programming

After the command “enable_hab.bd -o enable_hab.sb” in the figure above is executed, a file named “enable_hab.sb” gets generated. It is required in MfgTool for Secure Boot solution.

Create SB file for Image encryption and programming for Flash

Following chapter 5, here is an example to generate the SB file for image encryption and programming on Flash for MIMXRT1015-EVK board.

Refer to the BD file in Section 5.1.3, Generate SB file for FlexSPI NOR Image encryption and programming.

After the BD file is ready, the next step is to generate the SB file. Refer below for an example command.

Example command to generate SB file for FlexSPI NOR image encryption and programming

After the command “program_flexspinor_image_encrypt.bd -o boot_image.sb ivt_flexspi_nor_xip_signed_nopadding.bin” in the figure above , a file named “boot_image.sb” is generated in the folder that contains the elftosb utility executable.

Create signed Flashloader image

The BD file for signed Flashloader image generation is similar as the one in section Generate signed i.MX bootable image.

The only difference is that the startAddress is 0x20208000 and IVTOffset is 0.

After the BD file is ready, the next step is to generate i.MX boot image using elftosb utility. The example command is as below:

Example command for Signed Flashloader image generation

After the command “imx-flashloader-signed.bd -o ivt_flashloader_signed.bin flashloader.srec” in Figure above, two bootable images are generated:

  • ivt_flashloader_signed.bin

  • ivt_flashloader_signed_nopadding.bin

The first one is required by MfgTool for Secure Boot.

Program Image to Flash using MfgTool

Here are the steps to program boot image into Flash device

  1. Copy the boot_image.sb file, ivt_flashloader_signed.bin and enable_hab.sb to “<mfgtool_root_dir>/Profiles/device_name/OS Firmware” folder.

  2. Change the “name” under “[List]” to device_name-SecureBoot in cfg.ini file in <mfgtool_root_dir> folder.

  3. Put the device_name-EVK board to Serial Downloader mode by setting SW8 to “1-OFF, 2-ON, 3-OFF, 4-ON”.

  4. Power up device_name-EVK board, and insert USB cable to J9.

  5. Open MfgTool, it will show the detected device like the one shown in Connect to the i.MX RT Platform.

  6. Click “Start”, MfgTool will do manufacturing process and after completion, it will show the status as success as shown in Program bootable image during development. Click “Stop” and close the MfgTool.

  7. Put the device_name-EVK board to internal boot mode and select QSPI NOR Flash as boot device by setting SW8 to “1-OFF, 2-ON, 3-ON, 4-OFF”. Then reset the device to start running the application.