Release 1.7.1

marekvi95 · Sep 16, 2022 · d30ad4e · d30ad4e
1 parent 053fb9a
commit d30ad4e
Show file tree

Hide file tree

Showing 88 changed files with 2,603 additions and 1,021 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.7.0
+current_version = 1.7.1
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\.(?P<suffix>.*))?
 serialize =
 	{major}.{minor}.{patch}.{suffix}

diff --git a/SW_Content_Register_SPSDK.txt b/SW_Content_Register_SPSDK.txt
@@ -1,6 +1,6 @@
 NXP Software Content Register
 
-Package:                   NXP SPSDK 1.7.0
+Package:                   NXP SPSDK 1.7.1
 Outgoing License:          BSD-3-Clause
 License Files:             LICENSE
 Type of content:           Source code

diff --git a/docs/apps/images.rst b/docs/apps/images.rst
@@ -130,7 +130,7 @@ For more information about the Secure boot setup for LPC55Sxx family follow the
 
 Example of SB2 generation for 4 root keys
 
-nxpimage: ``nxpimage sb21 -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" -s private_key_1_2048.pem
+nxpimage: ``nxpimage sb21 export -k "sbkek.txt" -c "commandFile.bd" -o "output.sb2" -s private_key_1_2048.pem
 -S certificate_1_2048.der.crt -R certificate_1_2048.der.crt -R
 certificate_2_2048.der.crt -R certificate_3_2048.der.crt -R certificate_4_2048.der.crt -h "RHKT.bin"
 "input.bin"``
@@ -150,7 +150,7 @@ The configuration is done in a similar way as a master boot image by configurati
 
 Example of use
 nxpimage: ``nxpimage sb31 export "sb3_config.yaml``
-elftosb: ``elftosb.exe -j "sb3_config.yaml``
+elftosb: ``elftosb -j "sb3_config.yaml``
 
 -------------------------
 AHAB
@@ -161,10 +161,10 @@ JSON is used to instruct nxpimage how the output should look like.
 AHAB container is not supported by elftosb tool.
 
 Example of use for export
-``nxpimage.exe ahab export "path\to\config\file.yaml"``
+``nxpimage ahab export "path\to\config\file.yaml"``
 
 Example of use for parse binary AHAB container
-``nxpimage.exe ahab parse -b "my_ahab_container.bin" "path\to_parsed_data"``
+``nxpimage ahab parse -b "my_ahab_container.bin" "path\to_parsed_data"``
 
 .. code-block:: yaml
 
@@ -245,5 +245,5 @@ Example of use for parse binary AHAB container
             wrapped_key_path: my_wrapped_key.pem  # [Required], KEK blob wrapped key, Wrapped Data Encryption key. Used for AES CBC-MAC (128/192/256 size).
 
 
-The full AHAB configuration template could be generated by nxpimage tool "get-templates" sub-command for family that supports AHAB, example:
-``nxpimage.exe get-templates -f rt1180 ./my_config_templates``
+The full AHAB configuration template could be generated by nxpimage tool "get_template" sub-command for family that supports AHAB, example:
+``nxpimage ahab get-template -f rt1180 ./my_config_templates``
diff --git a/docs/release_notes.rst b/docs/release_notes.rst
@@ -8,6 +8,28 @@
 Release Notes
 =============
 
+-------------------------
+1.7.1 (16-September-2022)
+-------------------------
+
+**New features**
+
+* :ref:`nxpimage`:
+    - add OTFAD support for RT5xx and RT6xx devices
+* :ref:`pfr`:
+    - read command allows independent binary and yaml exports
+* :ref:`shadowregs`:
+    - new subcommand: fuses-script
+* add OEM cert size check into TPConfig
+
+**Bugfixes**
+
+* :ref:`nxpdebugmbox`:
+    - fix debug authentication for RT595
+* :ref:`nxpimage`:
+    - fix sb21 command line argument in documentation
+* fix the use of pyyaml's load in tests (use safe_load())
+
 --------------------
 1.7.0 (29-July-2022)
 --------------------

diff --git a/examples/sbfile.py b/examples/sbfile.py
@@ -18,6 +18,7 @@
 from spsdk.sbfile.sb2.commands import CmdErase, CmdLoad, CmdReset
 from spsdk.sbfile.sb2.images import BootImageV20, BootImageV21, BootSectionV2, SBV2xAdvancedParams
 from spsdk.utils.crypto import CertBlockV2, Certificate, KeyBlob, Otfad
+from spsdk.utils.misc import align_block
 
 THIS_DIR = os.path.dirname(os.path.abspath(__file__))
 DATA_DIR = os.path.join(THIS_DIR, "data")
@@ -80,7 +81,7 @@ def gen_boot_section_otfad() -> BootSectionV2:
             crc=bytes(4),
         )
     )  # zero_fill and crc should be used only for testing !
-    enc_image = otfad.encrypt_image(boot_data, 0x08001000, True)
+    enc_image = otfad.encrypt_image(align_block(boot_data, 512), 0x08001000, True)
     key_blobs = otfad.encrypt_key_blobs(kek=bytes.fromhex("50F66BB4F23B855DCD8FEFC0DA59E963"))
     if len(key_blobs) != 256:
         raise SPSDKError("Length of key blobs is not 256")

diff --git a/release_notes.txt b/release_notes.txt
@@ -7,61 +7,29 @@ configure the device, prepare, download and upload data, including security oper
 delivered in the form of a python library and command-line applications.
 
 
-Version: 1.7.0
+Version: 1.7.1
 
 ==============
-Date: 29-July-2022
+Date: 16-September-2022
 
 New features
 
-- nxpimage application as replacement for elftosb
-- nxpcrypto application for generating and verifying keys, certificates, hash digest, converting key's format
-- trust provisioning applications (tphost and tpconfig)
-- blhost:
-    - support LifeCycleUpdate command for RT1180
-    - add option to specify peripheral index of SPI/I2C for LIBUSBSIO
-    - allow lowercase names in the filter for USB mboot devices
-- nxpdebugmbox:
-    - utility to read/write memory using debug probe
 - nxpimage:
-    - support of Master Boot Images
-    - support AHAB container for RT1180
-    - support of Secure Binary 2.1 / 3.1
-    - support for TrustZone blocks
-    - support for Bootable images for RTxxx devices
-    - support for FCB block parsing and exporting for RTxxx and some RTxxxx devices
-    - simply binary image support, like create, merge, extract and convert (S19,HEX,ELF and BIN format)
+    - add OTFAD support for RT5xx and RT6xx devices
 - pfr:
-    - load PFR configuration directly from chip using BLHOST
-- sdphost:
-    - support for SET_BAUDRATE command
-    - support for iMX93
-- drop support for Python 3.6
-- pypemicro dependency update in order to cover latest bug fixes in this package
-- libusbsio update to version 2.1.11
-- unify debug options within applications
-- API to compute RKTH
-- support LPC553x in elftosb/nxpimage
-- support dual image boot on RT5xx and RT6xx
-- replace click/sys.exit with raising an SPSDKAppError exception
-- encryption of remapped images
+    - read command allows independent binary and yaml exports
+- shadowregs:
+    - new subcommand: fuses-script
+- add OEM cert size check into TPConfig
+
 
 Bugfixes
 
-- blhost:
-    - efuse_program_once returns failure message when using 'lock' option but still the fuse is burnt
-    - fix in re-scanning LIBUSBSIO devices when target MCU is not connected
-    - scan_usb() should return nxp devices
-    - read memory command doesn't print read data when mem region is defined
-- elftosb:
-    - fix trustzone config template for rt5xx and rt6xx
-    - fix MBI_PLainRamRTxxx image
-    - fix CRC bootable image on RT685 EVK
-    - fix image located in FLASH executed in RAM on RT6xx
-    - fix burning fuses in BD file
 - nxpdebugmbox:
-    - fix in Jlink debugger probe initialization
-    - fix get-crp command
+    - fix debug authentication for RT595
+- nxpimage:
+    - fix sb21 command line argument in documentation
+- fix the use of pyyaml's load in tests (use safe_load())
 
 
 Supported devices
@@ -89,6 +57,51 @@ Python 3.7+ interpreter, old version 2.x is not supported
 
 Revision History
 ================
+1.7.0
+- nxpimage application as replacement for elftosb
+- nxpcrypto application for generating and verifying keys, certificates, hash digest, converting key's format
+- trust provisioning applications (tphost and tpconfig)
+- blhost:
+    - support LifeCycleUpdate command for RT1180
+    - add option to specify peripheral index of SPI/I2C for LIBUSBSIO
+    - allow lowercase names in the filter for USB mboot devices
+    - efuse_program_once returns failure message when using 'lock' option but still the fuse is burnt
+    - fix in re-scanning LIBUSBSIO devices when target MCU is not connected
+    - scan_usb() should return nxp devices
+    - read memory command doesn't print read data when mem region is defined
+- elftosb:
+    - fix trustzone config template for rt5xx and rt6xx
+    - fix MBI_PLainRamRTxxx image
+    - fix CRC bootable image on RT685 EVK
+    - fix image located in FLASH executed in RAM on RT6xx
+    - fix burning fuses in BD file
+- nxpdebugmbox:
+    - utility to read/write memory using debug probe
+    - fix in Jlink debugger probe initialization
+    - fix get-crp command
+- nxpimage:
+    - support of Master Boot Images
+    - support AHAB container for RT1180
+    - support of Secure Binary 2.1 / 3.1
+    - support for TrustZone blocks
+    - support for Bootable images for RTxxx devices
+    - support for FCB block parsing and exporting for RTxxx and some RTxxxx devices
+    - simply binary image support, like create, merge, extract and convert (S19,HEX,ELF and BIN format)
+- pfr:
+    - load PFR configuration directly from chip using BLHOST
+- sdphost:
+    - support for SET_BAUDRATE command
+    - support for iMX93
+- drop support for Python 3.6
+- pypemicro dependency update in order to cover latest bug fixes in this package
+- libusbsio update to version 2.1.11
+- unify debug options within applications
+- API to compute RKTH
+- support LPC553x in elftosb/nxpimage
+- support dual image boot on RT5xx and RT6xx
+- replace click/sys.exit with raising an SPSDKAppError exception
+- encryption of remapped images
+
 1.6.3
 - pypemicro dependency update in order to cover latest bug fixes in this package
 - libusbsio update to version 2.1.11

diff --git a/spsdk/__version__.py b/spsdk/__version__.py
@@ -10,4 +10,4 @@
 Having the version in a separate file makes it easier to share it with setup.py
 """
 
-__version__ = "1.7.0"
+__version__ = "1.7.1"
diff --git a/spsdk/apps/nxpcertgen.py b/spsdk/apps/nxpcertgen.py
@@ -31,7 +31,7 @@
 )
 from spsdk.crypto.certificate_management import generate_name
 from spsdk.crypto.loaders import extract_public_key, load_certificate
-from spsdk.utils.misc import load_configuration
+from spsdk.utils.misc import find_file, load_configuration
 
 NXPCERTGEN_DATA_FOLDER: str = os.path.join(SPSDK_DATA_FOLDER, "nxpcertgen")
 
@@ -105,9 +105,12 @@ def generate(config: str, output: str, encoding: str, force: bool) -> None:
 
     config_data = load_configuration(config)
     cert_config = CertificateParametersConfig(config_data)
+    search_paths = [os.path.dirname(config)]
 
-    priv_key = load_private_key(cert_config.issuer_private_key)
-    pub_key = load_public_key(cert_config.subject_public_key)
+    priv_key = load_private_key(
+        find_file(cert_config.issuer_private_key, search_paths=search_paths)
+    )
+    pub_key = load_public_key(find_file(cert_config.subject_public_key, search_paths=search_paths))
 
     certificate = generate_certificate(
         subject=cert_config.subject_name,

diff --git a/spsdk/apps/nxpdebugmbox.py b/spsdk/apps/nxpdebugmbox.py
@@ -36,8 +36,9 @@
 from spsdk.dat.debug_mailbox import DebugMailbox
 from spsdk.debuggers.debug_probe import DebugProbe
 from spsdk.debuggers.utils import PROBES, DebugProbeUtils, test_ahb_access
+from spsdk.utils.crypto.rkht import RKHT
 from spsdk.utils.images import BinaryImage
-from spsdk.utils.misc import find_file, load_configuration, write_file
+from spsdk.utils.misc import find_file, load_binary, load_configuration, write_file
 
 logger = logging.getLogger(__name__)
 colorama.init()
@@ -168,7 +169,10 @@ def _open_debugmbox(pass_obj: Dict) -> Iterator[DebugMailbox]:
     "-o",
     "--debug-probe-option",
     multiple=True,
-    help="This option could be used " "multiply to setup non-standard option for debug probe.",
+    help=(
+        "This option could be used multiply to setup non-standard option for debug probe."
+        " The example of use: -o KEY=VALUE"
+    ),
 )
 @click.option(
     "--operation-timeout",
@@ -231,8 +235,7 @@ def auth(pass_obj: dict, beacon: int, certificate: str, key: str, no_exit: bool)
         logger.info("Starting Debug Authentication")
 
         with _open_debugmbox(pass_obj) as mail_box:
-            with open(certificate, "rb") as f:
-                debug_cred_data = f.read()
+            debug_cred_data = load_binary(certificate)
             debug_cred = DebugCredential.parse(debug_cred_data)
             dac_rsp_len = 30 if debug_cred.HASH_LENGTH == 48 and debug_cred.socc == 4 else 26
             dac_data = dm_commands.DebugAuthenticationStart(dm=mail_box, resplen=dac_rsp_len).run()
@@ -663,12 +666,16 @@ def gendc(
     assert "rot_id" in yaml_content, "Config file doesn't contain the 'rot_id' field"
 
     logger.info(f"Creating {'RSA' if is_rsa else 'ECC'} debug credential object...")
-    dc = DebugCredential.create_from_yaml_config(version=protocol, yaml_config=yaml_content)
+    rotkh = RKHT(keys=yaml_content["rot_meta"], search_paths=[os.path.dirname(config)]).rotkh()
+    click.echo(f"RoT Key Hash: {rotkh.hex()}")
+    dc = DebugCredential.create_from_yaml_config(
+        version=protocol, yaml_config=yaml_content, search_paths=[os.path.dirname(config)]
+    )
     dc.sign()
     data = dc.export()
     logger.info("Saving the debug credential to a file...")
-    with open(dc_file_path, "wb") as f:
-        f.write(data)
+    write_file(data, dc_file_path, mode="wb")
+
     print_output(True, "Creating Debug credential file")
 
 
@@ -681,7 +688,7 @@ def gendc(
     default=False,
     help="Force overwriting of an existing file. Create destination folder, if doesn't exist already.",
 )
-def get_cfg_template(output: click.Path, force: bool) -> None:
+def get_cfg_template(output: str, force: bool) -> None:
     """Generate the template of Debug Credentials YML configuration file.
 
     \b