Skip to end of banner

Go to start of banner

LPC55Sxx - Preparing files for programming (Secure Binary)

Skip to end of metadata

Created by Grzegorz Meller (Unlicensed), last modified on May 05, 2022

Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Used software to transform the original file and generate the necessary files:

MCUXpresso Secure Provisioning Tool - version 3.1.
Command Prompt (cmd.exe)

\uD83D\uDCD8 Instructions

MCUXpresso Secure Provisioning Tool

Open MCUXpresso Secure Provisioning Tool. You can download the latest software version from here: https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-secure-provisioning-tool:MCUXPRESSO-SECURE-PROVISIONING
Create a New Workspace. The Workspace will contain the keys, certificates, source file, boot file and configuration settings.

Select the path for the New Workspace, Series and Processor.

Select the Boot Type. Only the "Signed", "Encrypted (PRINCE) with CRC", and "Encrypted (PRINCE) and Signed" options generate a Secure Binary file.

After selecting the boot image type, generate/add the necessary certificates/keys. Choose “Keys Management”.

Select "Add keys", "Generate keys" or "Import keys" depending on your needs.

Once the keys have been generated/added, return to page one. Choose “Bulid image”.

Select the location of the executable image source file, the start address and bootable image path.

Select “TrustZone pre-configuration“ and ROT image depending on your needs.

Generate randomly or enter your SBKEK. SBKEK is necessary to decrypt secure binary file.

If you want to enable an additional security option, you can select the "Write image" option and click “PFR Configuration”.

Additional configuration data and additional security can be set in the "CFPA" and "CMPA" windows. Confirm the changes by clicking the “OK” button.

Return to page one. Choose “Bulid image”.

Click "Bulid Image" button. Now there is a Secure Binary file in the bootable_images folder in the workspace.

2. Command Prompt (cmd.exe)

Open Command Prompt.
Point to the location of the pfr.exe file. By default, it is installed in the folder with the given path: "C:\NXP\MCUX_Provi_v3.1\bin\tools\spsdk\".

Run pfr.exe with the appropriate command (Use your own file path with workspace!):

pfr.exe generate-binary -c "C:\..\gen_sb\cmpa.json" -o "C:\..\gen_sb\cmpa_sealed.bin" -a -e "C:\..\gen_sb\mbi_config.json"
pfr.exe generate-binary -c "C:\..\gen_sb\cmpa.json" -o "C:\..\gen_sb\cmpa_non_sealed.bin" -e "C:\..\gen_sb\mbi_config.json"
pfr.exe generate-binary -c "C:\..\gen_sb\cfpa.json" -o "C:\..\gen_sb\cfpa.bin"

The necessary files can be found:

SB file - "C:\..\bootable_images\lpc55s06.sb",
CMPA file - “C:\..\gen_sb\cmpa_sealed.bin” or "C:\..\gen_sb\cmpa_non_sealed.bin",
CFPA file - "C:\..\gen_sb\cfpa.bin",
SBKEK - “C:\..\gen_scripts\sbkek.txt”.

No labels