NAME¶

ahab_signed_message - generate signed messages for unlocking services of AHAB devices

SYNOPSIS¶

ahab_signed_message -t file -m file -o file [-v] [-V] [-h]

NOTE¶

This manpage is a short description of NXP ahab_signed_message. For a detailed discussion refer to the Code Signing Tool User Guide UG10106, section 5.5 and NXP Application Note AN13770. The user guide and the application note can be obtained from www.nxp.com and are excluded from Debian for copyright reasons.

DESCRIPTION¶

The ahab_signed_message tool is used to generate signed messages for unlocking services of AHAB devices running on an OEM-closed life cycle. Generated signed messages can be sent to a NXP SECO crypto processor or an NXP EdgeLock Enclave (ELE) module after signing them with the cst tool and a valid key.

Templates and payloads for messages supported by SECO and ELE can be found in /usr/share/doc/imx-code-signing-tool/examples/signed_message.

OPTIONS¶

-t file

Specify the message template file.

-m file

Specify the message payload file.

-o file

Specify the output file.

-v

Enable verbose output.

-V

Print version information.

-h

Display help message and exit.

EXAMPLES¶

To generate a message for SECO to enable secure debugging, retrieve the unique ID and monotonic counter for the target processor and enter the values to a copy of /usr/share/doc/imx-code-signing-tool/examples/signed_message/ahab-signed-msg-header-template.json. Then create the binary message with

  ahab_signed_message \
      -t ahab-signed-msg-header-template.json \
      -m /usr/share/doc/imx-code-signing-tool/examples/signed_message/ahab-EnableDebug-example-msg.json \
      -o msg.bin

msg.bin can then be signed using cst and a suitable CSF file, and can be sent to SECO through the SCFW API or by placing it in a boot container. Details on the process are discussed in NXP application note AN13770, section 11.

SEE ALSO¶

cst(1)