# Terms and definitions

**Table: Terms and definitions**

| Term | Definition |
|------|------------|
| AES | Advanced Encryption Standard |
| AES-128 | Rijndael cipher with block and key sizes of 128 bits |
| AHAB | Advanced High Assurance Boot |
| ATF | ARM Trusted Firmware |
| BCA | Bootloader Configuration Area |
| BEE | Bus Encryption Engine |
| Block cipher | Encryption algorithm that works on blocks of N = {64, 128, ...} bits |
| CA | Certificate Authority, the holder of a private key used to certify public keys |
| CAAM | Cryptographic Acceleration and Assurance Module, an accelerator for encryption, stream cipher, and hashing algorithms, with a random number generator and runtime integrity checker |
| CBC | Cipher Block Chaining, a cipher mode that uses feedback between the ciphertext blocks |
| CBC-MAC | A message authentication code computed with a block cipher |
| CFPA | Customer In-field Programmable Area |
| Cipher block | The minimum amount of data on which a block cipher operates |
| Ciphertext | Encrypted data |
| CMPA | Customer Manufacturing/Factory Programmable Area |
| CMS | Cryptographic Message Syntax, a general format for data that may have cryptography applied to it, such as digital signatures and digital envelopes. HAB uses the CMS as a container holding PKCS#1 signatures. |
| CSF | Command Sequence File, a binary data structure interpreted by the HAB to guide authentication operations |
| DA | Debug Authentication |
| DAP | Debug Authentication Protocol |
| DCD | Device Configuration Data, a binary table used by the ROM code to configure the device at an early boot stage |
| DCP | Data coprocessor, an accelerator for AES encryption and SHA hashing algorithms |
| DEK | Data encryption key, a one-time session key used to encrypt the bulk of the boot image |
| DUK | Device Unique Key |
| DUKB | DUK certificate block |
| ECB | Electronic Code Book, a cipher mode with no feedback between the ciphertext blocks |
| EKIB | Encrypted Key Info Block |
| ELE | EdgeLock Secure Enclave |
| EPRDB | Encrypted Protection Region Descriptor Block |
| FAC | Flash Access Controlled |
| FCB | Flash Configuration Block or Flash Control Block |
| FCF | Flash Configuration Field |
| HAB | High Assurance Boot, a software library executed in internal ROM on the Freescale processor at boot time that, among other things, authenticates software in external memory by verifying digital signatures in accordance with a CSF. This document is strictly limited to processors running HABv4. |
| Hash | Digest computation algorithm |
| HSM | Hardware System Module |
| IEE | Inline Encryption Engine |
| IFR | Information Flash Region |
| IMG | Image Signing Key, interchangeable term with ISK |
| ISK | Image Signing Key, interchangeable term with IMG |
| ISP | In-system programming, a mode in which the processor can be programmed directly in the product |
| IVT | Image Vector Table |
| KEK | Key Encryption Key, used to encrypt a session key or DEK |
| KeyBlob | A data structure that wraps the key, the counter, and the range of image decryption for the AES-CTR (AES in Counter mode) algorithm |
| KIB | Key Info Block, holding the key and IV for AES-128-CBC; the key and IV used to wrap and unwrap the PRDB are defined as the key info block |
| MAC | Message Authentication Code. Provides integrity and authentication checks |
| Message digest | A unique value computed from the data using a hash algorithm. Provides only an integrity check (unless encrypted). |
| NBU | Narrow Band Unit |
| NDA | Non-disclosure Agreement |
| OEI | Optional Executable Image |
| OEM | Original Equipment Manufacturer |
| OS | Operating System |
| OTFAD | On-The-Fly AES Decryption |
| OTP | One-Time Programmable. OTP hardware includes masked ROM and electrically programmable fuses (eFuses). |
| OTPMK | One-Time Programmable Master Key |
| PFR | Protected Flash Region |
| PKCS#1 | Standard specifying the use of the RSA algorithm. For more information, see [https://en.wikipedia.org/wiki/PKCS_1](https://en.wikipedia.org/wiki/PKCS_1) and [https://web.archive.org/web/20051029040347/http://rsasecurity.com/rsalabs/node.asp?id=2125](https://web.archive.org/web/20051029040347/http://rsasecurity.com/rsalabs/node.asp?id=2125). |
| PKI | Public Key Infrastructure, a hierarchy of public key certificates in which each certificate (except the root certificate) can be verified using the public key above it. |
| Plaintext | Unencrypted data |
| PRDB | Protection Region Descriptor Block, which records the counter and the range of image decryption for the AES-CTR algorithm |
| PUF | Physical Unclonable Function |
| pyOCD | Python-based tool and API for debugging, programming, and exploring Arm Cortex microcontrollers; for details, see [http://pyocd.io/](http://pyocd.io/) |
| Rijndael | Block cipher chosen by the US Government to replace DES. Pronounced *rain-dahl*. |
| ROMCFG | ROM Bootloader configurations |
| RoT | Root of Trust |
| RSA | A public key cryptography algorithm developed by Rivest, Shamir, and Adleman. An RSA accelerator (including hash acceleration) is found on some processors. |
| RSA-PSS | RSA probabilistic signature scheme |
| SDP | Serial Download Protocol, also called UART/USB Serial Download mode. It allows code provisioning through UART or USB during production and development phases. |
| SEC Tool | Secure Provisioning Tool |
| Session key | Encryption key generated at the time of encryption and only ever used once |
| SHA-1 | Hash algorithm that produces a 160-bit message digest |
| SNVS | Secure Non-Volatile Storage |
| SPL | Secondary Program Loader |
| SPSDK | Secure Provisioning SDK, an open source Python library and command-line tools for secure provisioning of NXP MCUs |
| SRK | Super Root Key, an RSA key pair that forms the start of the boot-time authentication chain. The hash of the SRK public key is embedded in the processor using OTP hardware. The SRK private key is held by the CA. Unless explicitly noted, SRK in this document refers to the public key only. |
| TEE | Trusted Execution Environment |
| UID | Unique Identifier, a unique value (such as a serial number) assigned to each processor during fabrication |
| UUU | Universal Update Utility, used to download images to different MPU devices |
| V2X | Vehicle-to-everything, a standalone cryptographic accelerator (EdgeLock Accelerator) on i.MX 95 |
| XIP | Execute-In-Place, a software image that is executed directly from its non-volatile storage location rather than first being copied to volatile memory |
| XMCD | External Memory Configuration Data |