Release Notes for MCUXpresso Secure Provisioning Tool

Version: 25.03.01

Date: Apr-2025

Overview

MCUXpresso Secure Provisioning Tool (SEC) is a graphical user interface (GUI) tool covering secure boot process and trust provisioning capabilities, primarily aimed at microcontroller customers. It provides a unified GUI front-end over SPSDK command-line tools. The tool is designed to help users to prepare complex security configuration easily, while it keeps the possibility to customize the generated scripts.

Supported processors

• i.MX RT1xxx processors:

  • RT101x, RT102x, RT104x, RT1050, RT106x

  • RT116x, RT117x, RT118x

• i.MX RT5xx/6xx/7xx processors:

  • RT5xxS, RT685S, RT7xxS

• Kinetis W processors:

  • K32W148, KW45B41Zx, KW47B42Zxx, KW47Z420xx

• LPC55Sxx and LPC55xx processors:

  • LPC55S6x, LPC55S3x, LPC55S2x, LPC55S1x and LPC55S0x

  • LPC553x, LPC552x, LPC551x and LPC550x

  • LPC865

• NHS52S04

• MC56F816xx/7xx/8xx processors

• MCX processors:

  • MCXA13x, MCXA14x, MCXA15x

  • MCXCx4x

  • MCXN94x, MCXN54x, MCXN23x

  • MCXW236, MCXW716x, MCXW727x

• RW61x processors

• MWCT2x12/D2 processors

• i.MX 9x processors:

  • MIMX9352

  • MIMX9596

Features

• Conversion of ELF executables, SREC, HEX, and raw binaries into bootable images files

• Credentials (keys, signatures, and certificates) generation and management associated with signed/encrypted images

• Target device connection via UART, USB-HID, SPI, and I2C

• Writing FlexSPI NOR, FlexSPI NAND, SEMC NAND, eMMC or SD card boot device including configuration of the boot device parameters

• Use of DCD/XMCD configuration for SDRAM images bootup

• Programming customizable eFuses and/or protected flash regions per image and use case requirements

• Optional batch scripts generation for later use without the GUI

• Streamlined operation for general users

• Manufacturing Tool with the support of parallel execution

• Trust provisioning and device HSM provisioning for selected processors

• Flash programming GUI tool

• Debug authentication

• SB editor tool including support of device HSM SB files

• Support of MCUboot secondary bootloader

• Detailed supported features for each processor in the user guide (see SEC-Tool-Features.xls spreadsheet embedded in the PDF)

• Available for Windows, Linux, and macOS

System requirements

• One of the following Host Operating systems:

  • Microsoft(R) Windows(R) 11 (64-bit)

  • macOS 14 Sonoma (Intel x86_64 or Aarch64)

  • Ubuntu 22.04 LTS 64 bit, with “OpenSSL 1.1.1f 31 Mar 2020”; GNOME recommended

  • Ubuntu 24.04 LTS 64 bit, with GNOME and OpenSSL 3.0.13 30 Jan 2024; GNOME is recommended.

• 4 GB RAM or more

• Minimal display with resolution:

  • Windows: 1280 x 720 with 100% scale; higher resolution can be used with higher scale (for example 1920 x 1080 with 150% scale)

  • Linux: 1366 x 768

• P&E Micro debug probe users: install drivers from P&E web site or install MCUXpresso IDE

  • P&E Micro does not support macOS Aarch64

• Lauterbach debug probe users: install Lauterbach from Lauterbach web site and configure access over network in config.t32

• MCU-Link or LPC-Link debug probe users: install drivers from NXP web site (see user guide for the links)

Known issues and limitations

• For more information, see chapter Troubleshooting in the documentation.

What is new

This chapter provides details about the changes for each released version of the tool.

Version 25.03.01, April 2025

• Minor update to fix failure of the write script for Windows if CFPA is not updated

• This version is available for Windows only, for other OSes use version 25.03

Version 25.03, March 2025

• Supported new processors:

  • i.MX RT1043 and RT1046 processors

  • MCX A13x processors

  • MCX C processors: MCXC041, MCXC242, MCXC444

  • MCX W236 processor

  • i.MX 9352 (unsigned and signed images)

  • KW47 and MCXW727x processors, unsigned boot types only

• Support of EdgeLock 2GO Trust provisioning for KW45, K32W, MCXW71x and MCXN

• LPC55Sxx and NHS: added support of dual boot (ping/pong)

• RT7xx: added support of signed load-to-ram image via SB file; added XMCD support

• Key revocation for LPC55Sxx/RTxxx processors

• RT118x: added support for RSA-PSS keys

• Added Merge Images tool to merge up to 8 images into one single binary file

• Ability to export and import workspace, see main menu > File

• Added command main menu > Help > Release notes

• LPC55Sxx and RT5xx/6xx: RSA4K bit set if 4K keys generated, so debug authentication works

• Option to check for a new version of the tool, see main menu > File > Preferences

• Added detection whether device HSM rebuild is needed, if not it is skipped automatically

• Log files moved to new workspace sub-directory called ‘logs’

• CMPA and CFPA yaml files contains values in RAW format, to avoid problems with hidden post progress conversions

• Added warning if user opens a workspace from older version

• Improved names of the boot modes (plain vs encrypted)

• Fuses from restricted data package moved to the tool and they are no more restricted

• LPC55S0x/1x/2x/6x and NHS52S04: Backward incompatibility with version 10:

  • PFR.CMPA.RSA4K bit-field is not preset by the tool; it is only validated and warning is displayed

• Integrated SPSDK 2.6.1 with lpcprog and nxpuuu tools

  • nxpuuu is intended to replace uuu tool which is now deprecated and might be removed in next release

• Lauterbach debug probe support (Windows only)

Version 10.0, November 2024

• A new dialog for workspace creation with predefined profiles is added.

• Support for MCX W71xx processors is added.

• Preliminary support for i.MX RT798, plain, crc, and signed images is added.

• Preliminary support for i.MX 95, silicon revision a1, unsigned images is added.

• Support of EdgeLock 2GO Trust provisioning for MCXNx4x and RW61x; device HSM unified with the EdgeLock 2GO process is added.

• RW61x: FRDM-RW61x is now the default memory configuration for a new workspace; fuses were updated.

• The Manufacturing package can be optionally encrypted with a password.

• A hook for modification of environment variables at the start of the build and write scripts is added.

• Support of additional images for KW45xx and K32W1xx is added.

• Additional predefined configurations are added for the boot memory configuration (not verified on silicon).

• The `Create FCB` command is now back-up and restores the content of the memory where FCB is stored.

• The TrustZone templates are now preset on the build page, so it is easier to find them and customize; the file can be also in the YAML format.

• i.MX RT10xx: the SEC_SET_ENGINE section is removed from the BD file.

• Third-party licenses are added into the product layout. See the “licenses” subfolder.

• Support of environment variables in CLI is added. Environment variables are supported in all paths arguments and in configuration json files.

• Integrated NXP Secure Provisioning SDK 2.3.1

Version 9.0.1, August 2024

• Authentication for ECC keys for i.MX RT116x/7x is fixed.

  • Authentication for ECC 384/521 is fixed.

  • The random invalid signature for ECC 256 is fixed.

• Freeze in the PRINCE dialog setting for MCXN and LPCs is fixed.

• MCX N PRINCE incorrect configuration, mainly if more regions are configured, is fixed by the configMemory parameter in the SB file.

Version 9.0, July 2024

• Support for MCF56816xx/7xx/8xx processors is added.

• Support for MCXN23x and additional MCXA14x/MCXA15x processors is added.

• Support for MWCT2x12/D2 processors is added.

• Support for the NHS52S04 processor is added.

• Support for MCUboot - open source secondary bootloader ia added.

• Additional images can be used for most of the processors (except KW).

• The exported OTP/PFR/IFR configuration now contains the page name that is validated during the import.

• The firmware version is supported for LPC55Sxx and i.MX RTxxx processors; for RT118x it is available only for signed images.

• The minimal firmware version can now be specified in the firmware configuration dialog.

• Support for build, write, and manufacturing script hooks is added.

• The limitation for key chain length for LPC55S6x and i.MX RTxxx processors is removed; for other LPCs changed to warning.

• The support for FlexSPI instance selection for FlexSPI NAND for i.MX RT116x/7x is added.

• The supported key revocation constraint for LPC55S3x, MCX N1xx, RW61x, KW45, and K32W processors.

• The MBI image is partially erased before the device HSM, so it does not boot after reset. Applies for MCXN10, MCXN11, LPC55S3x, RW61x, and MWCT2x12.

• In the installation layout, the “sample_data” sub-folder (soft link) is created. It contains sample binary applications, signature provider examples, trust zone, XMCD, and DCD configuration templates.

• Signature provider:

  • Support of sending only a hash of the data for signing is added.

  • Incompatible change in encoding of send public keys, public keys are encoded in the standard key encodings (pem, der, nxp) instead of the hex format.

• Integrated NXP Secure Provisioning SDK 2.2.x with the following highlighted changes:

  • New tools: nxpmemcfg, dk6prog, el2go, nxpwpc

• i.MX RT1050/6x: eMMC supported

• RW61x: device HSM provisioning now required device HSM loader from restricted data

• The support for JLink and PEmicro debug libraries is removed. All debug probes are now supported via pyOCD.

• CLI tools (imgtool and uuu) are added.

• CLI: support to save or change workspace settings and specify additional images is added.

• $check_fw_versions SB2.1 high-level commands for SB editor are fixed.

• The default flash (W25Q512NWEQ) for i.MX RT117x based on the flash used on RT117x-EVKB is fixed.

• The key used to sign flashloader for i.MX RT10xx and RT116x/7x is fixed - changed from the first key to the selected key.

• The flashloader for i.MX RT1181/82 processors is fixed.

Version 8.0, January 2024

• LPC55S3x, KW45xx, K32W1xx: added support for images executed in RAM (xip images)

• Added support for MCXN9xx/MCXN5xx/MCXA14x/MCXA15x processors

• Added support for i.MX RT118x processors with new option to include additional images into the build

  • RT1181 and RT1182 processors are not available in the release time, the tool was tested on preproduction silicon only

• Added support for RW61x processors (including shadow registers)

• Added support for SB 2.1 Editor, supported for i.MX RTxxx and LPC55Sxx processors

• Added an option to configure signature provider via a custom web server

• Added an option to specify separate FCB files for flash programming and runtime

• Supported ECC keys for i.MX RT116x/7x

• i.MX RT11xx bootable image can be used as the source image for the build (previously this was only for RT10xx)

• Added support for multiple monitors

• Integrated NXP Secure Provisioning SDK 2.x with the following highlighted changes:

  • elftosb tool removed, replaced by nxpimage; nxpkeygen tool replaced by nxpcrypto

  • updated changes in command-line arguments

  • several additional incompatible changes in configuration files

• LPC55S3x, KW45xx, K32W1xx: spsdk/nxpkeygen tool replaced by spsdk/nxpcrypto

• Removed legacy tools arm-none-eabi-objcopy, blhost, sdphost, elftosb, image_enc, and cst (fully replaced by spsdk tools)

• New installer for Mac OS with Apple M processor (previously Intel processor only was supported)

• Windows: the workspace can now be located on a drive with a letter other than the letter of the installed application.

Version 7.0, July 2023

• Smart card trust provisioning is supported for the LPC55S36 processor

• Smart card trust provisioning is supported only for smart card 1.2 or higher

• Redesigned configuration of boot memory; added support for user presets and custom-protected area

• Newly added dual image (ping/pong) boot support is extended to LPC55(S)3x, KW45xx, K32W1xx, and RT116x/7x

• Added support for SB 3.1 editor for LPC55S3x, KW45xx, and K32W1xx processors

• Improved configuration of IFR/ROMCFG for KW45xx and K32W1xx processors, now configured per 16-byte blocks

• i.MX RT116x/7x: legacy elftosb and image_enc tools are replaced by spsdk/nxpimage

• i.MX RT116x/7x: flashloader is updated and detection of locked fuses (via blhost get-property 31) is added

• i.MX RT116x/7x: eMMC is supported

• i.MX RT11xx: XMCD is supported, either via the link to the configuration file or via a simplified GUI editor

• i.MX RT10xx: support for SPI NAND is added

• Grouping of processors in the “New workspace” dialog is improved

• NXP Secure Provisioning SDK 1.10.2 is integrated

Version 6.0, March 2023

• Added KW45xx and K32W1xx processors

• Enabled support of the LPC55S36 processor

• Fixed configuration of boot device Macronix_MX25UM51345G_A.json, so it matches recommendations from reference manuals

• LPC55Sxx: DICE can be enabled by the user, UDS key initialized in the write script

• LPC55Sxx and i.MX RTxxx: It is possible to regenerate ROT certificates with a different serial number (for key revocation)

• LPC55Sxx: The CFPA content is verified before write and an error is reported if the version is not incremented (GUI only)

• LPC55Sxx: Added support for encrypted plain boot type

• Added i.MX RT1040 processor

• i.MX RT1060: a new EVK board revision supported: MIMXRT1060-EVKC

• i.MX RT107x: a new EVK board revision supported: RT1170-EVKB

• i.MX R685: a new EVK board supported: RT600-AUD-EVK

• i.MX RT5xx: Added support for dual image (ping/pong) boot with PUF key source

• i.MX RT5xx and RT6xx: Added support eMMC and SD card

• i.MX RT6xx: Added support for debug authentication

• Trust provisioning: added support for multiple smart cards, USB connection, and performance improvements

• Flash programmer performance improvements for higher buffer sizes

• Build view: displayed all generated files and their status

• Window locations and sizes are stored in preferences

• The tool display “dirty” flag; if settings are not saved on the disk; added new preference to save automatically

• Setting file spt_settings.json changed to settings.sptjson

• File extension .sptjson associated with the SEC tool, so it can be opened directly with the tool

• CLI: New argument in write scripts: erase_all - perform an erase of the entire flash memory instead erasing regions only

• Tool localized to Chinese

• Legacy blhost updated to v2.6.7

• LPC55S69: dropped support of trust provisioning firmware for silicon revision 8

• i.MX RT633S: the processor removed, no more supported

• Integrated NXP Secure Provisioning SDK 1.9.1

Version 5.0, November 2022

• Added support for LPC55xx and LPC553x processors (non-S)

• Added support for main menu > Tools > Flash Programmer

• Added support for trust provisioning using Smart Card for LPC55S0x/1x processors

• Added support for device HSM provisioning for i.MX RT6xx processors

• Added support for dual image (ping/pong) boot for i.MX RTxxx processors with OTP key source

• Legacy elftosb is replaced by elftosb from SPSDK for i.MX RTxxx processors

• OTP Configuration is moved from the Write image page to the Build image page

• write_parameters.json is generated for write with parameters reused from build; CLI parameters updated

• Added support for burning fuses in SB file for i.MX RTxxx processors

• Added support for debug authentication for LPC55Sxx and i.MX RTxxx processors

• Added support for OTFAD encrypted boot mode with master key for i.MX RT1011 processor

• Added support for FlexSPI NAND boot for i.MX RT117x/RT116x processors

• Added support for localization, Manufacturing Tool is localized to Chinese (see Preferences)

• Added “MX25U51245G_B” boot device configuration for i.MX RT600-AUD-EVK

• The command “main menu> File > Generate Scripts” is removed, it was replaced by the link on Build image and Write image views

• Integrated SPSDK 1.7 with the following highlighted changes:

  • new tools: nxpimage and nxpcrypto

  • elftosb: added support to burn fuses in the SB file

Version 4.1.1, July 2022

• Trust provisioning tools are updated from NXP Secure Provisioning SDK 1.6.3

Version 4.1, June 2022

• LPC55S69: 2 versions of trust provisioning firmware for different silicon revisions are now supported.

• Ubuntu 22.04 LTS is supported

Version 4.0.1, May 2022

• Windows: Fix for LPC55Sxx write script in sealing the CMPA page

• Updated terminology in GUI and documentation

Version 4.0, May 2022

• Added support for Trust Provisioning using Smart Card for LPC55S6x/2x

• Added support for “life cycle” selection instead of the “Enable security” checkbox (for all processors)

• Added support for Encrypted (HAB) and Encrypted (IEE) boot modes for RT11xx

• Added support for FlexSPI instance selection for i.MX RT11xx processors

• Added support for OTFAD encrypted boot mode with user keys for i.MX RT1010 processors

• Added support for SPI and I2C connection types (for LPC55Sxx and i.MX RTxxx)

• Improved fields and bits names in PFC Configuration for LPC55Sxx processors

• Improvements on the Manufacturing Tool: Added counter of successful operations and a “Test connection” button

• Improved layout of PFR Configuration dialog for improving the user experience on Linux

• Several fixes and improvements for write script for i.MX RTxxx processors

• Added a “Clear CMPA” button into the PFR configuration dialog

• CLI command “clear-security” was removed. It was replaced by the PFR configuration and a “Clear CMPA” button

• Windows: Fixed the problem that the Secure Provisioning Tool does not run with some region settings

• Integrated SPSDK 1.6 with the following highlighted changes:

  • Additional CLI tools added: tpconfig, tphost, nxpcertgen, nxpdevhsm, shadowregs, nxpdevscan

  • blhost:

    • The performance of the “receive-sb-file” command was significantly improved; however, if it fails, the reported error code might not be correct; use the parameter “–check-errors” to see the detailed problem information

    • The command “efuse-program-once” automatically verifies the written value to avoid problems on i.MX RT11xx processors, where the write failure was reported as a successful operation (see also –verify/–no-verify option)

  • pfr, pfrc:

    • The names of the fields and their bits were updated without preserving backward compatibility.

Version 3.1, August 2021

• Support for Mac OS X Big Sur (version 11) is added; support for Microsoft(R) Windows(R) 7 is dropped.

• Support for i.MX RT1171, RT1172, RT1173, RT1175, RT1165, RT1166 is added.

• The CLI command “write_fuses” was removed, it was replaced by OTP Configuration.

• [LPC55Sxx] Support for PFR Configuration GUI is added.

• [LPC55Sxx] Support for PRINCE encryption of “Whole image” without the necessity to enter an exact address range is added.

• [RTxxx, RT11xx] support for OTFAD encryption is added.

• Support for i.MX RT1010: Unsigned and Authenticated (HAB) modes are added.

• NXP Secure Provisioning SDK 1.4 is integrated.

Version 3.0, April 2021

• Support for i.MX RT1176: Unsigned and Signed modes is added.

• Support for i.MX RT5xx/RT6xx: Unsigned/CRC/Signed boot modes is added.

• Support for PRINCE encryption for LPC55Sxx processors is added.

• Support for OTP configuration is added.

• Support for Manufacturing Tool is added.

• [LPC55Sxx] CMPA/CFPA.bin files generated using the PFR tool; CMPA/CFPA.json used as an input

• [LPC55Sxx] The initial version of CFPA for Signed boot mode (0x02000_0000 to 0x0000_0002) is fixed.

• i.MX RT10xx/RT11xx: support for restricted data is added.

• RT5xx/RT6xx: the ability to use Shadow registers instead of using FUSEs

• Support for Ubuntu 20.04 is added.

• blhost and sdphost utilities are replaced with SPSDK alternatives; new CLI utilities: pfr, nxpkeygen, and nxpdebugmbox (Debug Authentication) in tools/spsdk are added.

• LPC55Sxx Key Store: The key store is initialized only once in the device life cycle and after that SBKEK cannot be changed.

• i.MX RT10xx GPx fuse lock: lock for the GPx fuse provided in previous versions was removed in V3 as the lock is not required for a bootable image;

  Note: However, it is still recommended to lock the fuse; see “OTP Configuration”

Version 2.1, December 2020

• Support for i.MX RT1015, i.MX RT1024, LPC55S06, and LPC55S04 is added.

• Mac OS X - fixed saving the workspace setting in case the App Menu “securep | Quit securep” is used.

• Mac OS X - fixed connection dialog freeze in case a wrong UART is used.

• [LPC55Sxx] several improvements for Signed LPC images

• [LPC55Sxx] CLI allows setting/overriding the Trust Zone Settings.

• Other minor improvements and bug-fixes

Version 2.0, August 2020

• Support for i.MX RT1020 and i.MX RT1064 is added.

• Support for LPC55S6x, LPC55S2x, and LPC55S1x is added.

  • Unsigned, Unsigned CRC, and Signed boot modes

  • TrustZone support (bin + json)

  • Key Management - Secure Boot, Generation of ROT keys

• BEE boot for i.MX RT10xx

  • OTPMK

  • SW-GP2/GP4

• Import/Export Keys between workspaces

• The connection dialog is improved, it supports UART test connection, processor detection and detection of fuse status are improved.

Version 1.0.1, January 2020

• Support for Mac OS X Catalina (10.15) + Ubuntu 18.04 is added.

• Termination of subprocesses of long-running tasks is fixed.

Version 1.0, December 2019

• Initial version with i.MX RT1050 and i.MX RT1060; for Windows

Revision history

Table 1. Revision history

Document ID	Release date	Description
MCUXSPTRN v.11	14 April 2025	Changes for 25.03.01 are added.
MCUXSPTRN v.10	28 March 2025	Features for 25.03 are added.
MCUXSPTRN v.9	13 November 2024	Features for v.10 are added.
MCUXSPTRN v.8	19 August 2024	Features for v.9.0.1 are added.
MCUXSPTRN v.7	31 July 2024	Features for v.9 are added.
MCUXSPTRN v.6	11 January 2024	Features for v.8 are added.
MCUXSPTRN v.5	20 July 2023	Features for v.7 are added.
MCUXSPTRN v.4	15 March 2023	Features for v.6 are added.
MCUXSPTRN v.3	30 September 2022	Features for v.5 are added.
MCUXSPTRN v.2	24 June 2022	Features for v.4.1 are added.
MCUXSPTRN v.1	10 May 2022	Features for v.4.0.1 are added.
MCUXSPTRN v.0	28 April 2022	Initial release