# Overview
This Quick Start Guide provides a step-by-step overview to help you install, configure, and begin using the MCUXpresso Secure Provisioning Tool efficiently. Whether you are new to secure boot and encryption workflows or looking to integrate secure provisioning into your production process, this guide will help you get started quickly.
The MCUXpresso Secure Provisioning Tool (SEC tool) is a powerful utility developed by NXP to streamline the secure provisioning of embedded devices. Designed to support a wide range of NXP microcontrollers, this tool enables developers to configure security features, generate cryptographic keys, and securely program devices with minimal setup.
# Hardware requirements
- It is recommended to start with the reference design board (FRDM/EVK) from NXP.
- Detailed requirements to start the MCUXpresso Secure Provisioning Tool are listed in [MCUXpresso Secure Provisioning Tool Release Notes](#release-notes).
# Software requirements
MCUXpresso Secure Provisioning Tool can be executed on Windows, Linux, or MacOS. The detailed requirements are listed in the [MCUXpresso Secure Provisioning Tool Release Notes](#release-notes).
# Installing and configuring the SEC tool
The MCUXpresso Secure Provisioning Tool installers are available for Windows, Linux, or MacOS, and can be downloaded from [NXP Secure Provisioning web](#nxp-secure-provisioning-web). For Windows and MacOS, the installers work as a wizard that guides you step by step through the installation process. The Debian package is available for Linux.
The details about the installation can be found in the [MCUXpresso Secure Provisioning Tool User Guide](#user-guide).
# Using the tool
## Prerequisites
As an input for the tool, use an application binary (S19, HEX, ELF/AXF or BIN file format) that works on the processor. Based on the boot device, build the application either for RAM or for Flash. It is recommended to start with any MCUXpresso SDK example, which is already pre-configured for the right address.
Before using the MCUXpresso Secure Provisioning Tool, run the application in the debugger and check that it works as expected.
For FRDM and EVK boards, sample applications are provided in binary form; they usually blink the onboard LED. They can be used to evaluate the tool functionality even if you do not have any specific application yet.
To load the application into the board, switch the board into In-System-Programming (ISP) mode. For details on how to do that, check the documentation for the board or the reference manual of the processor.
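A pre-import check for the input image described above, as an added example that is not part of the original guide or of the SEC tool: it classifies the file by its leading bytes and, for S19 and HEX text, validates every record checksum and reports the lowest load address, so you can confirm the build targets the intended RAM or flash region. The function names and sample records are constructed for illustration; ELF and BIN inputs are only classified.

```python
SREC_ADDR_LEN = {"S1": 2, "S2": 3, "S3": 4}  # data record type -> address bytes

def detect_format(data: bytes) -> str:
    """Heuristic classification by leading bytes; BIN has no magic, so it is the fallback."""
    head = data.lstrip()[:2]
    if data[:4] == b"\x7fELF":
        return "ELF"
    if head[:1] == b"S" and head[1:2].isdigit():
        return "S19"
    return "HEX" if head[:1] == b":" else "BIN"

def srec_base(text: str) -> int:
    """Lowest data address in Motorola S-record text; raises on a bad checksum."""
    addrs = []
    for line in text.split():
        raw = bytes.fromhex(line[2:])          # count, address, data, checksum
        if (sum(raw) & 0xFF) != 0xFF:          # ones' complement checksum
            raise ValueError(f"bad checksum: {line}")
        if (n := SREC_ADDR_LEN.get(line[:2])):
            addrs.append(int.from_bytes(raw[1:1 + n], "big"))
    return min(addrs)

def ihex_base(text: str) -> int:
    """Lowest data address in Intel HEX text, honouring type 02/04 base records."""
    base, addrs = 0, []
    for line in text.split():
        raw = bytes.fromhex(line[1:])          # count, offset, type, data, checksum
        if sum(raw) & 0xFF:                    # two's complement checksum
            raise ValueError(f"bad checksum: {line}")
        offset, rtype, payload = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype in (0x02, 0x04):              # extended segment (<<4) or linear (<<16) base
            base = int.from_bytes(payload, "big") << (16 if rtype == 0x04 else 4)
        elif rtype == 0x00:                    # data record
            addrs.append(base + offset)
    return min(addrs)

def load_base(data: bytes):
    """Return (format, lowest load address); None where the text parsers do not apply."""
    fmt = detect_format(data)
    parser = {"S19": srec_base, "HEX": ihex_base}.get(fmt)
    return fmt, parser(data.decode("ascii")) if parser else None

# Constructed sample records (addresses are arbitrary, not tied to any processor).
SAMPLE_HEX = b":020000041000EA\n:04040000DEADBEEFC0\n:00000001FF\n"
SAMPLE_S19 = b"S0030000FC\nS30920000000DEADBEEF9E\nS70520000000DA\n"

if __name__ == "__main__":
    for blob in (SAMPLE_HEX, SAMPLE_S19):
        print("%s image, lowest load address 0x%08X" % load_base(blob))
```

Compare the reported address with the memory map in the processor reference manual. A BIN file carries no address information, and an ELF file keeps its addresses in the program headers, which this sketch does not read.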
## New workspace
When you start the MCUXpresso Secure Provisioning Tool for the first time, it asks you to create a new workspace, the folder with all files needed for your project. You can also create a new workspace later using the command **main menu > File > New Workspace**.
```{eval-rst}
.. figure:: _images/quick_start_guide_new_workspace.png
   :scale: 60%
   :align: center

   **New Workspace**
```
To create the workspace, fill in the following parameters:
1. Select the workspace path on the disk. It is recommended to create a new folder for each project.
2. Connect the device to your computer and select the connection used such as UART COM port or USB. Using a USB connection allows the tool to automatically select the processor series.
3. Select the processor either directly from the tree or use the search bar.
4. Select the path to your application as a source executable image.
**Note:** For the NXP board, the tool includes pre-compiled SDK examples that can be selected from the drop-down list.
5. To verify the build and write process with your application, use the default profile, in which the application code is unsigned and plain (not encrypted). Later, once the application has been tested in the tool, you can select a secure profile, and the tool generates keys and pre-generates a configuration for secure boot.
6. Click the **Create** button to create the workspace.
## Tool GUI
After you create a workspace, the tool main window will be shown. The main window contains:
1. main menu
2. toolbar
3. tabs "Build image", "Write image", and "PKI management"
4. log view
5. status line
```{eval-rst}
.. figure:: _images/sec_tool_gui.png
   :scale: 60%
   :align: center

   **Tool GUI**
```
As a first step, double-check that the configuration on the toolbar matches your requirements. You will find there:
1. selected processor (already selected in the wizard)
2. connection to the processor (already selected in the wizard)
3. boot mode (already selected in the wizard)
4. boot memory
5. life cycle (it is recommended to start with the default value)
6. trust provisioning (it is recommended to start with the default value)
7. debug probe (for most processors you will not need this; it might be used to set up shadow registers used instead of fuses)
8. quick fix button
```{eval-rst}
.. figure:: _images/tool_bar.png
   :scale: 70%
   :align: center

   **Toolbar**
```
## Check connection
Either use the command **main menu > Target > Connection** or click the connection button in the toolbar, then click the **Test connection** button in the connection configuration dialog. This pings the processor in ISP mode and checks whether the connection can be established. If the connection is successfully established, the dialog shows the detected status of the connected processor.
If the connection does not work, check that the board is configured to ISP/SDP mode and reset the board.
## Build bootable image
If you create a workspace using the wizard, there should not be any error on the build page. Errors are displayed in red and the description of the problem is displayed in the tooltip, so if any errors are indicated, fix them. **Note:** Ignore the error on the Write page; it remains until you build the image.
Click the **Build image** button to build the bootable image. The progress is shown in the log. In case there was any problem, read the log and fix it. The files generated as a part of the process are shown below the button. The most important is listed as the first one. It is called the "build_image" script, a script executed during the build process. It is possible to click it and check the content.
## Test bootable image
Once the bootable image is built, you can continue to the **Write image** page and write it into the boot memory. Double-check that there are no errors reported and click the **Write image** button to start the process. The write process works similarly to the build process. It performs pre-checks and, if no problem is found, generates the write script. If the write script makes any irreversible changes in the processor, the GUI displays a confirmation dialog with the list of changes. After that, the write script is executed, and the details are listed in the log view.
Once the application is written, verify it boots correctly (switch from ISP to RUN mode and reset).
## What is next
Once you have a bootable application working, it is possible to add additional security configurations, for example:
- secure boot with signed or encrypted image
- dual image boot
- anti-rollback configuration
- configuration of One-Time-Programmable (OTP)
- etc
It is recommended to check the application after each change. If the application does not boot, revert and figure out which change causes the problem.
The tool provides various checks to prevent invalid configurations. Errors (red) are blocking issues; they prevent any invalid configuration from being applied to the processor. Warnings (yellow) mark unusual or not recommended settings, but they are non-blocking.
Once the secure configuration of the application is finalized and stable, you can continue to manufacturing. The tool can generate a manufacturing package, a ZIP file with all files needed for manufacturing. In the manufacturing facility, import the package and apply it (the manufacturing tool allows applying it to several boards in parallel).
## Processor-specific workflows
Some features are processor-specific and need to be configured per processor. For this reason, the [MCUXpresso Secure Provisioning Tool User Guide](#user-guide), section "Processor-specific workflows", describes a step-by-step process for setting up the different secure configurations on each processor.
# References
## Release Notes
https://docs.mcuxpresso.nxp.com/secure/latest/release_notes.html
*MCUXpresso Secure Provisioning Tool Release Notes* (document MCUXSPTRN)
## User Guide
https://docs.mcuxpresso.nxp.com/secure/latest/01_introduction.html
*MCUXpresso Secure Provisioning Tool User Guide* (document MCUXSPTUG)
## NXP Secure Provisioning web
https://nxp.com/mcuxpresso/secure
## Community, forum, knowledge base
https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/tkb-p/mcux-secure-tool
# Revision history
|Document ID|Release date|Description|
|-----------|------------|-----------|
|UG10241 v.1 | 30 June 2025 |Initial version.|