Python tools for provisioning Cypress/Infineon MCUs
Project description
This package contains security tools for creating keys, creating certificates, signing user applications, and provisioning Cypress MCUs.
Table of Contents
- Prerequisites
- Documentation
- Installing package
- Supported devices
- Interface and Usage
- Logging
- Installing libusb driver
- Known issues
- License and Contributions
HW/SW compatibility
PSoC 64
Target/Kit | Silicon Revision1 | Silicon ID, Silicon Rev., Family ID | Secure FlashBoot Version | CyBootloader Version | |
512K | |||||
cyb06xx5 cy8cproto‑064b0s3 |
A1 | 0xE70D, 0x12, 0x105 | 4.0.2.1842 | 2.0.1.6441 | |
2M | |||||
cyb06xxa cy8ckit‑064b0s2‑4343w |
A1 | 0xE470, 0x12, 0x102 | 4.0.3.2319 | 2.0.2.8102 | |
cys06xxa cy8ckit‑064s0s2‑4343w |
A1 | 0xE4A0, 0x12, 0x02 | 4.0.3.2319 | 2.0.2.8102 | |
1M | |||||
cyb06xx7 cy8cproto‑064s1‑sb cy8cproto‑064b0s1‑ble cy8cproto‑064b0s1‑ssa |
B3 | 0xE262, 0x24, 0x100 0xE261, 0x24, 0x100 | 4.0.2.1842 | 2.0.0.4041 |
CYW20829
Target/Kit | Silicon Revision1 | Silicon ID, Silicon Rev., Family ID | ROM Boot Version | RAM Applications Version |
cyw20829 | A0 | 0xEB40, 0x11, 0x110 | 1.0.0.7120 | 1.0.0.2857 |
cyw20829 | B0 | 0xEB43, 0x21, 0x110 | 1.2.0.8334 | 1.2.0.3073 |
1 Specify --rev
option for older revision of the silicon (e.g. $ cysecuretools -t cyw20829 --rev a0 <COMMAND>
). Using the latest revision does not require specifying the option.
CYW89829
Target/Kit | Silicon Revision | Silicon ID, Silicon Rev., Family ID | ROM Boot Version | RAM Applications Version |
cyw89829 | B0 | 0xEB47, 0x21, 0x110 | 1.2.0.8334 | 1.2.0.3073 |
Prerequisites
- General
- Python 3.6 or later
- Installed Cypress OpenOCD
- For PSoC 64 devices
- Ensure the KitProg3 programming mode is CMSIS-DAP Bulk
- Ensure the power selection jumper is set to provide 2.5 V to the power supply pin related to eFuse power. This voltage level is required to blow eFuses
- For CYW20829/CYW89829 devices
- Ensure the KitProg3 programming mode is CMSIS-DAP Bulk
- Ensure the power selection jumper is set to provide 2.5 V to the power supply pin related to eFuse power. This voltage level is required to blow eFuses
Documentation
Installing Package
Invoke pip install
from the command line:
$ pip install cysecuretools
To update the already installed package:
$ pip install --upgrade --force-reinstall cysecuretools
Supported devices
Use device-list
command for output of the supported devices list.
$ cysecuretools device-list
Interface and Usage
PSoC 64
See README_PSOC64.md
CYW20829/CYW89829
XMC7100/7200
Logging
Every time the tool is invoked, a new log file is created in the logs directory of the project. By default, the console output has INFO logging severity. The log file contains the DEBUG logging severity.
Known issues
- Using the policy from version 4.0.0 in projects created by version 4.1.0 causes the CY_FB_INVALID_IMG_JWT_SIGNATURE error during re-provisioning on PSoC64-2M devices:
...
ERROR : SFB status: CY_FB_INVALID_IMG_JWT_SIGNATURE: Invalid image certificate signature. Check the log for details
Workaround:
- Open the policy file.
- Navigate to section 1 of the
boot_upgrade/firmware
. - Set
boot_auth
andbootloader_keys
as follows:
"boot_auth": [
3
],
"bootloader_keys": [
{
"kid": 3,
"key": "../keys/cy_pub_key.json"
}
]
- During the installation of the package via pip on Mac OS Big Sur, the following exception is raised:
...
distutils.errors.DistutilsError: Setup script exited with error: SandboxViolation:
mkdir('/private/var/root/Library/Caches/com.apple.python/private/tmp/easy_install-y8c1npmz', 511) {}
The package setup script has attempted to modify files on your system
that are not within the EasyInstall build area, and has been aborted.
This package cannot be safely installed by EasyInstall, and may not
support alternate installation locations even if you run its setup
script by hand. Please inform the package's author and the EasyInstall
maintainers to find out if a fix or workaround is available.
Solution: Upgrade the pip
package running the following command from the terminal: python3 -m pip install --upgrade pip
.
License and Contributions
The software is provided under the Apache-2.0 license. Contributions to this project are accepted under the same license. This project contains code from other projects. The original license text is included in those source files.
Changelog
All notable changes to this project will be documented in this file.
5.1.0
Added
- Support for CYW89829 devices
5.0.0
Changed
- Removed pyOCD support. OpenOCD is used as a default On-Chip debugger for all platforms
- High-level API module refactoring
Added
- Support for XMC7100, XMC7200 devices
4.2.0
Added
- Support for CYW20829 B0 silicon revision
- Multi-image NV counter for CYW20829
- Transition PSoC 64 devices to RMA LCS
- Open PSoC 64 devices in RMA LCS for debugging
- OpenOCD autodiscovery in ModusToolbox directory
- Add SW/HW compatibility table to the readme
Changed
- Target
cyw20829
is used for the latest silicon revision. For the previous silicon revision (A0) add --rev option in the command line (-t cyw20829 --rev a0
)
4.1.0
Added
- OpenOCD support for PSoC 64 devices
- Creating update package in the unsigned image (extend-image command)
Changed
- Fixed installation failure using pip 22.1
- CyBootloader 2.0.2.8102 for PSoC 64 2M:
- Improved performance of SWAP algorithm
- Image certificate signed with the Infineon key (id=3)
- Use Infineon key (id=3) for bootloader in the policy files
4.0.0
Added
- Support of CYW20829 devices
- Support Python 3.10
- Signing images with HSM
Changed
- Separated PSoC 64 and CYW20829 devices CLI
- Updated PSoC 64 CyBootloader for 512k and 2M:
- added "reset_after_failure" feature
- decreased boot time
- Protect PSA API from NSPE in PSoC 64 2M-S0 policy
- Prevent signing of already signed images
- Change MCUboot image header padding to erase value
- Use CyBootloader from the project directory if the project exists
- Updated dependencies packages to the latest versions
- Use pyocd 0.32.3
3.1.1
Changed
- Fixed installation failure on macOS Big Sur and Apple M1 chip
- Fixed installation failure in Python 3.9
3.1.0
Added
- SCRATCH with Status Partition swap mode
- Small image slots support in the external memory
3.0.0
Added
- Image SWAP using Status Partition
Changed
- CyBootloader 2.0
- Secure Flash Boot 4.0.2 support
2.1.0
Added
- Support PSoC64 1M
- New command to read device die ID
- Optionally add boot record to the signed image
- New policy validators (address overlaps between images and bootloader, slots address alignment with the SMPU address limits, DAP closure, monotonic counter)
- Log the device response JWT during the provisioning process
Changed
- Fixed issue with using group private key
- Use pyocd 0.27.3
2.0.0
Added
- Support PSoC64 2M, PSoC64 512K
- Command line interface
- Encrypted programming
- Single-image and multi-image policy
Changed
- Update provisioning according to new Secure Flash Boot functionality (update system calls, reprovisioning, encrypted image support)
- New CyBootloaders (CY8CKIT-064B0S2-4343W, CY8CKIT-064S0S2-4343W, CY8CPROTO-064B0S3)
- Use pyocd 0.27.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cysecuretools-5.1.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b379981398d2065e9d4f166331d25cb085537be9d3e8561fe188cdf46bddea58 |
|
MD5 | c7a836a8fe8cbb8a22d6885ebfa5cbc7 |
|
BLAKE2b-256 | b5bef9b01774294ac440dc47a92c097560de6618b8d95e60984fcd377db50a3a |