# SecImage configuration file

Source: [https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html)

The SecImage configuration file provides configurations to sign, post‑process, and validate secure images. It consists of a number of configurations for signing attributes and image properties. The main configuration file has the following sections:

	

    <qcc730_secimage.xml> 
    | -- metadata (chipset and config file version) 
    | -- general_properties (basic configuration of signing attributes) 
    | -- data_provisioning (base path to data provisioning assets) 
    | -- image_list (a list of supported images with image format and signing attributes)

## Metadata


As the SecImage configuration XML is chipset‑specific, the metadata section specifies which chipset this XML is for and which configuration version it is.

	

    <metadata> 
        <chipset>qcc730</chipset> 
        <version>2.0</version> 
    </metadata>

## General properties


The basic configuration includes all the fields that the user can modify for generating secure images. The meaning of each property is as follows:

	

Table : Configuration properties

| Properties | Description |
| --- | --- |
| selected\_signer | Use local signer with test keys by default. |
| selected\_cert\_config | To sign images using a local signer with the generated key, create a folder in sectools\resources\data\_prov\_assets\Signing\Local\&lt;selected\_cert\_config&gt;-key&lt;key\_size&gt;\_exp&lt;exponent&gt;. |
| cass\_capability | Use SHA256‑signed root cert. |
| key\_size | Size (in bits) of the key used for signing. |
| exponent | The exponent value used in attestation key generation; only 257 and 65537 are supported. |
| mrc\_index | Specify which of the multiroot certificates should be used. |
| num\_root\_certs | Specify the total number of root certificates included in the image after signing. |
| soc\_hw\_version | Specify the chipset hardware version. |
| in\_use\_soc\_hw\_version | Specify whether soc\_hw\_version should be used for HW\_ID, as described in [HW_ID field](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html#hw_id_field). |
| oem\_id | OEM identification for signing (in hex). |
| model\_id | Model identification to sign and authenticate image (in hex). |
| debug | Specify the DEBUG field described in [DEBUG field](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html#debug_field) (in hex). |
| max\_cert\_size | Maximum size (in bytes) of one certificate. |
| num\_certs\_in\_certchain | Number of certificates in the certificate chain. |

	
The basic configuration for a single root certificate is as follows.

	

    <general_properties> 
        <selected_signer>local_v2</selected_signer>
        <selected_encryptor></selected_encryptor> 
        <selected_cert_config>qc_presigned_certs</selected_cert_config> 
        <cass_capability>secboot_sha2_root</cass_capability> 
        <key_size>2048</key_size> 
        <exponent>257</exponent> 
        <mrc_index>0</mrc_index> 
        <num_root_certs>1</num_root_certs> 
        <msm_part> 0x0029F0E1</msm_part> 
        <oem_id>0x0000</oem_id> 
        <model_id>0x0000</model_id> 
        <debug>0x0000000000000002</debug> 
        <max_cert_size>2048</max_cert_size> 
        <num_certs_in_certchain>2</num_certs_in_certchain>
    </general_properties>

### Signing attributes configuration


**Signer selection**

	
The SecImage for QCC730 supports a local signer that uses Qualcomm platform signing application (QPSA) test public key infrastructure (PKI) for image signing. The default signer is the local signer.

	
**Local signing**

	
The local signer and the test PKI are provided by QTI as a test tool to demonstrate the certificate and signature format expected by secure boot. The test PKI package is the same as the QPSA tool for backward compatibility. This tool uses OpenSSL to generate signing keys and signatures.

	
- To sign images using a local signer with the generated key, create a folder in the following location:
    sectools\resources\data\_prov\_assets\Signing\Local\&lt;your\_presigned\_certs&gt;
- The folder name must be one word, which is used as “selected\_cert\_config.”
- Create config.xml with the following template and ensure that the filenames match:

        <METACONFIG>
            <is_mrc>False</is_mrc>
            <root_pre>True</root_pre>
            <attest_ca_pre>False</attest_ca_pre>
            <attest_pre>False</attest_pre>
            <root_cert>test_rootca.cer</root_cert>
            <root_private_key>test_rootca.key</root_private_key>
        </METACONFIG>
- In &lt;chipset&gt;\_secimage.xml, update the following field with the folder name:

        <selected_cert_config>your_presigned_certs</selected_cert_config>

## Image list


The image list consists of all supported SBL and APP images and their configurations from previous configuration sections. Each image has the following attributes. For more details, see [SW_ID field](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html#sw_id_field).

	

    | -- image_list (a list of supported images with following attributes) 
    | -- sign_id (unique ID to identify image signing configuration) 
    | -- name (image name) 
    | -- image_type (image format ID, defined in parsegen section) 
    | -- general_properties_overrides 
    | -- sw_id (upper 32 bits software version and lower 32 bits software type)

	
The basic configuration is as follows.

	

    <images_list> 
        <image sign_id="sbl" name="sbl.mbn" image_type="elf_has_ht">
            <general_properties_overrides> 
                <sw_id>0x0000000000000000</sw_id> 
            </general_properties_overrides> 
        </image>
    
        <image sign_id="app" name="app.mbn" image_type="elf_has_ht">
            <general_properties_overrides> 
                <sw_id>0x0000000000000001</sw_id>
            </general_properties_overrides> 
        </image>
    
        <image sign_id="sbl_golden" name="sbl_golden.mbn" image_type="elf_has_ht">
            <general_properties_overrides> 
                <sw_id>0x0000000000000002</sw_id> 
            </general_properties_overrides> 
        </image>
    
        <image sign_id="app_golden" name="app_golden.mbn" image_type="elf_has_ht">
            <general_properties_overrides> 
                <sw_id>0x0000000000000003</sw_id> 
            </general_properties_overrides> 
        </image>
    </images_list>

## OU fields in certificate


[Table : OU fields](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html#organization_unit_ou_fields_in_certificate__table_s3s_1zf_h1c) lists the organization unit (OU) fields defined for the attestation certificate.

	

Table : OU fields

| OU field | Length (bits) | Description |
| --- | --- | --- |
| SW\_ID | 64 | 32 MSB: Anti‑rollback version<br>32 LSB: Image ID<br>The anti‑rollback version of the image is compared to the anti‑rollback version in OTP. |
| HW\_ID | 64 | 32 MSB: Hardware SoC version<br>16 bits: OEM\_ID<br>16 LSB: MODEL\_ID |
| DEBUG | 64 | 32 MSB: 32 LSB of S/N<br>32 LSB: Debug vector<br>Allow OEM return merchandise authorization (RMA) to generate a personalized certificate that re‑enables debug. |
| OEM\_ID | 16 | Default value: 0x0000<br>OEM identification for signing. |
| MODEL\_ID | 16 | Default value: 0x0000<br>Model identification to sign and authenticate an image. |

### SW\_ID field 


A 64‑bit field split into two parts:

	

| 32 bits | 32 bits |
| --- | --- |
| Software version | Software type |

	
**Software version**: The anti‑rollback value to be compared against the anti‑rollback OTPs according to the software type.

	
**Software type**: Used for images with anti‑rollback check:

- FERMION\_SBL = 0x00: SBL image
- FERMION\_APP = 0x01: APP image

For example, the following configuration shows software version 0x01 for the SBL image with anti‑rollback check.

	

    <image sign_id="sbl" name="sbl.mbn" image_type="elf_has_ht">
        <general_properties_overrides> 
            <sw_id>0x0000000100000000</sw_id> 
        </general_properties_overrides> 
    </image>

### HW\_ID field 


A 64‑bit field identifying specific hardware:

	

| 32 bits | 16 bits | 16 bits |
| --- | --- | --- |
| SOC\_HW\_VERSION (in\_use\_soc\_hw\_version=1) | OEM\_ID | MODEL\_ID |

	
**SOC\_HW\_VERSION**: This field is used in the newer family of processors to tie an image to a family of chipsets. The `in_use_soc_hw_version` element is set to 1 to indicate that SOC\_HW\_VERSION is used.

**OEM\_ID**: 16‑bit OEM ID. Compared against the same field in OTP.

**MODEL\_ID**: 16‑bit model ID. Compared against the same field in OTP.

### DEBUG field


This field is used to override OEM debug disable OTPs. In any commercial image, this field should be all zeros. Set this field to nonzero values only for JTAG debugging as follows:

	

| 32 bits | 32 bits |
| --- | --- |
| Serial number | Debug flag |

	
**Serial number**: This field specifies the 32 LSB of the 48‑bit SoC serial number.

	
**Debug flag**: This field is the override vector for PBL to write in the OEM debug override vector.

	
OEMs can specify what the PBL is to do using the following debug flag value:

- `0x2` indicates that 0 is to be written to the one‑time debug override registers. This preserves the OEM debug disable fuse settings. No image post‑PBL can change these settings using the one‑time debug override registers.
- `0x3` indicates that 1 is to be written to the one‑time debug override registers only if the chip’s serial number matches the serial number in the upper 32 bits of this field. This causes JTAG debug to be re‑enabled since Qualcomm doesn't disable JTAG debugging.

For example, the value of 0x1234567800000003 denotes a debug certificate for a chip with a serial number 0x12345678. If this certificate is used on a chip with a different serial number, authentication fails. If this OU field isn't found in the certificate, the default value of 0x0000000000000000 is used, that is, no operation is performed in the PBL with the one‑time override registers.

	

    <general_properties> 
        ... 
        <debug>0x1234567800000003</debug> 
        ... 
    </general_properties>
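
The 64‑bit layouts of the DEBUG and SW\_ID fields described above can be checked before a release signing run. The following is an added example, not part of SecTools or of the original page: the `<secimage>` root element, the sample values, and the function names `split64`, `audit`, and `image_versions` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a shipped file); the <secimage> root name is assumed.
SAMPLE_XML = """<secimage>
 <general_properties><exponent>257</exponent>
  <debug>0x1234567800000003</debug></general_properties>
 <images_list>
  <image sign_id="sbl" name="sbl.mbn"><general_properties_overrides>
   <sw_id>0x0000000100000000</sw_id></general_properties_overrides></image>
 </images_list></secimage>"""

def split64(text):
    """Split a 64-bit hex string into (upper 32 bits, lower 32 bits)."""
    value = int(text.strip(), 16)
    if not 0 <= value < 1 << 64:
        raise ValueError(f"not a 64-bit value: {text!r}")
    return value >> 32, value & 0xFFFFFFFF

def local(tag):
    """Drop an XML namespace prefix, if the real file uses one."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return findings that should block a commercial (release) signing run."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name, text = local(el.tag), (el.text or "").strip()
        if name == "debug":
            serial, flag = split64(text)
            if serial or flag:  # page: all zeros in any commercial image
                findings.append(f"debug={text}: serial=0x{serial:08X} "
                                f"flag=0x{flag:X}, expected all zeros")
        elif name == "exponent" and text not in ("257", "65537"):
            findings.append(f"exponent={text}: only 257 and 65537 supported")
    return findings

def image_versions(xml_text):
    """Map sign_id -> (anti-rollback version, software type) per sw_id."""
    versions = {}
    for img in ET.fromstring(xml_text).iter():
        if local(img.tag) == "image":
            for el in img.iter():
                if local(el.tag) == "sw_id":
                    versions[img.get("sign_id")] = split64(el.text)
    return versions

if __name__ == "__main__":
    print(audit(SAMPLE_XML))
    print(image_versions(SAMPLE_XML))
```

The audit walks every element, so a `debug` value placed under an image's `general_properties_overrides` is reported as well.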

### OEM\_ID field 


This field denotes the `OEM_ID` value in the `HW_ID` OU field.

### MODEL\_ID field 


This field denotes the `MODEL_ID` value in the `HW_ID` OU field.

Last Published: Feb 10, 2026
