New in version 1.39:
secure-image:
      ▪ Added support for generating binary compatible QBEC encrypted images.
      ▪ Fixed a bug where signing would fail when using --signing-mode CASS if the default signature hash algorithm in the --security-profile did not match that of the --cass-capability.
metabuild-secure-image:
      ▪ Added support for generating binary compatible QBEC encrypted images.
      ▪ Fixed a bug where signing would fail when using --signing-mode CASS if the default signature hash algorithm in the --security-profile did not match that of the --cass-capability.
fuse-blower:
      ▪ Fixed a bug where signing would fail when using --signing-mode CASS if the default signature hash algorithm in the --security-profile did not match that of the --cass-capability.
secure-debug:
      ▪ Fixed a bug where signing would fail when using --signing-mode CASS if the default signature hash algorithm in the --security-profile did not match that of the --cass-capability.
tme-secure-debug:
      ▪ Fixed a bug where signing would fail when using --signing-mode CASS if the default signature hash algorithm in the --security-profile did not match that of the --cass-capability.
fuseblower-profile-generator:
      ▪ Added support for new fuse regions: OEM_IMAGE_ENCRYPTION_KEY_0, OEM_IMAGE_ENCRYPTION_KEY_1, and RFA_OEM_SECURE.

New in version 1.38:
secure-image:
      ▪ Fixed a bug where the inspect output for ELF Preamble images containing a Hash Table Segment did not contain information about the Hash Table Segment.
metabuild-secure-image:
      ▪ Fixed a bug where the inspect output for ELF Preamble images containing a Hash Table Segment did not contain information about the Hash Table Segment.

New in version 1.37:
secure-image:
      ▪ Added an example plugin signer script for --signing-mode PLUGIN, plugin_signer_example.py.
      ▪ Fixed a bug where the inspect output for MRC images where multiple root certificates have the same subject/issuer line incorrectly identified one of the root certificates as a CA certificate.
tme-secure-debug:
      ▪ Added support for TME tags version 1.16.
      ▪ Added an example plugin signer script for --signing-mode PLUGIN, plugin_signer_example.py.
      ▪ Fixed a bug where the inspect output for MRC images where multiple root certificates have the same subject/issuer line incorrectly identified one of the root certificates as a CA certificate.
fuse-blower:
      ▪ Added support for new region types, BT_OEM_SECURE and WLAN_OEM_SECURE.
      ▪ Added an example plugin signer script for --signing-mode PLUGIN, plugin_signer_example.py.
      ▪ Fixed a bug where the inspect output for MRC images where multiple root certificates have the same subject/issuer line incorrectly identified one of the root certificates as a CA certificate.
metabuild-secure-image:
      ▪ Added an example plugin signer script for --signing-mode PLUGIN, plugin_signer_example.py.
secure-debug:
      ▪ Added an example plugin signer script for --signing-mode PLUGIN, plugin_signer_example.py.
      ▪ Fixed a bug where the inspect output for MRC images where multiple root certificates have the same subject/issuer line incorrectly identified one of the root certificates as a CA certificate.
mbn-tool:
      ▪ Added two new arguments, --boot-image-id and --image-dest-ptr, which allow setting the Boot Image ID and Image Destination Pointer, respectively, when generating MBNv3 images.

New in version 1.36:
secure-image:
      ▪ Added support for specifying the desired certificate chain depth via --certificate-chain-depth when using --signing-mode=TEST.
      ▪ Added the ability to block individual images from being added to MISC via the Security Profile.
      ▪ Added ability to QBEC encrypt previously hashed images.
      ▪ Refactored validation of infile when performing QBEC encryption.
tme-secure-debug:
      ▪ Added support for TME tags version 1.15.
      ▪ Added support for specifying the desired certificate chain depth via --certificate-chain-depth when using --signing-mode=TEST.
fuse-blower:
      ▪ Added support for specifying the desired certificate chain depth via --certificate-chain-depth when using --signing-mode=TEST.
metabuild-secure-image:
      ▪ Added ability to auto-detect images that can be added to MISC when performing --vouch-for and no --image-id is specified.
      ▪ Added support for specifying the desired certificate chain depth via --certificate-chain-depth when using --signing-mode=TEST.
      ▪ Added the ability to block individual images from being added to MISC via the Security Profile.
      ▪ Added ability to QBEC encrypt previously hashed images.
      ▪ Refactored validation of infile when performing QBEC encryption.
secure-debug:
      ▪ Added support for specifying the desired certificate chain depth via --certificate-chain-depth when using --signing-mode=TEST.
profile-validator:
      ▪ Added warning message when the number of images which can be added to MISC exceeds the max_entry_count.


New in version 1.35:
secure-image:
      ▪ Added support for validating a signed image's root certificate hash against a sec.elf via  --validate and --fuse-blower-images when the root certificate hash is stored in QFPROM fuses PK_HASH, PK_HASH_0, or TME_OEM_MRC_HASH. Previously only fuses OEM_PK_HASH and MRC_HASH were supported.
fuse-blower:
      ▪ Added support for displaying FEC fuses which compute to 0 for non-zero fuse rows when performing --inspect along with --security-profile.
metabuild-secure-image:
      ▪ Added support for validating a signed image's root certificate hash against a sec.elf via  --validate and --fuse-blower-images when the root certificate hash is stored in QFPROM fuses PK_HASH, PK_HASH_0, or TME_OEM_MRC_HASH. Previously only fuses OEM_PK_HASH and MRC_HASH were supported.
mbn-tool:
      ▪ Added support for a new argument, --data-size-alignment, which will cause the data passed via --data to be padded to a multiple of the specified size.

New in version 1.34:
secure-image:
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided --security-profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Added support for UIE Adata 2.0.
      ▪ Fixed bug where the --vouch-for operation could not be performed without --segment-hash-algorithm if the default segment hash algorithm for the Multi Image format used One-Shot hashing.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain.
tme-secure-debug:
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided --security-profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain. This same bug also caused the augmented --inspect output to display the wrong root certificate hashes for MRC 3.0 images.
fuse-blower:
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided --security-profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain. This same bug also caused the augmented --inspect output to display the wrong root certificate hashes for MRC 3.0 images.
metabuild-secure-image:
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided Security Profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Added support for UIE Adata 2.0.
      ▪ Fixed bug where the --vouch-for operation could not be performed without --segment-hash-algorithm if the default segment hash algorithm for the Multi Image format used One-Shot hashing.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain.
secure-debug:
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided --security-profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain. This same bug also caused the augmented --inspect output to display the wrong root certificate hashes for MRC 3.0 images.
tme-secure-debug:
      ▪ Added support for generating binary-compatible debug policies. This can be done by specifying a --security-profile for each DPR when generating multiple DPRs in a Debug Policy ELF via --new-dpr.
      ▪ Added support for ensuring that no short R/S values are included in the signature or certificate chain when performing the --sign operation with ECDSA secp384r1 and the provided --security-profile specifies that only R/S values of length 48 and 49 are supported.
      ▪ Fixed bug where performing any additional operations on an image signed with MRC 3.0 would corrupt the MRC 3.0 certificate chain. This same bug also caused the augmented --inspect output to display the wrong root certificate hashes for MRC 3.0 images.

New in version 1.33:
secure-image:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for QBEC Key Management Scheme ECDH_P384_HKDF_SIV_CMAC_GCM, used for LLM QBEC encryption.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.
tme-secure-debug:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.
elf-tool:
      ▪  Removed logic to automatically convert JSON representations of TME objects to binary representations prior to ELF insertion.
fuse-blower:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.
metabuild-secure-image:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for QBEC Key Management Scheme ECDH_P384_HKDF_SIV_CMAC_GCM, used for LLM QBEC encryption.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.
secure-debug:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.
tme-command:
      ▪ Introduced new tool for creating SoC Terminate Request images. Run the following command for full usage details: sectools tme-command soc-terminate generate -h
tme-secure-debug:
      ▪ Added support for One-Shot and ZI hashing.
      ▪ Added support for Hash Table Segment Metadata v3.1 which allows enabling invasive JTAG debugging.

New in version 1.32:
metabuild-secure-image:
      ▪ Added support for new QBEC Key Management Scheme, ECDH_P384_HKDF_SIV_64_GCM, which allows a custom Feature ID to be set in the Encryption Parameters via --feature-id.
      ▪ Fixed bug which prevented re-signing certain double-signed images.
      ▪ Fixed bug which prevented encrypting and re-signing certain signed images.
      ▪ Fixed bug where the Program Header Table was not being placed immediately after the ELF Header in certain cases.
      ▪ Fixed bug where binary compatible images could not be generated with certain Security Profiles describing different but compatible image formats.
secure-image:
      ▪ Added support for new QBEC Key Management Scheme, ECDH_P384_HKDF_SIV_64_GCM, which allows a custom Feature ID to be set in the Encryption Parameters via --feature-id.
      ▪ Fixed bug which prevented re-signing certain double-signed images.
      ▪ Fixed bug which prevented encrypting and re-signing certain signed images.
      ▪ Fixed bug where the Program Header Table was not being placed immediately after the ELF Header in certain cases.
      ▪ Fixed bug where binary compatible images could not be generated with certain Security Profiles describing different but compatible image formats.
tme-secure-debug:
      ▪ Added support for the latest TME tag values, v1.13.

New in version 1.31:
fuse-blower:
      ▪ Added support for generating Fuse Blower Images (sec.elf or sec.dat) with fuses from the QC Spare region.
      ▪ Added support for signing using MRC 3.0. The --sign operation may now be performed using up to 6 root certificates for supporting chipsets.
metabuild-secure-image:
      ▪ Added support for encrypting using QBEC 2.0. The new argument --encryption-order may now be used to specify the order in which the --encrypt and --sign or --hash operations are to be performed on an image, for chipsets which support QBEC 2.0.
      ▪ Added support for signing using MRC 3.0. The --sign operation may now be performed using up to 6 root certificates for supporting chipsets.
secure-image:
      ▪ Added support for encrypting using QBEC 2.0. The new argument --encryption-order may now be used to specify the order in which the --encrypt and --sign or --hash operations are to be performed on an image, for supporting chipsets.
      ▪ Added support for signing using MRC 3.0. The --sign operation may now be performed using up to 6 root certificates for supporting chipsets.
secure-debug:
      ▪ Added support for signing using MRC 3.0. The --sign operation may now be performed using up to 6 root certificates for supporting chipsets.
tme-secure-debug:
      ▪ Added support for signing using MRC 3.0. The --sign operation may now be performed using up to 6 root certificates for supporting chipsets.

New in version 1.30:
metabuild-secure-image:
      ▪ Added support for including hardware context and BSVE as part of QBEC public keys.
secure-image:
      ▪ Added support for including hardware context and BSVE as part of QBEC public keys.

New in version 1.29:
fuse-blower:
      ▪ Fixed bug where multi-row fuse values, such as --fuse-mrc-hash, starting with a 0 were being set incorrectly.

New in version 1.28:
elf-tool:
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.
fuse-blower:
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.
metabuild-secure-image:
      ▪ Enabled cu flags, compressed size, and uncompressed size in XZ compressed files via integration of XZ Utils.
      ▪ Added support for viewing which Image IDs support compression by providing --available-image-ids and the new argument --json-info. This information is displayed in a json format.
      ▪ Fixed bug where certain images were being incorrectly padded prior to XTS encryption.
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.
profile-consolidator:
      ▪ Fixed bug where the consolidated profile contained the wrong minimum_sectools_version when consolidating profiles with different minimum_sectools_versions.
secure-debug:
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.
secure-image:
      ▪ Enabled cu flags, compressed size, and uncompressed size in XZ compressed files via integration of XZ Utils.
      ▪ Added support for viewing which Image IDs support compression by providing --available-image-ids and the new argument --json-info. This information is displayed in a json format.
      ▪ Fixed bug where certain images were being incorrectly padded prior to XTS encryption.
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.
tme-secure-debug:
      ▪ Fixed bug where certain arguments were unnecessarily required in all clusters when using --new-dpr.
      ▪ Fixed bug where certain images caused tool to crash during certificate chain parsing.

New in version 1.27:
elf-tool:
      ▪ Added new --remove-sections argument which allows users to remove all sections from an ELF.
      ▪ Added support for inserting NOTE segments via the insert and generate operations.
fuse-blower:
      ▪ Added new argument --signature-format which specifies the desired signature format that will be used when signing. Must be a format supported by the Security Profile. If not provided, a default signature format from the Security Profile will be used.
      ▪ Added new argument --available-signature-formats which displays all --signature-formats which are supported by the Security Profile.
      ▪ Added logic to retry CASS signing if the first attempt fails due to a mismatch between actual and expected signature format.
      ▪ Added support for a new environment variable, SECTOOLS_BLOCK_PLUGINS. When set, sectools will not allow any commands which include the arguments --plugin-signer or --plugin-encrypter.
      ▪ Added support for a new environment variable, SECTOOLS_ADDITIONAL_ARGUMENTS. If set, this value will be appended to all sectools invocations as additional arguments. This value may include the arguments --plugin-signer or --plugin-encrypter even if SECTOOLS_BLOCK_PLUGINS is set.
      ▪ Updated the --dump operation to not include padding in dumped ECDSA signatures.
      ▪ Added validation that all FEC fuses are exactly 7 bits long.
      ▪ Updated internal certificate chain validation logic to be more permissive with the validity periods of certificates.
      ▪ Fixed bug where multi-bit recommended values were being calculated incorrectly.
      ▪ Bug fix for blowing multi-row fuses which share a row with other fuses.
fuseblower-profile-generator:
      ▪ Added validation that all FEC fuses are exactly 7 bits long.
      ▪ Added logic to skip fuse regions which contain only reserved fuses.
metabuild-secure-image:
      ▪ Added new argument --signature-format which specifies the desired signature format that will be used when signing. Must be a format supported by the Security Profile. If not provided, a default signature format from the Security Profile will be used.
      ▪ Added new argument --available-signature-formats which displays all --signature-formats which are supported by the Security Profile.
      ▪ Added logic to retry CASS signing if the first attempt fails due to a mismatch between actual and expected signature format.
      ▪ Added support for a new environment variable, SECTOOLS_BLOCK_PLUGINS. When set, sectools will not allow any commands which include the arguments --plugin-signer or --plugin-encrypter.
      ▪ Added support for a new environment variable, SECTOOLS_ADDITIONAL_ARGUMENTS. If set, this value will be appended to all sectools invocations as additional arguments. This value may include the arguments --plugin-signer or --plugin-encrypter even if SECTOOLS_BLOCK_PLUGINS is set.
      ▪ Updated internal certificate chain validation logic to be more permissive with the validity periods of certificates.
      ▪ Updated ELF manipulation logic to not shift zero-sized segments.
      ▪ Fixed bug which prevented some logs from being displayed.
profile-consolidator:
      ▪ Added validation that all FEC fuses are exactly 7 bits long.
profile-validator:
      ▪ Added validation that all FEC fuses are exactly 7 bits long.
secure-debug:
      ▪ Added new argument --signature-format which specifies the desired signature format that will be used when signing. Must be a format supported by the Security Profile. If not provided, a default signature format from the Security Profile will be used.
      ▪ Added new argument --available-signature-formats which displays all --signature-formats which are supported by the Security Profile.
      ▪ Added logic to retry CASS signing if the first attempt fails due to a mismatch between actual and expected signature format.
      ▪ Added support for a new environment variable, SECTOOLS_BLOCK_PLUGINS. When set, sectools will not allow any commands which include the arguments --plugin-signer or --plugin-encrypter.
      ▪ Added support for a new environment variable, SECTOOLS_ADDITIONAL_ARGUMENTS. If set, this value will be appended to all sectools invocations as additional arguments. This value may include the arguments --plugin-signer or --plugin-encrypter even if SECTOOLS_BLOCK_PLUGINS is set.
      ▪ Added validation of the number of Multi-Image entries when performing --validate on a Multi-Image.
      ▪ Updated the --dump operation to not include padding in dumped ECDSA signatures.
      ▪ Updated internal certificate chain validation logic to be more permissive with the validity periods of certificates.
secure-image:
      ▪ Added new argument --signature-format which specifies the desired signature format that will be used when signing. Must be a format supported by the Security Profile. If not provided, a default signature format from the Security Profile will be used.
      ▪ Added new argument --available-signature-formats which displays all --signature-formats which are supported by the Security Profile.
      ▪ Added logic to retry CASS signing if the first attempt fails due to a mismatch between actual and expected signature format.
      ▪ Added support for a new environment variable, SECTOOLS_BLOCK_PLUGINS. When set, sectools will not allow any commands which include the arguments --plugin-signer or --plugin-encrypter.
      ▪ Added support for a new environment variable, SECTOOLS_ADDITIONAL_ARGUMENTS. If set, this value will be appended to all sectools invocations as additional arguments. This value may include the arguments --plugin-signer or --plugin-encrypter even if SECTOOLS_BLOCK_PLUGINS is set.
      ▪ Updated LZMA compression to include uncompressed data size in the LZMA header.
      ▪ Added validation of the number of Multi-Image entries when performing --validate on a Multi-Image.
      ▪ Updated the --dump operation to not include padding in dumped ECDSA signatures.
      ▪ Updated internal certificate chain validation logic to be more permissive with the validity periods of certificates.
      ▪ Updated ELF manipulation logic to not shift zero-sized segments.
tme-secure-debug:
      ▪ Added support for new QAD-Dump and IP-Scan-Dump debug fields.
      ▪ Added new argument --signature-format which specifies the desired signature format that will be used when signing. Must be a format supported by the Security Profile. If not provided, a default signature format from the Security Profile will be used.
      ▪ Added new argument --available-signature-formats which displays all --signature-formats which are supported by the Security Profile.
      ▪ Added logic to retry CASS signing if the first attempt fails due to a mismatch between actual and expected signature format.
      ▪ Added support for a new environment variable, SECTOOLS_BLOCK_PLUGINS. When set, sectools will not allow any commands which include the arguments --plugin-signer or --plugin-encrypter.
      ▪ Added support for a new environment variable, SECTOOLS_ADDITIONAL_ARGUMENTS. If set, this value will be appended to all sectools invocations as additional arguments. This value may include the arguments --plugin-signer or --plugin-encrypter even if SECTOOLS_BLOCK_PLUGINS is set.
      ▪ Updated the --dump operation to not include padding in dumped ECDSA signatures.
      ▪ Updated internal certificate chain validation logic to be more permissive with the validity periods of certificates.
      ▪ Internal refactor.

New in version 1.26:
elf-consolidator:
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Internal refactor.
elf-tool:
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Bug fix when performing combine operation on ELFs containing multiple zero-sized segments at offset zero.
      ▪ Internal refactor.
fuse-blower:
      ▪ Added new --fuse-group argument which allows users to generate Fuse Blower images more easily, where each group is equivalent to providing multiple individual fuse arguments. All available fuse groups can be viewed by providing --available-fuse-groups along with --security-profile.
      ▪ Added new --recommended-fuses argument which allows users to generate a Fuse Blower image containing all fuse values which Qualcomm recommends blowing. To see all fuses which will be included with this argument, provide --show-recommended-fuses along with --security-profile.
      ▪ Added new --show-oem-choice-fuses argument which displays all fuses for which Qualcomm does not make a recommendation.
      ▪ Added support for CASS signing with multiple USB tokens connected to the same machine. The desired token can be specified using the new --cass-token-serial-number argument.
      ▪ Added Region to the output when performing --inspect with --security-profile.
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Added support for Security Profile schema v1.6.
      ▪ Added support for generating Fuse Blower images with OEM_SPARE_31 region fuses.
      ▪ Bug fix for attestation certificate validation failure on macOS when using newer versions of LibreSSL.
      ▪ Internal refactor.
fuse-validator:
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Internal refactor.
metabuild-secure-image:
      ▪ Added support for CASS signing with multiple USB tokens connected to the same machine. The desired token can be specified using the new --cass-token-serial-number argument.
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Added support for Security Profile schema v1.6.
      ▪ Blocked the ability to double-encrypt images with QBEC.
      ▪ Improved error messaging when attempting to create a MISC using the --vouch-for operation that would result in more entries than are allowed by the Security Profile.
      ▪ Bug fix where --vouch-for operation failed when run from a metabuild containing an existing MISC image.
      ▪ Bug fix where certain secure-image failures caused metabuild-secure-image to abort.
      ▪ Bug fix for attestation certificate validation failure on macOS when using newer versions of LibreSSL.
      ▪ Bug fix for validation failure when performing --validate operation with --fuse-blower-images containing fuses which span multiple rows.
      ▪ Bug fix where --validate could not be performed using --qti.
      ▪ Internal refactor.
secure-debug:
      ▪ Added support for generating Debug Policy v8 images.
      ▪ Added support for CASS signing with multiple USB tokens connected to the same machine. The desired token can be specified using the new --cass-token-serial-number argument.
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Added support for Security Profile schema v1.6.
      ▪ Corrected naming of GPDSP Debug Policy flags.
      ▪ Bug fix for attestation certificate validation failure on macOS when using newer versions of LibreSSL.
      ▪ Internal refactor.
secure-image:
      ▪ Added support for new --compress operation. Provide --compressed-outfile if both a compressed and an uncompressed image are desired.
      ▪ Added support for CASS signing with multiple USB tokens connected to the same machine. The desired token can be specified using the new --cass-token-serial-number argument.
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Added support for Security Profile schema v1.6.
      ▪ Blocked the ability to double-encrypt images with QBEC.
      ▪ Improved error messaging when attempting to create a MISC using the --vouch-for operation that would result in more entries than are allowed by the Security Profile.
      ▪ Bug fix for attestation certificate validation failure on macOS when using newer versions of LibreSSL.
      ▪ Bug fix for validation failure when performing --validate operation with --fuse-blower-images containing fuses which span multiple rows.
      ▪ Bug fix where --validate could not be performed using --qti.
      ▪ Internal refactor.
tme-secure-debug:
      ▪ Added support for aarch64 Linux machines.
      ▪ Added support for macOS universal binary distribution.
      ▪ Added support for CASS signing with multiple USB tokens connected to the same machine. The desired token can be specified using the new --cass-token-serial-number argument.
      ▪ Added support for Security Profile schema v1.6.
      ▪ Bug fix for attestation certificate validation failure on macOS when using newer versions of LibreSSL.
      ▪ Internal refactor.

New in version 1.25:
metabuild-secure-image:
      ▪ Enabled range syntax for --encrypted-segment-index values. For example, "--encrypted-segment-index 3-5 8 11-13" instead of "--encrypted-segment-index 3 4 5 8 11 12 13".
      ▪ Bug fix for PHDR type segments not being included in the Hash Table.
      ▪ Bug fix for crash when performing QBEC GCM segment encryption.
secure-image:
      ▪ Enabled range syntax for --encrypted-segment-index values. For example, "--encrypted-segment-index 3-5 8 11-13" instead of "--encrypted-segment-index 3 4 5 8 11 12 13".
      ▪ Bug fix for PHDR type segments not being included in the Hash Table.
      ▪ Bug fix for crash when performing QBEC GCM segment encryption.

New in version 1.24:
elf-tool:
      ▪ Added support to generate ELF images with user provided ELF machine type via --elf-machine-type.
fuse-blower:
      ▪ Added support for new fuseblower regions RFA_CALIBRATION_OEM and RFA_SW_OEM.
      ▪ Removed requirement that root certificates be self-signed.
      ▪ Corrected displayed certificate algorithms when inspecting a signed image.
metabuild-secure-image:
      ▪ Added hidden --encrypt-then-sign flag which allows users to perform signing and QBEC encryption as OEM in the same order as is used for QTI.
      ▪ Removed requirement that root certificates be self-signed.
      ▪ Introduced support for new QBEC Key Managment Feature ID MODEM-IMAGE-KPV4 and AUDIO-IMAGE.
      ▪ Corrected displayed certificate algorithms when inspecting a signed image.
      ▪ Fixed bug where not enough padding was being reserved when double signing and encrypting an image.
      ▪ Fixed bug when signing and QBEC encrypting in the same operation an image using --encrypted-segment-index.
      ▪ Fixed bug preventing some vouch for images from being added to MISC image.
secure-debug:
      ▪ Removed serial number dependency from the --ns-crash-dumps argument.
      ▪ Removed requirement that root certificates be self-signed.
      ▪ Corrected displayed certificate algorithms when inspecting a signed image.
secure-image:
      ▪ Added hidden --encrypt-then-sign flag which allows users to perform signing and QBEC encryption as OEM in the same order as is used for QTI.
      ▪ Removed requirement that root certificates be self-signed.
      ▪ Introduced support for new QBEC Key Managment Feature ID MODEM-IMAGE-KPV4 and AUDIO-IMAGE.
      ▪ Corrected displayed certificate algorithms when inspecting a signed image.
      ▪ Fixed bug where not enough padding was being reserved when double signing and encrypting an image.
      ▪ Fixed bug when signing and QBEC encrypting in the same operation an image using --encrypted-segment-index.
      ▪ Fixed bug preventing some vouch for images from being added to MISC image.
tme-secure-debug:
      ▪ Removed requirement that root certificates be self-signed.
      ▪ Corrected displayed certificate algorithms when inspecting a signed image.

New in version 1.23:
elf-tool:
      ▪ Fixed bug when adding a segment to an ELF whose Program Header Table does not immediately follow the ELF Header.
fuse-blower:
      ▪ Fixed issue when CASS signing a Secure Boot 3.0 image via a CASS capability restricted to a whitelist of SOC HW Versions.
metabuild-secure-image:
      ▪ Improved error handling when performing encryption.
      ▪ Fixed issue when CASS signing a Secure Boot 3.0 image via a CASS capability restricted to a whitelist of SOC HW Versions.
secure-debug:
      ▪ Fixed issue when CASS signing a Secure Boot 3.0 image via a CASS capability restricted to a whitelist of SOC HW Versions.
secure-image:
      ▪ Improved error handling when performing encryption.
      ▪ Fixed issue when CASS signing a Secure Boot 3.0 image via a CASS capability restricted to a whitelist of SOC HW Versions.
tme-secure-debug:
      ▪ Added support for latest TME tags.
      ▪ Fixed issue when CASS signing a Secure Boot 3.0 image via a CASS capability restricted to a whitelist of SOC HW Versions.

New in version 1.22:
elf-consolidator:
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
elf-tool:
      ▪ Added new "combine" operation which combines two or more ELFs into a single ELF file. The output image will contain all segments from the input images.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
fuse-blower:
      ▪ Added new column in --inspect representation of the Program Header Table detailing if a segment is encrypted.
      ▪ Updated image format detection logic to enforce output format is correct.
      ▪ Fixed bug where users could sign using --platform-binding INDEPENDENT even when not supported in the security profile.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
fuse-validator:
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
metabuild-secure-image:
      ▪ Added new column in --inspect representation of the Program Header Table detailing if a segment is encrypted.
      ▪ Enabled QBEC encryption of all segment types except for the Hash Table Segment and the Program Header Segment.
      ▪ Miscellaneous changes to QBEC encryption to align with on-target implementation.
      ▪ Fixed bug where users could sign using --platform-binding INDEPENDENT even when not supported in the security profile.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
secure-debug:
      ▪ Added new column in --inspect representation of the Program Header Table detailing if a segment is encrypted.
      ▪ Updated image format detection logic to enforce output format is correct.
      ▪ Fixed bug where users could sign using --platform-binding INDEPENDENT even when not supported in the security profile.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
secure-image:
      ▪ Added new column in --inspect representation of the Program Header Table detailing if a segment is encrypted.
      ▪ Enabled QBEC encryption of all segment types except for the Hash Table Segment and the Program Header Segment.
      ▪ Miscellaneous changes to QBEC encryption to align with on-target implementation.
      ▪ Updated image format detection logic to enforce output format matches that specified by Image ID.
      ▪ Fixed bug where multiple users could not write to --outfile-record on the same machine.
      ▪ Fixed bug where users could sign using --platform-binding INDEPENDENT even when not supported in the security profile.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.
tme-secure-debug:
      ▪ Added new column in --inspect representation of the Program Header Table detailing if a segment is encrypted.
      ▪ Updated DP/DEC chip constraints validation to account for don't-care bits.
      ▪ Fixed bug when parsing an ELF whose program header table does not immediately follow the ELF header.

New in version 1.21:
elf-consolidator:
      ▪ Bug fix for empty directories being created when operations fail.
elf-tool:
      ▪ Bug fix for empty directories being created when operations fail.
fuse-blower:
      ▪ Bug fix for incorrect fuse entry values displayed via --inspect operation.
      ▪ Bug fix for empty directories being created when operations fail.
fuseblower-profile-generator:
      ▪ Bug fix for crash when providing a v1.4 or v1.5 Security Profile.
      ▪ Bug fix for empty directories being created when operations fail.
fuse-validator:
      ▪ Bug fix for empty directories being created when operations fail.
metabuild-secure-image:
      ▪ Updated QBEC structures and logic to conform to latest specifications.
      ▪ Bug fix for padding between ELF segment becoming corrupted when operating on block encrypted images.
      ▪ Bug fix for segment padding logic of block encrypted images whose physical addresses overlap.
      ▪ Bug fix for empty directories being created when operations fail.
mbn-tool:
      ▪ Bug fix for empty directories being created when operations fail.
profile-consolidator:
      ▪ Bug fix for empty directories being created when operations fail.
secure-debug:
      ▪ Bug fix for empty directories being created when operations fail.
secure-image:
      ▪ Updated QBEC structures and logic to conform to latest specifications.
      ▪ Bug fix for padding between ELF segment becoming corrupted when operating on block encrypted images.
      ▪ Bug fix for segment padding logic of block encrypted images whose physical addresses overlap.
      ▪ Bug fix for empty directories being created when operations fail.
tme-secure-debug:
      ▪ Bug fix for issue preventing DPR signing via CASS.
      ▪ Bug fix for empty directories being created when operations fail.

New in version 1.20:
elf-consolidator:
      ▪ Added validation logic to block repeated cmdline arguments.
elf-tool:
      ▪ Added validation logic to block repeated cmdline arguments.
fuse-blower:
      ▪ Added support for CASS signing of images containing v3.0 OEM or QTI Metadata.
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
      ▪ Bug fix for incorrectly formatted --available-variants output when Security Profile does not contain variants.
      ▪ Bug fix for crash caused by expired image certificates.
fuseblower-profile-generator:
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
fuse-validator:
      ▪ Added validation logic to block repeated cmdline arguments.
metabuild-secure-image:
      ▪ Added support for CASS signing of images containing v3.0 OEM or QTI Metadata.
      ▪ Added support for CASS signing of images containing QBEC encryption parameters.
      ▪ Added ability to generate unsigned images lacking OEM and QTI Metadata for images which cannot be signed with --platform-binding INDEPENDENT. To do so, provide --platform-binding INDEPENDENT when performing --hash or --encrypt operations.
      ▪ Added support for AES-256 QBEC segment encryption.
      ▪ Implemented checks to ensure signing and QBEC encryption operations are performed in supported order.
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added support for Security Profiles whose authenticator descriptions contain encryption features yet lack signing features.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash when operating on multiple images of the same file name lacking a common parent directory.
      ▪ Bug fix for computation of Hash Table entries when QBEC encrypting.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
      ▪ Bug fix for incorrectly formatted --available-variants output when Security Profile does not contain variants.
      ▪ Bug fix for crash caused by expired image certificates.
mbn-tool:
      ▪ Added validation logic to block repeated cmdline arguments.
profile-consolidator:
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added support for Security Profiles whose authenticator descriptions contain encryption features yet lack signing features.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
profile-validator:
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added support for Security Profiles whose authenticator descriptions contain encryption features yet lack signing features.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
secure-debug:
      ▪ Added support for generating and operating on v6 and v7 Debug Policies.
      ▪ Added support for debug options defined in Security Profile via Security Profile schema v1.5. Debug options defined in Security Profile are displayed in help menu when --security-profile is provided alongside -h/--help.
      ▪ Added ability to set JTAG_DEBUG flag in isolation.
      ▪ Added --eud-uart non-secure flag option.
      ▪ Removed ability to provide --qti and --qti-test-root-certificate-hash if Security Profile does not support generation of QTI-signed Debug Policy.
      ▪ Removed ability to provide --wlan-encrypted-mini-dumps non-secure flag option when generating a v4 or lower Debug Policy.
      ▪ Added requirement that --serial-number be provided when setting secure flags.
      ▪ Added ability to set OEM-designated debug flags.
      ▪ Added support for CASS signing of images containing v3.0 OEM or QTI Metadata.
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for misnamed --mpps-encrypted-mini-dumps non-secure flag option. Option is now named --mpss-encrypted-mini-dumps.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
      ▪ Bug fix for incorrectly formatted --available-variants output when Security Profile does not contain variants.
      ▪ Bug fix for crash caused by expired image certificates.
secure-image:
      ▪ Added support for CASS signing of images containing v3.0 OEM or QTI Metadata.
      ▪ Added support for CASS signing of images containing QBEC encryption parameters.
      ▪ Added ability to generate unsigned images lacking OEM and QTI Metadata for images which cannot be signed with --platform-binding INDEPENDENT. To do so, provide --platform-binding INDEPENDENT when performing --hash or --encrypt operations.
      ▪ Added support for AES-256 QBEC segment encryption.
      ▪ Implemented checks to ensure signing and QBEC encryption operations are performed in supported order.
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added support for Security Profiles whose authenticator descriptions contain encryption features yet lack signing features.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for computation of Hash Table entries when QBEC encrypting.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
      ▪ Bug fix for incorrectly formatted --available-variants output when Security Profile does not contain variants.
      ▪ Bug fix for crash caused by expired image certificates.
tme-secure-debug:
      ▪ Added support for CASS signing of images containing v3.0 OEM or QTI Metadata.
      ▪ Added support for latest TME tags.
      ▪ Added support for Security Profile schema v1.5.
      ▪ Added validation logic to block repeated cmdline arguments.
      ▪ Bug fix for crash on systems whose default encoding scheme is not utf-8.
      ▪ Bug fix for incorrectly formatted --available-variants output when Security Profile does not contain variants.
      ▪ Bug fix for crash caused by expired image certificates.

New in version 1.19:
elf-consolidator:
      ▪ Internal refactor.
elf-tool:
      ▪ Internal refactor.
fuse-blower:
      ▪ Internal refactor.
fuseblower-profile-generator:
      ▪ Performance improvements.
      ▪ Internal refactor.
fuse-validator:
      ▪ Internal refactor.
metabuild-secure-image:
      ▪ Internal refactor.
mbn-tool:
      ▪ Internal refactor.
profile-consolidator:
      ▪ Internal refactor.
profile-validator:
      ▪ Internal refactor.
secure-debug:
      ▪ Internal refactor.
secure-image:
      ▪ Internal refactor.
tme-secure-debug:
      ▪ Internal refactor.

New in version 1.18:
metabuild-secure-image:
      ▪ Added support for QBEC image encryption.
      ▪ Added support for binding images to PRODUCT-SEGMENT-ID (only supported for images with v3.0 Hash Segment Metadata).
      ▪ Added support for v1.4 Security Profile schema. New schema supports PRODUCT-SEGMENT-ID and QBEC.
      ▪ Added --available-variants help option.
      ▪ Added support for --available-encryption-formats help option.
      ▪ Added support for --encryption-format cmdline option for specifying desired encryption format when image supports being encrypted with multiple formats.
      ▪ Added validation of Hash Segment Metadata for --fuse-blower-images when format is sec.elf.
      ▪ Corrected --validate behavior when validating images bound to more than one SoC HW Version.
      ▪ Fixed bug causing --validate operation to crash when --fuse-blower-images were sec.dat format.
secure-debug:
      ▪ Added support for binding images to PRODUCT-SEGMENT-ID.
secure-image:
      ▪ Added support for QBEC image encryption.
      ▪ Added support for binding images to PRODUCT-SEGMENT-ID (only supported for images with v3.0 Hash Segment Metadata).
      ▪ Added support for v1.4 Security Profile schema. New schema supports PRODUCT-SEGMENT-ID and QBEC.
      ▪ Added support for --available-encryption-formats help option.
      ▪ Added support for --encryption-format cmdline option for specifying desired encryption format when image supports being encrypted with multiple formats.
      ▪ Fixed issue which caused tool to erroneously state that there is insufficient space in image to insert generated signature and certificate chain.
      ▪ Miscellaneous bug fixes and improvements.
tme-secure-debug:
      ▪ Fixed bug causing crash when generating Cmd Version 1.0 DPR.
