https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046091#M154065 <HTML><HEAD></HEAD><BODY><P>Hi, can someone help me in understanding why cst is generating 2 different hashes for the same input binary?</P><P>I'm using this input csf:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P></P><P>[Header]<BR /> Version = 4.2<BR /> Engine = DCP<BR /> Engine Configuration = 0<BR /> Certificate Format = x509<BR /> Signature Format = CMS<BR /> Hash Algorithm = sha256</P><P>[Install SRK]<BR /> File = "keys/SRK_1_2_3_4_table.bin"<BR /> Source Index = 0</P><P>[Install CSFK]<BR /> File = "crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /> Certificate Format = x509</P><P>[Authenticate CSF]</P><P>[Install Key]<BR /> File = "crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /> Verification Index = 0<BR /> Target Index = 2</P><P>[Authenticate Data]<BR /> Verification Index = 2<BR /> Engine = DCP<BR /> Engine Configuration = 0<BR /> Blocks = 0x60001000 0x1000 0x40 "test.bin",\<BR /> 0x60002000 0x2000 0x40090 "test.bin"</P><P>[Set Engine]<BR /> Hash Algorithm = sha256<BR /> Engine = DCP<BR /> Engine Configuration = 0</P><P>[Unlock]<BR /> Engine = SNVS<BR /> Features = ZMK WRITE</P></BLOCKQUOTE><P>with this command line invocation:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>cst.exe -o out_csf.bin -i input.csf</P></BLOCKQUOTE><P>&nbsp;the result from cst seems ok:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>CSF Processed successfully and signed data available in out_csf.bin</P></BLOCKQUOTE><P>But if I&nbsp;execute this process twice, the content of&nbsp;&nbsp;out_csf.bin is different.</P><P>I tried to debug this thing by using the program&nbsp;hab_csf_parser part of the cst package and analyzing the 2 generated out_csf.bin but the only different part is what follows the&nbsp;HAB_TAG_SIG 0xD8 which from my understanding is the signature itself. Am I doing something wrong here?</P></BODY></HTML> Wed, 19 Aug 2020 08:10:22 GMT paride_russo 2020-08-19T08:10:22Z https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046091#M154065 <HTML><HEAD></HEAD><BODY><P>Hi, can someone help me in understanding why cst is generating 2 different hashes for the same input binary?</P><P>I'm using this input csf:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P></P><P>[Header]<BR /> Version = 4.2<BR /> Engine = DCP<BR /> Engine Configuration = 0<BR /> Certificate Format = x509<BR /> Signature Format = CMS<BR /> Hash Algorithm = sha256</P><P>[Install SRK]<BR /> File = "keys/SRK_1_2_3_4_table.bin"<BR /> Source Index = 0</P><P>[Install CSFK]<BR /> File = "crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /> Certificate Format = x509</P><P>[Authenticate CSF]</P><P>[Install Key]<BR /> File = "crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /> Verification Index = 0<BR /> Target Index = 2</P><P>[Authenticate Data]<BR /> Verification Index = 2<BR /> Engine = DCP<BR /> Engine Configuration = 0<BR /> Blocks = 0x60001000 0x1000 0x40 "test.bin",\<BR /> 0x60002000 0x2000 0x40090 "test.bin"</P><P>[Set Engine]<BR /> Hash Algorithm = sha256<BR /> Engine = DCP<BR /> Engine Configuration = 0</P><P>[Unlock]<BR /> Engine = SNVS<BR /> Features = ZMK WRITE</P></BLOCKQUOTE><P>with this command line invocation:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>cst.exe -o out_csf.bin -i input.csf</P></BLOCKQUOTE><P>&nbsp;the result from cst seems ok:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>CSF Processed successfully and signed data available in out_csf.bin</P></BLOCKQUOTE><P>But if I&nbsp;execute this process twice, the content of&nbsp;&nbsp;out_csf.bin is different.</P><P>I tried to debug this thing by using the program&nbsp;hab_csf_parser part of the cst package and analyzing the 2 generated out_csf.bin but the only different part is what follows the&nbsp;HAB_TAG_SIG 0xD8 which from my understanding is the signature itself. Am I doing something wrong here?</P></BODY></HTML> Wed, 19 Aug 2020 08:10:22 GMT https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046091#M154065 paride_russo 2020-08-19T08:10:22Z https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046092#M154066 <HTML><HEAD></HEAD><BODY><P><A class="jx-jive-macro-user" href="https://community.nxp.com/people/paride.russo@orbotech.com">paride.russo@orbotech.com</A>&nbsp;</P><P>Hello,</P><P></P><P>&nbsp;&nbsp; Please use the following resources for i.MX RT:</P><P></P><P>1.</P><P>"<A href="https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=AN12079&amp;appType=moderated" style="box-sizing: border-box; background-color: #ffffff; color: #215bd6; text-decoration: underline; cursor: pointer; outline: -webkit-focus-ring-color auto 5px; outline-offset: -2px; font-family: Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;" target="_blank"><SPAN style="box-sizing: border-box; font-weight: bold;"><STRONG>Security Application Note AN12079</STRONG></SPAN></A>"</P><P></P><P><A class="link-titled" href="https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=AN12079&amp;appType=moderated" title="https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=AN12079&amp;appType=moderated">https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=AN12079&amp;appType=moderated</A>&nbsp;</P><P></P><P>2.</P><P><A href="https://community.nxp.com/docs/DOC-340904">i.MX RT Secure Boot Lab Guide.pdf</A>&nbsp;</P><P></P><P>3.</P><P><A class="link-titled" href="https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-secure-provisioning-tool:MCUXPRESSO-SECURE-PROVISIONING" title="https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-secure-provisioning-tool:MCUXPRESSO-SECURE-PROVISIONING">MCUXpresso Secure Provisioning Tool | Software Development for NXP Microcontrollers (MCUs) | NXP | NXP</A>&nbsp;</P><P></P><P>Regards,</P><P>Yuri.</P></BODY></HTML> Mon, 24 Aug 2020 05:44:45 GMT https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046092#M154066 Yuri 2020-08-24T05:44:45Z https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046093#M154067 <HTML><HEAD></HEAD><BODY><P>Thanks Yuri,</P><P></P><P>I've already&nbsp;read that documents but I need to drive "the low level" of the code signing tool because I'm bypassing elftosb and the flashloader; I'm loading the fw signed and encrypted via ethernet via a custom bootloader and some custom hardware that I did. It is working though, I&nbsp;generated multiple times the binary signed with cst&nbsp;and the i.mx is&nbsp;starting every time in closed mode so the signature makes sense and is valid. I just don't understand why the signature keeps changing value every time I generated even if the source binary is always the same. I was expecting the signature to be the same...are you including some random/time number/info in the signature?&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P></BODY></HTML> Mon, 24 Aug 2020 06:31:44 GMT https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046093#M154067 paride_russo 2020-08-24T06:31:44Z https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046094#M154068 <HTML><HEAD></HEAD><BODY><P><A class="jx-jive-macro-user" href="https://community.nxp.com/people/paride.russo@orbotech.com">paride.russo@orbotech.com</A>&nbsp;</P><P>Hello,</P><P></P><P>&nbsp; It is expected behavior - that the signature is changed.</P><P>Details of signature data are not provided - sorry.</P><P></P><P>Regards,</P><P>Yuri.</P></BODY></HTML> Mon, 24 Aug 2020 11:09:47 GMT https://community.nxp.com/t5/i-MX-Processors/cst-different-hashes-from-same-input-binary/m-p/1046094#M154068 Yuri 2020-08-24T11:09:47Z