<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>MCUXpresso Secure Provisioning ToolのトピックRe: Wrong header offset in signed image generated with SPT v6?</title>
    <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670268#M251</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;as I checked picture of your image, you're using "&lt;SPAN&gt;Plain Signed Load-to-RAM Image" on rt600. And I have to say that you found BUG in documentation. &lt;LI-EMOJI id="lia_disappointed-face" title=":disappointed_face:"&gt;&lt;/LI-EMOJI&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;So the "unknown" 32 bytes on offset 64&amp;nbsp; is injected HMAC value that is required for this type of image, but this injection doesn't change the certification block offset, because this HMAC value is handled by ROM code as a first and after that check the image is restored to original binary without this HMAC value.&lt;BR /&gt;&lt;BR /&gt;So the original offset became again valid.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;So my recommendation for you if you want to validate signature in your second stage bootloader is following:&lt;BR /&gt;- to find certification block, extend the offset from 0x28 by 32 bytes&lt;BR /&gt;- to validate signature, just omit the 32 bytes on offset 64. Just skip this HMAC value&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Hope that helps&lt;BR /&gt;Petr&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 15 Jun 2023 12:01:26 GMT</pubDate>
    <dc:creator>Gargy</dc:creator>
    <dc:date>2023-06-15T12:01:26Z</dc:date>
    <item>
      <title>Wrong header offset in signed image generated with SPT v6?</title>
      <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1669294#M250</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I have noticed an inconsistency between the generated signed image and the documentation of the rt600 user manual.&lt;/P&gt;&lt;P&gt;In chapter 42.4 of the user manual UM11147 is stated, that at offset 0x28 the header offset is located, which holds the offset from beginning of the image i.e index 0x0 to where the certificate block header begins.&lt;/P&gt;&lt;P&gt;I have tested two different images and the offset at 0x28 is off by 32 bytes. I have compared the binaries of the unsigned and signed image and there are 32 bytes inserted at the beginning of the signed image. I have attached two screenshot where one can see what I mean. I wanted to put them inline here but apparently&amp;nbsp; they are too big.&lt;/P&gt;&lt;P&gt;One can see in the screenshot, that the image length field in the unsigned image is the same as the header offset field in the signed image, but there are those additional bytes so the header offset can't be right, can it?&lt;/P&gt;&lt;P&gt;What are those additional 32 bytes? I was not able to find anything about them in the documentation.&lt;/P&gt;&lt;P&gt;The ROM bootloader boots the generated image so I assume it accounts for those 32 additional bytes?&lt;/P&gt;&lt;P&gt;I want to write a second stage bootloader, which checks the signature of the image. Can I assume, that the header offset is always off by 32 bytes? Does the "totalImageLenthInBytes" field in the certificate block header account for those 32 bytes? Otherwise my check of the signature not work.&lt;/P&gt;&lt;P&gt;Thanks for your help.&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;lorv&lt;/P&gt;</description>
      <pubDate>Wed, 14 Jun 2023 12:12:27 GMT</pubDate>
      <guid>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1669294#M250</guid>
      <dc:creator>lorv</dc:creator>
      <dc:date>2023-06-14T12:12:27Z</dc:date>
    </item>
    <item>
      <title>Re: Wrong header offset in signed image generated with SPT v6?</title>
      <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670268#M251</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;as I checked picture of your image, you're using "&lt;SPAN&gt;Plain Signed Load-to-RAM Image" on rt600. And I have to say that you found BUG in documentation. &lt;LI-EMOJI id="lia_disappointed-face" title=":disappointed_face:"&gt;&lt;/LI-EMOJI&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;So the "unknown" 32 bytes on offset 64&amp;nbsp; is injected HMAC value that is required for this type of image, but this injection doesn't change the certification block offset, because this HMAC value is handled by ROM code as a first and after that check the image is restored to original binary without this HMAC value.&lt;BR /&gt;&lt;BR /&gt;So the original offset became again valid.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;So my recommendation for you if you want to validate signature in your second stage bootloader is following:&lt;BR /&gt;- to find certification block, extend the offset from 0x28 by 32 bytes&lt;BR /&gt;- to validate signature, just omit the 32 bytes on offset 64. Just skip this HMAC value&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Hope that helps&lt;BR /&gt;Petr&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 15 Jun 2023 12:01:26 GMT</pubDate>
      <guid>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670268#M251</guid>
      <dc:creator>Gargy</dc:creator>
      <dc:date>2023-06-15T12:01:26Z</dc:date>
    </item>
    <item>
      <title>Re: Wrong header offset in signed image generated with SPT v6?</title>
      <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670286#M252</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;&amp;nbsp;in addition of previous information there could be also optionally KeyStore block, which also doesn't affect header offset.&lt;BR /&gt;&lt;BR /&gt;Keep this in mind.&lt;BR /&gt;&lt;BR /&gt;For inspiration check the&amp;nbsp;Fig 235. Encrypted image&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks Petr&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 15 Jun 2023 12:27:11 GMT</pubDate>
      <guid>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670286#M252</guid>
      <dc:creator>Gargy</dc:creator>
      <dc:date>2023-06-15T12:27:11Z</dc:date>
    </item>
    <item>
      <title>Re: Wrong header offset in signed image generated with SPT v6?</title>
      <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670887#M253</link>
      <description>&lt;P&gt;Hello Petr,&lt;/P&gt;&lt;P&gt;Thank you very much for your answer. This helps me a lot.&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;lorv&lt;/P&gt;</description>
      <pubDate>Fri, 16 Jun 2023 07:22:18 GMT</pubDate>
      <guid>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670887#M253</guid>
      <dc:creator>lorv</dc:creator>
      <dc:date>2023-06-16T07:22:18Z</dc:date>
    </item>
    <item>
      <title>Re: Wrong header offset in signed image generated with SPT v6?</title>
      <link>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670891#M254</link>
      <description>&lt;P&gt;You are welcome,&lt;BR /&gt;&amp;nbsp;thanks for reporting DOC bug, I resend it internally to documentation team. Hope in early update.&lt;/P&gt;</description>
      <pubDate>Fri, 16 Jun 2023 07:26:53 GMT</pubDate>
      <guid>https://community.nxp.com/t5/MCUXpresso-Secure-Provisioning/Wrong-header-offset-in-signed-image-generated-with-SPT-v6/m-p/1670891#M254</guid>
      <dc:creator>Gargy</dc:creator>
      <dc:date>2023-06-16T07:26:53Z</dc:date>
    </item>
  </channel>
</rss>

