Questions about Signed images (Secure Boot) - LPC55S16

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Questions about Signed images (Secure Boot) - LPC55S16

368 Views
jesm86
Contributor II

Hi,

I am currently implementing my own secure boot (not using the secure boot loader) and I encountered some issues/questions:

I am using the MCUXpresso Secure Provisioning Software to create signed version of my image (*.bin files, no secure binares (*.sb)). In the LPC55S16 User Manual as well as in AN12283 it states that the field "totalImageLengthInBytes" of the x509 certificate block indicates the "total length of the signed data". Going by this value it means that the image starting from the absolute address 0x00000000 up until the end(!) of the complete certificate block is signed (i.e. hashed using SHA256 and then signed using RSA2048). Is this assumption correct or is only the image up until the start of the certificate block signed?

When the image is first hashed, the data is hashed using the exact way it is stored in memory (i.e. little endian), so in my own secure boot implementation I dont have to enable byte swapping for the Hashcrypt engine, right?

When using the ModExp(...) function of the CASPER engine for RSA verification, which what would be the correct parameter for the worldLen paremter? On the one hand my understanding is that it should be 2048/32=64 in my case, but this gives me results that all have length of 2048 bits (256 byte) (the result should of course have 256 bits, as its a SHA256 value).

I am just asking these questions, because I somehow dont manage get a successful verification. The hashing works perfectly, but the ModExp-RSA part gives me wrong values and I am trying to narrow down the possible reasons..

Thanks in advance!

0 Kudos
Reply
1 Reply

354 Views
Alice_Yang
NXP TechSupport
NXP TechSupport

Hello @jesm86 

1) The Singed image generated by MCUXpresso Secure Provisioning Software is signed+ secure, you can see the generate file is *. sb.

Alice_Yang_0-1701251255216.png

 

2) Recommend you use secure boot loader, and the tool MCUXpresso Secure Provisioning Software is used in conjunction with Secure bootloader.

 

BR

Alice

0 Kudos
Reply