Hi,
I am currently implementing my own secure boot (not using the secure boot loader) and I encountered some issues/questions:
I am using the MCUXpresso Secure Provisioning Software to create a signed version of my image (*.bin files, no secure binaries (*.sb)). In the LPC55S16 User Manual as well as in AN12283 it states that the field "totalImageLengthInBytes" of the x509 certificate block indicates the "total length of the signed data". Going by this value it means that the image starting from the absolute address 0x00000000 up until the end(!) of the complete certificate block is signed (i.e. hashed using SHA256 and then signed using RSA2048). Is this assumption correct or is only the image up until the start of the certificate block signed?
When the image is first hashed, the data is hashed using the exact way it is stored in memory (i.e. little endian), so in my own secure boot implementation I don't have to enable byte swapping for the Hashcrypt engine, right?
When using the ModExp(...) function of the CASPER engine for RSA verification, what would be the correct parameter for the wordLen parameter? On the one hand my understanding is that it should be 2048/32=64 in my case, but this gives me results that all have a length of 2048 bits (256 bytes) (the result should of course have 256 bits, as it's a SHA256 value).
I am just asking these questions because I somehow don't manage to get a successful verification. The hashing works perfectly, but the ModExp-RSA part gives me wrong values and I am trying to narrow down the possible reasons.
Thanks in advance!
Hello @jesm86
1) The signed image generated by MCUXpresso Secure Provisioning Software is signed + secure; you can see the generated file is *.sb.
2) I recommend you use the secure boot loader, and the tool MCUXpresso Secure Provisioning Software is used in conjunction with the secure bootloader.
BR
Alice
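On the full-length ModExp output raised in the third question, as an added example that is not part of the thread and not NXP code: raw RSA exponentiation with a 2048-bit key yields a 256-byte encoded message, and under RSASSA-PKCS1-v1_5 padding the 32-byte SHA-256 digest sits in its last bytes. Assumptions: that padding scheme is in use (the thread does not say), the buffer passed in is most-significant byte first, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RSA_BYTES  256u  /* RSA-2048 modulus length; ModExp output is this long */
#define SHA256_LEN 32u

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2). */
static const uint8_t DIGEST_INFO[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};

/* Build the only encoding that is valid for `digest`:
 * 0x00 0x01 | 0xFF padding | 0x00 | DigestInfo | digest. */
static void expected_em(uint8_t em[RSA_BYTES], const uint8_t digest[SHA256_LEN])
{
    const size_t hash_off = RSA_BYTES - SHA256_LEN;          /* 224 */
    const size_t info_off = hash_off - sizeof(DIGEST_INFO);  /* 205 */
    memset(em, 0xFF, RSA_BYTES);
    em[0] = 0x00;
    em[1] = 0x01;
    em[info_off - 1] = 0x00;
    memcpy(&em[info_off], DIGEST_INFO, sizeof(DIGEST_INFO));
    memcpy(&em[hash_off], digest, SHA256_LEN);
}

/* Reverse a buffer in place, for the case where the engine returns the
 * result least-significant byte first (assumption: check the driver docs). */
void reverse_bytes(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len / 2; i++) {
        uint8_t t = buf[i];
        buf[i] = buf[len - 1 - i];
        buf[len - 1 - i] = t;
    }
}

/* modexp_out: signature^e mod n, most-significant byte first.
 * Returns 1 only if all 256 bytes match the expected encoding, so bad
 * padding is rejected as well as a wrong digest. */
int rsa2048_sha256_em_ok(const uint8_t modexp_out[RSA_BYTES],
                         const uint8_t digest[SHA256_LEN])
{
    uint8_t em[RSA_BYTES];
    uint8_t diff = 0;
    expected_em(em, digest);
    for (size_t i = 0; i < RSA_BYTES; i++) {
        diff |= (uint8_t)(em[i] ^ modexp_out[i]);
    }
    return diff == 0;
}
```

Comparing the whole 256-byte block, rather than only extracting the trailing 32 bytes, keeps a signature with malformed padding from being accepted.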