- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- MCUXpresso软件和工具
- :
- MCUXpresso安全指配工具
- :
- Re: Wrong header offset in signed image generated with SPT v6?
Wrong header offset in signed image generated with SPT v6?
Hi,
I have noticed an inconsistency between the generated signed image and the documentation of the rt600 user manual.
In chapter 42.4 of the user manual UM11147 is stated, that at offset 0x28 the header offset is located, which holds the offset from beginning of the image i.e index 0x0 to where the certificate block header begins.
I have tested two different images and the offset at 0x28 is off by 32 bytes. I have compared the binaries of the unsigned and signed image and there are 32 bytes inserted at the beginning of the signed image. I have attached two screenshot where one can see what I mean. I wanted to put them inline here but apparently they are too big.
One can see in the screenshot, that the image length field in the unsigned image is the same as the header offset field in the signed image, but there are those additional bytes so the header offset can't be right, can it?
What are those additional 32 bytes? I was not able to find anything about them in the documentation.
The ROM bootloader boots the generated image so I assume it accounts for those 32 additional bytes?
I want to write a second stage bootloader, which checks the signature of the image. Can I assume, that the header offset is always off by 32 bytes? Does the "totalImageLenthInBytes" field in the certificate block header account for those 32 bytes? Otherwise my check of the signature not work.
Thanks for your help.
Regards,
lorv
已解决! 转到解答。
Hello,
as I checked picture of your image, you're using "Plain Signed Load-to-RAM Image" on rt600. And I have to say that you found BUG in documentation.
So the "unknown" 32 bytes on offset 64 is injected HMAC value that is required for this type of image, but this injection doesn't change the certification block offset, because this HMAC value is handled by ROM code as a first and after that check the image is restored to original binary without this HMAC value.
So the original offset became again valid.
So my recommendation for you if you want to validate signature in your second stage bootloader is following:
- to find certification block, extend the offset from 0x28 by 32 bytes
- to validate signature, just omit the 32 bytes on offset 64. Just skip this HMAC value
Hope that helps
Petr
Hello,
as I checked picture of your image, you're using "Plain Signed Load-to-RAM Image" on rt600. And I have to say that you found BUG in documentation.
So the "unknown" 32 bytes on offset 64 is injected HMAC value that is required for this type of image, but this injection doesn't change the certification block offset, because this HMAC value is handled by ROM code as a first and after that check the image is restored to original binary without this HMAC value.
So the original offset became again valid.
So my recommendation for you if you want to validate signature in your second stage bootloader is following:
- to find certification block, extend the offset from 0x28 by 32 bytes
- to validate signature, just omit the 32 bytes on offset 64. Just skip this HMAC value
Hope that helps
Petr
