Hi,
I have an encrypted bootloader that is signed, and HAB is enabled but not sealed. When flashed via NXP’s Secure Provisioning Tool, it works fine. Similarly, when I concatenate the FCB + Padding + Signed and encrypted bootloader + key blob (where the key blob is generated by executing the following command in the terminal):
blhost -t 5000 -u 0x15A2,0x0073 -j -- generate-key-blob "dek.bin" "blob.bin"it also works. However, if I run this process using custom firmware in a debug session (which is only used to generate the key blob), the resulting blob file is not accepted and the bootloader fails to execute. The DEK remains unchanged in both scenarios.
Both generated .bin files differ only at the blob offset address.
Is there any difference between the flashloader.bin provided by the Secure Provisioning Tool and the publicly available source code (MCU boot)?
The "stock" flashloader reports this version:
blhost -u 0x15A2,0x0073 -- get-property 1 Response status = 0
(0x0) Success. Response word 1 = 1258424320 (0x4b020800)
Current Version = K2.8.0Based on the bl_version.h, the source should be consistent, and the Secure Provisioning Tool version is 25.09.
The custom firmware uses code snippets from the flashloader source (specifically found in bl_keyblob_dcp.c), and all dependencies are taken from the same source. This implementation will only be used internally, so extracting the DEK from the firmware is not a concern.
Thank you for your time.
Hi @JordanSt ,
May I understand you have tested with iMXRT1052 as below?
1. Load the flashloader from NXP’s Secure Provisioning Tool and use the following command to have dek.bin and blob.bin
blhost -t 5000 -u 0x15A2,0x0073 -j -- generate-key-blob "dek.bin" "blob.bin"
2. Run a custom firmware with code from the sdk demo of flashloader on iMXRT1052 and use the same command as above to have the dek.bin and blob.bin.
3. The generated dek.bin files are the same, but the blob.bin files are not.
If my understanding is correct , have you tried the flashloader from the sdk in step 2? Was the result the same?
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @Kan_Li ,
Thank you for your support.
Regarding:
1. Load the flashloader from NXP’s Secure Provisioning Tool and use the following command to have dek.bin and blob.bin
- Yes, to get the key blob.
2. Run a custom firmware with code from the sdk demo of flashloader on iMXRT1052 and use the same command as above to have the dek.bin and blob.bin.
- Yes, I did, test with demo flashloader from the SDK, also a custom-custom firmware.
Not sure if important, but the main difference is that the flashloader from the SPT is executed from internal SRAM, the custom firmware or the demo from SDK is not, they are configured and build for External (on board) SDRAM.
3. The generated dek.bin files are the same, but the blob.bin files are not.
- Yes, the DEK used in both scenarios stays the same (it make sense). From the resulted key blob, headers are the same, only bk and dek sections differ, mac section is all zeros.
Have a great day
Jordan