SRK hash fuse burning

yosri_c · ‎08-08-2025

Hello,

i'm trying to burn SRK_hash.bin fuses in SRK_HASH[255-0] . we're using an RT1176 ccustom board.

it's mentioned that the fuses address is 0xB00-0xB70 , i want to know what is the correct offset when trying to fuse a 32 bytes key HASH using the OCOTP_WriteFuseShadowRegister :

is it : 4 bytes offset

Fuse Word[0] OCOTP Addr 0xB00 -> 0x5B31CBE9
Fuse Word[1] OCOTP Addr 0xB04 -> 0x6DE304C8
Fuse Word[2] OCOTP Addr 0xB08 -> 0x5B31CBE9
Fuse Word[3] OCOTP Addr 0xB0C -> 0x5B31CBE9
Fuse Word[4] OCOTP Addr 0xB10 -> 0x6DE304C8
Fuse Word[5] OCOTP Addr 0xB14 -> 0x6DE304C8
Fuse Word[6] OCOTP Addr 0xB18 -> 0x6DE304C8
Fuse Word[7] OCOTP Addr 0xB1C -> 0x5B31CBE9

or to match the fuses address in the RM :

Fuse Word[0] OCOTP Addr 0xB00 -> 0x5B31CBE9
Fuse Word[1] OCOTP Addr 0xB10 -> 0x6DE304C8
Fuse Word[2] OCOTP Addr 0xB20 ->x5B31CBE9
Fuse Word[3] OCOTP Addr 0xB30 -> x5B31CBE9
Fuse Word[4] OCOTP Addr 0xB40 ->0x6DE304C8
Fuse Word[5] OCOTP Addr 0xB50 -> 0x6DE304C8
Fuse Word[6] OCOTP Addr 0xB60 -> 0x6DE304C8
Fuse Word[7] OCOTP Addr 0xB70 -> 0x5B31CBE9

*hash values are dummy just for the example

Thank you

diego_charles · ‎08-18-2025

Hi @yosri_c

I am sorry for the delayed response.

Match the fuses address in the RM makes sense to me. As you ensure that the hash is written on the expected fuse word.

See how the MCUXpresso Secure Proviosining tool writes SRK Hash.

Best regards,

Diego

yosri_c · ‎08-19-2025

Hi @diego_charles

Thank you for the clarification , i have one more question about CST , code signing tool ,

i'm trying to use a /keys/hab4_pki_tree.bat script to generate a PKI tree and when i try to specify the key type (rsa , rsa-pss ,ecc ) , like for example i chose rsa but it askes then for ecc length ! same thing if i chose ecc it askes then for rsa length

this is important because i burning fuses with the hash of these certs and keys so i have to be 100% sure

"Key Type Options:"
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521:

"Key Type Options:"
Select the key type (possible values: rsa, rsa-pss, ecc)?: ecc
Enter key length in bits for PKI tree:

Thank you

IsaulO

Hello @yosri_c ,

Thanks for reporting this issue, it seems to be just an error with the key type option, you can select ecc for rsa key option as a workaround or use a previous CST version instead (3.0.1).

These were the results when selecting ecc key type and 1024 length.

BR,
IsaulO.

yosri_c · ‎08-18-2025

Hello again,

anyone here can help ?