
HABv4 CST size of encrypted data

Question asked by valentinsitdikov on Mar 26, 2020
Latest reply on Mar 30, 2020 by valentinsitdikov

Hello, I am trying to sign and encrypt imx6's Linux + initramfs image with cst. cst crashes during data encryption.

I also tried to play with the length of the encrypted data; it worked up to some kind of limit:

 

csf script which does not work:

# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    Engine = CAAM

 

[Install SRK]
    File = "./SRK_table.bin"
    Source index = 0

 

[Install CSFK]
    File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate CSF]

 

[Install Key]
    Verification index = 0
    Target index = 2
    File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"

 

[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "./security/dek.bin"
    Key Length = 256
    Blob address = 301989632

 

[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
             301990176 288 10854112 "zImage.initramfs.signed"

csf script which still works:

 

# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    Engine = CAAM

 

[Install SRK]
    File = "./SRK_table.bin"
    Source index = 0

 

[Install CSFK]
    File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate CSF]

 

[Install Key]
    Verification index = 0
    Target index = 2
    File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"

 

[Authenticate Data]
    Verification index = 2
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"

 

[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "./security/dek.bin"
    Key Length = 256
    Blob address = 301989632

 

[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
             301990176 288 8300000 "zImage.initramfs.signed"

 

cst version is :

 

~/work/mel11-imx6/workspace/build/tmp/work/nitrogen6x_mel-mel-linux-gnueabi/linux-mel/4.14.78-nitrogen6x-mel+gitAUTOINC+b87a171d5c-r0/recipe-sysroot-native/usr/bin/cst -v
Code Signing Tool release version 3.1.0

 

Could you please guide me on how to fix the issue?
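
A layout check on the Blocks entries of the two scripts above, as an added example that is not part of the original post and is not NXP code. It assumes each entry reads as load address, file offset, length and file name, and reports the load base each entry implies plus any file-offset range that no entry covers; `parse_blocks` and `coverage_gaps` are names made up for this sketch.

```python
import re

# Constructed sample: only the Blocks-bearing commands from the two CSF
# scripts in the post, with addresses, offsets and lengths copied verbatim.
FAILING = '''
[Authenticate Data]
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"
[Authenticate Data]
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"
[Authenticate Data]
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"
[Decrypt Data]
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \\
             301990176 288 10854112 "zImage.initramfs.signed"
'''
# The working script differs only in the length of the last Decrypt Data block.
WORKING = FAILING.replace("10854112", "8300000")

NUM = r"(0x[0-9a-fA-F]+|\d+)"
# Assumed entry order: <address> <offset> <length> "<file>"
BLOCK = re.compile(NUM + r"\s+" + NUM + r"\s+" + NUM + r'\s+"([^"]+)"')

def parse_blocks(csf_text):
    """Return [(command, address, offset, length, file), ...] in script order."""
    out, command = [], None
    for line in csf_text.splitlines():
        line = line.split("#", 1)[0]          # drop CSF comments
        header = re.match(r"\s*\[(.+?)\]", line)
        if header:
            command = header.group(1)
            continue
        for addr, off, length, name in BLOCK.findall(line):
            out.append((command, int(addr, 0), int(off, 0), int(length, 0), name))
    return out

def coverage_gaps(blocks):
    """Return (load_bases, gaps): the distinct address-minus-offset values and
    the file-offset ranges [start, end) that no Blocks entry covers."""
    bases = sorted({addr - off for _, addr, off, _, _ in blocks})
    gaps, cursor = [], 0
    for start, end in sorted((off, off + ln) for _, _, off, ln, _ in blocks):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    return bases, gaps

if __name__ == "__main__":
    for label, text in (("does not work", FAILING), ("still works", WORKING)):
        bases, gaps = coverage_gaps(parse_blocks(text))
        print(label, [hex(b) for b in bases], gaps)
```

With the values in the post, every entry implies the same load base of 0x12000000. The first script tiles file offsets 0 to 10854432 with no gap, while the second leaves offsets 8300288 to 10854400 covered by neither Authenticate Data nor Decrypt Data.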
