cst tool releases backward compatibility

Ivan144 · ‎01-11-2021

I'd like to know if CSTTool releases have backward compatibility?

I've set up a solution and successfully signed a u-boot image for my imx6 board with CSTTool 3.1.0

Then I tried CSTTool 3.2.0 which I have built from source. And now my board reports HAB Events during boot, although my certs, keys and csf-templates are exact same. The only thing that changed is cst binary itself.

Secure boot enabled

HAB Configuration: 0x33, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x00 0x00
0x00 0x00 0x0d 0xe4

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0xf0

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04

Earlier I have burned FIELD_RETURN bit, because I wanted to test that feature. I don't know if this is relevant.

Ivan144 · ‎01-18-2021

I built cst on another machine and successfully signed u-boot binaries with it. the 4 bytes are in place. Still dont know exactly what caused the problem, but it is definetely in my environment and not in cst code.

Closing

View solution in original post

Ivan144 · ‎01-18-2021

I built cst on another machine and successfully signed u-boot binaries with it. the 4 bytes are in place. Still dont know exactly what caused the problem, but it is definetely in my environment and not in cst code.

Closing

Ivan144 · ‎01-14-2021

After some search I have found sort of a clue.

I compared csf.bin files produced by cst 3.1.0 precompiled, cst 3.2.0 precompiled and cst 3.2.0 built by me. And I've found that there's slight difference in the signature of CSF key and IMG key, that is added after the "Authenticate CSF" and "Authenticate Data" commands.

Prebuilt versions put 4 bytes in the very beginning of the signature equal to 30 82 02 F9. Self built version puts there 00 00 00 00. I can't figure out yet what is the purpose of these bytes because I'm not familiar with the signature structure. But I know that it is the result of the call to gen_sig_data_cms() defined in code/cst/code/back_end/src/adapt_layer_openssl.c

Also I noticed that prebuilt versions have no dependency against libcrypto and readelf doesn't show some external symbols (like i2d_CMS_bio_stream which is called downstack). Does it mean that the prebuilt versions are linked against openssl libraries statically or use some alternative signature realisation? I'm not yet ready for disasming the cst binary.

Also I tried to patch the csf.bin produced by my self-built cst with these 4 bytes from prebuilt cst produced csf.bin. And !voila! the board loaded with no HAB Events!

So what are these 4 bytes? And what exactly needs to be fixed in my setup?

IvanRuiz · ‎01-14-2021

Hello,

There is no backward compatibility since the security procedures may be improved, but the improvements are confidential for which the recommendation is to use the correct version of the tool for the corresponding generated files.

BR,

Ivan.