MCUBoot - Firmware signature looks different at each build

Question

Hi, 
 We are developing on an NRF9160 using the NRF Connect SDK v1.6.1. (The project started two years earlier). We have set up a CI to ensure the integrity of the generated firmwares. 
 We use MCUBoot (v1.7.99) as a bootloader and we noticed that two builds of the same firmware generate two different firmware signatures. Indeed, during two builds: - `app_to_sign.bin` are identical on both builds - `app_update.bin` and `app_signed.hex` differ. 
 Analyzing the two `app_signed.hex`, we realize that the area in question is the TLV zone that includes the signature keys and firmware hashes, which is attached to the end of the firmwares. The below screenshot highlight the differences between both `app_signed.hex`. 
 We don't understand the reasons for this behavior and we wish to fix it to allow us to regenerate an identical binary if there is a need to replay a pipeline from the CI. 
 Could you explain this to us and possibly see how to limit it? 
 Thank you in advance, Regards, 
 Benjamin V.

Amanda Hsieh · Answer

Hi, 
 The signature schemes are non-deterministic, so this is to be expected. 
 Given the signature is non-deterministic, one way to ensure two builds have created the same firmware is to do these two steps: 
 1. strip the signature and hash before comparing the firmware itself. 
 2. use the imgtool verify command to check that the signature of both images can be verified with the same key. 
 Regards, Amanda H.

Benjamin V. · Answer

Thank you for your response and promptness. Indeed, what you said makes sense. I just checked the app_to_sign.bin files and they are indeed identical. I just ran imgtool verify --key app_update.bin on my two builds and both returned the same thing. imgtool verify --key build/zephyr/app_update.bin Image was correctly validated Image version: 1.12.0+0 Image digest: 8f1d53663ec5c[...]836fb96bfc Thanks again and have a great day,

MCUBoot - Firmware signature looks different at each build

Top Replies