MCUBoot - Firmware signature looks different at each build

Hi,

We are developing on an NRF9160 using the NRF Connect SDK v1.6.1. (The project started two years earlier).
We have set up a CI to ensure the integrity of the generated firmwares.

We use MCUBoot (v1.7.99) as a bootloader and we noticed
that two builds of the same firmware generate two different firmware signatures.
Indeed, during two builds:
- `app_to_sign.bin` are identical on both builds
- `app_update.bin` and `app_signed.hex` differ.

Analyzing the two `app_signed.hex`, we realize that the area in question is the TLV zone that includes the signature keys and firmware hashes, which is attached to the end of the firmwares.
The screenshot below highlights the differences between both `app_signed.hex`.

We don't understand the reasons for this behavior and we wish to fix it to allow us to regenerate an identical binary if there is a need to replay a pipeline from the CI.

Could you explain this to us and possibly see how to limit it?

Thank you in advance,

Regards,

Benjamin V.

  • Hi, 

    The signature schemes are non-deterministic, so this is to be expected.

    Given the signature is non-deterministic, one way to ensure two builds have created the same firmware is to do these two steps:

    1. strip the signature and hash before comparing the firmware itself.

    2. use the imgtool verify command to check that the signature of both images can be verified with the same key.

    Regards,
    Amanda H.
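Step 1 of the answer above, as an added example (not code from the thread, Nordic or MCUboot): it splits an image into the region covered by the image hash and the unprotected TLVs, then compares only the hashed region. The function names are hypothetical, the constants are the MCUboot image-format values as assumed here, and the sample images are constructed with dummy signature bytes.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D           # image header magic
TLV_INFO_MAGIC = 0x6907            # unprotected TLV area (hash, signature)
TLV_PROT_INFO_MAGIC = 0x6908       # protected TLV area (covered by the hash)
TLV_SHA256, TLV_ECDSA256 = 0x10, 0x22


def split_image(blob):
    """Return (hashed_region, {tlv_type: value}) for one MCUboot image."""
    magic, _load, hdr_size, prot_size, img_size = struct.unpack_from("<IIHHI", blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image")
    off = hdr_size + img_size
    if prot_size:
        pmagic, ptot = struct.unpack_from("<HH", blob, off)
        if pmagic != TLV_PROT_INFO_MAGIC or ptot != prot_size:
            raise ValueError("bad protected TLV area")
        off += prot_size
    hashed = blob[:off]            # header + payload + protected TLVs
    tmagic, ttot = struct.unpack_from("<HH", blob, off)
    if tmagic != TLV_INFO_MAGIC or off + ttot > len(blob):
        raise ValueError("TLV area not found or truncated")
    pos, end, tlvs = off + 4, off + ttot, {}
    while pos + 4 <= end:          # each entry: u16 type, u16 length, value
        t, n = struct.unpack_from("<HH", blob, pos)
        tlvs[t] = blob[pos + 4:pos + 4 + n]
        pos += 4 + n
    return hashed, tlvs


def same_firmware(a, b):
    """True when two images are identical apart from their unprotected TLVs."""
    ha, ta = split_image(a)
    hb, tb = split_image(b)
    for hashed, tlvs in ((ha, ta), (hb, tb)):
        if tlvs.get(TLV_SHA256) != hashlib.sha256(hashed).digest():
            raise ValueError("SHA256 TLV does not match image contents")
    return ha == hb


def constructed_image(payload, sig):
    """Constructed sample: 32-byte header, payload, SHA256 TLV, dummy signature TLV."""
    hdr = struct.pack("<IIHHII8sI", IMAGE_MAGIC, 0, 32, 0, len(payload), 0, bytes(8), 0)
    digest = hashlib.sha256(hdr + payload).digest()
    tlvs = struct.pack("<HH", TLV_SHA256, 32) + digest
    tlvs += struct.pack("<HH", TLV_ECDSA256, len(sig)) + sig
    return hdr + payload + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlvs)) + tlvs
```

This only shows that the signed content is byte-identical; it does not validate the signature, which is what `imgtool verify` in step 2 is for.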

  • Thank you for your response and promptness.

    Indeed, what you said makes sense.

    I just checked the app_to_sign.bin files and they are indeed identical.

    I just ran imgtool verify --key <key.pem> app_update.bin on my two builds and both returned the same thing.

    imgtool verify --key <key.pem> build/zephyr/app_update.bin
    Image was correctly validated
    Image version: 1.12.0+0
    Image digest: 8f1d53663ec5c[...]836fb96bfc

    Thanks again and have a great day,
