merged.hex file built from the same code base is different.

RE: merged.hex file built from the same code base is different.

AHaug — Mon, 11 Dec 2023 14:23:48 GMT

Hi,

[quote user="Learner"]Do you mean I manually strip the part of the output build files that show differences built from the same code base i.e merged.hex, app_update.bin and app_signed.hex?[/quote]

That is my understanding of it, yes

[quote user="Learner"]

I am not familiar with imgtool, so I had a look at the case you shared with me where Benjamin V used the command line below,

imgtool verify --key <key.pem> app_update.bin

[/quote]

I recommend that you have a look at https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures, https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/imgtool.html and https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/fw_update.html#ug-fw-update-keys-imgtool to familiarize yourself regarding imgtool

[quote user="Learner"]Where do I get the key.pem file from ?[/quote]

Some default keys can be found in <sdk version>/bootloader/mcuboot but we recommend that you generate your own keys following the documentation to do so https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/fw_update.html#generating-private-keys

If you have your own custom keys they are in CONFIG_BOOT_SIGNATURE_KEY_FILE

Kind regards,
Andreas

RE: merged.hex file built from the same code base is different.

Learner — Thu, 07 Dec 2023 13:34:14 GMT

Hi Andreas,

Thank you for all your efforts.

[quote userid="107683" url="~/f/nordic-q-a/106103/merged-hex-file-built-from-the-same-code-base-is-different/459357"]Strip the signature and hash before comparing the firmware itself.[/quote]

Do you mean I manually strip the part of the output build files that show differences built from the same code base i.e merged.hex, app_update.bin and app_signed.hex?

[quote userid="107683" url="~/f/nordic-q-a/106103/merged-hex-file-built-from-the-same-code-base-is-different/459357"]Use the imgtool verify command to check that the signature of both images can be verified with the same key.[/quote]

I am not familiar with imgtool, so I had a look at the case you shared with me where Benjamin V used the command line below,

imgtool verify --key <key.pem> app_update.bin

Where do I get the key.pem file from ?

[quote userid="107683" url="~/f/nordic-q-a/106103/merged-hex-file-built-from-the-same-code-base-is-different/459357"]The Merged.hex is also a composition of different files and we recommend that you compare it to zephyr.hex to look closer into where the difference occurs[/quote]

I compared the files merged.hex and zypher.hex from the same build and I am no wiser.

Thank you.

Kind regards

Mohamed

RE: merged.hex file built from the same code base is different.

AHaug — Thu, 07 Dec 2023 12:32:20 GMT

Hi,

First of apologies for the far too long response time. It took longer than expected to find an answer for the two questions

In the general case, the signature schemes are non-deterministic so the difference in the binary is to be expected.

In addition, if you're using development keys (for NSIB, MCUBoot uses the same key every time), the keys are also re-generated when building from scratch
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/fw_update.html#using-development-keys.

Given the signature is non-deterministic, one way to ensure two builds have created the same firmware is to do these two steps:

Strip the signature and hash before comparing the firmware itself.
Use the imgtool verify command to check that the signature of both images can be verified with the same key.

This option is also suggested in https://reproducible-builds.org/docs/embedded-signatures/

This case discusses the topic above and you can use that as a reference MCUBoot - Firmware signature looks different at each build

The Merged.hex is also a composition of different files and we recommend that you compare it to zephyr.hex to look closer into where the difference occurs

Once again, apologies for the long response time and I hope this answers your questions sufficiently

Kind regards,
Andreas

RE: merged.hex file built from the same code base is different.

Learner — Wed, 06 Dec 2023 16:04:56 GMT

Hi Andreas,

I am sorry to keep chasing you about the answers I am looking for.

I am stuck on this and I need help from someone from Nordic.

Thank you.

Kind regards

Mohamed

RE: merged.hex file built from the same code base is different.

Learner — Mon, 04 Dec 2023 09:27:32 GMT

Good Morning Andreas,

Any update on my two questions above?

Kind regards

Mohamed

RE: merged.hex file built from the same code base is different.

Learner — Tue, 28 Nov 2023 15:41:41 GMT

Hi Andreas,

Thank you for your reply.

I am looking forward to your answers to my other two questions.

Kind regards

Mohamed

RE: merged.hex file built from the same code base is different.

AHaug — Tue, 28 Nov 2023 15:03:35 GMT

[quote user=""]Q1/ Can you please explain why this is happening?[/quote]

It is as you said due to your firmware beeing modified since you have a timestamp that changes from build to build

[quote user=""]

Q2/ Could you please point me to a document detailing the format of the merged.hex file.

Q3/ Is there a utility that checks only the code content of the merged.hex without including timestamp, CRC, Signature etc...?

[/quote]

I will have to ask around some more to see if we have something for this

I will get back to you before the weekend.

Kind regards,
Andreas