Signature calculation of application image for secure boot

Ian Hall from Renesas put a sample secure bootloader project ("YASB") on GitHub. Ian's Python program prepends a 0x100-byte signature header to the application image and then performs the hash calculation starting from inside the header, rather than from the start of the application image. It would seem the most straightforward way would be to calculate the hash based solely on the application image, generate the signature from it, and prepend the header to the image.

I'm sure there must be a good reason for including part of the header in the hash calculation so I'd appreciate understanding why it was done this way.

Thanks

tom

  • I think you are referring to imgtool.py from MCUBoot

    https://github.com/mcu-tools/mcuboot/blob/master/docs/design.md

    The hash covers both hdr and body

    #define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */

    The hdr contains info such as version, load address, image size (excluding header) which must be integrity checked.
    e.g. if I change the version, a previous image with a known vulnerability could be reloaded.

    Such info could have been embedded in the application image. mcuboot would need to know where it is located when it
    performs checks for downgrade prevention. It can be done, but from mcuboot's perspective an external header is
    easier to manage. IMHO.
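The point made in the reply above, as an added example that is not part of the reply and is not MCUboot's or imgtool.py's own code: a header modelled on MCUboot's image_header layout (the field order and the magic value are my assumptions from the design document) carrying the version, hashed the way imgtool does (header + body) beside the body-only scheme the question proposed. The version-field change is caught only by the first.

```python
"""Added example (not from the page, YASB or MCUboot): why the signed
hash must cover the image header as well as the image body."""
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D   # assumption: MCUboot image magic from docs/design.md
HDR_FMT = "<IIHHIIBBHII"   # assumption: field order of MCUboot's struct image_header
HDR_SIZE = struct.calcsize(HDR_FMT)   # 32 bytes


def build_header(version, load_addr, img_size):
    """Build a header carrying the metadata the bootloader enforces:
    version (downgrade prevention), load address, body size (excl. header)."""
    major, minor, revision, build = version
    return struct.pack(HDR_FMT, IMAGE_MAGIC, load_addr, HDR_SIZE, 0,
                       img_size, 0, major, minor, revision, build, 0)


def image_hash(header, body, cover_header=True):
    """imgtool-style hash over header + body, or the body-only variant
    the original post proposed."""
    h = hashlib.sha256()
    if cover_header:
        h.update(header)
    h.update(body)
    return h.digest()


def verify(header, body, expected, cover_header=True):
    """What the bootloader does at boot: recompute the hash over the bytes
    it will rely on and compare. (The signature over the hash is omitted;
    it does not change the header-vs-body point.)"""
    return image_hash(header, body, cover_header) == expected


def downgrade_detected(cover_header):
    """Constructed scenario: the body of an older build is kept unchanged
    but its header's version field is rewritten so the bootloader would
    treat it as newer. Returns True if the hash check catches the edit."""
    body = b"\x00\xff" * 64                     # constructed stand-in firmware body
    good_hdr = build_header((1, 0, 0, 0), 0x08010000, len(body))
    expected = image_hash(good_hdr, body, cover_header)   # value the signer fixed
    forged_hdr = build_header((1, 0, 1, 0), 0x08010000, len(body))  # edited version
    return not verify(forged_hdr, body, expected, cover_header)


if __name__ == "__main__":
    print("header covered -> tamper detected:", downgrade_detected(True))   # True
    print("body-only hash -> tamper detected:", downgrade_detected(False))  # False
```

With the body-only hash the rewritten header verifies cleanly, which is exactly the downgrade the reply warns about.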