I have created my secure boot demo project on STM32H563ZI using the link below.
https://wiki.st.com/stm32mcu/wiki/Security:How_to_start_with_STM32CubeMX_OEMiRoT_Boot_path_on_STM32H563
During provisioning, the secure image is signed by the TPC (STM32TrustedPackageCreator) tool. TPC supports the standard MCUboot signing process: calculating SHA256, generating the firmare image signature TLV (e.g., ECDSA256 0x22) using the specified private key, and adding standard TLVs. All these work just fine with the TPC tool.
Now, I need to append a full public key (IMAGE_TLV_PUBKEY 0x02) as an additional TLV into the image. And one more layer of TLV (IMAGE_TLV_ECDSA256 0x22) for the signature of this pub key. Does TPC support custom TLVs by changing its config file (e.g., OEMiROT_S_Code_Image.xml)?
I acually couldn't find ways to do that via TPC, so I switched to use imgtool.
imgtool sign --key "C:/Work/nucleo_h563zi/Secure/ROT_Provisioning/OEMiROT/Keys/OEMiROT_Authentication_S.pem" --header-size 0x400 --pad-header --align 16 --slot-size 0x6000 --version 1.0.0 --security-counter auto --overwrite-only secure_app.bin signed_imgtool_only.bin
All the above config for imgtool is the same as described in the TPC config (OEMiROT_S_Code_Image.xml) file. But still, I compared the two signed image, the one TPC generated is different from the imgtool hex file. Also, provision the imgtool signed secure app, it failed to boot up. Debugger shows the app's memory address was empty.
But if I provision the TPC signed image, once burned into the flash, read memory from the Debugger shows the hex value is then the same as the imgtool version hex.
So, does the TPC tool signing process change the payload of the image when encryption disabled?
What is the recommended way to add custom TLVs?
