Does MB1 or MEM BCT depends on whether the device is secured (SBK/PKC) or not?

During intergration of server signing process I came to a concept of pipeline like “generate, decrypt, encrypt and sign” which allows signing server to abstract over internal binary generation process:

  1. Generate encrypted and signed binaries by ./ --no-flash -u ... -v ... ...
  2. Decrypt signed binaries back to get plaintext versions
  3. Sign and re-encrypt binaries on server with keys of actual target device (this process is repeated for every device and runs much faster than full

It turns out that MB1 BCT is different between insecure flashing (when no keys are specified in and secure flashing (after decryption). The difference is really small (~300 bytes scattered across the file), but insecure device does not boot with MB1 BCT intended for secure device.

So, the question is: how information about whether device is in secured state affects the generation of MB1 BCT? What difference does it encode?

here’s similar discussion thread, Format of mb1_t194_prod.bin OEM signature header you’ve filed, and we’re tracking this internally.

This is a bit different, I would say.

That topic is about the format of NVDA signature header. This topic is about BCT content, and not about any signature formats.