• State Verified Answer
  • Replies 6 replies
  • Subscribers 64 subscribers
  • Views 828 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 308594
Options

Adding mcuboot to tfm provisioning sample

Anthony Ambuehl

I'm working on a project where its desired to use an initial provisioning image with capability to update firmware after the completion of the provisioning step.  For this purpose I am adding secure boot and mcuboot to the cpuapp.  My builds are successful with original project and with CONFIG_SECURE_BOOT=y, but when I add CONFIG_BOOTLOADER_MCUBOOT=y I get an error:

A domain may only have a single child image.Current domain image is:
empty_net_core, `empty_net_core` is a domain parent image, so you may add
`cpunet` as a child inside `empty_net_core`

How do I workaround this error? 

Is the tfm provisioning sample app built without hci in the cpunet? 

If I want to utilize ble during provisioning, how should I modify the configuration?

Also I have noticed this worrisome message at the end of the cmake generation step:

Dropping partition 'hw_unique_key_partition' since its size is 0.

Is this expected or does it indicate something is missing from the configuration? 

  • +1 in reply to Anthony Ambuehl

    Hi,

    Anthony Ambuehl said:

    1) Is the code to disable the debug port enabled by:

          a) a kconfig variable

          b) code in sample source

         c) both

    2) The provisioning sample says it used the empty cpunet to disable the debug port.  Do I need to do this for both cores, the cpunet core only or either?

    For understanding access port protection, I would recomend taking a look at the CTRL-AP - Control access port section in the product specification. The key points is that the debug port is locked by default, but can be opened in two different ways. One is with an ERASEALL operation, and the other is if a persistent UICR register unlocks it as well as firmware by writing to a volatile register during startup (APPROTECT.DISABLE / SECUREAPPROTECT.DISABLE). Another important point here, is that this is separate for the network core and for the application core, and for secure and non secure on the application core.

    The tools will unlock the access port by default. For instance, with "nrfjprog --recover" the debug port is opened up in the UICR, and a small firwmare image that unlocks it runtime is flashed. The part that unlocks it runtime (implemented by nrf53_handle_approtect() in modules/hal/nordic/nrfx/mdk/system_nrf53_approtect.h) is also included by default in nRF Connect SDK applications. To don't unlock, add CONFIG_NRF_APPROTECT_LOCK /CONFIG_NRF_SECURE_APPROTECT_LOCK). You may also want to write to UICR to remove the magic word that enabled debugger access if that was set by nrfjprog or other tools.

    Anthony Ambuehl said:
    3) Any thoughts on the dropping hw unique key partition?  Is this dropped because the nrf5340 stores the keys in the KMU which uses the UICR instead of a dedicated flash partition?

    Yes, this is only relevant for devices without a KMU.

    Anthony Ambuehl said:
    4) its understandable that the samples don't fulfill all end-user requirements, is there any checklist or guidelines for building production ready apps?   Stuff like setting up pre-generated signing keys, disabling debug ports, validating maximum size DFU of all updatable components..

    We are working on this, but we do not have guidelines at the moment, unfortunately. At the moment, we mostly provide a toolbox an some samples (which you see in the SDK).

    Anthony Ambuehl said:
    Is there any way to add this code into the hci_rpmsg cpunet image.  Maybe something like a module that just runs some code at startup?

    Yes. The hci_rpmsg is automatically included as a child image, but you are free to modify it (this is the sample found under zephyr/samples/bluetooth/hci_rpmsg). You can also modify just the config by putting a child_image/hci_rpmsg.conf file under your application directory, and configure it to disable the access port by adding CONFIG_NRF_APPROTECT_LOCK=y. Then the code I mentioned earlier in this post is run, and access port protection is disabled. You also want to disable i in the UICR during production programming (typically by writing all zeros) to the APPROTECT register in the network core UICR. If you want to write to the UICR programatically instead of direclty from a debugger you will need to add code for that by modifying hci_rpmsg.

Related