Bootloader signing and encryption.

I am trying to use MCUBoot. Followed this Add DFU support to your application, and this works.

I generated key.pem files, and try to sign the file with 

CONFIG_SB_SIGNING_KEY_FILE= <path to *pem file>

It builds, but then I do it with a different key file, and I am still able to upload the new file via mobile device manager.

So, what am I missing?

Actually, I understand that signing the file just adds the signature as metadata to the file, but does not encrypt it. So everyone that has the file can use it with his version of MCUBoot?

I would like to have a way to encrypt the whole bin file, and let the bootloader decrypt it, so only my bootloader can be used. How can this be done?

BR

Johanan

  • Hi, 

    CONFIG_SB_SIGNING_KEY_FILE= <path to *pem file>

    Are you using nRF Secure Immutable Bootloader (NSIB) by enabling CONFIG_SECURE_BOOT? CONFIG_SB_SIGNING_KEY_FILE is used for signing the NSIB firmware image. To sign the mcuboot image, it should use CONFIG_BOOT_SIGNATURE_KEY_FILE. Here is the example

    So everyone that has the file can use it with his version of MCUBoot?

    You have two keys: A Private Key and a Public Key. The firmware image is signed with the Private Key, and the bootloader has the Public Key. The bootloader can use the Public Key to verify that the firmware image is signed with the Private Key. Only you have the Private Key to sign the firmware image.

    I would like to have a way to encrypt the whole bin file, and let the bootloader decrypt it, so only my bootloader can be used. How can this be done?

    Unfortunately, encrypted DFU is a feature we do not officially support in our SDK. 

    Regards,
    Amanda H.
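
One way to check which key a built image actually names as its signer, added here as an example that is not part of the original thread or of Nordic's code: it reads the TLV area MCUboot appends after the firmware and compares the key-hash TLV with the SHA-256 of the expected public key. The magic numbers, TLV type values and the default SHA-256 key hash are assumptions taken from MCUboot's image format, not from this thread; `read_tlvs`, `names_key`, `build_sample` and the sample keys are constructed for illustration.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D               # MCUboot image header magic
TLV_INFO_MAGICS = (0x6907, 0x6908)     # unprotected / protected TLV areas
TLV_KEYHASH = 0x01                     # SHA-256 of the signer's public key
TLV_SIGNATURES = (0x20, 0x22, 0x23, 0x24)  # RSA2048, ECDSA, RSA3072, Ed25519


def read_tlvs(image: bytes) -> dict:
    """Return {type: payload} for the TLVs appended after the firmware."""
    if len(image) < 32:
        raise ValueError("too short for an MCUboot header")
    magic, _, hdr_size, _, img_size, _ = struct.unpack_from("<IIHHII", image)
    if magic != IMAGE_MAGIC:
        raise ValueError("bad header magic: not an MCUboot image")
    tlvs, off = {}, hdr_size + img_size
    while off + 4 <= len(image):
        info_magic, total = struct.unpack_from("<HH", image, off)
        if info_magic not in TLV_INFO_MAGICS:
            break                      # trailing padding or no TLV area
        end = off + total              # total counts the 4-byte info header
        if total < 4 or end > len(image):
            raise ValueError("truncated TLV area")
        pos = off + 4
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", image, pos)
            tlvs[tlv_type] = image[pos + 4:pos + 4 + length]
            pos += 4 + length
        off = end
    return tlvs


def names_key(image: bytes, pubkey_der: bytes) -> bool:
    """True if the image carries a signature TLV and names this public key.
    This only reads metadata; the bootloader does the real signature check."""
    tlvs = read_tlvs(image)
    signed = any(t in tlvs for t in TLV_SIGNATURES)
    return signed and tlvs.get(TLV_KEYHASH) == hashlib.sha256(pubkey_der).digest()


def build_sample(pubkey_der: bytes) -> bytes:
    """Constructed test image: 32-byte header, 64-byte payload, dummy signature."""
    payload = bytes(64)
    header = struct.pack("<IIHHII", IMAGE_MAGIC, 0, 32, 0, len(payload), 0) + bytes(12)
    body = struct.pack("<HH", TLV_KEYHASH, 32) + hashlib.sha256(pubkey_der).digest()
    body += struct.pack("<HH", 0x22, 70) + bytes(70)
    return header + payload + struct.pack("<HH", 0x6907, 4 + len(body)) + body
```

On a real build, pass the signed image bytes and the DER encoding of the public key; a mismatch means the image was signed with a different key than the one being compared.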

  • Hello,

    Unfortunately, encrypted DFU is a feature we do not officially support in our SDK. 

    I just had a question about this. I've been looking around at other forum posts and they say the same thing, that encrypted DFU is not supported. See here and here.

    However, it seems like there are other posts where people possibly got it working. See here and here. In my own testing I haven't gotten it to work. Also, from what it seems like, those two other posts are much more complicated and not "easily implemented" like the signing feature in the SDK. Is this what not "officially supporting" it means?

    It is strange though that it can be found in the docs here in Nordic Connect SDK despite lacking support (although from what I found the docs do not give an example of it working from start to finish).

    So, in short, is the feature completely unsupported, or is there a work-around in the meantime?

    I'm brand new in all the Nordic stuff, so kind of confused. This was the most recent discussion on encryption too.

    Thank you very much,

    Ben

    Did find this post too which gave details on both sides. I have not tried its solution yet.
