bootloader singeing and encryption.

I am trying to use MCUBoot . Followed this Add DFU support to your application , and this works.

I generated key.pem files, and try to sign the file with

CONFIG_SB_SIGNING_KEY_FILE= <path to *pem file>

it builds, but the I do it with a different key file, and I am still able to upload the new file via mobile device manager.

So, what am I missing?

Actually, I understand that signing the file just adds the signature as meta data to the file, but does not encrypt it. So everyone that has the file can use it with his version of MCUBoot?

I would like to have a way to encrypt the whole bin file, and let the bootloader decrypt it, so only my bootloader can be used. How can this be done?

Johanan

0 Johan.h over 2 years ago in reply to Amanda Hsieh

Thank you for this project.

I am using same v2.3.0 SDK

It looks like I have a big misunderstanding.

in your project, you have a child image, in which you have another prj.conf file, and there you set the key file.

I have no child image in my project at all. In order to make a bootable bin file, I just added the MCUBoot enable in my prj.conf.

Please explain in short step by step, adding MCUboot with a key to a sample project.

BR

Johanan
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 2 years ago in reply to Johan.h

Hi,

Since the mcuboot is built as child_image, it can be set with the configuration under the child_image folder. See Image-specific variables doc.

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben_R831 over 2 years ago in reply to Amanda Hsieh

Hello,

Amanda Hsieh said:
Unfortunately, encrypted DFU is a feature we do not officially support in our SDK.

I just had a question about this. I've been looking around at other forum posts and they say the same thing, that encrypted DFU is not supported. See here and here.

However, it seems like there are other posts where people possibly got it working. See here and here. In my own testing I haven't gotten it to work. Also, from what it seems like, those two other posts are much more complicated and not "easily implemented" like the signing feature in the SDK. Is this what not "officially supporting" it means?

It is strange though that it can be found in the docs here in Nordic Connect SDK despite lacking support (although from what I found the docs do not give an example of it working from start to finish).

So, in short, is the feature completely unsupported, or is there a work-around in the meantime?

I'm brand new in all the Nordic stuff, so kind of confused. This was the most recent discussion on encryption too.

Thank you very much,

Ben

Did find this post too which gave details on both sides. I have not tried its solution yet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 2 years ago in reply to Ben_R831

Hi,

The reason and workaround are explained in this post by my colleague.

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel