WARNING: Using generated NSIB public/private key-pair.

D:\ncs\v2.4.0\bootloader\mcuboot\samples\zephyr\hello-world>west build -b nrf5340dk_nrf5340_cpuapp
-- west build: generating a build system

...

-- Configuring done
-- Generating done
-- Build files have been written to: D:/ncs/v2.4.0/bootloader/mcuboot/samples/zephyr/hello-world/build/b0
=== child image b0 - end ===

CMake Warning at D:/ncs/v2.4.0/nrf/subsys/bootloader/cmake/debug_keys.cmake:36 (message):

--------------------------------------------------------------
--- WARNING: Using generated NSIB public/private key-pair. ---
--- It should not be used for production. ---
--- See CONFIG_SB_SIGNING_KEY_FILE ---
--------------------------------------------------------------

Procedures to reproduce this issue is as follows.

1. Unzipping hello-world.zip to D:\ncs\v2.4.0\bootloader\mcuboot\samples\zephyr folder.

2. cd D:\ncs\v2.4.0\bootloader\mcuboot\samples\zephyr\hello-world

3. west build -b nrf5340dk_nrf5340_cpuapp

Parents

0 Sigurd over 1 year ago

Hi,

You need to set CONFIG_SB_SIGNING_KEY_FILE when using your own key.

See the documentation here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/bootloader_adding.html#adding-a-custom-signature-key-file

Based on your sample, try setting this in prj.conf:

CONFIG_SB_SIGNING_KEY_FILE="custom_key_dir/custom_priv.pem"
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Daniel K over 1 year ago in reply to Sigurd
I ran into this problem too. The source of it is here in nrf/subsys/bootloader/cmake/debug_keys.cmake:

if(IS_ABSOLUTE ${CONFIG_SB_SIGNING_KEY_FILE}) set(SIGNATURE_PRIVATE_KEY_FILE ${CONFIG_SB_SIGNING_KEY_FILE}) else() set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${CONFIG_SB_SIGNING_KEY_FILE}) endif()

So the only way to make it use relative paths is to change APPLICATION_CONFIG_DIR, but then I have to duplicate prj.conf from the sample image.

For mcuboot, it is possible to change the signing key directory by supplying mcuboot_CONF_DIR only (not mcuboot_CONF_FILE); this causes it to use prj.conf from mcuboot SDK directory as the base configuration and then look into the directory I've defined for the key file.

It would be great if debug_keys.cmake also supported the same logic to allow getting the key from hci_rpmsg_CONF_DIR.

PS: Also I found that the logic in here is broken in other ways; if you try to pass the key via "SB_SIGNING_KEY_FILE" environment variable or CMake command line argument, it is always overridden by the config file setting.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Daniel K over 1 year ago in reply to Sigurd
I ran into this problem too. The source of it is here in nrf/subsys/bootloader/cmake/debug_keys.cmake:

if(IS_ABSOLUTE ${CONFIG_SB_SIGNING_KEY_FILE}) set(SIGNATURE_PRIVATE_KEY_FILE ${CONFIG_SB_SIGNING_KEY_FILE}) else() set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${CONFIG_SB_SIGNING_KEY_FILE}) endif()

So the only way to make it use relative paths is to change APPLICATION_CONFIG_DIR, but then I have to duplicate prj.conf from the sample image.

For mcuboot, it is possible to change the signing key directory by supplying mcuboot_CONF_DIR only (not mcuboot_CONF_FILE); this causes it to use prj.conf from mcuboot SDK directory as the base configuration and then look into the directory I've defined for the key file.

It would be great if debug_keys.cmake also supported the same logic to allow getting the key from hci_rpmsg_CONF_DIR.

PS: Also I found that the logic in here is broken in other ways; if you try to pass the key via "SB_SIGNING_KEY_FILE" environment variable or CMake command line argument, it is always overridden by the config file setting.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data