Cannot enable SECURE_BOOTLOADER in matter project

RE: Cannot enable SECURE_BOOTLOADER in matter project

AHaug — Mon, 02 Oct 2023 08:38:55 GMT

Hi,

Apologies for the long response time.

[quote user="Hugo.Dev"]Do you know what I am missing?[/quote]

What SDK are you using? If these configurations are fetched from any of the signing samples, there could be changes in between the NCS version you're using and the samples version

This case is somewhat old but I think relevant for the undefined references: Undefined reference to rsa_pub_key when CONFIG_BOOT_SIGNATURE_KEY_FILE is defined Were you able to get the samples to work before adding them to your Matter project?

Kind regards,
Andreas

RE: Cannot enable SECURE_BOOTLOADER in matter project

Hugo.Dev — Fri, 29 Sep 2023 14:34:16 GMT

Hi, any update?
I just went back to it.

Trying a different approach, I have added these lines to mcuboot/prj.conf:

CONFIG_BOOT_SIGNATURE_TYPE_RSA=n
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="levelboot.pem"

but in this case I am getting these compiling errors:

undefined reference to `ecdsa_pub_key'

undefined reference to `ecdsa_pub_key_len'

Do you know what I am missing?

RE: Cannot enable SECURE_BOOTLOADER in matter project

Hugo.Dev — Mon, 25 Sep 2023 14:53:13 GMT

Hi, I´ll take a look.
Here are the configuration files i am using:

overlay-common.conf

# ===========================
# Interal Flash Configuration
# ===========================
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y

# =====================
# Settings Configuration
# =====================
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y
CONFIG_SETTINGS_NVS_SECTOR_SIZE_MULT=1
CONFIG_SETTINGS_NVS_SECTOR_COUNT=8

# ====================
# Crypto Configuration
# ====================
CONFIG_MBEDTLS_AES_C=y
CONFIG_MBEDTLS_CIPHER_MODE_CBC=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_OPENTHREAD_SOURCES=y
CONFIG_MBEDTLS_GCM_C=y
# required for ED25519 patches
CONFIG_MBEDTLS_SHA512_C=y

# ================
# Power Management
# ================
# Eric: I am disabling this for now since we have an issue with external flash power management
#CONFIG_PM=y
#CONFIG_PM_DEVICE=y
#CONFIG_PM_DEVICE_RUNTIME=y

# =============
# Miscellaneous
# =============
# CONFIG_HEAP_MEM_POOL_SIZE=1024
CONFIG_ASSERT=n
CONFIG_REBOOT=y
CONFIG_MAIN_THREAD_PRIORITY=7
CONFIG_OPENTHREAD_SHELL=n

# =====
# Stacks
# =====
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
CONFIG_LOW_PRIORITY_WORKQUEUE_STACK_SIZE=6144
CONFIG_SHELL_STACK_SIZE=2048
CONFIG_OPENTHREAD_THREAD_STACK_SIZE=4096

# ====================
# Memory Optimizations
# ====================
CONFIG_SIZE_OPTIMIZATIONS=y
CONFIG_BOOT_BANNER=n

# ================
# WatchDog Support
# ================
# CONFIG_WATCHDOG=n
# CONFIG_WDT_LOG_LEVEL_DBG=n
# CONFIG_WDT_DISABLE_AT_BOOT=n

# =================
# Bluetooth Support
# =================
# CONFIG_BT=y
# CONFIG_BT_SMP=n
# CONFIG_BT_GATT_SERVICE_CHANGED=y
# CONFIG_BT_PHY_UPDATE=y
# CONFIG_BT_SETTINGS=n
# CONFIG_BT_DIS=n
# CONFIG_BT_ATT_PREPARE_COUNT=0

# CONFIG_BT_MAX_CONN=2
# CONFIG_BT_MAX_PAIRED=0
# CONFIG_BT_PERIPHERAL=y
# CONFIG_BT_CENTRAL=y

# CONFIG_BT_SHELL=n
# CONFIG_BT_DEBUG_LOG=y
# CONFIG_BT_HCI=y
# CONFIG_BT_L2CAP_TX_MTU=247
# CONFIG_BT_BUF_ACL_RX_SIZE=251
# CONFIG_BT_BUF_ACL_TX_COUNT=3
# CONFIG_BT_BUF_ACL_TX_SIZE=251
# CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
# CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL=y
# CONFIG_BT_GATT_CLIENT=y
# CONFIG_BT_GATT_DYNAMIC_DB=y

# BLE device configs
# CONFIG_BT_COMPANY_ID=0xFDBF
# CONFIG_BT_DEVICE_APPEARANCE=1793
# CONFIG_BT_DEVICE_NAME_DYNAMIC=y
# CONFIG_BT_DEVICE_NAME_MAX=15

# Extended Advertising for multiple Adv Set support
# CONFIG_BT_EXT_ADV=y
# CONFIG_BT_CTLR_ADV_DATA_LEN_MAX=31
# CONFIG_BT_EXT_ADV_MAX_ADV_SET=2

# BLE Threads Stacks Sizes
CONFIG_BT_HCI_TX_STACK_SIZE_WITH_PROMPT=y
CONFIG_BT_HCI_TX_STACK_SIZE=1024
CONFIG_BT_RX_STACK_SIZE=1024

# ============================
# Necessary Peripheral Support
# ============================
CONFIG_I2C=y
CONFIG_I2S=y
CONFIG_PWM=y
CONFIG_GPIO=y
CONFIG_NRFX_COMP=y
CONFIG_NRFX_PPI=y

# Enable ADC
CONFIG_ADC=y
CONFIG_ADC_SHELL=n
CONFIG_ADC_ASYNC=y

# Temperature Sensor
CONFIG_SENSOR=y
CONFIG_SENSOR_SHELL=n
CONFIG_TEMP_NRF5_MPSL=y

# Hardware Info Support
CONFIG_HWINFO=y
CONFIG_HWINFO_NRF=y

# Pinctrl Support
# CONFIG_PINCTRL=y

# For trig functions and other necessary for DSP
CONFIG_NEWLIB_LIBC=y
CONFIG_FPU=y
CONFIG_FPU_SHARING=y

# ==============
# Zigbee Support
# ==============
# CONFIG_ZIGBEE=n
# CONFIG_ZIGBEE_APP_UTILS=n
# CONFIG_ZIGBEE_SHELL=n
# CONFIG_ZIGBEE_ROLE_END_DEVICE=n
# CONFIG_ZIGBEE_CHANNEL_SELECTION_MODE_MULTI=n

# ZBOSS configuration (for Zigbee thread)
#CONFIG_ZBOSS_DEFAULT_THREAD_PRIORITY=20
#CONFIG_ZBOSS_TRACE_LOG_LEVEL_INF=y
#CONFIG_PM_PARTITION_SIZE_ZBOSS_NVRAM=0x4000

# Networking configs for Zigbee
# CONFIG_NET_IPV6_MLD=n
# CONFIG_NET_IPV6_NBR_CACHE=n
# CONFIG_NET_IPV6_RA_RDNSS=n
# CONFIG_NET_IP_ADDR_CHECK=n

# Cryptography support for Zigbee
# CONFIG_TINYCRYPT=y
# CONFIG_CTR_DRBG_CSPRNG_GENERATOR=y
# CONFIG_ZIGBEE_USE_SOFTWARE_AES=y

# ==============
# Matter Support
# ==============
CONFIG_CHIP=y
CONFIG_CHIP_QSPI_NOR=y
CONFIG_CHIP_PROJECT_CONFIG="src/MatterLock/chip_project_config.h"
CONFIG_CHIP_NFC_COMMISSIONING=n
CONFIG_STD_CPP14=y

# Bluetooth Low Energy configuration
CONFIG_BT_DEVICE_NAME="MatterLock"

prj.conf

# =======================
# Enable bootloaded image
# =======================
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE=y

# Default to an internal (development) build
CONFIG_BUILD_TYPE_INTERNAL=y

# ================
# Enable Debugging
# ================
#CONFIG_DEBUG_OPTIMIZATIONS=y
#CONFIG_DEBUG_THREAD_INFO=y
#CONFIG_THREAD_NAME=y
CONFIG_DEBUG=n

CONFIG_SHELL=y
CONFIG_CONSOLE_SUBSYS=y
CONFIG_CLI=y

# ==============
# Enable logging
# ==============
CONFIG_LOG=y
CONFIG_LOG_SPEED=y
CONFIG_LOG_PRINTK=y
CONFIG_LOG_MODE_DEFERRED=y
CONFIG_LOG_PROCESS_THREAD_STACK_SIZE=1024
CONFIG_LOG_BUFFER_SIZE=2048

# turn off functions names in the logging messages
CONFIG_LOG_FUNC_NAME_PREFIX_ERR=n
CONFIG_LOG_FUNC_NAME_PREFIX_WRN=n
CONFIG_LOG_FUNC_NAME_PREFIX_INF=n

CONFIG_MATTER_LOG_LEVEL_INF=y

RE: Cannot enable SECURE_BOOTLOADER in matter project

AHaug — Mon, 25 Sep 2023 09:05:22 GMT

Noted, thank you for clarifying

[quote user="Hugo.Dev"]4. I was reading these resources:[/quote]

Could you verify in which of the projects configuration files you've added the configurations?

Could you upload all of your projects configuration and overlay files and name them?

I would also recommend you to have a look at this repository created by a colleague of mine where he explains signatures to some extent in addition to the documentation referred to: https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures as well as https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/security/security.html

Kind regards,
Andreas

RE: Cannot enable SECURE_BOOTLOADER in matter project

Hugo.Dev — Thu, 21 Sep 2023 12:08:24 GMT

Hi.

1. I am performing OTA over matter. And it is already working ok.

2. yes, only app update. But I am interested in adding some image signature.

3. yes i´ve seen that guide

4. I was reading these resources:

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/bootloader_adding.html

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/config_and_build/bootloaders_and_dfu/fw_update.html

I short, I only want to add a signature to the OTA image, and want the bootloader to check that signature.

RE: Cannot enable SECURE_BOOTLOADER in matter project

AHaug — Thu, 21 Sep 2023 11:57:00 GMT

Hi,

I'm going to need some more information before

You state that you're aiming to do OTA, but over what protocol?
1. Is it Matter OTA update protocol or SMP over BLE?
Are you only going to do application update? If so, you don't need Nordic Secure Immutable Bootloader (NSIB) and you only need MCUboot
Have you seen the guide for adding DFU support to the door lock sample? https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/matter/lock/README.html#device-firmware-upgrade-support
1. CONFIG_IS_SECURE_BOOTLOADER=y AFAIK this only sets that the device with this configuration IS the bootloader, not that you enable NSIB. In which part of the projects configuration has this been set? Is it in the applications prj.conf?
Could you post links to what resources you've been following? Do note that the links I've posted is for the latest release of NCS. Which version do you use?

Kind regards,
Andreas