WARNING: To maintain the integrity of secure boot, enable CONFIG_DISABLE_FLASH_PATCH in production on ncs v2.4.2

Procedures to reproduce this issue are as follows.

1. cd C:\ncs\v2.4.2\nrf\applications\nrf_desktop

2. west build -b nrf52833dk_nrf52833

C:\ncs\v2.4.2\nrf\applications\nrf_desktop>west build -b nrf52833dk_nrf52833
-- west build: generating a build system
Loading Zephyr default modules (Zephyr base).
-- Application: C:/ncs/v2.4.2/nrf/applications/nrf_desktop
-- CMake version: 3.20.5
-- Using NCS Toolchain 2.4.0 for building. (C:/ncs/toolchains/31f4403e35/cmake)
-- Found Python3: C:/ncs/toolchains/31f4403e35/opt/bin/python.exe (found suitable exact version "3.8.2") found components: Interpreter
-- Cache files will be written to: C:/ncs/v2.4.2/zephyr/.cache
-- Zephyr version: 3.3.99 (C:/ncs/v2.4.2/zephyr)
-- Found west (found suitable version "1.0.0", minimum required is "0.7.1")
-- Board: nrf52833dk_nrf52833
-- Found host-tools: zephyr 0.16.0 (C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk)
-- Found toolchain: zephyr 0.16.0 (C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk)
-- Found Dtc: C:/ncs/toolchains/31f4403e35/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
-- Found BOARD.dts: C:/ncs/v2.4.2/zephyr/boards/arm/nrf52833dk_nrf52833/nrf52833dk_nrf52833.dts
-- Found devicetree overlay: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/configuration/nrf52833dk_nrf52833/app.overlay
-- Generated zephyr.dts: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/zephyr/zephyr.dts
-- Generated devicetree_generated.h: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/zephyr/include/generated/devicetree_generated.h

-- Including generated dts.cmake file: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/zephyr/dts.cmake
Parsing C:/ncs/v2.4.2/nrf/applications/nrf_desktop/Kconfig
Loaded configuration 'C:/ncs/v2.4.2/zephyr/boards/arm/nrf52833dk_nrf52833/nrf52833dk_nrf52833_defconfig'
Merged configuration 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/configuration/nrf52833dk_nrf52833/prj.conf'
Configuration saved to 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/zephyr/.config'
Kconfig header saved to 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/zephyr/include/generated/autoconf.h'
-- Found GnuLd: c:/ncs/toolchains/31f4403e35/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd.exe (found version "2.38")
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- The ASM compiler identification is GNU
-- Found assembler: C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc.exe
-- Found Python3: C:/ncs/toolchains/31f4403e35/opt/bin/python.exe (found version "3.8.2") found components: Interpreter

=== child image mcuboot -  begin ===
loading initial cache file C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/child_image_preload.cmake
Loading Zephyr default modules (Zephyr base).
-- Application: C:/ncs/v2.4.2/bootloader/mcuboot/boot/zephyr
-- CMake version: 3.20.5
-- Using NCS Toolchain 2.4.0 for building. (C:/ncs/toolchains/31f4403e35/cmake)
-- Found Python3: C:/ncs/toolchains/31f4403e35/opt/bin/python.exe (found suitable exact version "3.8.2") found components: Interpreter
-- Cache files will be written to: C:/ncs/v2.4.2/zephyr/.cache
-- Zephyr version: 3.3.99 (C:/ncs/v2.4.2/zephyr)
-- Found west (found suitable version "1.0.0", minimum required is "0.7.1")
-- Board: nrf52833dk_nrf52833
-- Found host-tools: zephyr 0.16.0 (C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk)
-- Found toolchain: zephyr 0.16.0 (C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk)
-- Found Dtc: C:/ncs/toolchains/31f4403e35/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
-- Found BOARD.dts: C:/ncs/v2.4.2/zephyr/boards/arm/nrf52833dk_nrf52833/nrf52833dk_nrf52833.dts
-- Found devicetree overlay: C:/ncs/v2.4.2/nrf/modules/mcuboot/usb.overlay
-- Generated zephyr.dts: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/zephyr.dts
-- Generated devicetree_generated.h: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/include/generated/devicetree_generated.h
-- Including generated dts.cmake file: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/dts.cmake
Parsing C:/ncs/v2.4.2/bootloader/mcuboot/boot/zephyr/Kconfig
Loaded configuration 'C:/ncs/v2.4.2/zephyr/boards/arm/nrf52833dk_nrf52833/nrf52833dk_nrf52833_defconfig'
Merged configuration 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/configuration/nrf52833dk_nrf52833/child_image/mcuboot/prj.conf'
Merged configuration 'C:/ncs/v2.4.2/nrf/subsys/partition_manager/partition_manager_enabled.conf'
Merged configuration 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/misc/generated/extra_kconfig_options.conf'
Configuration saved to 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/.config'
Kconfig header saved to 'C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot/zephyr/include/generated/autoconf.h'
-- Found GnuLd: c:/ncs/toolchains/31f4403e35/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd.exe (found version "2.38")
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- The ASM compiler identification is GNU
-- Found assembler: C:/ncs/toolchains/31f4403e35/opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc.exe
CMake Warning at C:/ncs/v2.4.2/nrf/lib/flash_patch/CMakeLists.txt:8 (message):


        ----------------------------------------------------------
        --- WARNING: To maintain the integrity of secure boot, ---
        --- enable CONFIG_DISABLE_FLASH_PATCH in production.   ---
        ----------------------------------------------------------


CMake Warning at C:/ncs/v2.4.2/zephyr/CMakeLists.txt:839 (message):
  No SOURCES given to Zephyr library: lib__libc__common

  Excluding target from build.


CMake Warning at C:/ncs/v2.4.2/zephyr/CMakeLists.txt:839 (message):
  No SOURCES given to Zephyr library: drivers__console

  Excluding target from build.


MCUBoot bootloader key file: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/configuration/nrf52833dk_nrf52833/child_image/mcuboot/mcuboot_private.pem
-- Configuring done
-- Generating done
-- Build files have been written to: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build/mcuboot
=== child image mcuboot -  end ===

CMake Warning at C:/ncs/v2.4.2/zephyr/CMakeLists.txt:839 (message):
  No SOURCES given to Zephyr library: lib__libc__common

  Excluding target from build.


CMake Warning at C:/ncs/v2.4.2/zephyr/CMakeLists.txt:1865 (message):
  __ASSERT() statements are globally ENABLED


-- Found partition manager static configuration: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/configuration/nrf52833dk_nrf52833/pm_static.yml
Partition 'mcuboot' is not included in the dynamic resolving since it is statically defined.
Partition 'mcuboot_pad' is not included in the dynamic resolving since it is statically defined.
Partition 'mcuboot_primary' is not included in the dynamic resolving since it is statically defined.
Partition 'mcuboot_primary_app' is not included in the dynamic resolving since it is statically defined.
Partition 'settings_storage' is not included in the dynamic resolving since it is statically defined.
-- Configuring done
-- Generating done
-- Build files have been written to: C:/ncs/v2.4.2/nrf/applications/nrf_desktop/build
-- west build: building application
[1/309] Generating include/generated/version.h
-- Zephyr version: 3.3.99 (C:/ncs/v2.4.2/zephyr), build: v3.3.99-ncs1-1
[6/309] Performing build step for 'mcuboot_subimage'
[1/314] Generating include/generated/version.h
-- Zephyr version: 3.3.99 (C:/ncs/v2.4.2/zephyr), build: v3.3.99-ncs1-1
[304/314] Linking C executable zephyr\zephyr_pre0.elf

[308/314] Linking C executable zephyr\zephyr_pre1.elf

[314/314] Linking C executable zephyr\zephyr.elf
Memory region         Used Size  Region Size  %age Used
           FLASH:       62648 B        64 KB     95.59%
             RAM:       34560 B       128 KB     26.37%
        IDT_LIST:          0 GB         2 KB      0.00%
[288/309] Linking C executable zephyr\zephyr_pre0.elf

[292/309] Linking C executable zephyr\zephyr_pre1.elf

[301/309] Linking C executable zephyr\zephyr.elf
Memory region         Used Size  Region Size  %age Used
           FLASH:      361040 B     450048 B     80.22%
             RAM:       46320 B       128 KB     35.34%
        IDT_LIST:          0 GB         2 KB      0.00%
[304/309] Generating ../../zephyr/app_update.bin
image.py: sign the payload
[306/309] Generating ../../zephyr/app_signed.hex
image.py: sign the payload
[307/309] Generating ../../zephyr/app_test_update.hex
image.py: sign the payload
[309/309] Generating zephyr/merged.hex

  • Hello,

    and thank you for contacting DevZone at NordicSemi.

    As the warning mentions, to maintain the integrity of secure boot, you must enable CONFIG_DISABLE_FLASH_PATCH in the project configuration.

    As the flash patch can be used by malicious code to circumvent secure boot checks, this config would disable the Flash Patch and Breakpoint (FPB) unit of the Cortex-M4 processor.

    This would also disable breakpoints.

    Regards,

    Naeem
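
A build-time check for the setting discussed in this thread, added here as an example (not code from Nordic or from the posts above): it reads each image's generated `.config` under the build directory (the log shows `build/zephyr/.config` for the application and `build/mcuboot/zephyr/.config` for the MCUboot child image) and reports where `CONFIG_DISABLE_FLASH_PATCH` is not `y`. Treating the MCUboot image as the required one is an assumption based on where the warning appears in the log; the function names and the sample `.config` contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

OPTION = "CONFIG_DISABLE_FLASH_PATCH"  # option named in the build warning

def option_state(config_text, option=OPTION):
    """Return 'y', 'n' or 'absent' for a bool option in Kconfig .config text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == f"# {option} is not set":
            return "n"
        match = re.fullmatch(rf"{re.escape(option)}=(\S+)", line)
        if match:
            return "y" if match.group(1) == "y" else "n"
    return "absent"

def audit_build(build_dir):
    """Map every image's zephyr/.config (path relative to build_dir) to its state."""
    build = Path(build_dir)
    return {
        cfg.relative_to(build).as_posix(): option_state(cfg.read_text())
        for cfg in sorted(build.rglob(".config"))
        if cfg.parent.name == "zephyr"
    }

def unprotected(results, required=("mcuboot/zephyr/.config",)):
    """Required images (assumed: MCUboot) whose .config lacks OPTION=y."""
    return [img for img in required if results.get(img) != "y"]

def demo():
    """Constructed build tree: option set for the application image only."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed .config fragments, not taken from a real build
            "zephyr/.config": "CONFIG_REBOOT=y\nCONFIG_DISABLE_FLASH_PATCH=y\n",
            "mcuboot/zephyr/.config": "CONFIG_REBOOT=y\n# CONFIG_DISABLE_FLASH_PATCH is not set\n",
        }
        for rel, text in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        results = audit_build(tmp)
    return results, unprotected(results)

if __name__ == "__main__":
    results, missing = demo()
    for image, state in results.items():
        print(f"{image}: {OPTION} -> {state}")
    print("FAIL:" if missing else "OK", ", ".join(missing))
```

Pointing `audit_build` at a real `build` directory in a release pipeline catches the case the constructed sample shows: the option set in the application's configuration but not in the child image's own `prj.conf`.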
