Questions about SDFU implentation and security

RE: Questions about SDFU implentation and security

i_4556 — Wed, 31 Jan 2024 21:53:37 GMT

And just like that its working! Thanks for all your help!

RE: Questions about SDFU implentation and security

Amanda Hsieh — Wed, 31 Jan 2024 19:23:32 GMT

[quote user="i_4556"]And in the nrf mouse example that worked fine.[/quote]

Good. Seems the CmakeList works as expected.

[quote user="i_4556"]Instead, it reverts to the keys in the NRF folder.[/quote]

That means it cannot find the key as the path in the CmakeList.

Please check if the key file exists or if the key path is correct.

RE: Questions about SDFU implentation and security

i_4556 — Wed, 31 Jan 2024 18:37:27 GMT

Interesting but mixed results.

I started by making the changes in the sandbox, basically the nrf mouse example we have been playing around with. I change the CMakeLists to include

if (EXISTS "K/path_to_key/key_priv.pem")
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"K/path_to_key/key_priv.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"K/path_to_key/key_priv.pem\")
else()
add_compile_definitions(USING_DEV_KEY)
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/keys/dev_ec256_priv.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/keys/dev_ec256_priv.pem\")
endif()

And in the nrf mouse example that worked fine.

I then tried moving everything to my main project with all the real code, and its not working.

Here is my entire CmakeList from the main project:

cmake_minimum_required(VERSION 3.20.0)
find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
project(none)

#check for key file
if (EXISTS "K/release_key/key.pem")
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"K/release_key/key.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"K/release_key/key.pem\")
else()
add_compile_definitions(USING_DEV_KEY)
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/keys/dev_ec256_priv.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/keys/dev_ec256_priv.pem\")
endif()

ADD_CUSTOM_COMMAND(TARGET app
   PRE_BUILD
   COMMAND python ${CMAKE_CURRENT_SOURCE_DIR}/version_control_hook.py
)

FILE(GLOB app_sources src/*.c*)

target_sources(app PRIVATE ${app_sources})

Instead, it reverts to the keys in the NRF folder.

Do you have any suggestions for what im doing wrong?

RE: Questions about SDFU implentation and security

i_4556 — Wed, 31 Jan 2024 14:32:25 GMT

Everything seems to now be working; I can successfully do an update with the correct key, and it rejects attempts to update with an incorrect key.

Thank you so much for all your help.

I have one last little question: right now in the mcuboot proj.config file I have

CONFIG_BOOT_SIGNATURE_KEY_FILE="enc-ec256-priv.pem"

Could I instead define it in cmakelists.txt, that way I can make it easier to swap between the dev key and the release key? Something like:

set(CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/child_image/mcuboot/enc-ec256-priv.pem\")

RE: Questions about SDFU implentation and security

i_4556 — Tue, 30 Jan 2024 21:38:20 GMT

Hello,

Thank you for all your support. Per your suggestion, I added the two Configs. This has resulted in some strange behaviour from the build in visual studio. Please take a look at the error message below, I have bolded the relevant portion, and then underlined the paths to the key files:

FAILED: zephyr/app_update.bin
cmd.exe /C "cd /D C:\Users\Isaac\Documents\peripheral_hids_mouse\build\modules\mcuboot && C:\ncs\toolchains\c57af46cb7\opt\zephyr-sdk\arm-zephyr-eabi\bin\arm-zephyr-eabi-objcopy.exe --input-target=ihex --output-target=binary --gap-fill=0xff C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/mcuboot_primary_app.hex C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_to_sign.bin && C:\ncs\toolchains\c57af46cb7\opt\bin\python.exe C:/ncs/v2.5.0/bootloader/mcuboot/scripts/imgtool.py sign --key C:/ncs/v2.5.0/bootloader/mcuboot/mcubootenc-ec256-priv.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --encrypt mcubootenc-ec256-priv.pem --slot-size 0x74000 C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_to_sign.bin C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_update.bin"
Traceback (most recent call last):

As you can see, the path to the key file is wrong, and has somehow set itself to the location of the default key files that come with NRF SDK.

Where did it get this path from, and how do I correct it?

Earlier in the build it correctly located the key files:

MCUBoot bootloader key file: C:/Users/Isaac/Documents/peripheral_hids_mouse/child_image/mcuboot/enc-ec256-priv.pem
MCUBoot bootloader encryption key file: C:/Users/Isaac/Documents/peripheral_hids_mouse/child_image/mcuboot/enc-ec256-priv.pem

EDIT: It seems to have worked, let me do a little more testing but somehow doing a second clean build seems to have worked.

RE: Questions about SDFU implentation and security

Amanda Hsieh — Tue, 30 Jan 2024 21:14:34 GMT

Hi,

Not sure if this is what you ask for VS Code or not.

You could add the following configs to child_image/mcuboot/prj.conf to encrypt the image

CONFIG_BOOT_ENCRYPT_IMAGE=y
CONFIG_BOOT_ENCRYPTION_KEY_FILE="enc-ec256-priv.pem"

-Amanda H.

RE: Questions about SDFU implentation and security

i_4556 — Tue, 30 Jan 2024 20:51:57 GMT

Hello, and thanks for your constant support.

When I get it to work I manually invoke imgtool.py from windows command prompt with the command

C:\ncs\v2.5.0\bootloader\mcuboot>python scripts/imgtool.py sign --key C:/Users/Isaac/Documents/peripheral_hids_mouse/enc-ec256-priv.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --encrypt C:/Users/Isaac/Documents/peripheral_hids_mouse/enc-ec256-priv.pem --slot-size 0x74000 C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_to_sign.bin C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_update.bin"

RE: Questions about SDFU implentation and security

Amanda Hsieh — Tue, 30 Jan 2024 20:49:52 GMT

Hi,

I am trying to reproduce it with the Visual Studio. Could you provide the details on how you encrypt?

-Amanda H.

RE: Questions about SDFU implentation and security

i_4556 — Tue, 30 Jan 2024 19:56:32 GMT

Hello,

Thank you for your reply. I dont think the issue is path length.

I tried invoking the imgtool.py tool in the windows terminal, using the exact same command as the visual studio build, and the problem becomes evident:

C:/ncs/v2.5.0/bootloader/mcuboot/scripts/imgtool.py sign --key C:/Users/Isaac/Documents/peripheral_hids_mouse/child_image/mcuboot/enc-ec256-priv.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --encrypt C:/Users/Isaac/Documents/peripheral_hids_mouse/child_image/mcuboot/ --slot-size 0x74000 C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_to_sign.bin C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_update.bin"

Notice that after the --encrypt it points to a directory and not a file.

I dont know how to fix this in the Visual Studio configs, but I tried fixing it in the terminal by simply adding the location of the key file, making the command

scripts/imgtool.py sign --key C:/Users/Isaac/Documents/peripheral_hids_mouse/enc-ec256-priv.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --encrypt C:/Users/Isaac/Documents/peripheral_hids_mouse/enc-ec256-priv.pem --slot-size 0x74000 C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_to_sign.bin C:/Users/Isaac/Documents/peripheral_hids_mouse/build/zephyr/app_update.bin"

And now it seems to be working. How do I make that change in the config files for the project?

RE: Questions about SDFU implentation and security

Amanda Hsieh — Tue, 30 Jan 2024 19:27:03 GMT

Hi,

Try to shorter the path, for example: C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/

Windows has character limitations with the executed path, so too many characters in the path would cause unexpected errors.

-Amanda H.

RE: Questions about SDFU implentation and security

i_4556 — Tue, 30 Jan 2024 18:51:38 GMT

Hello,

Thank you for your continued assistance. Per your suggestion, I tried starting with the base case (no security) with the NRF Connect Device Manager app, and that has worked with my iPhone, and every other phone I have tried.

I am having a problem with the encryption however, in that it wont build. It fails during the signing/encrypting phase, with the following error:

PermissionError: [Errno 13] Permission denied: 'C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/child_image/mcuboot/'

The code embed tool has suddenly stopped working, but here is the relevant terminal message

[3/12] Generating ../../zephyr/app_update.bin
FAILED: zephyr/app_update.bin
cmd.exe /C "cd /D C:\Users\Isaac\Downloads\peripheral_hids_mouse\peripheral_hids_mouse\build\modules\mcuboot && C:\ncs\toolchains\c57af46cb7\opt\zephyr-sdk\arm-zephyr-eabi\bin\arm-zephyr-eabi-objcopy.exe --input-target=ihex --output-target=binary --gap-fill=0xff C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/build/zephyr/mcuboot_primary_app.hex C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/build/zephyr/app_to_sign.bin && C:\ncs\toolchains\c57af46cb7\opt\bin\python.exe C:/ncs/v2.5.0/bootloader/mcuboot/scripts/imgtool.py sign --key C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/child_image/mcuboot/enc-ec256-priv.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --encrypt C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/child_image/mcuboot/ --slot-size 0x74000 C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/build/zephyr/app_to_sign.bin C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/build/zephyr/app_update.bin"
Traceback (most recent call last):

File "C:/ncs/v2.5.0/bootloader/mcuboot/scripts/imgtool.py", line 22, in <module>

    main.imgtool()

File "C:\ncs\toolchains\c57af46cb7\opt\bin\Lib\site-packages\click\core.py", line 1128, in __call__

    return self.main(*args, **kwargs)

File "C:\ncs\toolchains\c57af46cb7\opt\bin\Lib\site-packages\click\core.py", line 1053, in main

    rv = self.invoke(ctx)

File "C:\ncs\toolchains\c57af46cb7\opt\bin\Lib\site-packages\click\core.py", line 1659, in invoke

    return _process_result(sub_ctx.command.invoke(sub_ctx))

File "C:\ncs\toolchains\c57af46cb7\opt\bin\Lib\site-packages\click\core.py", line 1395, in invoke

    return ctx.invoke(self.callback, **ctx.params)

File "C:\ncs\toolchains\c57af46cb7\opt\bin\Lib\site-packages\click\core.py", line 754, in invoke

    return __callback(*args, **kwargs)

File "C:\ncs\v2.5.0\bootloader\mcuboot\scripts\imgtool\main.py", line 425, in sign

    enckey = load_key(encrypt) if encrypt else None

File "C:\ncs\v2.5.0\bootloader\mcuboot\scripts\imgtool\main.py", line 91, in load_key

    key = keys.load(keyfile)

File "C:\ncs\v2.5.0\bootloader\mcuboot\scripts\imgtool\keys\__init__.py", line 49, in load

    with open(path, 'rb') as f:

PermissionError: [Errno 13] Permission denied: 'C:/Users/Isaac/Downloads/peripheral_hids_mouse/peripheral_hids_mouse/child_image/mcuboot/'

The error seems related to a path issue, where instead of pointing to the key file it only points to the directory with the key file. I have the same problem with my code, where I have basically copied your work related to SDFU.

I am using 2.5.0 if that matters in some way.

Thanks again for all your help!

EDIT: I tried invoking the tool in standalone mode, using the exact same command as the visual studio build, and the problem becomes evident:

Notice that after the --encrypt it points to a directory and not a file.

I dont know how to fix this in the Visual Studio configs, but I tried fixing it in the terminal, and that led to another interesting error:

TypeError: ECPrivateKey.sign() got an unexpected keyword argument 'signature_algorithm'

A quick google search shows this is a known issue from basically last week that has already been patched, so im going to apply the patch and report back. github.com/.../10237

RE: Questions about SDFU implentation and security

Amanda Hsieh — Mon, 29 Jan 2024 17:24:10 GMT

Hi,

Here is my example devzone.nordicsemi.com/.../peripheral_5F00_hids_5F00_mouse.7z. After uploading with the update_image/nRF53_HID_app_update.bin, it would show "build time: Jan 29 2024 09:51:56"

Beware that this code/configuration is not fully tested or qualified and should be considered provided “as-is”. Please test it with your application and let me know if you find any issues.

[quote user="i_4556"]EDIT: Tested the base case with no signature on my other coworker's iphone 13 and that works fine. Not sure if its all Iphone12 or just mine it doesnt work on...[/quote]

Could you try to use the nRF Connect Device Manager App https://apps.apple.com/us/app/nrf-connect-device-manager/id1519423539? Please make sure it's the latest version v1.5.3.

The minimum required iOS version is 9.0, originally released in Fall of 2015.

[quote user="i_4556"]EDIT2: Tested with my old android phone running Android 7.0 and once again app crashes when trying to perform DFU. It doesnt crash on my Android 9.0 but also doesnt work, just flashes through the screens like above.[/quote]

Please try to use the nRF Connect Device Manager app https://play.google.com/store/apps/details?id=no.nordicsemi.android.nrfconnectdevicemanager&hl=en_US

The minimum required Android version is 5.0 (Android Lollipop) due to a requirement for high MTU.

-Amanda H.

RE: Questions about SDFU implentation and security

i_4556 — Thu, 25 Jan 2024 18:40:42 GMT

Hello, thank you for your reply.

I look forward to the IOS issues being fixed, as it would be nice to be able to update the firmware from my phone (and to return my coworker's phone to him).

In the meantime, I am still having issues with the DFU when I try to implement keys. In the app on android it seems to rapidly flash through the connecting/uploading/validating (too fast to actually see them), and on the firmware side I get the following message in the terminal "I: Image index: 0, Swap type: none" and then nothing has actually happened.

Could the problem be as simple as the key being somehow wrong?

Here is my prj.config file:

#
# Copyright (c) 2019 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
CONFIG_NCS_SAMPLES_DEFAULTS=y

CONFIG_BT=y
CONFIG_BT_DEBUG_LOG=y
CONFIG_BT_MAX_CONN=2
CONFIG_BT_MAX_PAIRED=2
CONFIG_BT_L2CAP_TX_BUF_COUNT=5
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_DEVICE_NAME="HIDS_mouse"
CONFIG_BT_DEVICE_APPEARANCE=962

CONFIG_BT_BAS=y
CONFIG_BT_HIDS=y
CONFIG_BT_HIDS_MAX_CLIENT_COUNT=2
CONFIG_BT_GATT_UUID16_POOL_SIZE=40
CONFIG_BT_GATT_CHRC_POOL_SIZE=20

CONFIG_BT_CONN_CTX=y

CONFIG_BT_DIS=y
CONFIG_BT_DIS_PNP=y
CONFIG_BT_DIS_MANUF="NordicSemiconductor"
CONFIG_BT_DIS_PNP_VID_SRC=2
CONFIG_BT_DIS_PNP_VID=0x1915
CONFIG_BT_DIS_PNP_PID=0xEEEE
CONFIG_BT_DIS_PNP_VER=0x0100

CONFIG_MAIN_STACK_SIZE=1536
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048

CONFIG_DK_LIBRARY=y

#DFU settings
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUMGR=y
#changed for BT instead of UART
CONFIG_MCUMGR_TRANSPORT_BT=y
#changed, dont want to require a passcode to send dfu image
CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n

CONFIG_MCUMGR_GRP_IMG=y
CONFIG_BASE64=y
CONFIG_FLASH=y
CONFIG_IMG_MANAGER=y
CONFIG_STREAM_FLASH=y
CONFIG_NET_BUF=y
CONFIG_ZCBOR=y
CONFIG_FLASH_MAP=y

And my CMakeLists

#
# Copyright (c) 2019 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
cmake_minimum_required(VERSION 3.20.0)

set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/custom_key_dir/custom_priv.pem\")

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
project(peripheral_hids_mouse)

FILE(GLOB app_sources src/*.c)
# NORDIC SDK APP START
target_sources(app PRIVATE ${app_sources})
# NORDIC SDK APP END

zephyr_library_include_directories(${ZEPHYR_BASE}/samples/bluetooth)

And finally in my child_image folder I have an mcuboot file with CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y

I followed the instructions exactly like here for the keyfile:

${NCS_PATH}/bootloader/mcuboot/scripts/imgtool.py keygen -k custom_priv.pem -t ecdsa-p256

Do you have any suggestions for what could be wrong, why I cant seem to use DFU in signed mode? Do I still upload the app_update.bin file like with the insecure mode?

Thank you!

EDIT: Tested the base case with no signature on my other coworker's iphone 13 and that works fine. Not sure if its all Iphone12 or just mine it doesnt work on...

EDIT2: Tested with my old android phone running Android 7.0 and once again app crashes when trying to perform DFU. It doesnt crash on my Android 9.0 but also doesnt work, just flashes through the screens like above.

RE: Questions about SDFU implentation and security

Amanda Hsieh — Thu, 25 Jan 2024 16:50:57 GMT

It's good to know it works with the Android phone now. Please be aware that the mcuboot will not do anything if you upload an unmodified file.

I can reproduce the issue with iOS and check with the team now. I will be back if I have any updates from the team.

RE: Questions about SDFU implentation and security

i_4556 — Wed, 24 Jan 2024 20:54:10 GMT

Hello and thank you for your reply. I have made no real progress in trying to get this to work. As a workaround I have tried installing the DFU app on my iphone. That also doesnt work; when I try to select the .zip package, I get an "invalid manifest" error.

I figured at this point I might as well try to advance the project on my own, and implemented the code from this example: https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_custom_key this way only our company will be able to push new firmware to our device. I have added the example's .config and CMakeLists changes, and the mcuboot.conf changes.

I then tried using my coworker's android phone. This also doesnt work; although it doesnt crash immediately like on my iphone, it also doesnt work. It tries to update and gets stuck on the "Connecting" stage.

I cannot provide my entire project, but I can provide the .config files and other files like that if that helps.

I will test with the LBS and report back.

EDIT: tested with the LBS and just adding the two CONFIGs from the first example, and did not work with android or iphone, With iphone I still have the crash to the home-screen, and with android it looks like it worked but nothing actually happens on the device, the firmware is not updated.

EDIT2: I re-tested with the peripheral hids mouse sample, as I have already gotten this working on my device, and the OTA update in the simplest case worked on android. I will re-test on IOS, and then we just need to get signed keys working, and figure out why it doesnt seem to want to work on my main app.

EDIT3: Still broken with IOS, app crashes when I try to update.

RE: Questions about SDFU implentation and security

Amanda Hsieh — Wed, 24 Jan 2024 16:32:08 GMT

Hi,

[quote user="i_4556"]Thank you for your reply. I am using an Iphone 12 running IOS 16.6. I am using the NRF connect app on the phone. I am using SDK 2.5.0, and per the example simply added[/quote]

Does it work with your iPhone now? Could you test with peripheral_lbs? Does peripheral_lbs also make the app crash or does it only happen with your code? Could you provide the project?

[quote user="i_4556"]If the firmware just swaps the images, what is to stop a malicious actor uploading firmware that then dumps the old code out the serial port or otherwise bypasses readback protections? I assume the only solution is, as described in your second link, I need to add keys or something to block those uploads in the first place?[/quote]

That's true.

[quote user="i_4556"]Regarding the second link, is there anything special I need to know because I am using the nrf5340 with its seperate BLE processor, or will I still be able to use the code broadly as shown?[/quote]

The setting is the same as other chips to set the configs in child_image/mcuboot.conf

-Amanda H.

RE: Questions about SDFU implentation and security

i_4556 — Tue, 23 Jan 2024 20:29:50 GMT

Thank you for your reply. I am using an Iphone 12 running IOS 16.6. I am using the NRF connect app on the phone. I am using SDK 2.5.0, and per the example simply added

CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y

to my proj.config file for my existing codebase.

If the firmware just swaps the images, what is to stop a malicious actor uploading firmware that then dumps the old code out the serial port or otherwise bypasses readback protections? I assume the only solution is, as described in your second link, I need to add keys or something to block those uploads in the first place?

Regarding the second link, is there anything special I need to know because I am using the nrf5340 with its seperate BLE processor, or will I still be able to use the code broadly as shown?

Thank you!

RE: Questions about SDFU implentation and security

Amanda Hsieh — Tue, 23 Jan 2024 20:00:23 GMT

Hi,

[quote user=""]I have not yet been able to fully test DFU, because every time I try the app crashes to the homescreen. This is unfortunate; it looks to me like a problem with the mobile app, hopefully it gets fixed soon.[/quote]

Which phone are you using?

Are you using the nRF Connect Device Manager app?

Which NCS version and sample are you using?

In NCS v2.5.1, you could enable the DFU function with "CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y" in the peripheral_lbs sample.

[quote user=""]Firstly, does the bootloader perform a full chip erase when new firmware is loaded?[/quote]

No, it would swap the image with the current and new image. See my colleague's explanation in https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/smp#firmware-update

[quote user=""]Secondly, is there any way to tell the NRF to only accept firmware images that are signed or otherwise authenticated?[/quote]

See my colleague's explanation in https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures

Regards,
Amanda H.