<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/109542/using-zephyr-and-mcuboot-without-image-signatures</link><description>Is there a way to not use signatures at all for MCUboot? 
 
 Without any changes to the kconfig file, I get a warning when compiling a project using MCUboot: 
 --- WARNING: Using default MCUBoot key, it should not --- --- be used for production. -- 
</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Wed, 24 Apr 2024 10:44:57 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/109542/using-zephyr-and-mcuboot-without-image-signatures" /><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/480412?ContentTypeID=1</link><pubDate>Wed, 24 Apr 2024 10:44:57 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:502b8ed1-df6e-4bb9-8e18-f7674dad695a</guid><dc:creator>mstriegel</dc:creator><description>&lt;p&gt;Hi,&lt;/p&gt;
&lt;p&gt;the challenge here is that things are intertwined: Essentially the magic happens in two files:&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;1. nrf/modules/mcuboot/CMakeLists.txt&lt;/div&gt;
&lt;div&gt;2. bootloader/mcuboot/boot/zephyr/CMakeLists.txt&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;(1.) contains the function(sign), which creates all the desired build artifacts, i.e., app_update.bin, app_to_sign.bin _but only_ if CONFIG_SIGN_IMAGES=y. It further checks if CONFIG_BOOT_SIGNATURE_KEY_FILE has been provided. If so, it uses the private key contained in the provided .pem file to sign the build artifacts. If CONFIG_BOOT_SIGNATURE_KEY_FILE has not been set, it uses the default key root-ec-p256.pem provided by mcuboot and shows the well-known warning banner (I suppose if you set CONFIG_BOOT_SIGNATURE_TYPE_RSA or CONFIG_BOOT_SIGNATURE_TYPE_ED25519 it would use the default key for those).&lt;/p&gt;
&lt;p&gt;Next, it tries to extract the pubkey from the .PEM file (line 332) and if this causes an error (if(${ret_val} EQUAL 2)), it warns you that the .PEM file does not contain a valid _private_ key (???) and suggests you set CONFIG_SIGN_IMAGES=n.&lt;/p&gt;
&lt;p&gt;Then it uses the private key contained in the .PEM file to sign the build artefacts.&lt;/p&gt;
&lt;p&gt;(2.) uses CONFIG_BOOT_SIGNATURE_KEY_FILE to extract the public key portion from it and create the file build/zephyr/autogen-pubkey.h, which is then compiled into the bootloader.&lt;/p&gt;
&lt;p&gt;(2.) will also consider CONFIG_BOOT_SIGNATURE_TYPE_NONE but in my nrf connect SDK v0.2.5 this will only modify some library includes.&lt;/p&gt;
&lt;p&gt;I could confirm that setting&lt;/p&gt;
&lt;p&gt;CONFIG_SIGN_IMAGES=n @prj.conf&lt;/p&gt;
&lt;p&gt;CONFIG_BOOT_SIGNATURE_TYPE_NONE=y @mcuboot.conf&lt;/p&gt;
&lt;p&gt;results in only the merged.hex build artifact.&lt;/p&gt;
&lt;p&gt;So to solve your problem, I suppose you need to modify (1.) and potentially (2.) such that functionality is disentangled and that (1.) still creates the build artifacts but does not try to sign them.&lt;/p&gt;
&lt;p&gt;You might find inspiration in [1], as this post made me understand how the Kconfig symbols are used in the two CMakeLists.txt files.&lt;/p&gt;
&lt;p&gt;[1] &lt;a href="https://devzone.nordicsemi.com/f/nordic-q-a/80629/decouple-mcuboot-public-key-storage-and-image-signing-nrf9160-mcuboot"&gt;devzone.nordicsemi.com/.../decouple-mcuboot-public-key-storage-and-image-signing-nrf9160-mcuboot&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/477066?ContentTypeID=1</link><pubDate>Thu, 04 Apr 2024 10:52:52 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:14e20f68-89f6-4a53-be66-067684c073c0</guid><dc:creator>Menon</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
&lt;p&gt;That&amp;#39;s strange. Then, I guess, you need to manually set the MCUboot build to not use a signature. I believe this feature will be included in the next release of NCS with the inclusion of &lt;a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.4.0/zephyr/build/sysbuild/index.html"&gt;Sysbuild&amp;nbsp;&lt;/a&gt;as the new multi-image build system.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Kind Regards,&lt;/p&gt;
&lt;p&gt;Abhijith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/476232?ContentTypeID=1</link><pubDate>Wed, 27 Mar 2024 20:36:19 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:116a24de-5bbe-4fd3-985e-14fe34ab3729</guid><dc:creator>JoshK</dc:creator><description>&lt;p&gt;I tried that, it does actually finish the build with no issues, but it no longer generates a binary file for application updates, which is the output that I need. app_update.bin.&lt;br /&gt;&lt;br /&gt;Maybe I am missing something there?&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/476209?ContentTypeID=1</link><pubDate>Wed, 27 Mar 2024 17:34:29 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:f9c9c18d-d187-42f1-bca0-68f9c9cdf52e</guid><dc:creator>Menon</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
[quote user="JoshK"]The problem is that setting MCUboot to not require a key seems to result in build errors from the nrf connect sdk, which is attempting to sign the image as part of the build process (using then nonexistent resources).[/quote]
&lt;p&gt;Yes, the NCS release until version V2.6.0 does not support the not-checking signature feature. Most of these will be included in the upcoming release, but I cannot provide you with a timeline for this.&lt;/p&gt;
&lt;p&gt;Can you include the configuration CONFIG_SIGN_IMAGES=n in the project configuration (prj.config) and CONFIG_BOOT_SIGNATURE_TYPE_NONE=y inside the mcuboot configuration (childimage/mcuboot/mcuboot.config)? Let me know if this works or not.&lt;/p&gt;
&lt;p&gt;&lt;span style="font-family:inherit;"&gt;Please expect some delay after this response as it is Easter vacation here in Norway. You can expect a response after the 2nd of April. Sorry if this creates any inconvenience for your development.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Kind Regards,&lt;/p&gt;
&lt;p&gt;Abhijith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/475700?ContentTypeID=1</link><pubDate>Mon, 25 Mar 2024 14:47:18 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:24d168b5-545d-457a-b755-aa7323f3c1ff</guid><dc:creator>JoshK</dc:creator><description>&lt;p&gt;I understand that is the cause of the warning. I can avoid it by using a custom key, but would prefer to use no key whatsoever.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The problem is that setting MCUboot to not require a key seems to result in build errors from the nrf connect sdk, which is attempting to sign the image as part of the build process (using then nonexistent resources).&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Using zephyr and MCUboot without image signatures</title><link>https://devzone.nordicsemi.com/thread/475571?ContentTypeID=1</link><pubDate>Mon, 25 Mar 2024 09:07:48 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:1def2ab8-b467-41a6-b636-d7395f803773</guid><dc:creator>Menon</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
&lt;p&gt;The warning message you&amp;#39;re seeing is indicating that the default MCUBoot key is being used. This key is intended for development or debug use only and should not be used for production.&lt;/p&gt;
&lt;p&gt;It might not be possible to avoid the warning without setting your custom key for MCUboot, as this warning is a built-in feature of MCUboot to ensure the security of the application when it comes to production. I think you can just ignore the warning if you are using some other method for verification.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Kind Regards,&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Abhijith&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>