Problem with FW encryption

Hi, I am trying to get FW encryption to work for my DFU with MCUboot for the nRF9160DK.

I have created a child_image folder with an mcuboot.conf where I have put:

CONFIG_BOOT_ECDSA_TINYCRYPT=y
CONFIG_BOOT_ENCRYPT_EC256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="/keys/priv.pem"
CONFIG_BOOT_ENCRYPTION_KEY_FILE="/custom_key_dir/ecdsa_private_key.pem"


# Logging
CONFIG_LOG=y
CONFIG_MCUBOOT_LOG_LEVEL_DBG=y

And then I generated keys with:

openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private_key.pem

openssl ec -in ecdsa_private_key.pem -pubout -out ecdsa_public_key.pem

xxd -i ecdsa_public_key.pem > ecdsa_public_key.c

I put the result from ecdsa_public_key.c in

ncs/v2.3.0/bootloader/mcuboot/boot/zephyr/keys.c, but when I try to build I get

 multiple definition of `enc_priv_key_len'; app/libapp.a(keys.c.obj):ncs/v2.3.0/bootloader/mcuboot/boot/zephyr/keys.c:206: first defined here
 /hello_world/build/mcuboot/zephyr/autogen-enckey.c:2: multiple definition of `enc_priv_key'; app/libapp.a(keys.c.obj):ncs/v2.3.0/bootloader/mcuboot/boot/zephyr/keys.c:189: first defined here
What do I need to change to get autogen-enckey.c to not generate enc keys?

  • I think I had some mistakes here with the key generation and the keys.c file. I removed what I added to keys.c and generated new keys with:

    openssl ecparam -name prime256v1 -genkey -noout -out ec_private_key.pem
    openssl ec -in ec_private_key.pem -pubout -out ec_public_key.pem
    

    And changed my mcuboot.conf to:

    CONFIG_BOOT_ENCRYPTION_KEY_FILE="/custom_key_dir/ec_private_key.pem"

    And now I can build and flash the program. But when I try to update the firmware via nRF Cloud I get:

    *** Booting Zephyr OS build v3.2.99-ncs2 ***
    I: Starting bootloader
    I: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
    I: Secondary image: magic=good, swap_type=0x2, copy_done=0x3, image_ok=0x3
    I: Boot source: none
    I: Swap type: test
    E: Image in the secondary slot is not valid!
    I: Bootloader chainload address offset: 0x18000
    I: Jumping to the first image slot
    *** Booting Zephyr OS build v3.2.99-ncs2 ***

    I encrypt app_to_sign.bin with:

    ncs/v2.3.0/bootloader/mcuboot/scripts/imgtool.py --header-size 0x200 --align 4 --version 5.6.9+8 --pad-header --slot-size 0x74000 --encrypt /custom_key_dir/ec_public_key.pem /hello_world/build/zephyr/app_to_sign.bin /hello_world/build/zephyr/app_update_encrypted.bin

  • Hi,

    Happy to hear that you found a solution for building the firmware.

    What I believe is missing is that you've either not signed the new firmware with the same keys (i.e. the bootloader can't validate the new image), or that you've not uploaded the correct update image. Could you state what image you've uploaded as image update?

    I also recommend that you have a closer look at https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures and https://academy.nordicsemi.com/courses/nrf-connect-sdk-intermediate/lessons/lesson-8-bootloaders-and-dfu-fota/ (more specifically the lessons and exercises regarding keys). I believe that these links should provide you with a solution for what you need.

    Kind regards,
    Andreas
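
Whether an update image was actually signed, as the reply above asks, can be checked before upload by reading the TLV area that follows the payload. This is an added example, not part of the original thread and not MCUboot or imgtool code; `inspect_image`, `read_tlvs` and `build_sample` are hypothetical helper names, the sample images are constructed, and the magic and TLV type values are the ones defined by MCUboot's image format.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D                      # MCUboot image header magic
TLV_INFO_MAGIC, TLV_PROT_INFO_MAGIC = 0x6907, 0x6908
ENCRYPTED_FLAGS = 0x04 | 0x08                 # IMAGE_F_ENCRYPTED_AES128 / _AES256
TLV_NAMES = {0x01: "KEYHASH", 0x10: "SHA256", 0x20: "RSA2048_PSS",
             0x22: "ECDSA_SIG", 0x23: "RSA3072_PSS", 0x24: "ED25519",
             0x30: "ENC_RSA2048", 0x31: "ENC_KW", 0x32: "ENC_EC256"}
SIGNATURE_TLVS = {"RSA2048_PSS", "ECDSA_SIG", "RSA3072_PSS", "ED25519"}

def read_tlvs(img, off, magic):
    """Return (TLV names, offset past the area); ([], off) if the area is absent."""
    if len(img) < off + 4:
        return [], off
    found, total = struct.unpack_from("<HH", img, off)
    if found != magic or total < 4 or off + total > len(img):
        return [], off
    names, pos, end = [], off + 4, off + total
    while pos + 4 <= end:
        tlv_type, length = struct.unpack_from("<HH", img, pos)
        names.append(TLV_NAMES.get(tlv_type, hex(tlv_type)))
        pos += 4 + length
    return names, end

def inspect_image(img):
    """Report whether an imgtool output carries hash, signature and encryption TLVs."""
    if len(img) < 32:
        raise ValueError("too short for an MCUboot image header")
    magic, _load, hdr_size, _prot, img_size, flags = struct.unpack_from("<IIHHII", img, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image (bad magic)")
    protected, off = read_tlvs(img, hdr_size + img_size, TLV_PROT_INFO_MAGIC)
    tlvs = protected + read_tlvs(img, off, TLV_INFO_MAGIC)[0]
    return {"tlvs": tlvs,
            "hashed": "SHA256" in tlvs,
            "signed": bool(SIGNATURE_TLVS & set(tlvs)),
            "encrypted": bool(flags & ENCRYPTED_FLAGS)
                         and any(t.startswith("ENC_") for t in tlvs)}

def build_sample(flags, tlvs):
    """Constructed test image: 0x200-byte header, dummy payload, unprotected TLVs."""
    payload = b"\xAA" * 64
    header = struct.pack("<IIHHII", IMAGE_MAGIC, 0, 0x200, 0, len(payload), flags)
    body = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in tlvs)
    info = struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(body))
    return header.ljust(0x200, b"\0") + payload + info + body

if __name__ == "__main__":
    # Constructed samples: hash + encrypted key only, then with key hash + signature.
    base = [(0x10, bytes(32)), (0x32, bytes(113))]
    print(inspect_image(build_sample(0x04, base)))
    print(inspect_image(build_sample(0x04, base + [(0x01, bytes(32)), (0x22, bytes(70))])))
```

To check a real update file, pass its bytes (`open(path, "rb").read()`) to `inspect_image`; an image with `"signed": False` has no signature TLV for the bootloader to verify.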
