https://devzone.nordicsemi.com/f/nordic-q-a/111161/how-to-configure-so-that-both-immutable-and-upgradable-bootloader-are-mcubootHello, I&#39;m using the nrf5340 and nrf Connect SDK 2.6.1. Currently the MCUBoot is immutable and the cpuapp image is encrypted (it contains IP and secrets). The MCUBoot is kept confidential to not leak the private key. We now want the MCUBoot to be upgradableen-USTelligent Community 13Tue, 21 May 2024 13:37:27 GMThttps://devzone.nordicsemi.com/thread/485150?ContentTypeID=1Tue, 21 May 2024 13:37:27 GMT137ad170-7792-4731-bb38-c0d22fbe4515:93e2046b-2761-4d90-b2d1-2148fc17a483AHaug<p>Hi,</p> <p>It is as you state no documentation or samples for a second stage MCUboot on top of a first stage MCUboot due to there not being any support for this. It is not impossible to do, but you are 100% on your own w.r.t creating this and really not recommended due to all the considerations with security and <span>SPU regions</span>. MCUboot is originally created to be a first stage bootloader and NSIB is something Nordic has created to allow for MCUboot to be an uppgradable second stage bootlaoder.</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/484827?ContentTypeID=1Fri, 17 May 2024 14:29:33 GMT137ad170-7792-4731-bb38-c0d22fbe4515:730cd590-db88-446a-9a1d-46adf2e61e8afranchan<p>Hello Andreas,</p> <p>Thank you for your reply! For my deeper understanding, I have these additional question:</p> <p><em>... as we don&#39;t support FW decryption in <strong>NSIB</strong> ...</em><br />Thank you for confirming the NSIB cannot be used for such purpose (only checking signatures). Could you confirm that it is impossible to configure a 1st stage <span style="text-decoration:underline;"><strong>MCUBoot</strong></span> (instead of NSIB) image as immutable and a different 2nd stage mutable MCUBoot image? I did not find documentation nor a sample illustrating such use case.</p> <p>Kind&nbsp; regards, francis</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/483489?ContentTypeID=1Wed, 15 May 2024 11:57:12 GMT137ad170-7792-4731-bb38-c0d22fbe4515:dc6b0c92-7177-4d01-aaca-8a9eecff2f47AHaug<p>Hi,</p> <p>Here&#39;s a summary of the discussion I had with&nbsp;</p> <p>Upgradable MCUboot and keys in the firmware image is not supported as we don&#39;t support FW decryption in NSIB and any custom implementation will have to be a proprietary solution.&nbsp;NSIB only does signature validation of the second stage bootloader and chooses to boot into it if the signature is valid.&nbsp;</p> <p>So what we understand your motivation as is that you wish to do this because of an assumption (or custom implementation) that your private keys can not be a part of a MCUboot image, which is why you say you need to have encryption of the second stage bootloader as well. To encrypt MCUboot to be able to store a key in the FW image is not a secure solution and will only give you a false sense of security. The only keys that is recommended to keep within MCUBoot FW image which you send as FW upgrade are public keys.&nbsp;</p> <p>Instead we recommend that you use Key Management Unit (KMU) to securely handle your keys. This will also protect the keys from hostile accessing through the CPU.&nbsp;Symmetrical keys or private keys used for DFU needs to be placed on the device during production, and with the nRF5340 you have the option to put the keys within the KMU.&nbsp;</p> <p>Here&#39;s some samples and documentation that showcases and explains KMU some more:</p> <ul> <li><a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/tfm/provisioning_image/README.html">https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/tfm/provisioning_image/README.html</a>&nbsp;</li> <li><a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/keys/hw_unique_key/README.html">https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/keys/hw_unique_key/README.html</a>&nbsp;</li> <li>&nbsp;And the blogpost&nbsp;<a href="https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/persistent-storage-of-keys-and-data-using-the-nrf-connect-sdk">Persistent storage of keys and data using the nRF Connect SDK</a>&nbsp;&nbsp;</li> </ul> <p>Do also note that as a side note that MCUboot does also support symmetrical keys (AES KW) and private keys (ECIES, where a hybrid algorithm that uses ECC-keys does a handshake to set up symmetrical FW encryption keys. Both of the must under no circumstances be sent over the air.</p> <p>To summarize we recommend that you store the keys in KMU and use MCUboot as is with TF-M enabled. FW keys on a device without TF-M enabled will cause that anyone that has local access will be able to decrypt whatever they wish with the key or to do any other hostile actions.</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/483289?ContentTypeID=1Tue, 14 May 2024 12:44:49 GMT137ad170-7792-4731-bb38-c0d22fbe4515:e042e821-5bc9-4275-84a5-c119961c3743AHaug<p>Hi,</p> <p>I&#39;ve picked up your case and will ask the bootloader team for clarification on some of your question. I will write you a summary of the discussion when we have a conclusion, hopefully within tomorrow.</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>