nRF5340: net core application image signed by another key is booted

RE: nRF5340: net core application image signed by another key is booted

Sigurd Hellesvik — Tue, 28 May 2024 13:47:40 GMT

Then we take a step back:

The issue is that verification of network core image does not work, right?

I think we need logs from the bootloaders in this case.
Can you get those logs, from both cores?

RE: nRF5340: net core application image signed by another key is booted

yuk — Tue, 28 May 2024 02:15:42 GMT

Thank you for your support.

I checked with "west -vvv build ..." and its result was "keys were set as I expected".

Build log of the base firmware with key name image_sign.pem;

[392/402] cd /D C:\Users\yuk\dev\git\firmware\zigbee_cli\build_1\modules\mcuboot && C:\ncs\toolchains\31f4403e35\opt\zephyr-sdk\arm-zephyr-eabi\bin\arm-zephyr-eabi-objcopy.exe --input-target=ihex --output-target=binary --gap-fill=0xff C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/802154_rpmsg/zephyr/signed_by_b0_app.hex C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_to_sign.bin && C:\Users\yuk\AppData\Local\Programs\Python\Python312\python.exe C:/Users/yuk/ncs/v2.4.2/bootloader/mcuboot/scripts/imgtool.py sign --key C:/Users/yuk/dev/git/firmware/zigbee_cli/custom_key_dir/image_sign.pem --header-size 0x200 --align 4 --version 1.1.0+4 --pad-header --slot-size 0x74000 C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_to_sign.bin C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_update.bin

Build log of the test firmware for image verification with key test_image_sign.pem;

[386/402] cd /D C:\Users\yuk\dev\git\firmware\zigbee_cli\build_1\modules\mcuboot && C:\ncs\toolchains\31f4403e35\opt\zephyr-sdk\arm-zephyr-eabi\bin\arm-zephyr-eabi-objcopy.exe --input-target=ihex --output-target=binary --gap-fill=0xff C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/802154_rpmsg/zephyr/signed_by_b0_app.hex C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_to_sign.bin && C:\Users\yuk\AppData\Local\Programs\Python\Python312\python.exe C:/Users/yuk/ncs/v2.4.2/bootloader/mcuboot/scripts/imgtool.py sign --key C:/Users/yuk/dev/git/firmware/zigbee_cli/custom_key_dir/test_image_sign.pem --header-size 0x200 --align 4 --version 1.1.0+6 --pad-header --slot-size 0x74000 C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_to_sign.bin C:/Users/yuk/dev/git/firmware/zigbee_cli/build_1/zephyr/net_core_app_update.bin

Thank you

RE: nRF5340: net core application image signed by another key is booted

Sigurd Hellesvik — Fri, 24 May 2024 13:38:09 GMT

Check with "west -vvv build ..." that the keys were really set as you expected.

If they are set as expected, then we will take a step back, un-assume that this is related to keys and apply some generic debugging to your issue.

RE: nRF5340: net core application image signed by another key is booted

yuk — Fri, 24 May 2024 05:39:34 GMT

Thank you for your reply.

I set the key with 802154_rpmsg_CONFIG_SB_SIGNING_KEY_FILE, because i'm using Zigbee not BT.

Now my CMakeList has

set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/custom_key_dir/image_sign.pem\")
set(802154_rpmsg_CONFIG_SB_SIGNING_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/custom_key_dir/image_sign.pem\")

I tried DFU same as before with this version.

However, the behavior remains the same. The net core app is able to start after DFU. This is not my expectation...

Is there something else I'm missing?

Thank you.

RE: nRF5340: net core application image signed by another key is booted

Sigurd Hellesvik — Tue, 21 May 2024 11:17:02 GMT

Hi,

Yes, the network core image is also signed.

If I build with "west -vvv build ...", I get the following log:

[227/236] cd /home/bruk/hdd/nrf_connect_sdk/zephyr/samples/hello_world/build/modules/mcuboot && /opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-objcopy --input-target=ihex --output-target=binary --gap-fill=0xff /home/bruk/hdd/nrf_connect_sdk/zephyr/samples/hello_world/build/hci_ipc/zephyr/signed_by_b0_app.hex /home/bruk/hdd/nrf_connect_sdk/zephyr/samples/hello_world/build/zephyr/net_core_app_to_sign.bin && /home/bruk/hdd/nrf_connect_sdk/venv/bin/python /home/bruk/hdd/nrf_connect_sdk/bootloader/mcuboot/scripts/imgtool.py sign --key /home/bruk/hdd/nrf_connect_sdk/bootloader/mcuboot/root-rsa-2048.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --slot-size 0x78000 /home/bruk/hdd/nrf_connect_sdk/zephyr/samples/hello_world/build/zephyr/net_core_app_to_sign.bin /home/bruk/hdd/nrf_connect_sdk/zephyr/samples/hello_world/build/zephyr/net_core_app_update.bin

As you can see, it is signed with the MCUboot key, and with the key of the network core bootloader.

Try to set the key for the network core bootloader as well, with hci_ipc_CONFIG_SB_SIGNING_KEY_FILE

Regards,
Sigurd Hellesvik