<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/112648/signing-mcuboot-b0n-and-applications-with-custom-private-key-on-the-nrf5340</link><description>Hi, 
 I used the default keys while developing my application. But for production, we want to use our proprietary key for the bootloader(s) and signing the application. 
 Our project uses mcuboot without TFM (CONFIG_BOOTLOADER_MCUBOOT=y, CONFIG_BUILD_WITH_TFM</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Wed, 03 Jul 2024 11:24:27 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/112648/signing-mcuboot-b0n-and-applications-with-custom-private-key-on-the-nrf5340" /><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/492043?ContentTypeID=1</link><pubDate>Wed, 03 Jul 2024 11:24:27 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:5ef65943-5c0a-4d15-8840-209be4b331f2</guid><dc:creator>Vidar Berg</dc:creator><description>[quote user="puz_md"]No key information is needed in the main application[/quote]
&lt;p&gt;Your understanding is correct, just wnat to add that the build system will use the MCUBoot key to sign the application update image. This happens automatically has a part of the build process with the help of &amp;#39;imgtool&amp;#39;.&lt;/p&gt;
[quote user="puz_md"]And if you use two different files for signing, does this mean that the NET core app is signed twice (one time with the SB_SIGNING_KEY for b0n and one time with the mcuboot signing key)?[/quote]
&lt;p&gt;Yes, MCUBOOT metadata&amp;nbsp;such as the image hash, etc is not transferred to the netcore.&amp;nbsp;&lt;/p&gt;
[quote user="puz_md"]Also thanks for the hint with CMakeLists.txt. I didn&amp;#39;t know you could configure settings for child projects there. It seems like it does the same as creating chld_image/mcuboot.conf and hci_rpmsg.conf with the mentioned information.[/quote]
&lt;p&gt;Yes, the end result is the same. You can check the generated configs to confirm that the path to the signature file is set correctly. E.g. in build/hci_rpmsg/zephyr/.config.&lt;/p&gt;
&lt;p&gt;Best regards,&lt;/p&gt;
&lt;p&gt;Vidar&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/492021?ContentTypeID=1</link><pubDate>Wed, 03 Jul 2024 09:18:52 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:2d1d60bd-bd19-419e-8998-3fc479d21908</guid><dc:creator>puz_md</dc:creator><description>&lt;p&gt;Hi Vidar,&lt;/p&gt;
&lt;p&gt;thanks for the information. From your reply, I understand that I need the following configuration artefacts for using mcuboot without the secure immutable bootloader on the APP core, and the automatically generated hci_rpmsg&amp;nbsp; with b0n for Bluetooth on the NET core:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CONFIG_SB_SIGNING_KEY_FILE for the hci_rpmsg child project&lt;/li&gt;
&lt;li&gt;CONFIG_BOOT_SIGNATURE_KEY_FILE for the mcuboot child project&lt;/li&gt;
&lt;li&gt;No key information is needed in the main application&lt;/li&gt;
&lt;li&gt;The NET core checks its application&amp;#39;s signature during each startup because it&amp;#39;s an automatic feature from b0n which cannot be turned off. This is what SB_SIGNING_KEY_FILE is for.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Can you please confirm?&lt;/p&gt;
&lt;p&gt;And if you use two different files for signing, does this mean that the NET core app is signed twice (one time with the SB_SIGNING_KEY for b0n and one time with the mcuboot signing key)?&lt;/p&gt;
&lt;p&gt;Also thanks for the hint with CMakeLists.txt. I didn&amp;#39;t know you could configure settings for child projects there. It seems like it does the same as creating chld_image/mcuboot.conf and hci_rpmsg.conf with the mentioned information.&lt;/p&gt;
&lt;p&gt;Best regards,&lt;br /&gt;Michael&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/491952?ContentTypeID=1</link><pubDate>Wed, 03 Jul 2024 05:04:21 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:e4e57238-de5b-4099-9902-55ad5d209d67</guid><dc:creator>Vidar Berg</dc:creator><description>&lt;p&gt;Hi,&lt;/p&gt;
&lt;p&gt;I tend to set the CONFIG_SB_SIGNING_KEY_FILE and CONFIG_BOOT_SIGNATURE_KEY_FILE symbols&amp;nbsp;in the&amp;nbsp;project&amp;#39;s CMakeLists.txt file rather than using Kconfig fragments. It&amp;#39;s more convenient if you want to reference the key files relative to the project source directory instead of using an absolute path.&lt;/p&gt;
&lt;p&gt;Below&amp;nbsp;is an example where I have selected a custom signing&amp;nbsp;key for each bootloader. Note: The variables must be set&amp;nbsp;right after the cmake_minimum_required() line to ensure they are applied early enough in the build process.&lt;/p&gt;
&lt;p&gt;&lt;pre class="ui-code" data-mode="text"&gt;cmake_minimum_required(VERSION 3.20.0)

# Set signature key for network core bootloader (B0n).
set(hci_rpmsg_CONFIG_SB_SIGNING_KEY_FILE \&amp;quot;${CMAKE_CURRENT_SOURCE_DIR}/keys/nsib.pem\&amp;quot;)

# Set signature key for MCUBoot
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \&amp;quot;${CMAKE_CURRENT_SOURCE_DIR}/keys/mcuboot.pem\&amp;quot;)

...&lt;/pre&gt;&lt;/p&gt;
&lt;p&gt;&amp;lt;project directory&amp;gt;/keys&lt;br /&gt;├── mcuboot.pem&lt;br /&gt;└── nsib.pem&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/491864?ContentTypeID=1</link><pubDate>Tue, 02 Jul 2024 13:36:51 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:93bd78ee-efc8-4c6d-add3-330cf215f1f9</guid><dc:creator>puz_md</dc:creator><description>&lt;p&gt;Hi Vidar,&lt;/p&gt;
&lt;p&gt;thanks for the details. Please let me ask one final question:&lt;/p&gt;
&lt;p&gt;Assuming that I do not use the nRF Secure Immutable Bootloader (CONFIG_SECURE_BOOT=n). Just mcuboot (and b0n on the NET core which appears to be mandatory). Which options in which (child and main) projects do I need to replace all the default keys from the nRF Connect SDK? Just a simple list of configuration files and the CONFIG_* options I have to set in them would be nice..&lt;/p&gt;
&lt;p&gt;Best regards,&lt;br /&gt;Michael&lt;/p&gt;
&lt;p&gt;PS: I edited my first comment with two updates, the problem was caused by enabling secure boot with my pm_static.yml which did not leave room for the new components.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/491829?ContentTypeID=1</link><pubDate>Tue, 02 Jul 2024 12:15:00 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:74f04d3c-acb8-439e-97da-910f01c69bfc</guid><dc:creator>Vidar Berg</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
[quote user=""]Question 1: CONFIG_SECURE_BOOT[/quote]
&lt;p&gt;With this symbol selected, the&amp;nbsp;&lt;a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/bootloader/README.html"&gt;nRF Secure Immutable Bootloader&lt;/a&gt;&amp;nbsp;will become included in the build and causing MCUBoot to be included as a second-stage bootloader on the application core, see&amp;nbsp;&lt;a href="https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/config_and_build/bootloaders/bootloader.html"&gt;Secure bootloader chain&lt;/a&gt;. Enabling secure boot is optional and is not needed for supporting DFU of the main app.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;The CONFIG_SB_SIGNING_KEY_FILE&amp;nbsp;symbol specifies the signing key to be used by the&amp;nbsp;&lt;a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/bootloader/README.html"&gt;nRF Secure Immutable Bootloader&lt;/a&gt;&amp;nbsp;to validate the mcuboot image, which&amp;nbsp;will be the next image in the bootchain, see&amp;nbsp;&lt;a href="https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/config_and_build/bootloaders/bootloader_adding.html"&gt;Adding a custom signature key file&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
[quote user=""]Question 2: Key error for hci_rpmsg[/quote]
&lt;p&gt;&amp;nbsp;The&amp;nbsp;&lt;a href="https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/samples/nrf5340/netboot/README.html"&gt;Network core bootloader&lt;/a&gt;&amp;nbsp;should also be provisioned with an unique key. This is done with the same&amp;nbsp;CONFIG_SB_SIGNING_KEY_FILE symbol. This thread disucusses how you can configure this symbol for you hci_rpmsg child image:&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;a href="https://devzone.nordicsemi.com/f/nordic-q-a/97930/how-to-use-config_sb_signing_key_file-as-a-relative-path"&gt;How to use CONFIG_SB_SIGNING_KEY_FILE as a relative path&lt;/a&gt;&amp;nbsp;&amp;nbsp;&lt;/p&gt;
[quote user=""]&lt;p&gt;&lt;span style="text-decoration:underline;"&gt;Question 3: Understanding key usage&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Please help me understand the process of deployment. As far as I know:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;mcuboot on the APP core needs the private key to recognize correctly signed images.&lt;/li&gt;
&lt;li&gt;mcuboot checks both the app_update.bin and net_core_app_update.bin for correct signatures&lt;/li&gt;
&lt;li&gt;both APP core and NET core binaries must be signed at the end of the build process. I assumed that CONFIG_SB_SIGNING_KEY_FILE in my prj.con would be used by the build system to sign both images, as signing is a separate action at the end of the build process and not during child image building. Is my assumption here wrong?&lt;/li&gt;
&lt;li&gt;&lt;span style="text-decoration:underline;"&gt;Big question:&lt;/span&gt; Is the signature for firmware updates checked exclusively by mcuboot, and b0n is not aware of the signature? Or will I have to add the private key information also to b0n when I use dual core MCU&amp;#39;s like the nRF5340? (If so, how do I do it correctly?)&lt;/li&gt;&lt;/ul&gt;[/quote]
&lt;p&gt;The public key from your private/public keypair is included the bootloader and used to verify that the app was signed with the corresponding private key. The private is not distributed with the FW.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;MCUBOOT will validate both netcore and app core images during DFU. But the netcore bootloader (B0n) will be responsible for doing subsequent boot validation of the netcore image after the DFU has been completed with the &lt;span&gt;CONFIG_SB_SIGNING_KEY_FILE key provided to the hci_rpmsg build&lt;/span&gt;. You may use the same&amp;nbsp;&lt;span&gt;CONFIG_SB_SIGNING_KEY_FILE key for the application core and network core.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;b0n is not aware of the MCUBoot signature that was verified during the DFU process.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
[quote user=""]Question 4: Multiple keys for mcuboot[/quote]
&lt;p&gt;This is correct. To revoke an old key, you would need to update to a new mcuboot image with a different key-pair.&lt;/p&gt;
[quote user=""]Question 5: Handling of invalid images by mcuboot[/quote]
&lt;p&gt;The correct behaviour is that it falls back to the previous version if the validation failed. The long processing time suggests that the swap alghoritm is enabled in MCUBOOT. I.e.,&amp;nbsp;BOOT_UPGRADE_ONLY is not enabled in build/mcuboot/zephyr/.config.&amp;nbsp;&lt;/p&gt;
[quote user="puz_md"]One more question... if I configure my project as described above, it compiles without any problem, but I cannot flash merged_domains.hex anymore. It tries to access an invalid memory location. Any ideas?[/quote]
&lt;p&gt;I have not seen this error before. But the failing address is in the &lt;a href="https://docs.nordicsemi.com/bundle/ps_nrf5340/page/chapters/uicr/doc/uicr.html#ariaid-title11"&gt;UICR.&lt;/a&gt;&lt;span&gt;&lt;a href="https://docs.nordicsemi.com/bundle/ps_nrf5340/page/chapters/uicr/doc/uicr.html#ariaid-title11"&gt;KEYSLOT.CONFIG&lt;/a&gt; range for the application core. Do you see the same error if you try to program the merged_domains.hex with nrfjprog directly (note: this requires an up to date version of nrfjprog installed)?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;pre class="ui-code" data-mode="text"&gt;nrfjprog --program merged_domains.hex --chiperase --verify --fast -r&lt;/pre&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Best regards,&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Vidar&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Signing mcuboot, b0n and applications with custom private key on the nRF5340</title><link>https://devzone.nordicsemi.com/thread/491812?ContentTypeID=1</link><pubDate>Tue, 02 Jul 2024 10:53:49 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:4b86c47d-e945-4426-82ca-aa51fd1a1cfd</guid><dc:creator>puz_md</dc:creator><description>&lt;p&gt;One more question... if I configure my project as described above, it compiles without any problem, but I cannot flash merged_domains.hex anymore. It tries to access an invalid memory location. Any ideas?&lt;/p&gt;
&lt;p&gt;&lt;pre class="ui-code" data-mode="text"&gt;-- runners.nrfjprog: Flashing file: c:\svn\TecnoBasicDigital\Prototyp\Source\_trunk_\TecnoBasicDigital\build\zephyr\merged_domains.hex
-- runners.nrfjprog: c:\svn\TecnoBasicDigital\Prototyp\Source\_trunk_\TecnoBasicDigital\build\zephyr\merged_domains.hex targets both nRF53 coprocessors; splitting it into: c:\svn\TecnoBasicDigital\Prototyp\Source\_trunk_\TecnoBasicDigital\build\zephyr\GENERATED_CP_NETWORK_merged_domains.hex and c:\svn\TecnoBasicDigital\Prototyp\Source\_trunk_\TecnoBasicDigital\build\zephyr\GENERATED_CP_APPLICATION_merged_domains.hex
[ #################### ]  12.468s | Erase file - Done erasing                                                          
[ #################### ]   1.302s | Program file - Done programming                                                    
[ #################### ]   1.305s | Verify file - Done verifying                                                       
[error] [ Client] - Encountered error -173: Command erase_file executed for 35 milliseconds with result -173
[error] [ Worker] - Address 0x00FF8424 does not map to a known memory.                                                 
ERROR: The file specified is not a valid hex file, has data outside valid areas
ERROR: or does not have data in valid areas.&lt;/pre&gt;&lt;/p&gt;
&lt;p&gt;This strange section at 0xFF8424 (just before the NET core flash) is added to merged_domains.hex now...&lt;/p&gt;
&lt;p&gt;&lt;pre class="ui-code" data-mode="text"&gt;:10752000BEA6FC690552B186829B9B8651604FCBFB
:107530007DEC913192C0EE23707C7B70C1DBDB204F
:0C7540006681C60F3265076BE652A17F22
:0200000400FFFB
:10842400000202000041050001000000FFFFFFFF01
:10843400C7770375F2E3FC2E99D83C4E6840DE936F
:108444000100010001001400FFFFFFFFFFFFFFFF19
:10845400FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF28
:10846400FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF18
:020000040100F9
:10000000A00D0021E116000187420001B516000194
:10001000B5160001B5160001B5160001000000007C&lt;/pre&gt;&lt;/p&gt;
&lt;p&gt;Update 1: Found it in the Memory report, is&amp;#39;s a provision partition...:&lt;/p&gt;
&lt;p&gt;&lt;img style="max-height:240px;max-width:320px;" src="https://devzone.nordicsemi.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/4/pastedimage1719920342367v1.png" alt=" " /&gt;&lt;/p&gt;
&lt;p&gt;Instead of only mcuboot, the build system now also includes b0, s0 and s1 (including image slots) in my primary APP space. This was not epected/intendet, I already created my static oatririon file with mcuboot only... I guess it&amp;#39;s the CONFIG_SECURE_BOOT option.&lt;/p&gt;
&lt;p&gt;Update 2: Today, I could strangely build with CONFIG_SECURE_BOOT disabled...&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>