Cryptocell and usb

Hi, 

I would appreciate additional information and some clarifications.

Do you use a custom board with nrf52840?

I was building the "console" sample code found in zephyr for my custom nrf52840 board and I managed to get it to work. But as soon as cryptocell gets enabled, it doesn't work anymore.

Which console sample did you use? Is it maybe console over USB?
How did you enable CryptoCell?
What happens when it does not work anymore, is there any error?

Q1:  Why doesn't the devicetree find "nordic,cryptocell"? I get a warning like this: Unknown node type "nordic,cryptocell"

Did you get this warning on your custom board? Have you tried on nrf52840-dk?
"nordic,cryptocell" unknown type is probably related to some devicetree error. Can you show where and how you added "nordic,cryptocell" configuration?

Q2: Cryptocell is enabled by default in nrf52840 devicetree which gets applied to all the boards (like nrf52840dongle and nrf52840dk and my custom board which uses nrf52840dongle as template). But this breaks the usb communication with the "console" sample on my custom board (It does build though).

Can you provide information in which way is USB communication broken, what exactly happens?
Is USB communication functional on nrf52840-dk board?

Q3: The acl node has also a warning: Address range collides with flash-controller@4001e000 (both start at 0x4001e000)

This also indicates devicetree configuration issue.

But it still works with it enabled.

Can you rephrase this - what works when what is enabled? Can you show what is enabled and what happens when it works?

What is shown in provided screenshot?

Best regards,
Dejan

Hi,

dejans said:

Do you use a custom board with nrf52840?

Yes, my custom board has nrf52840.

dejans said:

Which console sample did you use? Is it maybe console over USB?

It was the USB subsys sample called "console"

dejans said:

How did you enable CryptoCell?

CryptoCell is enabled by default here.

dejans said:

What happens when it does not work anymore, is there any error?

It does build without any errors, but the usb does not get initialized or recognized by my PC. It's hard to say what happens there without debugger.

dejans said:

Did you get this warning on your custom board? Have you tried on nrf52840-dk?
"nordic,cryptocell" unknown type is probably related to some devicetree error. Can you show where and how you added "nordic,cryptocell" configuration?

This warning is also shown in the nrf52840.dsti. Nrf52840-dk includes the same file. "nordic,cryptocell" is configured there and I only disabled it in my board files to make the usb code work.

dejans said:

Can you provide information in which way is USB communication broken, what exactly happens?
Is USB communication functional on nrf52840-dk board?

The only way I know it's broken is that it no longer gets recognized as a usb serial device and it is not found with NRF Connect or any other serial terminal software. I do not have access to nrf52840-dk board.

dejans said:

This also indicates devicetree configuration issue.

This I already knew. The question was why? Both of the nodes have the default configuration that come with the SDK.

dejans said:

Can you rephrase this - what works when what is enabled? Can you show what is enabled and what happens when it works?

This sample code and other codes still work when acl is enabled regarding the warning.

dejans said:

What is shown in provided screenshot?

The device configuration part of the devicetree.

BR

Apparently cryptocell only works with debugger attached. Whats up with that?

Great, this place removes posts...

and now the ****** board is bricked...

1. Why did the debugger erase my bootloader even though the app was built for it?

2. How did the debugger(NRF52dk) brick the board even though the code was running before bricking it?

Well, I managed to get it unbricked by messing around with gpio registers from JLinkExe. Apparently it needs to be connected with JLinkExe every time it disappears. So theres something funky going on with nrfutil...

But now I can't get the mcuboot to work and I don't have the original mcuboot config which we managed to get to work after a long battle...

Hi,

Regarding "1. Why did the debugger erase my bootloader even though the app was built for it?", I do not know how you used it, but if you do a full erase / erase all (which you often do when programming or debugging), that will erase the whole flash, includign any bootlaoders and the UICR. If you just want to re-flash the application you can seelct to use sector erase. If you are using nRF Connect for VS code for programming you can select if you want to do a full erase or not when flashing, as explaind in this post.

Regarding "2. How did the debugger(NRF52dk) brick the board even though the code was running before bricking it?" I do not know which state it what in when  you refer to it as "bricked" nor how it got there. If you can share details about how it behaved when you define it as "bricked", how it ended up in that state and hwo it receoverd, we may be able to understand more.

Generally, there is no need to use a debugger to get CrytpoCell to work, and also no conflict between CryptoCell and USB. So I suspect there are other more fundamental issues with your device or setup. I am also not able to understand the comments about debugger bricking your device. I kindly ask that you elaborate much more and provide exact details if you want specific feedback.

It seems to me that you are seeing a significant number of seemingly unrelated issues that are difficult to explain. I would suggest that you try to reduce the numer fo unkowns in the beginning by obtaining a DK so tha that you have known good hardware and test parts of your firmware on that. Then you can gradually move to your custom HW. Alternatively, there is an absolute requierment that you are able to debug your hardware.

To the first part:

The problem is that in vscode the "flash", "erase and flash" and "debug" all use "merged.hex" and not the APP. Meaning everytime I flash my app with the debugger I replace my working bootloader with the non working one. This is a terrible way of doing things if bootloader and app are developed by different people or departments. This means I HAVE to have the bootloader on my computer when I want to debug an app for it.

The second part:

I consider the device bricked when it does not show up in the programming app. The weird part about it was that vscode and nrf connect app did not find the device, but JLinkExe did. And after connecting through JLinkExe, vscode and nrf connect app found it.

And yes, the problem is that cryptocell doesn't work without debugger attached. This was the same problem which "deleted" my bootloader since the APP also enabled cryptocell in the bootloader and overwrote it and thus bootloader didn't work anymore. This is the jankiest MCU I've ever used...

And why would I need DK to run the sample codes? I still havent been able to start writing the actual FW to this, because theres still something wrong with the config and that's what Im trying to figure out.

So, why is cryptocell only working with debugger?

Without debugger, the cryptocell app doesnt even reach main.

Im running the board in normal mode and DCDC is NOT enabled.

Hi,

AintMina said:

The problem is that in vscode the "flash", "erase and flash" and "debug" all use "merged.hex" and not the APP. Meaning everytime I flash my app with the debugger I replace my working bootloader with the non working one. This is a terrible way of doing things if bootloader and app are developed by different people or departments. This means I HAVE to have the bootloader on my computer when I want to debug an app for it.

That is a good point. The reason we do it like this is that it makes the most common use case working out of the box. Whenever you try to flash or debug, you will get all images in case of multi image projects. But this is not always wat you want. An alternative could be to get the hex file you want to use, and point to that using CONFIG_MCUBOOT_BUILD_STRATEGY_USE_HEX_FILE. See here for more details on that.

AintMina said:

the problem is that cryptocell doesn't work without debugger attached. This was the same problem which "deleted" my bootloader since the APP also enabled cryptocell in the bootloader and overwrote it and thus bootloader didn't work anymore.

I see. This is what we must focus on. However, I have not been able to reproduce this which is why I have been asking for more information.

AintMina said:

And why would I need DK to run the sample codes? I still havent been able to start writing the actual FW to this, because theres still something wrong with the config and that's what Im trying to figure out.

There are a few good reasons for having a DK. First of all, it is a known good piece of hardware, and as such a good platform for prototying and debugging specific issues. It is also a platform we in Nordic tech support has access to, so if you were able to reproduce the issue on that, you could let us know how we can reproduce on our end. It can also be used to debug your custom board (which you described early on that you did not want to do or were not able to do).

AintMina said:

So, why is cryptocell only working with debugger?

Without debugger, the cryptocell app doesnt even reach main.

Im running the board in normal mode and DCDC is NOT enabled.

That what we need to figure out. Can you share your full set of board files in a zip so that I get the full picure and have better hops of being able to reproduce the issue? (I want to start with simply building for your board and running that on my DK as that seems like the best option at this point).

Hi,

AintMina said:

The problem is that in vscode the "flash", "erase and flash" and "debug" all use "merged.hex" and not the APP. Meaning everytime I flash my app with the debugger I replace my working bootloader with the non working one. This is a terrible way of doing things if bootloader and app are developed by different people or departments. This means I HAVE to have the bootloader on my computer when I want to debug an app for it.

That is a good point. The reason we do it like this is that it makes the most common use case working out of the box. Whenever you try to flash or debug, you will get all images in case of multi image projects. But this is not always wat you want. An alternative could be to get the hex file you want to use, and point to that using CONFIG_MCUBOOT_BUILD_STRATEGY_USE_HEX_FILE. See here for more details on that.

AintMina said:

the problem is that cryptocell doesn't work without debugger attached. This was the same problem which "deleted" my bootloader since the APP also enabled cryptocell in the bootloader and overwrote it and thus bootloader didn't work anymore.

I see. This is what we must focus on. However, I have not been able to reproduce this which is why I have been asking for more information.

AintMina said:

And why would I need DK to run the sample codes? I still havent been able to start writing the actual FW to this, because theres still something wrong with the config and that's what Im trying to figure out.

There are a few good reasons for having a DK. First of all, it is a known good piece of hardware, and as such a good platform for prototying and debugging specific issues. It is also a platform we in Nordic tech support has access to, so if you were able to reproduce the issue on that, you could let us know how we can reproduce on our end. It can also be used to debug your custom board (which you described early on that you did not want to do or were not able to do).

AintMina said:

So, why is cryptocell only working with debugger?

Without debugger, the cryptocell app doesnt even reach main.

Im running the board in normal mode and DCDC is NOT enabled.

That what we need to figure out. Can you share your full set of board files in a zip so that I get the full picure and have better hops of being able to reproduce the issue? (I want to start with simply building for your board and running that on my DK as that seems like the best option at this point).

Don't mind the mess, it's a work in progress still.

6747.boards.zip

Hi,

I built the console sample (zephyr/samples/subsys/usb/console/) using your unmodified board files (which include cryptocell in the device tree), and the sample works as expected when I test on a DK also when I am not debugging (I even power-cycled the device). I get the expected output in the CDC terminal.

Do you need to do anything else to trigger the issue? As mentionned before I am not able to see a link between USB and CryptoCell so honestly I am not very suprised about this result. Could it be that you have also made other changes at the same time, and that the problem was something else?

I though we already established this that it's not USB and CryptoCell, it's just CryptoCell.

There is no need to trigger anything and no, CC(CryptoCell) is the only change.

Hmm...

Are there some HW requirements for CC?

Does it require external 32k clock?

Did you use sdk-zephyr or zephyr? the board files do differ between these. I used sdk-zephyr since thats what vscode automatically uses.

Is there some specific config I need in the mcuboot to upload CC software? though it did also break the bootloader when CC was enabled...

Hi,

I thought the problem was running the usb console sample with CryptoCell defined in your board files? I tested that with nRF Connect SDK v2.6.1 as that is what you descibed. (So that is using the saple from sdk-zephyr in that nRF Connect SDK release).

AintMina said:

Is there some specific config I need in the mcuboot to upload CC software? though it did also break the bootloader when CC was enabled...

No. But as the bootloader normally does crypto operations (validating images on activation and on boot), there may be a difference depending on if CryptoCell is enabled or not if you configure the bootloder to use cryptocell fro crypto operations. Is the issue here in the bootloader? If so we need to look into that. And if so, can we start with if you are using MCUboot, NSIB, both, or some custom bootloader? And also if using the bootloaders we provide in the SDK, which changes have you made and can you share the configuration etc?

Einar Thorsrud said:

I thought the problem was running the usb console sample with CryptoCell defined in your board files?

No, the problem is that CC breaks ANY sample code. I remembered that I tested the bluetooth function to work WITH debugger not without.

Einar Thorsrud said:

And if so, can we start with if you are using MCUboot, NSIB, both, or some custom bootloader?

Im using MCUboot from the SDK with this config and CC disabled:

CONFIG_PM=n

CONFIG_MAIN_STACK_SIZE=10240
CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"

CONFIG_BOOT_SWAP_SAVE_ENCTLV=n
CONFIG_BOOT_ENCRYPT_IMAGE=n

CONFIG_BOOT_UPGRADE_ONLY=n
CONFIG_BOOT_BOOTSTRAP=n

### mbedTLS has its own heap
# CONFIG_HEAP_MEM_POOL_SIZE is not set

### We never want Zephyr's copy of tinycrypt.  If tinycrypt is needed,
### MCUboot has its own copy in tree.
# CONFIG_TINYCRYPT is not set
# CONFIG_TINYCRYPT_ECC_DSA is not set
# CONFIG_TINYCRYPT_SHA256 is not set

CONFIG_FLASH=y
CONFIG_FPROTECT=y

### Various Zephyr boards enable features that we don't want.
# CONFIG_BT is not set
# CONFIG_BT_CTLR is not set
# CONFIG_I2C is not set

CONFIG_LOG=y
CONFIG_LOG_MODE_MINIMAL=y # former CONFIG_MODE_MINIMAL
### Ensure Zephyr logging changes don't use more resources
CONFIG_LOG_DEFAULT_LEVEL=0
### Use info log level by default
CONFIG_MCUBOOT_LOG_LEVEL_INF=y
### Decrease footprint by ~4 KB in comparison to CBPRINTF_COMPLETE=y
CONFIG_CBPRINTF_NANO=y
### Use the minimal C library to reduce flash usage
CONFIG_MINIMAL_LIBC=y
CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0



# IS BOOTLOADER?
CONFIG_IS_BOOTLOADER=y
CONFIG_BOOTLOADER_SRAM_SIZE=256
CONFIG_MCUBOOT_INDICATION_LED=y

# Required by USB
CONFIG_MULTITHREADING=y

# USB
CONFIG_USB_DEVICE_STACK=y
CONFIG_USB_DFU_CLASS=y
CONFIG_USB_DEVICE_REMOTE_WAKEUP=n

#### MAY FUCK UP YOUR DAY 
#CONFIG_USB_DFU_REBOOT=y

CONFIG_USB_DEVICE_PRODUCT="MCUBOOT"
CONFIG_USB_DEVICE_VID=0x1915
CONFIG_USB_DEVICE_PID=0x520F

CONFIG_BOOT_USB_DFU_GPIO=y
CONFIG_BOOT_SERIAL_PIN_RESET=y


# Serial
CONFIG_CONSOLE=n
CONFIG_SERIAL=y
CONFIG_UART_INTERRUPT_DRIVEN=y
CONFIG_UART_LINE_CTRL=y

# MCUBoot serial
CONFIG_GPIO=y
CONFIG_MCUBOOT_SERIAL=y
CONFIG_BOOT_SERIAL_CDC_ACM=y
CONFIG_NORDIC_QSPI_NOR=n

Also to add here, the same code works with CC disabled and uploaded through MCUboot.