• State Not Answered
  • Replies 6 replies
  • Subscribers 65 subscribers
  • Views 140 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 329603
Options

BLE DFU with encrypted images in MCUBoot

Simen Eilevstjonn

We are trying to setup image encryption in our nRF build, for use with BLE DFU.

I see that this is not supported by Nordic, but that there is support for it in MCUBoot. There exists an example from Hellevik that we followed: https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption

Using this example, we get encryption to work, with the compiler reporting the correct key file, but when attempting DFU, it just reports as failed.

From my understanding, the encryption is done using an ephemeral AES key, which is encrypted with a public key. The bootloader should hence have the private key.

I could not find that key in merged.hex, so I suspect it is not included.

The example used UART DFU, is there a difference here that requires other configuration?

I also saw another question regarding using encrypted images with a two stage bootloader, which we are using. It was said that it is not supported, but is there a difference between that and using only MCUBoot?

Parents Reply Children
  • 0 in reply to Menon

    Hello,

    I still do not have an error message, but the observed behaviour is that if one attempts to do over the air DFU with an encrypted image (using CONFIG_BOOT_ECDSA_TINYCRYPT=y, CONFIG_BOOT_ENCRYPT_IMAGE=y in mcubooot.conf) while using both NSIB and MCUboot, then the process fails, and the old image is swapped back.

    However, I found a workaround by disabling NSIB. That is going to be okay for our use case, unless there exists some simple solution to get it to work with a two-stage bootloader.

Related