Adding a custom signature key file with ${APPLICATION_CONFIG_DIR} does not work

I am trying to add a custom signature key to the nrf5340_audio application from NCS2.7.0. I cannot use an absolute path because the project must be buildable by different people on different machines where the project root is not the same.

According to "Adding a custom signature key file", it should be possible to use ${APPLICATION_CONFIG_DIR}. I therefore added the following option to the west build command:

-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"${APPLICATION_CONFIG_DIR}/keys/signing_secret.pem\"

With that mcuboot builds and the generated mcuboot .config file contains CONFIG_BOOT_SIGNATURE_KEY_FILE with the correct absolute path to the key file. But later on the signing process fails with the error:

FileNotFoundError: [Errno 2] No such file or directory: '/keys/signing_secret.pem'

The reason is that when the build process invokes the imgtool.py script, its -k parameter only gets the value of SB_CONFIG_BOOT_SIGNATURE_KEY_FILE with ${APPLICATION_CONFIG_DIR} expanded to the empty string, resulting in /keys/signing_secret.pem, which of course does not exist.

How can I get this to work?

 
  • Hi.

    I tested first with single-quote (') and got the following error:

    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\'\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\'
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    
    C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf:2: warning: malformed string literal in assignment to BOOT_SIGNATURE_KEY_FILE (defined at C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild\images\bootloader/Kconfig:58). Assignment ignored.Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    
    
    error: Aborting due to Kconfig warnings
    
    CMake Error at C:/Data/Nordic/ncs/v2.7.0/zephyr/cmake/modules/kconfig.cmake:392 (message):
      command failed with return code: 1
    Call Stack (most recent call first):
      cmake/modules/sysbuild_kconfig.cmake:101 (include)
      cmake/modules/sysbuild_default.cmake:17 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE='"'"'${APPLICATION_CONFIG_DIR/keys/signing_secret.pem'"'"'' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'
    

    Then I tested with double-quote ("), here I got another error:

    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\"
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    
    C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf:2: warning: malformed string literal in assignment to BOOT_SIGNATURE_KEY_FILE (defined at C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild\images\bootloader/Kconfig:58). Assignment ignored.Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    
    
    error: Aborting due to Kconfig warnings
    
    CMake Error at C:/Data/Nordic/ncs/v2.7.0/zephyr/cmake/modules/kconfig.cmake:392 (message):
      command failed with return code: 1
    Call Stack (most recent call first):
      cmake/modules/sysbuild_kconfig.cmake:101 (include)
      cmake/modules/sysbuild_default.cmake:17 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE='"'"'${APPLICATION_CONFIG_DIR/keys/signing_secret.pem'"'"'' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'
    
    
    
    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\"
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    Configuration saved to 'C:/nrf5340_audio/build/test/zephyr/.config'
    Kconfig header saved to 'C:/nrf5340_audio/build/test/_sysbuild/autoconf.h'
    -- 
       *****************************
       * Running CMake for mcuboot *
       *****************************
    
    CMake Error at cmake/modules/sysbuild_extensions.cmake:471 (string):
      Syntax error in cmake code at
    
        C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild/cmake/modules/sysbuild_extensions.cmake:472
    
      when parsing string
    
        # sysbuild controlled configuration settings
    
    
      CONFIG_BOOT_SIGNATURE_KEY_FILE="${APPLICATION_CONFIG_DIR/keys/signing_secret.pem"
    
    
      CONFIG_BOOT_ENCRYPT_IMAGE=n
    
      CONFIG_PARTITION_MANAGER_ENABLED=y
    
      CONFIG_BUILD_OUTPUT_BIN=y
    
      CONFIG_BUILD_OUTPUT_HEX=y
    
      CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y
    
      CONFIG_UPDATEABLE_IMAGE_NUMBER=2
    
      CONFIG_SINGLE_APPLICATION_SLOT=n
    
      CONFIG_BOOT_SWAP_USING_MOVE=n
    
      CONFIG_BOOT_SWAP_USING_SCRATCH=n
    
      CONFIG_BOOT_UPGRADE_ONLY=y
    
      CONFIG_BOOT_DIRECT_XIP=n
    
      CONFIG_BOOT_DIRECT_XIP_REVERT=n
    
      CONFIG_BOOT_FIRMWARE_LOADER=n
    
      CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION=n
    
      CONFIG_PCD_APP=y
    
      CONFIG_BOOT_SIGNATURE_TYPE_NONE=n
    
      CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
    
      CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
    
      CONFIG_BOOT_SIGNATURE_TYPE_ED25519=n
    
    
    
      Invalid character ('"') in a variable name:
      'APPLICATION_CONFIG_DIR/keys/signing_secret.pem'
    Call Stack (most recent call first):
      cmake/modules/sysbuild_images.cmake:20 (ExternalZephyrProject_Cmake)
      cmake/modules/sysbuild_default.cmake:19 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE="${APPLICATION_CONFIG_DIR/keys/signing_secret.pem"' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'

  • Hi, 

    With that mcuboot builds and the generated mcuboot .config file contains CONFIG_BOOT_SIGNATURE_KEY_FILE with the correct absolute path to the key file. But later on the signing process fails with the error:

    FileNotFoundError: [Errno 2] No such file or directory: '/keys/signing_secret.pem'

    We saw the error while signing the b0n image and found the issue was not whether the $ has to be escaped or not.

    In the b0 signing there is a missing string expansion, and this PR https://github.com/nrfconnect/sdk-nrf/pull/16894 is for fixing it.

    -Amanda H.
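
A pre-signing check for the two failure modes seen in this thread (a variable that expands to the empty string, giving /keys/signing_secret.pem, and a reference missing its closing brace), added here as an illustration. It is not code from the posters, imgtool or the nRF Connect SDK; `resolve_key_path`, `KeyPathError` and the `variables` mapping are hypothetical names, and the mapping stands in for the CMake scope in which the setting is evaluated.

```python
import re

# Simplification for this example: only identifier-style variable names are accepted.
_VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


class KeyPathError(ValueError):
    """Raised when a configured signing-key path cannot be resolved safely."""


def resolve_key_path(value, variables):
    """Expand ${VAR} references in a key-file setting, refusing silent failures.

    `variables` maps names to values and models the scope that evaluates the
    setting (an assumption of this example, not an SDK interface).
    """
    value = value.strip().strip('"')

    def substitute(match):
        name = match.group(1)
        replacement = variables.get(name, "")
        if not replacement:
            # CMake expands an unset variable to "", which is how
            # "${APPLICATION_CONFIG_DIR}/keys/x.pem" turns into "/keys/x.pem".
            raise KeyPathError(f"variable {name!r} is unset or empty in this scope")
        return replacement

    expanded = _VAR_REF.sub(substitute, value)
    if "${" in expanded:
        # Left over after expansion, e.g. a missing closing brace:
        # "${APPLICATION_CONFIG_DIR/keys/x.pem"
        raise KeyPathError(f"malformed variable reference in {value!r}")
    return expanded


if __name__ == "__main__":
    # Constructed sample scopes: one where the variable is defined, one where it is not.
    setting = '"${APPLICATION_CONFIG_DIR}/keys/signing_secret.pem"'
    for scope in ({"APPLICATION_CONFIG_DIR": "C:/nrf5340_audio"}, {}):
        try:
            print("key file:", resolve_key_path(setting, scope))
        except KeyPathError as err:
            print("refusing to sign:", err)
```

Failing the build at this point keeps the signing step from ever being handed a path that silently resolved to a different location than the one configured.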
