Adding a custom signature key file with ${APPLICATION_CONFIG_DIR} does not work

I am trying to add a custom signature key to the nrf5340_audio application from NCS2.7.0. I cannot use an absolute path because the project must be buildable by different people on different machines where the project root is not the same.

According to "Adding a custom signature key file", it should be possible to use ${APPLICATION_CONFIG_DIR}. I therefore added the following option to the west build command:

-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"${APPLICATION_CONFIG_DIR}/keys/signing_secret.pem\"

With that mcuboot builds and the generated mcuboot .config file contains CONFIG_BOOT_SIGNATURE_KEY_FILE with the correct absolute path to the key file. But later on the signing process fails with the error:

FileNotFoundError: [Errno 2] No such file or directory: '/keys/signing_secret.pem'

The reason is that when the build process invokes the imgtool.py script, its -k parameter only gets the value of SB_CONFIG_BOOT_SIGNATURE_KEY_FILE with ${APPLICATION_CONFIG_DIR} expanded to the empty string, resulting in /keys/signing_secret.pem, which of course does not exist.

How can I get this to work?
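
The failure described in this question can be caught before imgtool.py runs by comparing the key path the signing step would receive with the one recorded in mcuboot's .config. The following is an added example, not code from the original post or from NCS; the function names, the `/work/app` project root and the sample .config text are constructed for illustration.

```python
import re

_VAR = re.compile(r"\$\{(\w+)\}")

def expand(value, scope):
    """Expand ${NAME} as CMake does: a name missing from scope becomes ''."""
    return _VAR.sub(lambda m: scope.get(m.group(1), ""), value)

def kconfig_string(config_text, symbol):
    """Return the unquoted value of `symbol="..."` in .config text, else None."""
    m = re.search(rf'^{re.escape(symbol)}="(.*)"\s*$', config_text, re.MULTILINE)
    return m.group(1) if m else None

def check_key_path(sb_value, signing_scope, mcuboot_config_text):
    """Return findings for the key path the signing step would pass to imgtool -k."""
    findings = []
    # A variable that is unset where signing runs silently expands to nothing.
    undefined = [n for n in _VAR.findall(sb_value) if not signing_scope.get(n)]
    if undefined:
        findings.append("undefined in signing scope: " + ", ".join(undefined))
    signing_path = expand(sb_value, signing_scope)
    embedded = kconfig_string(mcuboot_config_text, "CONFIG_BOOT_SIGNATURE_KEY_FILE")
    if embedded is None:
        findings.append("CONFIG_BOOT_SIGNATURE_KEY_FILE not set in mcuboot .config")
    elif signing_path != embedded:
        # The bootloader and the signer must refer to the same key file.
        findings.append(
            f"imgtool -k would get {signing_path!r}, mcuboot embeds {embedded!r}")
    return findings

# Constructed sample values (hypothetical project root, not taken from the thread).
SB_VALUE = "${APPLICATION_CONFIG_DIR}/keys/signing_secret.pem"
MCUBOOT_CONFIG = (
    "CONFIG_BOOT_SIGNATURE_TYPE_RSA=y\n"
    'CONFIG_BOOT_SIGNATURE_KEY_FILE="/work/app/keys/signing_secret.pem"\n'
)

if __name__ == "__main__":
    for scope in ({}, {"APPLICATION_CONFIG_DIR": "/work/app"}):
        print(scope, "->", check_key_path(SB_VALUE, scope, MCUBOOT_CONFIG) or "ok")
```

Failing the build on any finding also prevents signing with an unrelated key file that happens to exist at the root-relative path on some machine.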

 
  • Hi, 

    It is not escaped properly, \"\${APPLICATION_CONFIG_DIR, notice the \ before the $.

    Regards,
    Amanda H.

  • Hi.

    I tested first with single-quote (') and got the following error:

    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\'\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\'
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    
    C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf:2: warning: malformed string literal in assignment to BOOT_SIGNATURE_KEY_FILE (defined at C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild\images\bootloader/Kconfig:58). Assignment ignored.Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    
    
    error: Aborting due to Kconfig warnings
    
    CMake Error at C:/Data/Nordic/ncs/v2.7.0/zephyr/cmake/modules/kconfig.cmake:392 (message):
      command failed with return code: 1
    Call Stack (most recent call first):
      cmake/modules/sysbuild_kconfig.cmake:101 (include)
      cmake/modules/sysbuild_default.cmake:17 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE='"'"'${APPLICATION_CONFIG_DIR/keys/signing_secret.pem'"'"'' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'
    

    Then I tested with double-quote ("), here I got another error:

    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\"
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    
    C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf:2: warning: malformed string literal in assignment to BOOT_SIGNATURE_KEY_FILE (defined at C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild\images\bootloader/Kconfig:58). Assignment ignored.Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    
    
    error: Aborting due to Kconfig warnings
    
    CMake Error at C:/Data/Nordic/ncs/v2.7.0/zephyr/cmake/modules/kconfig.cmake:392 (message):
      command failed with return code: 1
    Call Stack (most recent call first):
      cmake/modules/sysbuild_kconfig.cmake:101 (include)
      cmake/modules/sysbuild_default.cmake:17 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE='"'"'${APPLICATION_CONFIG_DIR/keys/signing_secret.pem'"'"'' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'
    
    
    
    $ west build -d build/test -p -b nrf5340_audio_dk/nrf5340/cpuapp --sysbuild -- -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"\${APPLICATION_CONFIG_DIR/keys/signing_secret.pem\"
    -- west build: making build dir C:\nrf5340_audio\build\test pristine
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
    -- Cache files will be written to: C:/Data/Nordic/ncs/v2.7.0/zephyr/.cache
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf5340_audio_dk, qualifiers: nrf5340/cpuapp
    Parsing C:/nrf5340_audio/Kconfig.sysbuild
    Loaded configuration 'C:/nrf5340_audio/build/test/_sysbuild/empty.conf'
    Merged configuration 'C:/nrf5340_audio/sysbuild_fota.conf'
    Merged configuration 'C:/nrf5340_audio/build/test/zephyr/misc/generated/extra_kconfig_options.conf'
    Configuration saved to 'C:/nrf5340_audio/build/test/zephyr/.config'
    Kconfig header saved to 'C:/nrf5340_audio/build/test/_sysbuild/autoconf.h'
    -- 
       *****************************
       * Running CMake for mcuboot *
       *****************************
    
    CMake Error at cmake/modules/sysbuild_extensions.cmake:471 (string):
      Syntax error in cmake code at
    
        C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild/cmake/modules/sysbuild_extensions.cmake:472
    
      when parsing string
    
        # sysbuild controlled configuration settings
    
    
      CONFIG_BOOT_SIGNATURE_KEY_FILE="${APPLICATION_CONFIG_DIR/keys/signing_secret.pem"
    
    
      CONFIG_BOOT_ENCRYPT_IMAGE=n
    
      CONFIG_PARTITION_MANAGER_ENABLED=y
    
      CONFIG_BUILD_OUTPUT_BIN=y
    
      CONFIG_BUILD_OUTPUT_HEX=y
    
      CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y
    
      CONFIG_UPDATEABLE_IMAGE_NUMBER=2
    
      CONFIG_SINGLE_APPLICATION_SLOT=n
    
      CONFIG_BOOT_SWAP_USING_MOVE=n
    
      CONFIG_BOOT_SWAP_USING_SCRATCH=n
    
      CONFIG_BOOT_UPGRADE_ONLY=y
    
      CONFIG_BOOT_DIRECT_XIP=n
    
      CONFIG_BOOT_DIRECT_XIP_REVERT=n
    
      CONFIG_BOOT_FIRMWARE_LOADER=n
    
      CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION=n
    
      CONFIG_PCD_APP=y
    
      CONFIG_BOOT_SIGNATURE_TYPE_NONE=n
    
      CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
    
      CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
    
      CONFIG_BOOT_SIGNATURE_TYPE_ED25519=n
    
    
    
      Invalid character ('"') in a variable name:
      'APPLICATION_CONFIG_DIR/keys/signing_secret.pem'
    Call Stack (most recent call first):
      cmake/modules/sysbuild_images.cmake:20 (ExternalZephyrProject_Cmake)
      cmake/modules/sysbuild_default.cmake:19 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      C:/Data/Nordic/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
      template/CMakeLists.txt:10 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    See also "C:/nrf5340_audio/build/test/CMakeFiles/CMakeOutput.log".
    FATAL ERROR: command exited with status 1: 'C:\Data\Nordic\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/Data/Nordic/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\nrf5340_audio\build\test' -GNinja -DBOARD=nrf5340_audio_dk/nrf5340/cpuapp 
    -DCONFIG_TRANSPORT_BIS=y -DFILE_SUFFIX=fota '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE="${APPLICATION_CONFIG_DIR/keys/signing_secret.pem"' '-SC:\Data\Nordic\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\nrf5340_audio'

  • Hi, 

    With that mcuboot builds and the generated mcuboot .config file contains CONFIG_BOOT_SIGNATURE_KEY_FILE with the correct absolute path to the key file. But later on the signing process fails with the error:

    FileNotFoundError: [Errno 2] No such file or directory: '/keys/signing_secret.pem'

    We saw the error while signing the b0n image and found that the issue was not whether the $ has to be escaped or not.

    In the b0 signing there is a missing string expansion, and this PR https://github.com/nrfconnect/sdk-nrf/pull/16894 is for fixing it.

    -Amanda H.

  • Hi,

    I have now patched NCS to get the build working with relative paths to the key files. I had to patch some more/other files than mentioned in PR https://github.com/nrfconnect/sdk-nrf/pull/16894. Here is my patch:

    ncs2.7.0-signing.patch

    Can you integrate that in the next NCS release?

    Regards,

    Benno

  • Hi, thanks, I encountered the same issue and I solved it with your patch!

  • Adding on to this answer, if you're using custom public keys and custom signing commands (e.g. for externally signing the B0n image), you'll need to also patch that part.

    We're now applying the above patch + those changes.
    3005.ncs2.7.0-signing.patch

    This effectively lets us properly do external signing as well, still using a local script file and a local key.
