NCS v2.7.0 and sysbuild system.
I'm looking for some clarification about Secure Boot and implementing a custom signing command.
What is the difference between secure boot and the signing that happens when you just set BOOT_SIGNATURE_KEY_FILE="/path/to/key.pem"?
Examining the scripts in `nrf/scripts/bootloaders/`, it appears that all of the signing and verification functions are expecting ECDSA keys, which I was unable to find anywhere in the documentation. Is there a way to get this to work with RSA keys? Or is ECDSA my only option?
The documentation (https://github.com/nrfconnect/sdk-nrf/blob/a8ea23813b59e40e5999636063b15d629eea373f/sysbuild/Kconfig.secureboot#L73) says that the output of the signing function should be in DER format.
When I ran this signing command that output an actual DER-formatted signature, the build system threw an error that it was expecting a 64-byte signature, i.e. just the R and S values of the signature. When I modified the code to write the R and S values, it worked as expected.
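```python
import sys

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

# private_key (an EC private key) and data (the bytes to sign) are loaded earlier in the script.
signature = private_key.sign(data, ec.ECDSA(hashes.SHA256()))
# This is the DER-formatted signature. It would be 70 bytes
# sys.stdout.buffer.write(signature)
# Instead, extract the R and S values and print them to stdout
r, s = decode_dss_signature(signature)
r_bytes = r.to_bytes(32, "big")
s_bytes = s.to_bytes(32, "big")
sig = bytearray(r_bytes)
sig.extend(s_bytes)
sys.stdout.buffer.write(sig)
sys.stdout.flush()
```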
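An added example, not part of the original post or of the nRF Connect SDK: a standard-library-only converter between the two encodings discussed above, DER `ECDSA-Sig-Value` and the raw 64-byte `r || s` form, that rejects malformed or out-of-range input before it reaches a build step. The function names and the sample value are hypothetical, and the curve is assumed to be P-256, as the 32-byte R and S values imply.

```python
# Added example: all names here are hypothetical, not taken from the SDK scripts.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed sample: r has its top bit set, s has a leading zero byte.
SAMPLE_RAW = b"\x80" + b"\x11" * 31 + b"\x00" + b"\x22" * 31

def _read_int(buf, pos):
    """Read one DER INTEGER starting at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 33 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER padding")
    return int.from_bytes(body, "big"), pos + 2 + length

def der_to_raw(der):
    """Strictly parse SEQUENCE { INTEGER r, INTEGER s } into 32-byte r || 32-byte s."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE of the stated length")
    r, pos = _read_int(der, 2)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    if not (0 < r < P256_N and 0 < s < P256_N):
        raise ValueError("r or s outside [1, n-1]")
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def raw_to_der(raw):
    """Encode a 64-byte r || s signature as a DER ECDSA-Sig-Value."""
    if len(raw) != 64:
        raise ValueError("raw P-256 signature must be 64 bytes")
    out = b""
    for half in (raw[:32], raw[32:]):
        body = half.lstrip(b"\x00") or b"\x00"
        if body[0] & 0x80:
            body = b"\x00" + body  # pad so the INTEGER stays positive
        out += bytes([0x02, len(body)]) + body
    return bytes([0x30, len(out)]) + out
```

The DER length depends on the leading bytes of R and S, so a consumer that wants a fixed 64 bytes has to receive the raw form.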