Custom Signing Function

NCS v2.7.0 and sysbuild system.

I'm looking for some clarification about Secure Boot and implementing a custom signing command.

What is the difference between secure boot and the signing that happens when you just set BOOT_SIGNATURE_KEY_FILE="/path/to/key.pem"? 

Examining the scripts in `nrf/scripts/bootloaders/` it appears that all of the signing and verification functions are expecting ECDSA keys, which I was unable to find anywhere in the documentation.  Is there a way to get this to work with RSA keys? Or is ECDSA my only option?

The documentation (https://github.com/nrfconnect/sdk-nrf/blob/a8ea23813b59e40e5999636063b15d629eea373f/sysbuild/Kconfig.secureboot#L73) says that the output of the signing function should be in DER format.  

When I ran this signing command that output an actual DER formatted signature, the build system threw an error that it was expecting a 64 byte signature, i.e. just the R and S values of the signature.  When I modified the code to write the R and S values it worked as expected.

    import sys

    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

    # `private_key` (an EllipticCurvePrivateKey) and `data` (the bytes to sign)
    # are loaded earlier in the script and omitted here.
    signature = private_key.sign(data, ec.ECDSA(hashes.SHA256()))

    # This is the DER formatted signature (typically 70 to 72 bytes for P-256).
    # sys.stdout.buffer.write(signature)

    # Instead, extract the R and S values and write them to stdout as raw r||s
    r, s = decode_dss_signature(signature)

    # Fixed 32-byte big-endian encoding of each value, so the output is always 64 bytes
    r_bytes = r.to_bytes(32, "big")
    s_bytes = s.to_bytes(32, "big")
    sig = bytearray(r_bytes)
    sig.extend(s_bytes)

    sys.stdout.buffer.write(sig)
    sys.stdout.flush()
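Added example, not code from the original post or from the nRF Connect SDK: a dependency-free converter between the DER `SEQUENCE { INTEGER r, INTEGER s }` signature that HSM tools such as openssl emit and the fixed 64-byte r||s form the build expected. It assumes a P-256 key (32-byte r and s); the size is a parameter for other curves, and the DER parser rejects malformed input rather than guessing.

```python
# Constructed default for P-256; pass another size for other curves.
COORD_LEN = 32
from typing import Tuple

def _read_der_int(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse one DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length = buf[pos + 1]
    if length & 0x80:  # long-form lengths do not occur for P-256 signatures
        raise ValueError("unexpected long-form length")
    start = pos + 2
    value = int.from_bytes(buf[start:start + length], "big")
    return value, start + length

def der_to_raw(der: bytes, coord_len: int = COORD_LEN) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s } -> r||s, each left-padded to coord_len."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad SEQUENCE length")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    # to_bytes raises OverflowError if r or s does not fit, catching a wrong curve size
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")

def _der_int(value: int) -> bytes:
    """Minimal DER INTEGER: shortest big-endian form, leading 0x00 if the high bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

def raw_to_der(raw: bytes, coord_len: int = COORD_LEN) -> bytes:
    """Inverse of der_to_raw, e.g. to hand a raw signature back to openssl for verification."""
    if len(raw) != 2 * coord_len:
        raise ValueError(f"expected a {2 * coord_len}-byte r||s signature")
    r = int.from_bytes(raw[:coord_len], "big")
    s = int.from_bytes(raw[coord_len:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    # Filter usage: DER signature on stdin, raw 64-byte signature on stdout.
    import sys
    sys.stdout.buffer.write(der_to_raw(sys.stdin.buffer.read()))
```

Because DER strips leading zero bytes and prepends 0x00 when the high bit is set, the DER length varies while the raw form is always 64 bytes, which is why the build rejected the DER output.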

  • Hi,

    We got two different bootloaders:
    MCUboot and Nordic Secure Immutable Bootloader (NSIB).
    Which one of these do you refer to?

    How many bootloaders do you plan to use?

    For general info, see our bootloader docs.

    Regards,
    Sigurd Hellesvik

  • Ahh, okay I see where the confusion is.  I was under the impression that I was using MCUboot, but I see that enabling CONFIG_SECURE_BOOT is enabling the NSIB.  I think I just saw the custom signing script and jumped to implementation.

    I don't need two bootloaders necessarily, but my current implementation is relying on mcuboot style image headers for updates and I'm running code in direct XIP mode with a primary and secondary slot from internal flash only.

    I do require a custom signing command, as my code is signed by an HSM and I don't have access to the private key.

    I'm pretty flexible at the moment, so with those requirements in mind, can you suggest a path forward?
