Custom Signing Function

Hi,

We got two different bootloaders:
MCUboot and Nordic Secure Immutable Bootloader (NSIB).
Which one of these do you refer to?

How many bootloaders do you plan to use?

For general info, see our bootloader docs.

Regards,
Sigurd Hellesvik

Ahh, okay I see where the confusion is.  I was under the impression that I was using MCUboot, but I see that enabling CONFIG_SECURE_BOOT is enabling the NSIB.  I think I just saw the custom signing script and jumped to implementation.

I don't need two bootloader necessarily, but my current implementation is relying on mcuboot style image headers for updates and I'm running code in direct XIP mode with a primary and secondary slot from internal flash only.

I do require a custom signing command, as my code is signed by a HSM and I don't have access to the private key.

I'm pretty flexible at the moment, so with those requirements in mind, can you suggest a path forward?

I recommend using only MCUboot if you want just one bootloader.

MCUboot does not have a feature to input the public key, so this must be done manually. It is not an issue, just a bit finicky.

I did a sample for it here:

MCUBoot sample using SMP Server and manually signed images.

Is this what you need?

PS: The sample uses the old multi-image build system, and thus the configuration method will be some changes with sysbuild.
I beleive that for the most part, you can just rename the child_image/ folder to sysbuild/, and then move some stuff from prj.conf to sysbuild.conf. See Sysbuild migration guide for more in depth info, and this other sample where I have converted one of my samples to sysbuild so far.

I think I will need to write my own image signing script, because the pub/priv keys are stored in a cloud HSM.  This just popped up the related section, so it seems like others are trying to do this as well.  
AWS Key Management System - DFU Package Signing

It would be nice to include a feature to imgtool where a user can implement custom `get_pub_key` and `sign` functions

The post you found is for the old SDK, so it is not as relevant.
But yes, this is something other users have asked about earlier as well.

That being said, I find it a bit strange that you are unable to get the public key out of your system. It is after all public.

But oh well, you work with what you got.
To make your own signing functionality, imgtool is open source, so you can have a look at its source code.

To understand the MCUboot image layout which you need to achieve, see https://www.youtube.com/watch?v=qMMD0WcKShc.

I can get the public key out of the system and store it as a file.  The issue is that when I actually need to do the signature from an HSM it isn't just a file that I can load.  We're using a cloud based HSM, so I need to make an API call to my cloud service to generate the signature. 

If we were using a local HSM (like a yubi key, for instance) we'd still need to use some sort of library to load the key reference, for example https://python-pkcs11.readthedocs.io/en/latest/index.html

The way that you guys included the SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND option for the nordic bootloader is wonderful, and is exactly what I was looking for, but I think I'm stuck with mcuboot at the moment so I'll probably just modify the imgtool to do what I need it to do.

Thank you!

Roedy said:

I can get the public key out of the system and store it as a file.  The issue is that when I actually need to do the signature from an HSM it isn't just a file that I can load.  We're using a cloud based HSM, so I need to make an API call to my cloud service to generate the signature. 

If we were using a local HSM (like a yubi key, for instance) we'd still need to use some sort of library to load the key reference, for example https://python-pkcs11.readthedocs.io/en/latest/index.html

Right, that makes it harder then.

Roedy said:

The way that you guys included the SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND option for the nordic bootloader is wonderful, and is exactly what I was looking for, but I think I'm stuck with mcuboot at the moment so I'll probably just modify the imgtool to do what I need it to do.

I agree that this seems like the way.
Thanks for the feedback on this though; I will forward it to our bootloader team.

Roedy said:

I can get the public key out of the system and store it as a file.  The issue is that when I actually need to do the signature from an HSM it isn't just a file that I can load.  We're using a cloud based HSM, so I need to make an API call to my cloud service to generate the signature. 

If we were using a local HSM (like a yubi key, for instance) we'd still need to use some sort of library to load the key reference, for example https://python-pkcs11.readthedocs.io/en/latest/index.html

Right, that makes it harder then.

Roedy said:

The way that you guys included the SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND option for the nordic bootloader is wonderful, and is exactly what I was looking for, but I think I'm stuck with mcuboot at the moment so I'll probably just modify the imgtool to do what I need it to do.

I agree that this seems like the way.
Thanks for the feedback on this though; I will forward it to our bootloader team.

Mentioning this to the devs, they agree that modifying imgtool is the best way. But to give you a possible alternative, they say:

"

for mcuboot they can use a custom signing script, they'd want to base it off whichever one they are using (which depends on the mode of their application) https://github.com/nrfconnect/sdk-nrf/tree/main/cmake/sysbuild one of the image_signing files, they would need to set this from sysbuild, doing so is a bit convoluted... Modifying imgtool is probably what they would want anyway

"

Thanks Sigurd, I appreciate all of the insight.