MCUBoot software based security count download protection not working

MCUboot supports software security count based download protection. But it is found that it is not exposed by nRF SDK. It adds the "--security-counter" argument only if

CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is enabled.

Why this is not exposed ?

Parents

0 Kazi Afroza Sultana 3 hours ago

Hello,

Which application you are working on?

''But it is found that it is not exposed by nRF SDK.'' Could you please elaborate this?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ligo George 3 hours ago in reply to Kazi Afroza Sultana

I am taking about MCUBoot image generation by nRF SDK (e.g. : nrf/cmake/sysbuild/image_signing.cmake).

MCUboot supports software based security counter for downgrade protection. But nRF SDK doesn't allow this, as it sets security counter only if CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION.

We don't want to use hardware based downgrade protection, as it needs more OTP/UICR region.

I have posted the screenshot of image_signing*.cmake file above. I am asking whether this is done on purpose ? or just missed to handle ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Ligo George 3 hours ago in reply to Kazi Afroza Sultana

I am taking about MCUBoot image generation by nRF SDK (e.g. : nrf/cmake/sysbuild/image_signing.cmake).

MCUboot supports software based security counter for downgrade protection. But nRF SDK doesn't allow this, as it sets security counter only if CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION.

We don't want to use hardware based downgrade protection, as it needs more OTP/UICR region.

I have posted the screenshot of image_signing*.cmake file above. I am asking whether this is done on purpose ? or just missed to handle ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data