sysbuild NCS 2.7 #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"

Hi there, I'm trying to compile a hello world sample with an encrypted bootloader, using this sysbuild configuration:

# Sysbuild configuration file.
# See C:\D\dev\nordicsemi\v2.7.0\nrf\doc\nrf\releases_and_maturity\migration\migration_sysbuild.rst
# Immutable secure bootloader on the application core.
SB_CONFIG_SECURE_BOOT_APPCORE=y

# Immutable secure bootloader for the network core (left disabled here).
#SB_CONFIG_SECURE_BOOT_NETCORE=y

# Enable MCUboot per default for this sample.
SB_CONFIG_BOOTLOADER_MCUBOOT=y

# Key file used to sign images for the immutable bootloader.
# NOTE(review): presumably a private key; if so it should stay out of version
# control and shared folders -- confirm.
SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE="../key15_2_ecdsa-p256.pem"

# The first key is added automatically; these are the additional public keys
# provisioned for future use.
SB_CONFIG_SECURE_BOOT_PUBLIC_KEY_FILES="../key15_3_pub_ecdsa-p256.pem,../key15_4_pub_ecdsa-p256.pem"

# Signature type and signing key for the images that MCUboot validates.
SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="../NCS27_ecdsa-p256.pem"
# Enable image encryption.
# NOTE(review): the aes_ctr.h #error in the build log says that neither the
# MBED_TLS nor the TINYCRYPT backend was defined for the MCUboot image; check
# which crypto backend the MCUboot image's generated .config selects once
# encryption is enabled -- TODO confirm.
SB_CONFIG_BOOT_ENCRYPTION=y
# NOTE(review): the build produces autogen-enckey.c under build/mcuboot/zephyr,
# so key material from this file is compiled into the bootloader; presumably
# this is the private decryption key, in which case firmware confidentiality
# depends on flash readback protection on the device -- confirm.
SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE="../NCS27_1_SK_ecdsa-p256.pem"
# Upgrade mode: swap using scratch; the other modes are explicitly disabled.
SB_CONFIG_MCUBOOT_MODE_SINGLE_APP=n
SB_CONFIG_MCUBOOT_MODE_SWAP_SCRATCH=y
SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=n
SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=n
# Hardware-backed downgrade prevention in MCUboot.
SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION=y

# Allow the network core HCI (IPC) image.
SB_CONFIG_NETCORE_HCI_IPC=y



System build: Use sysbuild

I'm getting these errors:

In file included from C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:33,
                 from C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/src/image_validate.c:44:
C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/aes_ctr.h:19:6: error: #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
   19 |     #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"

C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:45:5: error: unknown type name 'bootutil_aes_ctr_context'
   45 |     bootutil_aes_ctr_context aes_ctr;

and

C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/ext/tinycrypt/lib/source/hmac.c:33:10: fatal error: tinycrypt/hmac.h: No such file or directory
   33 | #include <tinycrypt/hmac.h>

I also tried all these settings  in sysbuild/mcuboot.conf without success:

# Example of sample specific Kconfig changes when building sample with MCUboot
# when using sysbuild.
# NOTE(review): every option below is commented out as shown, so in this form
# none of them reaches the MCUboot build; presumably they were uncommented when
# tested -- confirm.
#CONFIG_MCUBOOT_LOG_LEVEL_WRN=y
#CONFIG_BOOT_UPGRADE_ONLY=n
#CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
#CONFIG_BOOT_ENCRYPT_IMAGE=y
#CONFIG_SINGLE_APPLICATION_SLOT=n
#CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
#CONFIG_BOOT_ECDSA_TINYCRYPT=y

edit: I've got autogen-enckey.c & autogen-pubkey.c at build/mcuboot/zephyr

I also have zephyr.bin, zephyr.signed.bin & zephyr.signed.encrypted.bin at build/myapp/zephyr

I have no more configuration except for a custom board. Can you help? Thanks in advance.

Running nrf connect SDK 2.7.0 and toolchain 2.7.0, VSC 1.93.1, nRF Connect for VS Code v2024.9.87,nRF Connect for VS Code Extension Pack v2024.9.5

  • Sure, this is with nrf5340dk board.

    What I have is this:

    -- Zephyr version: 3.6.99 (C:/D/dev/nordicsemi/v2.7.0/zephyr), build: v3.6.99-ncs2
    [152/201] Building C object CMakeFiles/app.dir/C_/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/src/image_validate.c.obj
    FAILED: CMakeFiles/app.dir/C_/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/src/image_validate.c.obj

    In file included from C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:33,
                     from C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/src/image_validate.c:44:
    C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/aes_ctr.h:19:6: error: #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
       19 |     #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
          |      ^~~~~
    C:/D/dev/nordicsemi/v2.7.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:45:5: error: unknown type name 'bootutil_aes_ctr_context'
       45 |     bootutil_aes_ctr_context aes_ctr;
          |     ^~~~~~~~~~~~~~~~~~~~~~~~

    aaaaaaa

    sysbuild.conf

    # Sysbuild configuration file.
    # See C:\D\dev\nordicsemi\v2.7.0\nrf\doc\nrf\releases_and_maturity\migration\migration_sysbuild.rst
    # Immutable secure bootloader on the application core.
    SB_CONFIG_SECURE_BOOT_APPCORE=y
    # Enable MCUboot per default for this sample.
    SB_CONFIG_BOOTLOADER_MCUBOOT=y
    # Key file used to sign images for the immutable bootloader.
    # NOTE(review): presumably a private key; keep it out of the repository -- confirm.
    SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE="../key15_2_ecdsa-p256.pem"
    # The first key is added automatically; these are the additional keys for future use.
    # NOTE(review): the option takes public key files, but unlike the first
    # listing in this thread these names carry no "_pub" marker; verify that
    # the files hold only public keys.
    SB_CONFIG_SECURE_BOOT_PUBLIC_KEY_FILES="../key15_3_ecdsa-p256.pem,../key15_4_ecdsa-p256.pem"
    # Signature type and signing key for the images that MCUboot validates.
    SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="../NCS27_ecdsa-p256.pem"
    # Enable image encryption. The aes_ctr.h #error in the log above fires when
    # neither the MBED_TLS nor the TINYCRYPT backend is defined for MCUboot.
    SB_CONFIG_BOOT_ENCRYPTION=y
    # NOTE(review): autogen-enckey.c is generated under build/mcuboot/zephyr, so
    # key material from this file ends up inside the bootloader image; presumably
    # the private decryption key -- confirm, and check device readback protection.
    SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE="../NCS27_1_SK_ecdsa-p256.pem"
    # Upgrade mode: swap using scratch; the other modes are explicitly disabled.
    SB_CONFIG_MCUBOOT_MODE_SINGLE_APP=n
    SB_CONFIG_MCUBOOT_MODE_SWAP_SCRATCH=y
    SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=n
    SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=n
    # Hardware-backed downgrade prevention in MCUboot.
    SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION=y
    # Version string assigned to the MCUboot image.
    # NOTE(review): presumably the value the immutable bootloader compares
    # between second-stage images -- confirm.
    SB_CONFIG_SECURE_BOOT_MCUBOOT_VERSION="0.0.0+4"
    # Allow the network core HCI (IPC) image.
    SB_CONFIG_NETCORE_HCI_IPC=y

    prj.conf

    # Flash driver support.
    CONFIG_FLASH=y
    # GPIO driver support.
    CONFIG_GPIO=y
    # Enable the network core (CPUNET) from the application core.
    CONFIG_BOARD_ENABLE_CPUNET=y

    sysbuild/mcuboot.conf

    # Let MCUboot handle upgrades of the nRF53 network core.
    # NOTE(review): the sysbuild.conf listed above does not set
    # SB_CONFIG_SECURE_BOOT_NETCORE; presumably network-core upgrades need a
    # network-core bootloader -- confirm.
    CONFIG_NRF53_UPGRADE_NETWORK_CORE=y

    main.c

    #include <zephyr/kernel.h>

    #include <zephyr/drivers/gpio.h>
    #include <zephyr/logging/log.h>
    LOG_MODULE_REGISTER( mainthr,LOG_LEVEL_DBG);

    int main(void)
    {
            /* Pause between heartbeat dots, in milliseconds. */
            const int period_ms = 10;

            /* Print one dot per period, forever; control never leaves this loop. */
            for (;;) {
                    LOG_PRINTK(".");
                    k_msleep(period_ms);
            }
    }

    I have autogen-enckey.c & autogen-pubkey.c at build/mcuboot/zephyr

    I also have zephyr.bin, zephyr.hex, zephyr.signed.bin, zephyr.signed.hex, zephyr.signed.encrypted.hex & zephyr.signed.encrypted.bin at build/myapp/zephyr

    Tested on Boards: nrf5340dk/nrf5340/cpuapp & nrf5340dk/nrf5340/cpuapp/ns

    Choosing: Use sysbuild.

    Running nrf connect SDK 2.7.0 and toolchain 2.7.0, VSC 1.93.1, nRF Connect for VS Code v2024.9.87,nRF Connect for VS Code Extension Pack v2024.9.5

  • Hi,

    Can you provide your build command and complete build log?
    You can upload the build log as a separate file by clicking on Insert -> Image/Video/File -> Upload.

    Best regards,
    Dejan

  • Hi,

    Thank you for the log. 

    Can you elaborate what you try to achieve with regard to bootloader?

    Which keys have you used? Did you generate them yourself? Where did you put them?

    Best regards,
    Dejan

  • Hi Dejan, I am trying to encrypt the images so that they can be upgraded by OTA DFU.

    I used the keys that you can see in the previous messages (TYPE_ECDSA_P256).

    Yes, I made them myself with imgtool, and they are the same ones we are using with our released product, which is working for more than 50000 users with SDK 2.3.

    I've put them in a folder on the SSD, on the same drive as the project.

    Best,

    JMA
