-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE in command line causes error due to malformatted string

Hello

I would like to sign an image temporarily with west CMake options as described in Enabling a bootloader chain using sysbuild using the command line:

-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"priv.pem\"

In its final state I would like to specify an absolute path, where the keyfile is stored. It seems as if I am not able to provide the proper format for the path value "D:\priv.pem".

I applied this also to the example "sysbuild\with_MCUboot" and use the nrf sdk v2.7.0. The result is still a malformed string.

 

PS C:\Users\User1> west build --pristine  --sysbuild  -b nrf52840dk/nrf52840 with_mcuboot  -d with_mcuboot/build -- -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"D:\priv.pem\" 
-- west build: making build dir C:\Users\User1\with_mcuboot\build pristine
-- west build: generating a build system
Loading Zephyr module(s) (Zephyr base): sysbuild_default
-- Found Python3: C:/ncs/toolchains/ce3b5ff664/opt/bin/python.exe (found suitable version "3.9.13", minimum required is "3.8") found components: Interpreter 
-- Cache files will be written to: C:/ncs/v2.7.0/zephyr/.cache
-- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
-- Board: nrf52840dk, qualifiers: nrf52840

C:/Users/User1/with_mcuboot/build/zephyr/misc/generated/extra_kconfig_options.conf:2: warning: malformed string literal in assignment to BOOT_SIGNATURE_KEY_FILE (defined at C:/ncs/v2.7.0/zephyr/share/sysbuild\images\bootloader/Kconfig:58). Assignment ignored.Parsing C:/ncs/v2.7.0/zephyr/share/sysbuild/Kconfig
Loaded configuration 'C:/Users/User1/with_mcuboot/build/_sysbuild/empty.conf'
Merged configuration 'C:/Users/User1/with_mcuboot/sysbuild.conf'
Merged configuration 'C:/Users/User1/with_mcuboot/build/zephyr/misc/generated/extra_kconfig_options.conf'


error: Aborting due to Kconfig warnings

CMake Error at C:/ncs/v2.7.0/zephyr/cmake/modules/kconfig.cmake:392 (message):
  command failed with return code: 1
Call Stack (most recent call first):
  cmake/modules/sysbuild_kconfig.cmake:101 (include)
  cmake/modules/sysbuild_default.cmake:17 (include)
  C:/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
  C:/ncs/v2.7.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
  C:/ncs/v2.7.0/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
  template/CMakeLists.txt:10 (find_package)


-- Configuring incomplete, errors occurred!
See also "C:/Users/User1/with_mcuboot/build/CMakeFiles/CMakeOutput.log".
FATAL ERROR: command exited with status 1: 'C:\ncs\toolchains\ce3b5ff664\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/ncs/toolchains/ce3b5ff664/opt/bin/python.exe '-BC:\Users\User1\with_mcuboot\build' -GNinja -DBOARD=nrf52840dk/nrf52840 '-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\E:\priv.pem\' '-SC:\ncs\v2.7.0\zephyr\share\sysbuild' '-DAPP_DIR:PATH=C:\Users\User1\with_mcuboot'

Setting the absolute path in the sysbuild.conf (SB_CONFIG_BOOT_SIGNATURE_KEY_FILE) compiles without error. I tried a lot of combinations but don't seem to get this to work. Also placing the priv.pm in the west topdir and using the example =\"priv.pem\" is not working.

Any idea what I am doing wrong?

Parents
  • Hi,

    Just as a sanity check, could you retrace the steps in https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_adding_sysbuild.html and verify that you've seen the "note", i.e 

    "

    The public key string must contain a list of files where each item can be indicated as follows:

    • Using the relative path to a file from the application configuration directory. When not specified, it is assumed as the default application source directory.

    • Using the absolute path to a file.

    Environment variables (like $HOME, $PWD, or $USER) and the ~ character on Unix systems are not expanded when setting an absolute path from a sysbuild.conf file but are expanded correctly in key file paths from the command line that are not given as strings."

    I see that you've used the absolute path in "D:\priv.pem". Could you verify if you mean that you've also tried it in-tree when you say "Also placing the priv.pm in the west topdir and using the example =\"priv.pem\" is not working."?

    Kind regards,
    Andreas

Children
  • Yes, I have seen the "note" and think I adhere to it. I try to use an absolute path and I am not using environment variables.

    I tried both absolute path and in tree.

    Adding the following line to sysbuild.conf:

    SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="D:/priv.pem"

    will successfully build the application. However, I would like to be more flexible and specify the key to be used for signing during the west build command in the command line.

    My overall goal is to configure MCUboot as an immutable bootloader. If I build the application with the following command:

    west build --pristine  --sysbuild  -b nrf52840dk/nrf52840 .\  --build-dir build 

    I would like the signing to be done with the standard keys MCUboot ships with. Only if specified during the build process I would like to link the private key file "priv.pem".

    However, adding the "-DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=" option to the build command, the build fails with the failure message in my initial post.

    I tried several options, e.g. only specifying the -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE in the command line

    west build --pristine  --sysbuild  -b nrf52840dk/nrf52840 .\  --build-dir build -- -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"priv.pem\" 

    or setting further options (like shown in the documentation):

    west build --pristine  --sysbuild  -b nrf52840dk/nrf52840 .\  --build-dir build -- -DSB_CONFIG_BOOTLOADER_MCUBOOT=y -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"priv-ecdsa256.pem\"   -DSB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y

    I also tried both in-tree key files as well as  the absolute path to these files.

    Placing the file into the  west topdir (or the application configuration directory) and using the example \"priv.pem\" is not working.

    Any ideas of what I am doing wrong?

    Two notes/questions on the documentation you cited Enabling a bootloader chain using sysbuild:

    • The article is regarding enabling bootloader with sysbuild, however, the "west build" commands  shown as examples neglect the "--sysbuild" option. This would  indeed successfully run the build process with the following warning:
      CMake Warning at C:/ncs/v2.7.0/zephyr/cmake/modules/extensions.cmake:3437 (message):
        Project 'with_mcuboot' is designed for sysbuild.
      
        For correct user-experiences, please build 'with_mcuboot' using sysbuild.
      Call Stack (most recent call first):
        CMakeLists.txt:11 (test_sysbuild)
      
      
      -- Configuring done
      -- Generating done
      CMake Warning:
        Manually-specified variables were not used by the project:
      
          SB_CONFIG_BOOT_SIGNATURE_KEY_FILE
      

      This would not build mcuboot as intended. 
      Is it intended to not use  "--sysbuild" in the shown examples?
    • The "note" box you cite speaks of a public key string, even though in the context I would assume it rather related to a private key?
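Added example, not part of the thread and not SDK code: a small Python check that applies Kconfig's string-literal rule to the key-file values seen above, showing why the value that reached CMake is rejected and why a quoted path with a single backslash would parse but change. The two regular expressions and the function name are assumptions written for this illustration, and the sample lines are constructed from the values quoted in the thread.

```python
import re

# Assumption: patterns written for this example to mirror Kconfig's rule for
# string symbols in a .conf file: a double-quoted literal in which a backslash
# escapes the following character. Not code from the SDK or from the thread.
_STRING = re.compile(r'"((?:[^\\"]|\\.)*)"')
_ESCAPE = re.compile(r"\\(.)")


def check_key_assignment(line):
    """Return (status, value) for one 'SYMBOL=<value>' line.

    status: 'malformed'      -> value is not a quoted string literal
            'backslash-lost' -> parses, but a lone backslash was eaten as an escape
            'ok'             -> parses and the path survives unchanged
    """
    name, sep, raw = line.strip().partition("=")
    if not sep or not name:
        raise ValueError("not an assignment: %r" % line)
    m = _STRING.fullmatch(raw.strip())
    if m is None:
        return "malformed", None
    inner = m.group(1)
    value = _ESCAPE.sub(r"\1", inner)
    # Escapes other than \\ and \" drop the backslash, which silently
    # rewrites a Windows path separator.
    eaten = [c for c in _ESCAPE.findall(inner) if c not in '\\"']
    return ("backslash-lost" if eaten else "ok"), value


SYM = "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE"
# Constructed lines; the first three values come from the thread, the last is
# a doubled-backslash variant added for comparison.
SAMPLES = [
    SYM + "=\\E:\\priv.pem\\",     # as it appears in the failing cmake call
    SYM + '="D:/priv.pem"',        # the sysbuild.conf line that builds
    SYM + '="D:\\priv.pem"',       # quoted, single backslash
    SYM + '="D:\\\\priv.pem"',     # quoted, doubled backslash
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_key_assignment(s))
```

Running a check like this on the generated extra_kconfig_options.conf line before a release build shows whether the intended private key path, rather than a default, is the one the build will see.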