Migrating child/parent image to sysbuild - MCUBoot with different keys for different boards

Hi.

We are using NCS v2.6.0 in our application and migrating it to v2.7.0.

In v2.6.0 we have used child/parent image for MCUBoot. We are using the same application firmware for different hardware (custom board) and each board has its own private_key.pem.

Our child/parent structure for v2.6.0 is as below,

application
├── CMakeLists.txt
├── prj.conf
├── boards
│   └── arm
│       ├── board_A
│       └── board_B
├── child_image
│   └── mcuboot
│       ├── prj.conf
│       └── boards
│           ├── board_A.conf
│           ├── board_B.conf
│           └── keys
│               ├── board_A.pem
│               └── board_B.pem
└── src

In the above, board_A.conf contains the signature key path.

CONFIG_BOOT_SIGNATURE_KEY_FILE="keys/board_A.pem"

When we build the application for the different boards, the correct signature key file is selected for the particular board. (building application for board_A, board_A.pem key file used to sign the image). 

Now we are migrating the child/parent image to sysbuild. We have changed the structure as below, but in this case, when we build the application, the toolchain selects the default key file from Zephyr root directory. (..\v2.7.0\bootloader\mcuboot\root-xx-xyz.pem)

application
├── CMakeLists.txt
├── prj.conf
├── sysbuild.conf
├── boards
│   └── arm
│       ├── board_A
│       └── board_B
├── sysbuild
│   └── mcuboot
│       ├── prj.conf
│       └── boards
│           ├── board_A.conf
│           ├── board_B.conf
│           └── keys
│               ├── board_A.pem
│               └── board_B.pem
└── src

The following is the sysbuild.conf file:

SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y

SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=n
SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=n

Will you please help us to fix this issue? How can we select different key files for different boards?

Best regards,

Narendra

  • Hi,

    The first thing I want to verify with you is if you're certain that you're using the key that is within the relative path or if you're signing your application with the default key in the SDK. Could you check this?

    I'm uncertain if relative paths work as intended, and instead you should use absolute paths. 

    I will have a closer look at this myself, but in the meantime, please have a look and see if this is the case.

    Kind regards,
    Andreas
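
One way to run the check asked for above on a built image: read the KEYHASH TLV that MCUboot images carry and compare it with each candidate key. This is an added example, not code from the thread or from the SDK. It assumes the KEYHASH value (TLV type 0x01) is the SHA-256 of the signer's DER-encoded public key, and the key bytes and sample image below are constructed stand-ins.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D      # MCUboot image header magic
TLV_INFO_MAGIC = 0x6907       # unprotected TLV area
TLV_PROT_INFO_MAGIC = 0x6908  # protected TLV area (precedes the unprotected one)
TLV_KEYHASH = 0x01            # SHA-256 of the signer's public key


def signing_key_hash(image):
    """Return the KEYHASH TLV value from a signed MCUboot image."""
    magic, _, hdr_size, prot_size, img_size = struct.unpack_from("<IIHHI", image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image")
    off = hdr_size + img_size  # TLVs follow the header and payload
    if prot_size:  # skip the protected TLV area if present
        if struct.unpack_from("<H", image, off)[0] != TLV_PROT_INFO_MAGIC:
            raise ValueError("bad protected TLV magic")
        off += prot_size
    tlv_magic, tot_len = struct.unpack_from("<HH", image, off)
    if tlv_magic != TLV_INFO_MAGIC or off + tot_len > len(image):
        raise ValueError("bad or truncated TLV area")
    end, off = off + tot_len, off + 4
    while off + 4 <= end:
        tlv_type, tlv_len = struct.unpack_from("<HH", image, off)
        off += 4
        if off + tlv_len > end:
            raise ValueError("TLV overruns TLV area")
        if tlv_type == TLV_KEYHASH:
            return image[off:off + tlv_len]
        off += tlv_len
    raise ValueError("no KEYHASH TLV: image is unsigned")


def matching_key(image, public_keys_der):
    """Name of the key whose SHA-256 equals the image's KEYHASH, else None."""
    found = signing_key_hash(image)
    for name, der in public_keys_der.items():
        if hashlib.sha256(der).digest() == found:
            return name
    return None


def constructed_image(signer_der, payload=b"\x00" * 64):
    """Constructed sample: 32-byte header, payload, SHA256 + KEYHASH TLVs."""
    hdr = struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, 32, 0, len(payload), 0, 1, 0, 0, 0, 0)
    tlvs = struct.pack("<HH", 0x10, 32) + hashlib.sha256(hdr + payload).digest()
    tlvs += struct.pack("<HH", TLV_KEYHASH, 32) + hashlib.sha256(signer_der).digest()
    return hdr + payload + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlvs)) + tlvs


# Constructed stand-ins for the DER public keys of board_A.pem, board_B.pem and the SDK default.
KEYS = {"board_A": b"constructed-A", "board_B": b"constructed-B", "sdk_default": b"constructed-default"}
```

A result of `sdk_default` for a board_A build means the per-board key was not picked up; `None` means the image was signed with a key that is not in the candidate set.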
