How can the bin file be encrypted and signed?

Hi,

This configuration is not present in NCS v2.6.1, meaning that encrypted DFU is not supported.

But this unofficial sample which should work for 2.5.x and 2.6.x should give you a pointer for how to add it. Note that it does not support the nRF5340 https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption 

But it is present in 2.9.0-rc1 as far as I can see.

Is app_update.bin a generated encrypted file?

In the latest version of https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/config_and_build/output_build_files.html#common_output_build_files it describes that zephyr.signed.encrypted.bin is used to  create dfu_application.zip for encrypted multi-core DFU updates.

Since 2.9.0-rc1 is just a release candidate, I'm not too familiar with this feature, but I will have a look.

Kind regards,
Andreas

Hi,

After I configured CONFIG_BOOT_ENCRYPT_IMAGE=y, mcuboot did not have enough memory space.

I modified the "pm_static_dfu.yml" file. There seems to be a problem with my program.

How to solve the problems?

pm_static_dfu.7z

Hi,

It seems that my configuration is also 0xF7000. What do you mean by  the gap of 0x4200?

If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

My bad, you are right since you had also modified the start.

Could you upload the build errors you're getting when trying to build with this configuration.

Kind regards,
Andreas

Hi,

The current problem is the previous reply.

That is not the log I'm referring to, but I'm sure the issue is where you're pointing. Could you please enable logging and 

1) Upload the build log

2) Upload the device logs from both bootloader and application

Kind regards,
Andreas

Hi,

The attachment is BUILD LOG, the device will not send any messagebuild log.7z

Can you confirm it for me first?

SunHuang said:

If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

Hi,

The attachment is BUILD LOG, the device will not send any messagebuild log.7z

Can you confirm it for me first?

SunHuang said:

If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

Thank you,

SunHuang said:

Can you confirm it for me first?

SunHuang said:

If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

MCUboot supports encrypted DFU, but there's not support for it in the SDK v2.6.1 out of the box.

The sample in the unofficial repository you refer to shows how you can modify the firmware to have encrypted DFU (https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption) in NCS v2.6.1.

warning: MBEDTLS (defined at soc/arm/nxp_imx\rt5xx\Kconfig.defconfig.series:63,
soc/arm/nxp_imx\rt6xx\Kconfig.defconfig.series:64, soc/arm/nxp_imx\rt\Kconfig.defconfig.series:117,
C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.mbedtls_minimal.defconfig:7,
C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.psa.defconfig:1,
C:/ncs/v2.6.1/zephyr/modules/mbedtls/Kconfig:17, modules\mbedtls\Kconfig:17) was assigned the value
'y' but got the value 'n'. See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS
and/or look up MBEDTLS in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.


warning: PM (defined at soc/arm/silabs_exx32\efr32bg22\Kconfig.defconfig.series:18,
soc/arm/silabs_exx32\efr32bg27\Kconfig.defconfig.series:18,
soc/arm/silabs_exx32\efr32mg24\Kconfig.defconfig.series:19,
soc/arm/st_stm32\stm32f4\Kconfig.defconfig.series:20, subsys/pm/Kconfig:13) was assigned the value
'y' but got the value 'n'. Check these unsatisfied dependencies: ((SOC_SERIES_EFR32BG22 &&
SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32BG27 && SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32MG24 &&
SOC_FAMILY_EXX32) || SOC_SERIES_STM32F4X || (SYS_CLOCK_EXISTS && HAS_PM)) (=n). See
http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_PM and/or look up PM in the
menuconfig/guiconfig interface. The Application Development Primer, Setting Configuration Values,
and Kconfig - Tips and Best Practices sections of the manual might be helpful too.


warning: BT_CTLR_SDC_PERIPHERAL_COUNT (defined at
C:/ncs/v2.6.1/nrf\subsys\bluetooth\controller/Kconfig:123) was assigned the value '3' but got the
value ''. Check these unsatisfied dependencies: BT_LL_SOFTDEVICE (=n), BT_CTLR (=n). See
http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_BT_CTLR_SDC_PERIPHERAL_COUNT and/or look up
BT_CTLR_SDC_PERIPHERAL_COUNT in the menuconfig/guiconfig interface. The Application Development
Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
might be helpful too.


warning: Experimental symbol GPIO_ENABLE_DISABLE_INTERRUPT is enabled.

There's 4 warnings in the build configuration that is not present when building the default lock sample in the SDK. I recommend you to clear these up to reduce the possibility that this is an XY problem.

And have you managed to get this working on a sample that is less complex than the Matter door lock? I understand that your end goal is to get it up and running for this app, but I would suggest you verify that it works on a minimal sample first to avoid any XY situations

Kind regards,
Andreas

Hi,

I have solved 3 warnings, "GPIO_ENABLE_DISABLE_INTERRUPT" I have to use, otherwise it will affect the interrupt function.

pm_static has not been solved yet. Which example do you recommend for testing?

Hi,

The issues seems to be devicetree related, and not strictly related to your static partitioning yaml. The setup of the external flash seems to be having some issues with some of the items in the flash device. Could you share your overlay/board files showing how you've set up the external flash?

Kind regards,
Andreas

Hi,

Is this what you want?

&spi3
{
    compatible = "nordic,nrf-spim";
    status = "okay";
    cs-gpios = <&gpio0 18 GPIO_ACTIVE_LOW>;
    pinctrl-0 = <&spi3_default>;
    pinctrl-1 = <&spi3_sleep>;
    pinctrl-names = "default", "sleep";
    mx25r64: mx25r6435f@0
    {
        compatible = "jedec,spi-nor";
        status = "okay";
        reg = <0>;
        spi-max-frequency = <8000000>;
        label = "MX25R64";
        jedec-id = [20 00 16];
        sfdp-bfp =
        [
            53 46 44 50  08 01 00 FF  00 08 01 14  10 00 00 FF
            F5 20 C1 FF  FF FF FF 01  00 00 08 6B  08 3B 00 00
            EE FF FF FF  FF FF 00 00  FF FF 00 00  09 DB 0C 20
            10 D8 00 00  04 08 0C 00  90 F3 0E 00  00 00 00 80
        ];
        size = <67108864>;
        has-dpd;                                                                       // deep power
        t-enter-dpd = <10000>;
        t-exit-dpd = <35000>;
        wp-gpios = <&gpio0 15 (GPIO_ACTIVE_HIGH)>;
    };
};

Hi,

Yes, I believe so. In line 15 you see that you have a "label" property. This is marked as "deprecated", i.e its not required or has changed.

The second item that I believe might be present in the same file and/or elsewhere in your definition is the "vendor prefix" that is unknown. Do you know if building works if you don't have this vendor prefix "sunion"?

Kind regards,
Andreas