How can the bin file be encrypted and signed?

Hi,

The SDK version I am using is 2.6.1 and the example is "matter lock".

I wrote the following configuration into \child_image\mcuboot\prj.conf.

CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
CONFIG_BOOT_ENCRYPT_IMAGE=y
 

And I added the code to CMakeLists.txt. Are these steps correct?

Is app_update.bin a generated encrypted file?

set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/priv.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/encryption_key.pem\")

  • Hi,

    This configuration is not present in NCS v2.6.1, meaning that encrypted DFU is not supported.

      

    But this unofficial sample, which should work for 2.5.x and 2.6.x, should give you a pointer for how to add it. Note that it does not support the nRF5340: https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption

    But it is present in 2.9.0-rc1 as far as I can see.

    Is app_update.bin a generated encrypted file?

    In the latest version of https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/config_and_build/output_build_files.html#common_output_build_files it describes that zephyr.signed.encrypted.bin is used to create dfu_application.zip for encrypted multi-core DFU updates.

    Since 2.9.0-rc1 is just a release candidate, I'm not too familiar with this feature, but I will have a look.

    Kind regards,
    Andreas
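
A way to check whether a generated .bin is actually signed and/or encrypted, as an added example that is not part of the thread or of the nRF Connect SDK: it parses the MCUboot image header and TLV trailer and reports the signature TLVs, the encryption-key TLV and the encrypted flag. The function names `inspect_image` and `build_sample` are hypothetical, the constants follow the upstream MCUboot image format, and the sample images are constructed dummies.

```python
import struct

# Constants from the upstream MCUboot image format (bootutil image.h).
IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGIC, TLV_PROT_INFO_MAGIC = 0x6907, 0x6908
ENC_FLAGS = 0x04 | 0x08  # IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256
SIG_TLVS = {0x20: "RSA2048_PSS", 0x22: "ECDSA_SIG", 0x23: "RSA3072_PSS", 0x24: "ED25519"}
ENC_TLVS = {0x30: "ENC_RSA2048", 0x31: "ENC_KW", 0x32: "ENC_EC256", 0x33: "ENC_X25519"}

def inspect_image(blob):
    """Report the signature/encryption markers found in an MCUboot image."""
    if len(blob) < 32:
        raise ValueError("too short for an MCUboot header")
    magic, _load, hdr_size, prot_size, img_size, flags = struct.unpack_from("<IIHHII", blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image (bad magic)")
    off, sigs, encs = hdr_size + img_size, [], []
    # A protected TLV area (if present) precedes the unprotected one.
    for expected in ([TLV_PROT_INFO_MAGIC] if prot_size else []) + [TLV_INFO_MAGIC]:
        if off + 4 > len(blob):
            raise ValueError("truncated TLV area")
        info_magic, total = struct.unpack_from("<HH", blob, off)
        if info_magic != expected or total < 4 or off + total > len(blob):
            raise ValueError("malformed TLV area")
        pos, end = off + 4, off + total
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", blob, pos)
            if pos + 4 + length > end:
                raise ValueError("TLV overruns its area")
            if tlv_type in SIG_TLVS:
                sigs.append(SIG_TLVS[tlv_type])
            if tlv_type in ENC_TLVS:
                encs.append(ENC_TLVS[tlv_type])
            pos += 4 + length
        off = end
    return {"signed": sigs, "key_tlv": encs, "encrypted_flag": bool(flags & ENC_FLAGS)}

def build_sample(flags, tlvs):
    # Constructed dummy image: 32-byte header, 16-byte payload, unprotected TLVs.
    body = b"\xAA" * 16
    hdr = struct.pack("<IIHHII", IMAGE_MAGIC, 0, 32, 0, len(body), flags) + bytes(12)
    area = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in tlvs)
    return hdr + body + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(area)) + area

if __name__ == "__main__":
    print(inspect_image(build_sample(0, [(0x10, bytes(32)), (0x20, bytes(256))])))
    print(inspect_image(build_sample(0x04, [(0x20, bytes(256)), (0x30, bytes(256))])))
```

An image with a signature TLV but no key TLV and no encrypted flag is signed only; its payload is plaintext.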

  • Hi,

    After I configured CONFIG_BOOT_ENCRYPT_IMAGE=y, mcuboot did not have enough memory space.

    I modified the "pm_static_dfu.yml" file. There seems to be a problem with my program.

    How can I solve these problems?

    pm_static_dfu.7z

  • My bad, you are right since you had also modified the start.

    Could you upload the build errors you're getting when trying to build with this configuration?

    Kind regards,
    Andreas

  • Hi,

    The current problem is the previous reply.

    That is not the log I'm referring to, but I'm sure the issue is where you're pointing. Could you please enable logging and:

    1) Upload the build log

    2) Upload the device logs from both bootloader and application

    Kind regards,
    Andreas

  • Hi,

    The attachment is the build log; the device will not send any message.

    build log.7z

    Can you confirm it for me first?

    If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

  • Thank you,

    SunHuang said:

    Can you confirm it for me first?

    If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

    MCUboot supports encrypted DFU, but there's no support for it in the SDK v2.6.1 out of the box.

    The sample in the unofficial repository you refer to shows how you can modify the firmware to have encrypted DFU (https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption) in NCS v2.6.1.

    warning: MBEDTLS (defined at soc/arm/nxp_imx\rt5xx\Kconfig.defconfig.series:63,
    soc/arm/nxp_imx\rt6xx\Kconfig.defconfig.series:64, soc/arm/nxp_imx\rt\Kconfig.defconfig.series:117,
    C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.mbedtls_minimal.defconfig:7,
    C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.psa.defconfig:1,
    C:/ncs/v2.6.1/zephyr/modules/mbedtls/Kconfig:17, modules\mbedtls\Kconfig:17) was assigned the value
    'y' but got the value 'n'. See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS
    and/or look up MBEDTLS in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: PM (defined at soc/arm/silabs_exx32\efr32bg22\Kconfig.defconfig.series:18,
    soc/arm/silabs_exx32\efr32bg27\Kconfig.defconfig.series:18,
    soc/arm/silabs_exx32\efr32mg24\Kconfig.defconfig.series:19,
    soc/arm/st_stm32\stm32f4\Kconfig.defconfig.series:20, subsys/pm/Kconfig:13) was assigned the value
    'y' but got the value 'n'. Check these unsatisfied dependencies: ((SOC_SERIES_EFR32BG22 &&
    SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32BG27 && SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32MG24 &&
    SOC_FAMILY_EXX32) || SOC_SERIES_STM32F4X || (SYS_CLOCK_EXISTS && HAS_PM)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_PM and/or look up PM in the
    menuconfig/guiconfig interface. The Application Development Primer, Setting Configuration Values,
    and Kconfig - Tips and Best Practices sections of the manual might be helpful too.
    
    
    warning: BT_CTLR_SDC_PERIPHERAL_COUNT (defined at
    C:/ncs/v2.6.1/nrf\subsys\bluetooth\controller/Kconfig:123) was assigned the value '3' but got the
    value ''. Check these unsatisfied dependencies: BT_LL_SOFTDEVICE (=n), BT_CTLR (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_BT_CTLR_SDC_PERIPHERAL_COUNT and/or look up
    BT_CTLR_SDC_PERIPHERAL_COUNT in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.
    
    
    warning: Experimental symbol GPIO_ENABLE_DISABLE_INTERRUPT is enabled.

    There are 4 warnings in the build configuration that are not present when building the default lock sample in the SDK. I recommend that you clear these up to reduce the possibility that this is an XY problem.

    And have you managed to get this working on a sample that is less complex than the Matter door lock? I understand that your end goal is to get it up and running for this app, but I would suggest you verify that it works on a minimal sample first to avoid any XY situations.

    Kind regards,
    Andreas

  • Hi,

    I have solved 3 warnings. I have to use "GPIO_ENABLE_DISABLE_INTERRUPT"; otherwise it will affect the interrupt function.

    pm_static has not been solved yet. Which example do you recommend for testing?

  • Hi,

    The issue seems to be devicetree related, and not strictly related to your static partitioning yaml. The setup of the external flash seems to be having some issues with some of the items in the flash device. Could you share your overlay/board files showing how you've set up the external flash?

    Kind regards,
    Andreas

  • Hi,

    Is this what you want?

    &spi3
    {
        compatible = "nordic,nrf-spim";
        status = "okay";
        cs-gpios = <&gpio0 18 GPIO_ACTIVE_LOW>;
        pinctrl-0 = <&spi3_default>;
        pinctrl-1 = <&spi3_sleep>;
        pinctrl-names = "default", "sleep";
        mx25r64: mx25r6435f@0
        {
            compatible = "jedec,spi-nor";
            status = "okay";
            reg = <0>;
            spi-max-frequency = <8000000>;
            label = "MX25R64";
            jedec-id = [20 00 16];
            sfdp-bfp =
            [
                53 46 44 50  08 01 00 FF  00 08 01 14  10 00 00 FF
                F5 20 C1 FF  FF FF FF 01  00 00 08 6B  08 3B 00 00
                EE FF FF FF  FF FF 00 00  FF FF 00 00  09 DB 0C 20
                10 D8 00 00  04 08 0C 00  90 F3 0E 00  00 00 00 80
            ];
            size = <67108864>;
            has-dpd; // deep power
            t-enter-dpd = <10000>;
            t-exit-dpd = <35000>;
            wp-gpios = <&gpio0 15 (GPIO_ACTIVE_HIGH)>;
        };
    };

  • Hi,

    Yes, I believe so. In line 15 you see that you have a "label" property. This is marked as "deprecated", i.e. it's not required or has changed.

    The second item that I believe might be present in the same file and/or elsewhere in your definition is the "vendor prefix" that is unknown. Do you know if building works if you don't have this vendor prefix "sunion"?

    Kind regards,
    Andreas
