How can the bin file be encrypted and signed?

Hi,

The SDK version I am using is 2.6.1 and the example is "matter lock".

I wrote the following configuration into \child_image\mcuboot\prj.conf.

CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
CONFIG_BOOT_ENCRYPT_IMAGE=y

And add the code to CMakeLists.txt. Are these steps correct?

Is app_update.bin a generated encrypted file?

set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/priv.pem\")
set(mcuboot_CONFIG_BOOT_ENCRYPTION_KEY_FILE \"${CMAKE_CURRENT_SOURCE_DIR}/encryption_key.pem\")

  • Hi,

    This configuration is not present in NCS v2.6.1, meaning that encrypted DFU is not supported.

      

    But this unofficial sample which should work for 2.5.x and 2.6.x should give you a pointer for how to add it. Note that it does not support the nRF5340. https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption

    But it is present in 2.9.0-rc1 as far as I can see.

    Is app_update.bin a generated encrypted file?

    In the latest version of https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/config_and_build/output_build_files.html#common_output_build_files it describes that zephyr.signed.encrypted.bin is used to create dfu_application.zip for encrypted multi-core DFU updates.

    Since 2.9.0-rc1 is just a release candidate, I'm not too familiar with this feature, but I will have a look.

    Kind regards,
    Andreas

  • Hi,

    After I configured CONFIG_BOOT_ENCRYPT_IMAGE=y, mcuboot did not have enough memory space.

    I modified the "pm_static_dfu.yml" file. There seems to be a problem with my program.

    How to solve the problems?

    pm_static_dfu.7z

  • That is not the log I'm referring to, but I'm sure the issue is where you're pointing. Could you please enable logging and 

    1) Upload the build log

    2) Upload the device logs from both bootloader and application

    Kind regards,
    Andreas

  • Hi,

    The attachment is BUILD LOG, the device will not send any message.

    build log.7z

    Can you confirm it for me first?

    If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?
  • Thank you,

    SunHuang said:

    Can you confirm it for me first?

    If version 2.6.1 does not support "CONFIG_BOOT_ENCRYPT_IMAGE", is bin file encrypted by default?

    MCUboot supports encrypted DFU, but there's no support for it in the SDK v2.6.1 out of the box.

    The sample in the unofficial repository you refer to shows how you can modify the firmware to have encrypted DFU (https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption) in NCS v2.6.1.

    warning: MBEDTLS (defined at soc/arm/nxp_imx\rt5xx\Kconfig.defconfig.series:63,
    soc/arm/nxp_imx\rt6xx\Kconfig.defconfig.series:64, soc/arm/nxp_imx\rt\Kconfig.defconfig.series:117,
    C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.mbedtls_minimal.defconfig:7,
    C:/ncs/v2.6.1/nrf\modules/trusted-firmware-m/Kconfig.psa.defconfig:1,
    C:/ncs/v2.6.1/zephyr/modules/mbedtls/Kconfig:17, modules\mbedtls\Kconfig:17) was assigned the value
    'y' but got the value 'n'. See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS
    and/or look up MBEDTLS in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    warning: PM (defined at soc/arm/silabs_exx32\efr32bg22\Kconfig.defconfig.series:18,
    soc/arm/silabs_exx32\efr32bg27\Kconfig.defconfig.series:18,
    soc/arm/silabs_exx32\efr32mg24\Kconfig.defconfig.series:19,
    soc/arm/st_stm32\stm32f4\Kconfig.defconfig.series:20, subsys/pm/Kconfig:13) was assigned the value
    'y' but got the value 'n'. Check these unsatisfied dependencies: ((SOC_SERIES_EFR32BG22 &&
    SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32BG27 && SOC_FAMILY_EXX32) || (SOC_SERIES_EFR32MG24 &&
    SOC_FAMILY_EXX32) || SOC_SERIES_STM32F4X || (SYS_CLOCK_EXISTS && HAS_PM)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_PM and/or look up PM in the
    menuconfig/guiconfig interface. The Application Development Primer, Setting Configuration Values,
    and Kconfig - Tips and Best Practices sections of the manual might be helpful too.

    There are 4 warnings in the build configuration that are not present when building the default lock sample in the SDK. I recommend you clear these up to reduce the possibility that this is an XY problem.

    And have you managed to get this working on a sample that is less complex than the Matter door lock? I understand that your end goal is to get it up and running for this app, but I would suggest you verify that it works on a minimal sample first to avoid any XY situations.

    Kind regards,
    Andreas

  • Hi,

    I have solved 3 warnings, "GPIO_ENABLE_DISABLE_INTERRUPT" I have to use, otherwise it will affect the interrupt function.

    pm_static has not been solved yet. Which example do you recommend for testing?

  • Hi,

    The issue seems to be devicetree related, and not strictly related to your static partitioning yaml. The setup of the external flash seems to be having some issues with some of the items in the flash device. Could you share your overlay/board files showing how you've set up the external flash?

    Kind regards,
    Andreas

  • Hi,

    Is this what you want?

    &spi3
    {
    compatible = "nordic,nrf-spim";
    status = "okay";
    cs-gpios = <&gpio0 18 GPIO_ACTIVE_LOW>;
    pinctrl-0 = <&spi3_default>;
    pinctrl-1 = <&spi3_sleep>;
    pinctrl-names = "default", "sleep";
    mx25r64: mx25r6435f@0
    {
    compatible = "jedec,spi-nor";
    status = "okay";
    reg = <0>;
    spi-max-frequency = <8000000>;
    label = "MX25R64";
    jedec-id = [20 00 16];
    sfdp-bfp =
    [
    53 46 44 50 08 01 00 FF 00 08 01 14 10 00 00 FF
    F5 20 C1 FF FF FF FF 01 00 00 08 6B 08 3B 00 00
    EE FF FF FF FF FF 00 00 FF FF 00 00 09 DB 0C 20

  • Hi,

    Yes, I believe so. In line 15 you see that you have a "label" property. This is marked as "deprecated", i.e. it's not required or has changed.

    The second item that I believe might be present in the same file and/or elsewhere in your definition is the "vendor prefix" that is unknown. Do you know if building works if you don't have this vendor prefix "sunion"?

    Kind regards,
    Andreas

  • Hi,

    Sorry for the delayed response. To avoid other issues, I have already updated the SDK to version 2.9.0 during this time.

    Could you provide the correct encryption and signing method? I would prefer the official approach.

    As for the "vendor prefix" issue, please ignore it since I will be using it in the APP code later. Its functionality is working as expected.

  • Hi,

    After the project has been successfully compiled, I noticed that the bin file in the dfu_application directory has the suffix .signed.encrypted. Does this mean that my bin file has been successfully signed and encrypted?

    Will the bootloader verify my key after performing the OTA update? I'm a bit concerned because I still see the following message in the compilation log.

    CMake Warning at C:/ncs/v2.9.0/nrf/cmake/sysbuild/debug_keys.cmake:21 (message):
    --------------------------------------------------------------
    --- WARNING: Using generated NSIB public/private key-pair. ---
    --- It should not be used for production. ---
    --- See SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE ---
    --------------------------------------------------------------
    Call Stack (most recent call first):
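
The question in the last post, whether a file named .signed.encrypted really carries a signature and an encryption key, can be checked from the image itself. The following is an added example, not part of the thread or of Nordic's tooling: it assumes the file is an MCUboot image as written by imgtool, takes the magic, flag and TLV type values from MCUboot's image format, and runs on a constructed sample image.

```python
import struct

# Constants from MCUboot's image format (image.h); fields are little-endian on disk.
IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGICS = (0x6908, 0x6907)           # protected, unprotected TLV areas
ENC_FLAGS = {0x04: "AES-128", 0x08: "AES-256"}
SIG_TLVS = {0x20: "RSA-2048", 0x22: "ECDSA", 0x23: "RSA-3072", 0x24: "Ed25519"}
KEY_TLVS = {0x30: "RSA-2048", 0x31: "AES-KW", 0x32: "EC256", 0x33: "X25519"}

def inspect_image(blob: bytes) -> dict:
    """Report the encryption flag and the signature / wrapped-key TLVs of an image."""
    if len(blob) < 32:
        raise ValueError("too short for an MCUboot header")
    magic, _load, hdr_size, _prot, img_size, flags = struct.unpack_from("<IIHHII", blob)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image")
    report = {"encrypted": next((n for b, n in ENC_FLAGS.items() if flags & b), None),
              "signature": None, "wrapped_key": None, "sha256": False}
    off = hdr_size + img_size                 # TLV areas follow the payload
    while off + 4 <= len(blob):
        info_magic, total = struct.unpack_from("<HH", blob, off)
        if info_magic not in TLV_INFO_MAGICS:
            break
        end = off + total                     # total includes the 4-byte info header
        if total < 4 or end > len(blob):
            raise ValueError("truncated TLV area")
        pos = off + 4
        while pos + 4 <= end:
            tlv_type, tlv_len = struct.unpack_from("<HH", blob, pos)
            if pos + 4 + tlv_len > end:
                raise ValueError("TLV overruns its area")
            report["signature"] = SIG_TLVS.get(tlv_type, report["signature"])
            report["wrapped_key"] = KEY_TLVS.get(tlv_type, report["wrapped_key"])
            report["sha256"] = report["sha256"] or tlv_type == 0x10
            pos += 4 + tlv_len
        off = end
    return report

def make_sample(flags: int, tlvs: list) -> bytes:
    """Build a constructed image: 32-byte header, dummy payload, one TLV area."""
    payload = bytes(64)
    header = struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, 32, 0, len(payload), flags, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<HH", t, n) + bytes(n) for t, n in tlvs)
    return header + payload + struct.pack("<HH", 0x6907, 4 + len(body)) + body

if __name__ == "__main__":
    print(inspect_image(make_sample(0x04, [(0x10, 32), (0x22, 70), (0x32, 113)])))
```

This reads structure only: it shows whether a signature and a wrapped key are present, not whether the signature verifies against the key built into the bootloader.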