How can the bin file be encrypted and signed?

Hi,

This configuration is not present in NCS v2.6.1, meaning that encrypted DFU is not supported.

But this unofficial sample which should work for 2.5.x and 2.6.x should give you a pointer for how to add it. Note that it does not support the nRF5340 https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption 

But it is present in 2.9.0-rc1 as far as I can see.

Is app_update.bin a generated encrypted file?

In the latest version of https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/config_and_build/output_build_files.html#common_output_build_files it describes that zephyr.signed.encrypted.bin is used to  create dfu_application.zip for encrypted multi-core DFU updates.

Since 2.9.0-rc1 is just a release candidate, I'm not too familiar with this feature, but I will have a look.

Kind regards,
Andreas

Hi,

After I configured CONFIG_BOOT_ENCRYPT_IMAGE=y, mcuboot did not have enough memory space.

I modified the "pm_static_dfu.yml" file. There seems to be a problem with my program.

How to solve the problems?

pm_static_dfu.7z

Hi,

Is this what you want?

&spi3
{
    compatible = "nordic,nrf-spim";
    status = "okay";
    cs-gpios = <&gpio0 18 GPIO_ACTIVE_LOW>;
    pinctrl-0 = <&spi3_default>;
    pinctrl-1 = <&spi3_sleep>;
    pinctrl-names = "default", "sleep";
    mx25r64: mx25r6435f@0
    {
        compatible = "jedec,spi-nor";
        status = "okay";
        reg = <0>;
        spi-max-frequency = <8000000>;
        label = "MX25R64";
        jedec-id = [20 00 16];
        sfdp-bfp =
        [
            53 46 44 50  08 01 00 FF  00 08 01 14  10 00 00 FF
            F5 20 C1 FF  FF FF FF 01  00 00 08 6B  08 3B 00 00
            EE FF FF FF  FF FF 00 00  FF FF 00 00  09 DB 0C 20
            10 D8 00 00  04 08 0C 00  90 F3 0E 00  00 00 00 80
        ];
        size = <67108864>;
        has-dpd;                                                                       // deep power
        t-enter-dpd = <10000>;
        t-exit-dpd = <35000>;
        wp-gpios = <&gpio0 15 (GPIO_ACTIVE_HIGH)>;
    };
};

Hi,

Yes, I believe so. In line 15 you see that you have a "label" property. This is marked as "deprecated", i.e its not required or has changed.

The second item that I believe might be present in the same file and/or elsewhere in your definition is the "vendor prefix" that is unknown. Do you know if building works if you don't have this vendor prefix "sunion"?

Kind regards,
Andreas

Hi,

Sorry for the delayed response. To avoid other issues, I have already updated the SDK to version 2.9.0 during this time.

Could you provide the correct encryption and signing method? I would prefer the official approach.

As for the "vendor prefix" issue, please ignore it since I will be using it in the APP code later. Its functionality is working as expected.

Hi,

No problem, here's some relevant resources

https://docs.nordicsemi.com/bundle/ncs-2.9.0/page/mcuboot/encrypted_images.html 

https://docs.nordicsemi.com/bundle/ncs-2.9.0/page/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_mcuboot_nsib.html 

https://docs.nordicsemi.com/bundle/ncs-2.9.0/page/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_signature_keys.html 

Kind regards,
Andreas

Hi,

After the project has been successfully compiled, I noticed that the bin file in the dfu_application directory has the suffix .signed.encrypted. Does this mean that my bin file has been successfully signed and encrypted?

Will the bootloader verify my key after performing the OTA update? I'm a bit concerned because I still see the following message in the compilation log.

CMake Warning at C:/ncs/v2.9.0/nrf/cmake/sysbuild/debug_keys.cmake:21 (message):


      --------------------------------------------------------------
      --- WARNING: Using generated NSIB public/private key-pair. ---
      --- It should not be used for production.                  ---
      --- See SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE             ---
      --------------------------------------------------------------


Call Stack (most recent call first):

Hi,

After the project has been successfully compiled, I noticed that the bin file in the dfu_application directory has the suffix .signed.encrypted. Does this mean that my bin file has been successfully signed and encrypted?

Will the bootloader verify my key after performing the OTA update? I'm a bit concerned because I still see the following message in the compilation log.

CMake Warning at C:/ncs/v2.9.0/nrf/cmake/sysbuild/debug_keys.cmake:21 (message):


      --------------------------------------------------------------
      --- WARNING: Using generated NSIB public/private key-pair. ---
      --- It should not be used for production.                  ---
      --- See SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE             ---
      --------------------------------------------------------------


Call Stack (most recent call first):

Hi,

SunHuang said:

After the project has been successfully compiled, I noticed that the bin file in the dfu_application directory has the suffix .signed.encrypted. Does this mean that my bin file has been successfully signed and encrypted?

From https://docs.nordicsemi.com/bundle/ncs-2.9.0/page/nrf/app_dev/config_and_build/output_build_files.html 

"zephyr.signed.encrypted.hex is the HEX file variant of the <file_name>.signed.encrypted.bin file. Can also be used standalone for a single-image DFU. Contains the signed and encrypted version of the application. Compatible with MCUboot. zephyr is the value of CONFIG_KERNEL_BIN_NAME. The file is located in the build/<your_application_name>/zephyr directory."

SunHuang said:

Will the bootloader verify my key after performing the OTA update? I'm a bit concerned because I still see the following message in the compilation log.

https://academy.nordicsemi.com/courses/nrf-connect-sdk-intermediate/lessons/lesson-9-bootloaders-and-dfu-fota/ and exercise 2 regarding DFU with custom keys explains application verification and signing using keys.

Kind regards,
Andreas

Hi,

Based on the document you provided, I believe that as long as "encrypted" appears, it means my BIN file has been successfully encrypted. I just need a definite answer. Thank you for your assistance.