• State Not Answered
  • Replies 2 replies
  • Subscribers 74 subscribers
  • Views 183 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 339069
Options

Mcuboot - checking whether firmware matches hardware

m5k8

Hi,

Legacy SDK bootloader and dfu preparation workflow had the following option:

nrfutil pkg generate --hw-version ...

hw_option allowed for checks, whether supplied firmware matches given hardware. So firmware for device A won't get programmed into device B.

How about mcuboot?

I'm reading mcuboot design document: https://docs.mcuboot.com/design.html#integrity-check and here are some conditions:

IMAGE_MAGIC - harcoded into sources, so no.

"Image must contain an image_tlv_info struct, identified by its magic (IMAGE_TLV_PROT_INFO_MAGIC or IMAGE_TLV_INFO_MAGIC" - described rather vaguely, can't see any options that would allow me to set some MAGIC values that would be checked for match by mcuboot.

"Image may contain a signature TLV" - so generating unique signing key for given hardware type looks like the only way to disallow foreign firmware.

Is this the only way, or am I missing something that would match "--hw-version" from legacy sdk bootloader?

Parents
  • 0

    Hi,

    From what I can see you are right, there is no concept of hardare version in MCUboot (and not corresponding field in the image trailer or other metadata), so the way to solve this is by uding different signing keys. (That has the added advantage that in the unlikely event that the private key used for one version is compromized, it would not affect other versions).

  • 0 in reply to Einar Thorsrud

    OK, I also didn't find anything like hardware compatibility check, so using the keys looks like the only way.

    But that's far from perfect.

    Let's say you have hardware V1 and matching firmware V1. Then hardware V2 happens, there are some changes. Previous firmware V1 didn't know the future and doesn't work with new hardware, but firmware V2 knows how to work with both hardware V1 and V2. We want to allow loading fw1 to hw1 only, and allow fw2 to load to both hw1 and hw2. Different keys won't allow that.

    Hardware compatibility level or list of compatible hardware versions embedded in firmware and checked by bootloader would solve this.

    Or multiple keys. There's hope in mcuboot docs:

    "Image may contain a signature TLV. If it does, it must also have a KEYHASH TLV with the hash of the key that was used to sign. The list of keys will then be iterated over looking for the matching key, which then will then be used to verify the image contents."

    Slightly vague, first "signature" is mentioned as singular, then "list of keys" is introduced as plural, but it's light on the details.

    And finally:

    "Currently, the Zephyr RTOS port limits its support to one keypair at the time, although MCUboot’s key management infrastructure supports multiple keypairs."

    So, as I can see, the answer for hardware versions compatibility checks is "not possible".

Reply
  • 0 in reply to Einar Thorsrud

    OK, I also didn't find anything like hardware compatibility check, so using the keys looks like the only way.

    But that's far from perfect.

    Let's say you have hardware V1 and matching firmware V1. Then hardware V2 happens, there are some changes. Previous firmware V1 didn't know the future and doesn't work with new hardware, but firmware V2 knows how to work with both hardware V1 and V2. We want to allow loading fw1 to hw1 only, and allow fw2 to load to both hw1 and hw2. Different keys won't allow that.

    Hardware compatibility level or list of compatible hardware versions embedded in firmware and checked by bootloader would solve this.

    Or multiple keys. There's hope in mcuboot docs:

    "Image may contain a signature TLV. If it does, it must also have a KEYHASH TLV with the hash of the key that was used to sign. The list of keys will then be iterated over looking for the matching key, which then will then be used to verify the image contents."

    Slightly vague, first "signature" is mentioned as singular, then "list of keys" is introduced as plural, but it's light on the details.

    And finally:

    "Currently, the Zephyr RTOS port limits its support to one keypair at the time, although MCUboot’s key management infrastructure supports multiple keypairs."

    So, as I can see, the answer for hardware versions compatibility checks is "not possible".

Children
No Data
Related
Terms of service