RE: Mcuboot - checking whether firmware matches hardware

m5k8 — Thu, 23 Jan 2025 13:14:09 GMT

OK, I also didn't find anything like hardware compatibility check, so using the keys looks like the only way.

But that's far from perfect.

Let's say you have hardware V1 and matching firmware V1. Then hardware V2 happens, there are some changes. Previous firmware V1 didn't know the future and doesn't work with new hardware, but firmware V2 knows how to work with both hardware V1 and V2. We want to allow loading fw1 to hw1 only, and allow fw2 to load to both hw1 and hw2. Different keys won't allow that.

Hardware compatibility level or list of compatible hardware versions embedded in firmware and checked by bootloader would solve this.

Or multiple keys. There's hope in mcuboot docs:

"Image may contain a signature TLV. If it does, it must also have a KEYHASH TLV with the hash of the key that was used to sign. The list of keys will then be iterated over looking for the matching key, which then will then be used to verify the image contents."

Slightly vague, first "signature" is mentioned as singular, then "list of keys" is introduced as plural, but it's light on the details.

And finally:

"Currently, the Zephyr RTOS port limits its support to one keypair at the time, although MCUboot’s key management infrastructure supports multiple keypairs."

So, as I can see, the answer for hardware versions compatibility checks is "not possible".

RE: Mcuboot - checking whether firmware matches hardware

Einar Thorsrud — Thu, 16 Jan 2025 13:58:22 GMT

Hi,

From what I can see you are right, there is no concept of hardare version in MCUboot (and not corresponding field in the image trailer or other metadata), so the way to solve this is by uding different signing keys. (That has the added advantage that in the unlikely event that the private key used for one version is compromized, it would not affect other versions).