Issue with CONFIG_BOOT_SIGNATURE_KEY_FILE configuration

Hi,

I'm implementing the DFU for the nRF5340 MCU and now need to set my private keys to be able to sign firmware files.

The issue is related to the Signature key file specification with the relative path.
There are similar tickets here (for instance, this one), but unfortunately I couldn't find any solution to this.

The most confusing thing is that the suggestions on using relative paths for the private key proposed on DevAcademy do not work either.

I'm using the following configuration in my CMakeLists.txt:

set(BOOT_SIGNATURE_KEY_FILE
    ${CMAKE_CURRENT_SOURCE_DIR}/Resources/FirmwareSign/PrivateKey.pem
)

if(DEFINED BOOT_SIGNATURE_KEY_FILE)
    set(CONFIG_BOOT_SIGNATURE_KEY_FILE \"${BOOT_SIGNATURE_KEY_FILE}\")
    set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE 
      ${CONFIG_BOOT_SIGNATURE_KEY_FILE}
    )
    set(hci_ipc_CONFIG_SB_SIGNING_KEY_FILE
      ${CONFIG_BOOT_SIGNATURE_KEY_FILE}
    )
    message("Signing Key is applied: ${mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
endif()

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})

And after that, the build process fails with the same issue as here.

NCS and toolchain versions I use: v2.6.2.

That post is 2 years old, so I assume there should be some solution that I can't find.
Would be glad if someone pushed me to it.

Thanks,
Anton

  • Hello Vidar,

    The path is correct there:

    #
    # MCUboot-specific configuration options
    #
    # CONFIG_BOOT_USE_MIN_PARTITION_SIZE is not set
    CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH=0x1e000
    CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD=0x200
    CONFIG_PM_PARTITION_SIZE_MCUBOOT=0xc000
    CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL=y
    # CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM is not set
    CONFIG_BOOT_SIGNATURE_KEY_FILE="D:/XXX/XXX/XXX/XXX/XXX/XXX/Resources/FirmwareSign/PrivateKey.pem"
    # CONFIG_BOOT_NRF_EXTERNAL_CRYPTO is not set
    CONFIG_BOOT_ERASE_PROGRESSIVELY=y
    # CONFIG_BOOT_IMAGE_ACCESS_HOOKS is not set
    CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY=y
    CONFIG_MCUBOOT=y
    CONFIG_BOOT_USE_TINYCRYPT=y
    CONFIG_NRFXLIB_CRYPTO=y
    # CONFIG_NRF_CC310_BL is not set
    
    .....


    But the build fails due to the wrong path to the key (inside Python script):

    Traceback (most recent call last):
      File "C:\ncs\v2.6.2\bootloader\mcuboot\scripts\imgtool.py", line 22, in <module>
        main.imgtool()
      File "C:\ncs\toolchains\cf2149caf2\opt\bin\Lib\site-packages\click\core.py", line 1128, in __call__
        return self.main(*args, **kwargs)
      File "C:\ncs\toolchains\cf2149caf2\opt\bin\Lib\site-packages\click\core.py", line 1053, in main
        rv = self.invoke(ctx)
      File "C:\ncs\toolchains\cf2149caf2\opt\bin\Lib\site-packages\click\core.py", line 1659, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "C:\ncs\toolchains\cf2149caf2\opt\bin\Lib\site-packages\click\core.py", line 1395, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "C:\ncs\toolchains\cf2149caf2\opt\bin\Lib\site-packages\click\core.py", line 754, in invoke
        return __callback(*args, **kwargs)
      File "C:\ncs\v2.6.2\bootloader\mcuboot\scripts\imgtool\main.py", line 425, in sign
        key = load_key(key) if key else None
      File "C:\ncs\v2.6.2\bootloader\mcuboot\scripts\imgtool\main.py", line 91, in load_key
        key = keys.load(keyfile)
      File "C:\ncs\v2.6.2\bootloader\mcuboot\scripts\imgtool\keys\__init__.py", line 49, in load
        with open(path, 'rb') as f:
    OSError: [Errno 22] Invalid argument: 'C:/ncs/v2.6.2/bootloader/mcuboot/D:/XXX/XXX/XXX/XXX/XXX/XXX/Resources/FirmwareSign/PrivateKey.pem'
    ninja: build stopped: subcommand failed.
    FATAL ERROR: command exited with status 1: 'C:\ncs\toolchains\cf2149caf2\opt\bin\cmake.EXE' --build 'd:\XXX\XXX\XXX\XXX\XXX\XXX\build'


    And the warning is also here (meanwhile the path reported during bootloader child image build is correct):


    Regards,
    Anton

  • Hi Anton, 

    It looks like setting the CONFIG_BOOT_SIGNATURE_KEY_FILE symbol in the parent image confuses the CMake build script for the signing mechanism (causes the key path to also include the path to the default key). Please try to only set the symbol in the mcuboot child image as shown below (same as in the DevAcademy course).

    if(DEFINED BOOT_SIGNATURE_KEY_FILE)
        set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE 
          \"${BOOT_SIGNATURE_KEY_FILE}\"
        )
        set(hci_ipc_CONFIG_SB_SIGNING_KEY_FILE
          ${CONFIG_BOOT_SIGNATURE_KEY_FILE}
        )
    
        message("Signing Key is applied: ${mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
    endif()

  • Hi Vidar,

    Thanks for your response. You were right, so I was able to resolve the issue!
    I didn't even notice that I set "CONFIG_BOOT_SIGNATURE_KEY_FILE" for the parent application.

    But I have to mention that the "hci_ipc_CONFIG_SB_SIGNING_KEY_FILE" variable setting should also be modified, so I post the following code for those who may face the same issue in the future:

    set(BOOT_SIGNATURE_KEY_FILE
        ${CMAKE_CURRENT_SOURCE_DIR}/Resources/FirmwareSign/PrivateKey.pem
    )
    
    if(DEFINED BOOT_SIGNATURE_KEY_FILE)
        set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE 
          \"${BOOT_SIGNATURE_KEY_FILE}\"
        )
        set(hci_ipc_CONFIG_SB_SIGNING_KEY_FILE
          \"${BOOT_SIGNATURE_KEY_FILE}\"
        )
    
        message("Signing Key is applied: ${mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
    endif()


    Thanks,
    Anton
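
A configure-time guard around the working configuration from the last reply, added here as an example and not code from the thread or from the nRF Connect SDK: it stops with a clear message when the parent-image symbol is set or the key file is missing or is not a private-key PEM, rather than failing later inside imgtool. The `key_first_line` variable and the message texts are made up for this example, and the guard assumes it runs before `find_package(Zephyr ...)`, so only a manual `set()` or a `-D` argument can have defined the parent symbol.

```cmake
# Added example: guards for the application's CMakeLists.txt, placed before
# find_package(Zephyr ...). key_first_line and the messages are illustrative.
set(BOOT_SIGNATURE_KEY_FILE
    ${CMAKE_CURRENT_SOURCE_DIR}/Resources/FirmwareSign/PrivateKey.pem
)

# The thread's root cause: the symbol was also set for the parent image.
if(DEFINED CONFIG_BOOT_SIGNATURE_KEY_FILE)
    message(FATAL_ERROR
        "CONFIG_BOOT_SIGNATURE_KEY_FILE is set for the parent image; "
        "set only mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE and "
        "hci_ipc_CONFIG_SB_SIGNING_KEY_FILE.")
endif()

# Resolve to an absolute path so nothing downstream treats it as relative.
get_filename_component(BOOT_SIGNATURE_KEY_FILE
    "${BOOT_SIGNATURE_KEY_FILE}" ABSOLUTE)

if(NOT EXISTS "${BOOT_SIGNATURE_KEY_FILE}" OR
   IS_DIRECTORY "${BOOT_SIGNATURE_KEY_FILE}")
    message(FATAL_ERROR "Signing key not found: ${BOOT_SIGNATURE_KEY_FILE}")
endif()

# Read only the first line: enough to tell a private key from a public key
# or certificate without echoing key material into the build log.
file(STRINGS "${BOOT_SIGNATURE_KEY_FILE}" key_first_line LIMIT_COUNT 1)
if(NOT "${key_first_line}" MATCHES "^-----BEGIN .*PRIVATE KEY-----")
    message(FATAL_ERROR
        "${BOOT_SIGNATURE_KEY_FILE} does not start with a PEM private-key header")
endif()

# Child-image variables only, each with escaped quotes, as in the last reply.
set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \"${BOOT_SIGNATURE_KEY_FILE}\")
set(hci_ipc_CONFIG_SB_SIGNING_KEY_FILE \"${BOOT_SIGNATURE_KEY_FILE}\")
message(STATUS "Signing key: ${BOOT_SIGNATURE_KEY_FILE}")

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
```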
