I'm working with NSIB (nRF Secure Immutable Bootloader) and trying to manually sign an application image that is built separately — without using SB_CONFIG_SECURE_BOOT_APPCORE=y.
My goal is to ensure the signed image includes the required firmware validation info so that NSIB can correctly boot it. I'm facing two issues and need clarification:
1. fw_info Check
The NSIB check: !fw_info_check((uint32_t)fwinfo)
is satisfied by manually placing the fw_info struct at the expected location.
Question: Is there a preferred or supported way to handle this placement, or is it automatically handled during image signing with Nordic tooling?
2. validation_info_find Check
The check: fw_val_info = validation_info_find(fw_src_address + fwinfo->size, 4);
fails when I sign the image using imgtool. The magic word is not found at the expected offset.
When the image is compiled with SB_CONFIG_SECURE_BOOT_APPCORE=y, the combined output includes a valid validation info section and boots correctly via NSIB.
Question: Is there a Nordic toolchain-supported method or format to manually sign a precompiled image such that:
The correct validation_info structure is appended,
And the resulting image is bootable by NSIB?
Any documentation, tools, or guidance for manually creating a valid NSIB-compatible signed image would be greatly appreciated.
