• State Verified Answer
  • Replies 8 replies
  • Subscribers 75 subscribers
  • Views 316 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 345688
Options

Guide to build and test NSIB, MCUboot as upgradable bootloader and application

Nilesh

Hi All,

In reference to my earlier ticket(https://devzone.nordicsemi.com/f/nordic-q-a/120183/question-on-immutable-bootloader-support-for-nrf54l15), I see SDK version 3.0 and latest version of SDK has experimental support of NSIB for nrf54l15.

Reference link: nRF Secure Immutable Bootloader

I am trying to build it as per the steps given in Enabling a bootloader chain using sysbuild and I am able to build the code. And able to see multiple hex files. 

I tried to flash merged.hex and checked logs on console, however not able to see anything and looks like issue with the boot process. I am trying to debug it by enabling some logs.

Till the time, can anyone help on this, if I am missing in build, flash and test the code? 

Thanks,

Nilesh

  • 0

    Hello,

    I see SDK version 3.0 and latest version of SDK has experimental support of NSIB for nrf54l15.

    Correct

    I am trying to build it as per the steps given in Enabling a bootloader chain using sysbuild and I am able to build the code. And able to see multiple hex files. 

    Could you share the configuration files you've set up i.e sysbuild and prj.conf? Any build and/or device logs is also helpful

    Kind regards,
    Andreas

  • 0 in reply to AHaug

    Hello Andreas,

    Please find below configs which I am using

    sysbuild.conf:

    SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_SECURE_BOOT_APPCORE=y
#SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y

SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APP_DIR}/mcuboot_priv_key_ed25519.pem"
SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE="\${APP_DIR}/b0_private_key_ed25519.pem"
     
    prj.conf:
    # Nothing is there
    bo/prj.conf
    CONFIG_IS_SECURE_BOOTLOADER=y
CONFIG_MULTITHREADING=n
CONFIG_GPIO=n
CONFIG_ARM_MPU=n
CONFIG_TICKLESS_KERNEL=n
CONFIG_ERRNO=n
CONFIG_SYS_CLOCK_EXISTS=y
CONFIG_FPROTECT=y
CONFIG_FW_INFO=y
CONFIG_SECURE_BOOT_CRYPTO=y
CONFIG_SECURE_BOOT_VALIDATION=y
CONFIG_SECURE_BOOT_STORAGE=y
CONFIG_PCD_NET=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_LOG=y
    mcuboot/prj.conf
    CONFIG_MCUBOOT_LOG_LEVEL_WRN=y
CONFIG_BOOT_UPGRADE_ONLY=y
CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
     
    used below command to flash the code
    west flash --recover
    terminal logs:
    Fprotect disabled. No protection applied.Attempting to boot slot 0.Attempting to boot from address 0x8800.I: Trying to get Firmware version
E: Firmware validation failed with error -102.
E: Failed to validate signature.
Failed to validate, permanently invalidating!Attempting to boot slot 1.Attempting to boot from address 0x16800.I: Trying to get Firmware version
E: Firmware validation failed with error -102.
E: Failed to validate signature.
Failed to validate, permanently invalidating!No bootable image found. Aborting boot.Fprotect disabled. No protection applied.Attempting to boot slot 0.Attempting to boot from address 0x8800.E: Firmware has been invalidated: 0xffff0000.
Failed to validate, permanently invalidating!Attempting to boot slot 1.Attempting to boot from address 0x16800.E: Firmware has been invalidated: 0xffff0000.
Failed to validate, permanentl
  • 0 in reply to Nilesh

    Small update on top of this message, I used ECDSA key as well.

    As in one of the page it was mentioned to use ECDSA. However, result was same.

    Then at one place I read for nrf54l15 ed25519 algo is required and for other SoC's ECDSA. So, I enabled same.

    Also, I tried with default keys as well. No luck.

    I compared public key by exporting from private key using imgtool.py and one which is generated and available at build\nrf\subsys\bootloader\generated\public.pem

    public keys are same.

    Not sure whether this info will help. Just thought to share with you.

  • 0 in reply to Nilesh

    Hello Andreas,

    I further debug the scenario and found one area from where I am getting "E: Firmware validation failed with error -102.",

    Actually, due to LIB_KMU_ERROR verification is failing.

    Below is the call flow

    bl_validate_firmware_local->validate_firmware->validate_signature->root_of_trust_verify->verify_signature->bl_ed25519_validate->
psa_verify_message->get_key_buffer->cracen_kmu_get_key_slot->get_kmu_slot_id_and_metadata->read_primary_slot_metadata()

    Now, not sure why I am getting the error with this. If you can suggest anything on this will be a great help. 

    Thanks,

    Nilesh

  • 0 in reply to Nilesh

    Hi,

    I will have to spend some time trying to recreate this from the guides. NSIB should have experimental support but your testing could indicate that there's something faulty with the sample.

    Unfortunately I won't be able to do the exercise myself before early next week, but I will get to it.

    For now

    1. I've assumed you're using a DK, but could you verify if this is the case? Or if it's a custom board/module?
    2. Could you verify which SoC revision you're working with? ref https://docs.nordicsemi.com/bundle/comp_matrix_nrf54l15/page/COMP/nrf54l15/nrf54l15_ic_revision_overview.html 
    3. Lastly while waiting for an update from me, could you retrace the steps starting at the NSIB sample you initially referred to?

    Kind regards,
    Andreas

Related
Terms of service