• State Not Answered
  • Replies 8 replies
  • Subscribers 74 subscribers
  • Views 93 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 345688
Options

Guide to build and test NSIB, MCUboot as upgradable bootloader and application

Nilesh

Hi All,

In reference to my earlier ticket(https://devzone.nordicsemi.com/f/nordic-q-a/120183/question-on-immutable-bootloader-support-for-nrf54l15), I see SDK version 3.0 and latest version of SDK has experimental support of NSIB for nrf54l15.

Reference link: nRF Secure Immutable Bootloader

I am trying to build it as per the steps given in Enabling a bootloader chain using sysbuild and I am able to build the code. And able to see multiple hex files. 

I tried to flash merged.hex and checked logs on console, however not able to see anything and looks like issue with the boot process. I am trying to debug it by enabling some logs.

Till the time, can anyone help on this, if I am missing in build, flash and test the code? 

Thanks,

Nilesh

Parents
  • 0

    Hello,

    I see SDK version 3.0 and latest version of SDK has experimental support of NSIB for nrf54l15.

    Correct

    I am trying to build it as per the steps given in Enabling a bootloader chain using sysbuild and I am able to build the code. And able to see multiple hex files. 

    Could you share the configuration files you've set up i.e sysbuild and prj.conf? Any build and/or device logs is also helpful

    Kind regards,
    Andreas

  • 0 in reply to AHaug

    Hello Andreas,

    Please find below configs which I am using

    sysbuild.conf:

    SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_SECURE_BOOT_APPCORE=y
#SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y

SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APP_DIR}/mcuboot_priv_key_ed25519.pem"
SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE="\${APP_DIR}/b0_private_key_ed25519.pem"
     
    prj.conf:
    # Nothing is there
    bo/prj.conf
    CONFIG_IS_SECURE_BOOTLOADER=y
CONFIG_MULTITHREADING=n
CONFIG_GPIO=n
CONFIG_ARM_MPU=n
CONFIG_TICKLESS_KERNEL=n
CONFIG_ERRNO=n
CONFIG_SYS_CLOCK_EXISTS=y
CONFIG_FPROTECT=y
CONFIG_FW_INFO=y
CONFIG_SECURE_BOOT_CRYPTO=y
CONFIG_SECURE_BOOT_VALIDATION=y
CONFIG_SECURE_BOOT_STORAGE=y
CONFIG_PCD_NET=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_LOG=y
    mcuboot/prj.conf
    CONFIG_MCUBOOT_LOG_LEVEL_WRN=y
CONFIG_BOOT_UPGRADE_ONLY=y
CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
     
    used below command to flash the code
    west flash --recover
    terminal logs:
    Fprotect disabled. No protection applied.Attempting to boot slot 0.Attempting to boot from address 0x8800.I: Trying to get Firmware version
E: Firmware validation failed with error -102.
E: Failed to validate signature.
Failed to validate, permanently invalidating!Attempting to boot slot 1.Attempting to boot from address 0x16800.I: Trying to get Firmware version
E: Firmware validation failed with error -102.
E: Failed to validate signature.
Failed to validate, permanently invalidating!No bootable image found. Aborting boot.Fprotect disabled. No protection applied.Attempting to boot slot 0.Attempting to boot from address 0x8800.E: Firmware has been invalidated: 0xffff0000.
Failed to validate, permanently invalidating!Attempting to boot slot 1.Attempting to boot from address 0x16800.E: Firmware has been invalidated: 0xffff0000.
Failed to validate, permanentl
  • 0 in reply to Nilesh

    Small update on top of this message, I used ECDSA key as well.

    As in one of the page it was mentioned to use ECDSA. However, result was same.

    Then at one place I read for nrf54l15 ed25519 algo is required and for other SoC's ECDSA. So, I enabled same.

    Also, I tried with default keys as well. No luck.

    I compared public key by exporting from private key using imgtool.py and one which is generated and available at build\nrf\subsys\bootloader\generated\public.pem

    public keys are same.

    Not sure whether this info will help. Just thought to share with you.

  • 0 in reply to Nilesh

    Hello Andreas,

    I further debug the scenario and found one area from where I am getting "E: Firmware validation failed with error -102.",

    Actually, due to LIB_KMU_ERROR verification is failing.

    Below is the call flow

    bl_validate_firmware_local->validate_firmware->validate_signature->root_of_trust_verify->verify_signature->bl_ed25519_validate->
psa_verify_message->get_key_buffer->cracen_kmu_get_key_slot->get_kmu_slot_id_and_metadata->read_primary_slot_metadata()

    Now, not sure why I am getting the error with this. If you can suggest anything on this will be a great help. 

    Thanks,

    Nilesh

  • 0 in reply to Nilesh

    Hi,

    I will have to spend some time trying to recreate this from the guides. NSIB should have experimental support but your testing could indicate that there's something faulty with the sample.

    Unfortunately I won't be able to do the exercise myself before early next week, but I will get to it.

    For now

    1. I've assumed you're using a DK, but could you verify if this is the case? Or if it's a custom board/module?
    2. Could you verify which SoC revision you're working with? ref https://docs.nordicsemi.com/bundle/comp_matrix_nrf54l15/page/COMP/nrf54l15/nrf54l15_ic_revision_overview.html 
    3. Lastly while waiting for an update from me, could you retrace the steps starting at the NSIB sample you initially referred to?

    Kind regards,
    Andreas

Reply Children
  • 0 in reply to AHaug

    Hello Andreas,

    Thank you so much for your input.

    I also came to same link. I again went through DFU dev academy class Exercise 2 - DFU with custom keys - Nordic Developer Academy

    And come to know we need to manually provision the key to KMU.

    With this I am able to see the code is booting.

    Just a summary and please correct me here, I followed below steps and with which I am able to see bootloader validating mcuboot, and then my application is running and getting below console log

    I: Firmware signature verified.
Firmware version 1I: Setting monotonic counter (version: 1, slot: 0)
Booting (0x8800).

*** Booting MCUboot v2.1.0-dev-ae1ee57f3906 ***
*** Using nRF Connect SDK v3.0.1-9eb5615da66b ***
*** Using Zephyr OS v4.0.99-77f865b8f8d0 ***
*** Booting My Application v0.1.99-1dc24a14c5b1 ***
*** Using nRF Connect SDK v3.0.1-9eb5615da66b ***
*** Using Zephyr OS v4.0.99-77f865b8f8d0 ***
Address of sample 0x24800
Hello sysbuild with mcuboot! nrf54l15dk

    Steps I followed

    Steps:
#Build code with sysbuild.
#It should generate b0, S0, S1, App images
#Then flash merged hex by erasing complete flash followed by programming merged hex
nrfjprog -e
nrfjprog --program build/merged.hex --sectorerase --verify

#Then provision key using below command
#This step is must to work
west ncs-provision upload -s nrf54l15 -k b0_private_key_ed25519.pem --keyname BL_PUBKEY

#Please note last option in above command. keyname should be BL_PUBKEY
#If we use UROT_PUBKEY then it does not work.

    I'll revert all my debug logs and code and will recheck it multiple times to be sure.

    By the time if you get chance to review this then please suggest if any better way or correction to it.

    I am feeling Slight smile at the moment. And sorry for causing you trouble.

    Thanks & Best Regards,

    Nilesh 

  • 0 in reply to Nilesh

    Great! 

    The device log looks correct and as far as I can see from the description this does also look correct! 

    Happy to help! :) 

    Let me know if this answers your questions related to this case, if you have any followups related to this topic and feel free to open new cases for new topics and we'll help you out as best as we can!

    Kind regards,
    Andreas

Related
Terms of service