• State Not Answered
  • Replies 14 replies
  • Subscribers 88 subscribers
  • Views 1660 views
  • Users 0 members are here
Attachments (2) Download All
Nordic Case Info
  • Case ID: 350046
Options

MCUBoot+sysbuild+ns-variant: E: Protect mcuboot flash failed, cancel startup.

Erlend Isachsen

Hi.

Goal
I am creating a new application for the nRF54l15 and want to follow the latest recommendations for project configuration. I need to do DFU over BLE, so I'm trying to add MCUBoot in the chain-of-trust regime, using sysbuild. To get there, I used the zephyr/samples/sysbuild/with_mcuboot as a starting point.

Problem
The sample in question does not explicitly support any of the nordic boards with secure/non-secure regime, and I haven't found any samples that combine all these criteria. So I have tried to build the zephyr/sysbuild/with_mcuboot sample for nrf54l15dk/nrf54l15/ns. After erase+flash to my nRF54l15-PDK, I get the following error:

*** Booting MCUboot v2.1.0-dev-2b69d93e75bc ***
*** Using nRF Connect SDK v3.1.0-6c6e5b32496e ***
*** Using Zephyr OS v4.1.99-1612683d4010 ***
E: Protect mcuboot flash failed, cancel startup.

How to recreate
Open zephyr/sysbuild/with_mcuboot and build for zephyr/sysbuild/with_mcuboot sample for nrf54l15dk/nrf54l15/ns. My first build failed, but after doing a pristine build it built successfully and I was able to flash (VSCode build output is attached). Finally, flash to the DK and it should produce the error message shown above.

My setup
Support information is attached. I'm using SDK and toolchain version 3.1.0 with VSCode for windows 10, and nRF54L15-PDK (0.8.1, 2024.38).

Solutions?
I don't have to be able to run this exact sample, but what is causing this error and how do I best resolve it?

vscode_build_log.txt 

Fullscreen nrf-connect-support-20250818091511.json Download 
// IMPORTANT: The following data can contain sensitive or confidential information about your environment.
// If you do not want others to see this information, make sure to remove it before sharing the data.

// For help and support, visit Nordic Semiconductor's DevZone at https://devzone.nordicsemi.com/.

{
  "platform": {
    "os": "win32",
    "osVersion": "Windows 10 Pro",
    "osKernel": "10.0.19045",
    "vscode": "1.103.0",
    "electron": "37.2.3",
    "node": "v22.17.0"
  },
  "system": {
    "date": "2025-08-18T09:15:11.091Z",
    "vscodeRoot": "c:\\Program Files\\Microsoft VS Code\\resources\\app",
    "nrfConnectForDesktopInstalled": true,
    "vscodeUptime": "00:47:59",
    "osUptime": "129:28:11",
    "cpu": "Intel(R) Core(TM) i7-10700T CPU @ 2.00GHz"
  },
  "workspace": {
    "name": "with_mcuboot",
    "workspaceFile": null,
    "folders": [
      "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot"
    ]
  },
  "sdks": [
    {
      "version": "v3.1.0",
      "path": "c:\\ncs\\v3.1.0"
    },
    {
      "version": "v3.0.0",
      "path": "c:\\ncs\\v3.0.0"
    },
    {
      "version": "v2.9.0",
      "path": "c:\\ncs\\v2.9.0"
    },
    {
      "version": "v2.7.0",
      "path": "c:\\ncs\\v2.7.0"
    },
    {
      "version": "v2.6.1",
      "path": "c:\\ncs\\v2.6.1"
    },
    {
      "version": "v2.5.1",
      "path": "c:\\ncs\\v2.5.1"
    },
    {
      "version": "v2.4.2",
      "path": "c:\\project\\saferoad"
    },
    {
      "version": "v2.4.0",
      "path": "c:\\ncs\\v2.4.0"
    },
    {
      "version": "v2.3.0",
      "path": "c:\\ncs\\v2.3.0"
    },
    {
      "version": "v2.2.0",
      "path": "c:\\ncs\\v2.2.0"
    },
    {
      "version": "v1.9.1",
      "path": "c:\\ncs\\v1.9.1"
    },
    {
      "version": "v1.5.1",
      "path": "c:\\ncs\\v1.5.1"
    }
  ],
  "activeBuild": "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot\\build_1",
  "apps": [
    {
      "workspace": "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot",
      "uri": "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot",
      "buildConfigurations": [
        {
          "id": "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot\\build",
          "name": "build",
          "boardId": "nrf54l15dk/nrf54l15/cpuapp/ns",
          "type": "Sysbuild",
          "isChild": false,
          "isStale": false,
          "taskBindings": {
            "build": [],
            "pristineBuild": [],
            "flash": [],
            "eraseAndFlash": []
          },
          "sdk": "c:\\ncs\\v3.1.0",
          "toolchain": "nRF Connect SDK Toolchain v3.1.0"
        },
        {
          "id": "c:\\ncs\\v3.1.0\\zephyr\\samples\\sysbuild\\with_mcuboot\\build_1",
          "name": "build_1",
          "boardId": "nrf54l15dk/nrf54l15/cpuapp/ns",
          "type": "Zephyr",
          "isChild": false,
          "isStale": false,
          "taskBindings": {
            "build": [],
            "pristineBuild": [],
            "flash": [],
            "eraseAndFlash": []
          },
          "sdk": "c:\\ncs\\v3.1.0",
          "toolchain": "nRF Connect SDK Toolchain v3.1.0"
        }
      ]
    }
  ],
  "toolchains": [
    {
      "version": "3.1.0",
      "path": "c:\\ncs\\toolchains\\b8b84efebd"
    },
    {
      "version": "3.0.0",
      "path": "c:\\ncs\\toolchains\\0b393f9e1b"
    },
    {
      "version": "2.9.0",
      "path": "c:\\ncs\\toolchains\\b620d30767"
    },
    {
      "version": "2.7.0",
      "path": "c:\\ncs\\toolchains\\ce3b5ff664"
    },
    {
      "version": "2.6.1",
      "path": "c:\\ncs\\toolchains\\cf2149caf2"
    },
    {
      "version": "2.5.1",
      "path": "c:\\ncs\\toolchains\\c57af46cb7"
    },
    {
      "version": "2.4.0",
      "path": "c:\\ncs\\toolchains\\31f4403e35"
    },
    {
      "version": "2.3.0",
      "path": "c:\\ncs\\toolchains\\v2.3.0"
    },
    {
      "version": "2.2.0",
      "path": "c:\\ncs\\toolchains\\v2.2.0"
    },
    {
      "version": "2.0.0",
      "path": "c:\\ncs\\toolchains\\v2.0.0"
    },
    {
      "version": "1.9.1",
      "path": "c:\\ncs\\v1.9.1\\toolchain"
    },
    {
      "version": "1.9.1",
      "path": "c:\\ncs\\toolchains\\v1.9.1"
    },
    {
      "version": "1.5.1",
      "path": "c:\\ncs\\v1.5.1\\toolchain"
    }
  ],
  "connectedDevices": [
    {
      "serialNumber": "000203200665"
    },
    {
      "serialNumber": "001057760695"
    }
  ],
  "tools": {
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk\\arm-zephyr-eabi\\bin\\arm-zephyr-eabi-gcc.exe": "0.17.0",
    "C:\\Program Files\\SEGGER\\JLink_V818\\JLink.exe": "8.18",
    "C:\\Program Files\\Nordic Semiconductor\\nrf-command-line-tools\\bin\\nrfjprog.exe": "10.24.2",
    "C:\\ncs\\toolchains\\b8b84efebd\\nrfutil": "8.1.0",
    "C:\\ncs\\toolchains\\b8b84efebd\\cmake": "3.21.0",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\Scripts\\west.exe": "1.4.0",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\python.exe": "3.12.4",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\ninja.exe": "1.10.2",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\gperf.exe": "3.1",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\dtc.exe": "1.4.7",
    "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\gn.exe": "2223",
    "C:\\ncs\\toolchains\\b8b84efebd\\mingw64\\bin\\git.exe": "2.37.3.windows.1",
    "arm-gdbPath": "c:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk\\arm-zephyr-eabi\\bin\\arm-zephyr-eabi-gdb.exe",
    "riscv-gdbPath": "C:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk\\riscv64-zephyr-elf\\bin\\riscv64-zephyr-elf-gdb.exe"
  },
  "nrfutil": {
    "nrfutil-device": {
      "version": "2.7.2",
      "binPath": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-connect-2024.12.55-win32-x64\\platform\\nrfutil\\bin\\nrfutil-device",
      "jlinkInfo": {
        "description": "This version of SEGGER J-Link is different from the J-Link version that was used to test nrfutil device commands",
        "expectedVersion": {
          "version": "JLink_V7.94i",
          "versionFormat": "string"
        },
        "name": "JlinkARM",
        "version": "JLink_V8.18 ",
        "versionFormat": "string"
      }
    },
    "nrfutil-toolchain-manager": {
      "version": "0.14.4",
      "binPath": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-connect-2024.12.55-win32-x64\\platform\\nrfutil\\bin\\nrfutil-toolchain-manager"
    }
  },
  "environment": {
    "westEnv": {
      "HOME": "C:\\SPB_Data",
      "HOMEDRIVE": "C:",
      "HOMEPATH": "\\Users\\ErlendEliasIsachsen",
      "PATH": "C:\\ncs\\toolchains\\b8b84efebd;C:\\ncs\\toolchains\\b8b84efebd\\mingw64\\bin;C:\\ncs\\toolchains\\b8b84efebd\\bin;C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin;C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\Scripts;c:/ncs/toolchains/b8b84efebd\\opt/nanopb/generator-bin;C:\\ncs\\toolchains\\b8b84efebd\\nrfutil\\bin;C:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk\\arm-zephyr-eabi\\bin;C:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk\\riscv64-zephyr-elf\\bin;c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-connect-2024.12.55-win32-x64\\platform\\nrfutil\\lib\\nrfutil-toolchain-manager;C:\\Program Files (x86)\\NVIDIA Corporation\\PhysX\\Common;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Program Files\\Microchip\\xc8\\v2.31\\bin;C:\\Program Files\\PuTTY\\;C:\\Program Files\\WinMerge;C:\\Program Files\\dotnet\\;C:\\Program Files\\Wolfram Research\\WolframScript\\;C:\\Program Files (x86)\\Windows Kits\\8.1\\Windows Performance Toolkit\\;C:\\Program Files\\Git\\cmd;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Program Files\\LLVM\\bin;C:\\Program Files\\TortoiseSVN\\bin;C:\\Program Files\\otii;C:\\Program Files\\doxygen\\bin;C:\\Program Files\\Graphviz\\bin;C:\\Program Files\\Nordic Semiconductor\\nrf-command-line-tools\\bin\\;C:\\Program Files\\CMake\\bin;C:\\ncs\\nrfutil;C:\\gnuarmemb\\9_2019-q4-major\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\ErlendEliasIsachsen\\.dotnet\\tools;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\GitHubDesktop\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Programs\\MiKTeX\\miktex\\bin\\x64\\;",
      "ZEPHYR_BASE": "c:\\ncs\\v3.1.0\\zephyr",
      "ZEPHYR_TOOLCHAIN_VARIANT": "zephyr",
      "ZEPHYR_SDK_INSTALL_DIR": "C:\\ncs\\toolchains\\b8b84efebd\\opt\\zephyr-sdk",
      "PYTHONPATH": "C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin;C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\Lib;C:\\ncs\\toolchains\\b8b84efebd\\opt\\bin\\Lib\\site-packages"
    },
    "inherited": {
      "HOME": "C:\\SPB_Data",
      "HOMEDRIVE": "C:",
      "HOMEPATH": "\\Users\\ErlendEliasIsachsen",
      "Path": "C:\\Program Files (x86)\\NVIDIA Corporation\\PhysX\\Common;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Program Files\\Microchip\\xc8\\v2.31\\bin;C:\\Program Files\\PuTTY\\;C:\\Program Files\\WinMerge;C:\\Program Files\\dotnet\\;C:\\Program Files\\Wolfram Research\\WolframScript\\;C:\\Program Files (x86)\\Windows Kits\\8.1\\Windows Performance Toolkit\\;C:\\Program Files\\Git\\cmd;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Program Files\\LLVM\\bin;C:\\Program Files\\TortoiseSVN\\bin;C:\\Program Files\\otii;C:\\Program Files\\doxygen\\bin;C:\\Program Files\\Graphviz\\bin;C:\\Program Files\\Nordic Semiconductor\\nrf-command-line-tools\\bin\\;C:\\Program Files\\CMake\\bin;C:\\ncs\\nrfutil;C:\\gnuarmemb\\9_2019-q4-major\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\ErlendEliasIsachsen\\.dotnet\\tools;C:\\Program Files\\TortoiseSVN\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\GitHubDesktop\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Programs\\MiKTeX\\miktex\\bin\\x64\\;",
      "PATH": "C:\\Program Files (x86)\\NVIDIA Corporation\\PhysX\\Common;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Program Files\\Microchip\\xc8\\v2.31\\bin;C:\\Program Files\\PuTTY\\;C:\\Program Files\\WinMerge;C:\\Program Files\\dotnet\\;C:\\Program Files\\Wolfram Research\\WolframScript\\;C:\\Program Files (x86)\\Windows Kits\\8.1\\Windows Performance Toolkit\\;C:\\Program Files\\Git\\cmd;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Program Files\\LLVM\\bin;C:\\Program Files\\TortoiseSVN\\bin;C:\\Program Files\\otii;C:\\Program Files\\doxygen\\bin;C:\\Program Files\\Graphviz\\bin;C:\\Program Files\\Nordic Semiconductor\\nrf-command-line-tools\\bin\\;C:\\Program Files\\CMake\\bin;C:\\ncs\\nrfutil;C:\\gnuarmemb\\9_2019-q4-major\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\ErlendEliasIsachsen\\.dotnet\\tools;C:\\Program Files\\TortoiseSVN\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\GitHubDesktop\\bin;C:\\Users\\ErlendEliasIsachsen\\AppData\\Local\\Programs\\MiKTeX\\miktex\\bin\\x64\\;"
    }
  },
  "terminal": {
    "defaultProfile": null
  },
  "config": {
    "nordic-semiconductor.nrf-connect": {
      "topdir": "",
      "toolchain": {
        "path": ""
      },
      "ozonePath": "",
      "applications": [],
      "applicationOptions": {},
      "kconfig": {
        "interface": "kconfig"
      },
      "west": {
        "env": {
          "$base": "terminal"
        }
      },
      "boardRoots": [],
      "taskBindings": {},
      "buildTerminal": {
        "condensedProgress": true
      },
      "debugging": {
        "flash": true,
        "bindings": {},
        "justMyCode": false
      },
      "activeAppFollowActiveEditor": true,
      "flash": {
        "softreset": false,
        "erase": false,
        "recover": false
      },
      "enableTelemetry": true,
      "thirdpartyIntegration": {},
      "toolchainManager": {
        "indexURL": null,
        "installDirectory": null
      },
      "nrfutil": {
        "home": null
      },
      "defaultOpenAction": "ask",
      "terminalProfile": {
        "shell": null
      }
    },
    "nordic-semiconductor.nrf-terminal": {
      "terminalMode": "character"
    },
    "marus25.cortex-debug": {
      "variableUseNaturalFormat": true,
      "liveWatchRefreshRate": "300",
      "armToolchainPath": null,
      "armToolchainPrefix": "arm-none-eabi",
      "gdbPath": null,
      "objdumpPath": null,
      "JLinkGDBServerPath": null,
      "openocdPath": null,
      "pyocdPath": null,
      "PEGDBServerPath": null,
      "stutilPath": null,
      "stlinkPath": null,
      "stm32cubeprogrammer": null,
      "enableTelemetry": true,
      "dbgServerLogfile": null
    }
  },
  "extensions": {
    "internal": {
      "nordic-semiconductor.nrf-connect": {
        "version": "2024.12.55",
        "path": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-connect-2024.12.55-win32-x64",
        "isActive": true
      },
      "nordic-semiconductor.nrf-terminal": {
        "version": "2024.9.14",
        "path": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-terminal-2024.9.14",
        "isActive": true
      },
      "nordic-semiconductor.nrf-devicetree": {
        "version": "2025.4.22",
        "path": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-devicetree-2025.4.22",
        "isActive": true
      },
      "nordic-semiconductor.nrf-kconfig": {
        "version": "2025.4.26",
        "path": "c:\\Users\\ErlendEliasIsachsen\\.vscode\\extensions\\nordic-semiconductor.nrf-kconfig-2025.4.26",
        "isActive": true
      }
    },
    "external": {
      "marus25.cortex-debug": "1.12.1",
      "ms-vscode.cpptools": "1.27.0",
      "ms-vscode.js-debug": "1.102.0",
      "ms-vscode.js-debug-companion": "1.1.3",
      "ms-vscode.vscode-js-profile-table": "1.0.10",
      "bbenoist.Doxygen": "1.0.0",
      "cschlosser.doxdocgen": "1.4.0",
      "GitHub.copilot": "1.350.0",
      "GitHub.copilot-chat": "0.30.1",
      "josetr.cmake-language-support-vscode": "0.0.9",
      "mcu-debug.debug-tracker-vscode": "0.0.15",
      "mcu-debug.memory-view": "0.0.25",
      "mcu-debug.peripheral-viewer": "1.4.6",
      "mcu-debug.rtos-views": "0.0.7",
      "ms-dotnettools.vscode-dotnet-runtime": "2.3.7",
      "ms-python.vscode-python-envs": "1.2.0",
      "ms-vscode-remote.remote-containers": "0.422.1",
      "ms-vscode.cpptools-extension-pack": "1.3.1",
      "ms-vscode.cpptools-themes": "2.0.0",
      "tomoki1207.pdf": "1.2.2",
      "trond-snekvik.gnu-mapfiles": "1.1.0",
      "xaver.clang-format": "1.9.0"
    }
  }
}

  • 0

    Hello,

    Sorry for the delayed response. I have been working on this and was able to see the issue here. It’s not related to your setup. The error you’re seeing is coming from here, and I believe it’s caused by the fprotect backend. The sample works fine with the build configuration nrf54l15dk/nrf54l15dk/cpuapp.

    Kind regards,
    Abhijith

  • 0 in reply to Menon

    Hi Menon, thank you for your answer.

    The problem seems to be that the size of MCUboot and TFM NVS storage (mcuboot, tfm_its, tfm_otp_nv_counters) shifts the MCUboot primary as far back as 0x16000, which is beyond what fprotect can handle. This is similar to what is discussed in this thread.

    I also figured out that the "hello world TFM" sample actually supports nrf54l15dk/nrf54l14/cpuapp/ns, and had some extra KConfig fragments for sysbuild and the application that handle MCUboot with TFM. While the fragments in that sample are meant for a two-stage bootloader, I noticed the prj_bootloaders.conf had the option CONFIG_TFM_PROFILE_TYPE_MINIMAL=y. I tried to take that over to the "with_mcuboot" sample which made the sample boot with FPROTECT enabled (see attached image for the working build configuration, if anyone else encounters the same problem). With the reduced size, mcuboot_primary ends up at 0xe000 which is just within the limit for FPROTECT on nRF54l15.

    So from this I believe I will be able to extract a pm_static.yml that I can use for my application, and build it with MCUboot and TFM.

    However, searching through this raised another question. Do you know if there is a reason why the "hello world TFM" has options for NSIB+MCUboot two stage bootloader, and not just MCUboot as immutable bootloader? Are there any benefits to using NSIB+MCUboot as opposed to only MCUboot (appart from being able to upgrade MCUboot). I'm thinking especially with regards to security, KMU etc.

  • 0 in reply to Erlend Isachsen

    Hello,

    Good to hear that you figured out the partition side correctly.

    Erlend Isachsen said:
    However, searching through this raised another question. Do you know if there is a reason why the "hello world TFM" has options for NSIB+MCUboot two stage bootloader, and not just MCUboot as immutable bootloader? Are there any benefits to using NSIB+MCUboot as opposed to only MCUboot (appart from being able to upgrade MCUboot). I'm thinking especially with regards to security, KMU etc.

    The reason the hello_world_tfm sample on nRF54L uses NSIB + MCUboot is because NSIB anchors the Root of Trust in hardware by storing the boot verification keys in the Key Management Unit (KMU) instead of inside the bootloader binary. See the documentation here.

    This ensures the keys cannot be modified by software and can even be rotated or revoked securely if needed. See the section Revoking private keys

    NSIB is very small and fixed, so its main function is to verify that MCUboot is genuine using the KMU keys, and then hand over control. This design allows MCUboot to be updated later if bugs or security issues are discovered, while the trust foundation remains protected in hardware.

    Using only MCUboot would still work, but it would rely only on flash protection, which is not as strong as KMU based security.

    Kind Regards,

    Abhijith

  • 0 in reply to Menon

    Thank you for your detailed answer, it does seem quite challenging to fit NSIB+2xMCUBoot+TFM within the first 64 kiB though, so until I have fully resolved the FPROTECT issue I think I might have to stick with MCUBoot. Regardless I suppose:

    Menon said:
    This design allows MCUboot to be updated later if bugs or security issues are discovered

    is the core of the it. I have currently configured MCUBoot to use KMU with 3 slots and key revocation, and provision 3 keys during programming, so I would guess that would give most of the other benefits you mentioned using MCUBoot as immutable bootloader?

    Returning to my original issue, it seems it isn't fully resolved after all. As soon as I enable bluetooth and want to have a secure connection, I get the following error:

    <err> bt_ecc: Failed to generate ECC key -134
<wrn> bt_smp: Public key not available

    And if I try to initialize a pairing, I get:

    <err> bt_ecc: psa_import_key() returned status -134
<wrn> bt_smp: Received invalid public key
<err> app: Security change failed for [xx:xx:xx:xx:xx:xx (random)]. Error: [1]

    Which appears to be the same issue experienced here and here. The proposed solution in both cases is to ensure that CONFIG_TFM_PROFILE_TYPE_MINIMAL is not set.

    Is there a way to get around this? Any options I can enable to only get the cryptography I need, or provision the keys required?

  • 0

    Hello,

    Sorry for the delay in getting back to you. This issue has been reported internally, and we are working on it. I will update you once we have a resolution. The error seems to occur because FPROTECT couldn’t protect the MCUBoot partition for some reason.

    There is a similar case, but the customer there is apparently fine running without the _ns version of the build configuration.

    Kind regards,
    Abhijith

Related
Terms of service