Using MCUboot with secure private key

The current default and only recommended way to use MCUboot is to make the private key available as part of the build process.

There have been several questions about this previously, asking whether the private key can be kept private, and the answer always seems to be to point to a piece of sample code which is no longer maintained, which does everything manually.

github.com/.../mcuboot_manual_sign

As of 1 August 2025 we are required to meet the robust cyber security requirements of the Radio Equipment Directive if we want to sell in the EU with a CE mark.

Having the private key exposed in this way definitely does not meet these requirements. We are told that the private key must be locked away in a vault and not accessible to developers. We can request a signature but we can't access the private key, so the default build process is broken for any product targeting EU sales.

Does Nordic Semiconductor have any plans to help us out with this? It's great having an automated build system like Zephyr's but a nightmare if you ever want to do anything different from the default.

Simon

  • What is the problem? Just have the secure machine generate/run the imgtool stuff that generates the signature for the "release" MCUboot.

    Devs will work with a "devel" MCUBoot key that only works with the different dev/testing MCUBoot image.

    Locked away in a vault seems stupid, you have to use it in order to generate the required firmware signatures. It has to have a method for you to put the hex to sign in and the finished image out. So it's usually just another PC but one that is locked away physically when you don't need to sign stuff.
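
An added example, not part of the thread and not Nordic's or MCUboot's own code: a sketch of the wrapper a separate signing host could run around `imgtool sign`, so that the release key path exists only on that host and every request is recorded. The approval list, the audit log format, the file paths and the layout values are assumptions made for illustration.

```python
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Placeholder layout values (constructed): use the ones from your own
# MCUboot/partition configuration.
LAYOUT = ["--header-size", "0x200", "--align", "4", "--slot-size", "0x60000"]


def build_sign_command(key_path, unsigned, signed, version):
    """Return the imgtool invocation run on the signing host."""
    return ["imgtool", "sign", "--key", str(key_path), "--version", version,
            *LAYOUT, str(unsigned), str(signed)]


def sign_release(unsigned, signed, version, key_path, approved_sha256,
                 audit_log, runner=subprocess.run):
    """Sign one approved image and record the request.

    approved_sha256: digests approved for release (assumed process).
    runner: injectable for testing; by default it really runs imgtool.
    """
    digest = hashlib.sha256(Path(unsigned).read_bytes()).hexdigest()
    approved = digest in approved_sha256
    entry = {"time": int(time.time()), "sha256": digest,
             "version": version, "approved": approved}
    with open(audit_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")  # refusals are logged as well
    if not approved:
        raise PermissionError(f"image {digest} is not approved for release")
    runner(build_sign_command(key_path, unsigned, signed, version), check=True)
    return digest
```

Developer builds keep using the "devel" key through the normal build; only this host is ever given the release key path.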
