Hello
I'm using NCS 3.1.0 and signed images already work for FOTA. I would now like to add image encryption on top of signing, but the MCUboot build fails and I can't figure out what is wrong. My project layout:
app/
├── prj.conf
├── sysbuild.conf
├── sysbuild/
│   └── mcuboot.conf
└── keys/
    ├── priv.pem
    ├── enc-key.pem
    └── enc-pub.pem
/app/prj.conf :
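# Application Kconfig fragment (app/prj.conf), restored to one option per line.
# As pasted, the options were run together on three long lines, so the first
# '#' turned the rest of each line into a comment. No option value is changed.
# Lines starting with "NOTE(review)" are reviewer remarks, not the author's.

CONFIG_PM_DEVICE=y
CONFIG_PM_DEVICE_RUNTIME=y
CONFIG_TICKLESS_KERNEL=y
CONFIG_GPIO=y
CONFIG_GPIO_AS_PINRESET=y
CONFIG_CRC=y
CONFIG_POWEROFF=y
CONFIG_HWINFO=y
CONFIG_NCS_SAMPLES_DEFAULTS=y
#CONFIG_DK_LIBRARY=y
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
CONFIG_USE_SEGGER_RTT=y
CONFIG_RTT_CONSOLE=y
CONFIG_UART_CONSOLE=n
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y
CONFIG_BT=y
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_DEVICE_NAME="FREEDOM"
CONFIG_BT_MAX_CONN=2
CONFIG_BT_SMP=y
CONFIG_BT_MAX_PAIRED=8
CONFIG_BT_GATT_AUTO_SEC_REQ=y
# NOTE(review): a fixed passkey is the same value for every pairing attempt, so
# it gives far less protection than a per-pairing random passkey. Confirm this
# is a development setting and not the shipping pairing method.
CONFIG_BT_FIXED_PASSKEY=y
CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL=y
# Enable bonding
CONFIG_BT_SETTINGS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_RUNTIME=y
CONFIG_SETTINGS_NVS=y
CONFIG_BT_DIS_SETTINGS=y
CONFIG_BT_DIS=y
CONFIG_BT_DIS_PNP=n
CONFIG_BT_DIS_MODEL_NUMBER=y
CONFIG_BT_DIS_MANUF_NAME=y
CONFIG_BT_DIS_SERIAL_NUMBER=y
CONFIG_BT_DIS_FW_REV=y
CONFIG_BT_DIS_HW_REV=y
CONFIG_BT_DIS_SW_REV=y
CONFIG_BT_DIS_MODEL_NUMBER_STR="FREEDOM"
CONFIG_BT_DIS_MANUF_NAME_STR="TELEDYNE"
CONFIG_BT_DIS_SERIAL_NUMBER_STR="123456789abcdef"
# CONFIG_BT_DIS_FW_REV_STR="0.0.0"
# CONFIG_BT_DIS_HW_REV_STR="0.0.0"
# CONFIG_BT_DIS_SW_REV_STR="0.0.0"
# NOTE(review): with privacy disabled the device does not use resolvable
# private addresses, so its advertising address stays linkable over time.
CONFIG_BT_PRIVACY=n
CONFIG_BT_CTLR_PRIVACY=n
# Enable MCUboot bootloader build in the application
CONFIG_BOOTLOADER_MCUBOOT=y
# NOTE(review): keys/priv.pem is the private signing key. Keep it out of
# version control and out of shared build artefacts.
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="keys/priv.pem"
# NOTE(review): this names enc-pub.pem, while sysbuild.conf on this page names
# enc-key.pem for SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE. Confirm which of the two
# settings the sysbuild flow actually uses, and that both refer to the same
# key pair.
CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE="keys/enc-pub.pem"
# Include MCUMGR and its dependencies in the build
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y
# NOTE(review): the authenticated-transport option below is commented out.
# Because the file-system and storage-erase groups are enabled further down,
# check which link security level the SMP service requires before a client
# can use them.
#CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=y
CONFIG_BT_EXT_ADV=y
CONFIG_BT_EXT_ADV_MAX_ADV_SET=2
CONFIG_BT_DEVICE_NAME_DYNAMIC=n
CONFIG_BT_CTLR_ADV_DATA_LEN_MAX=100
# CONFIG_BT_GATT_AUTO_UPDATE_MTU=y
CONFIG_BT_L2CAP_TX_MTU=247
#CONFIG_BT_CTLR_PHY_2M=y
#CONFIG_BT_USER_PHY_UPDATE=y
CONFIG_PARTITION_MANAGER_ENABLED=y
CONFIG_FILE_SYSTEM=y
CONFIG_FILE_SYSTEM_LITTLEFS=y
CONFIG_FS_LITTLEFS_BLK_DEV=y
#CONFIG_FS_LITTLEFS_FMP_DEV=n
CONFIG_FS_LITTLEFS_FC_HEAP_SIZE=8192
CONFIG_FS_LITTLEFS_CACHE_SIZE=512
#CONFIG_FS_LITTLEFS_LOOKAHEAD_SIZE=2048
CONFIG_DISK_ACCESS=y
CONFIG_DISK_DRIVERS=y
CONFIG_DISK_DRIVER_RAM=y
CONFIG_CLOCK_CONTROL_NRF_K32SRC_RC=y
CONFIG_CLOCK_CONTROL_NRF_K32SRC_XTAL=n
CONFIG_MULTITHREADING=y
CONFIG_HEAP_MEM_POOL_SIZE=30000
# Enable binary descriptors
#CONFIG_BINDESC=y
# Enable definition of binary descriptors
#CONFIG_BINDESC_DEFINE=y
# Enable default build time binary descriptors
#CONFIG_BINDESC_DEFINE_BUILD_TIME=y
#CONFIG_BINDESC_BUILD_DATE_TIME_STRING=y
##################################################
################ CONF TO CHECK ###################
################ TO BE REMOVED ###################
##################################################
# NOTE(review): the two groups below expose file read/write and a storage
# erase command over the management transport. The banner above already marks
# them for removal; make sure that happens before release.
# Enable file system commands
CONFIG_MCUMGR_GRP_FS=y
CONFIG_MCUMGR_GRP_FS_DL_CHUNK_SIZE_LIMIT=y
CONFIG_MCUMGR_GRP_FS_DL_CHUNK_SIZE=200
# Enable the storage erase command.
CONFIG_MCUMGR_GRP_ZBASIC=y
CONFIG_MCUMGR_GRP_ZBASIC_STORAGE_ERASE=y
# Optionally force the file system to be recreated
#CONFIG_APP_WIPE_STORAGE=y
# fs_dirent structures are big.
CONFIG_MAIN_STACK_SIZE=2500
CONFIG_BT_RX_STACK_SIZE=2500
#CONFIG_BT_HCI_TX_STACK_SIZE=4096
CONFIG_MCUMGR_TRANSPORT_WORKQUEUE_STACK_SIZE=6000
# Let __ASSERT do its job
CONFIG_DEBUG=y
CONFIG_INIT_STACKS=y
CONFIG_THREAD_STACK_INFO=y
# CONFIG_MPU_STACK_GUARD=n
# CONFIG_STACK_SENTINEL=y
CONFIG_THREAD_MONITOR=y
CONFIG_THREAD_NAME=y
# CONFIG_PM_SINGLE_IMAGE=y # or CONFIG_PM_MULTI_IMAGE if you use MCUboot
CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y
#CONFIG_PM_PARTITION_REGION_LITTLEFS_EXTERNAL=y
#CONFIG_PM_PARTITION_REGION_SETTINGS_STORAGE_EXTERNAL=y
#CONFIG_PM_PARTITION_REGION_NVS_STORAGE_EXTERNAL=y
CONFIG_SPI=n # We don’t use Zephyr’s abstraction
#CONFIG_SPI_NOR=y
#CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
#CONFIG_NORDIC_QSPI_NOR=y
#CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
#CONFIG_NRFX_SPIM=y # Enables global use of SPIM (base for SPIM2)
#CONFIG_NRFX_SPIM1=y # We want SPIM2 in low-level (NRFX)
CONFIG_NRFX_SPIM2=y # We want SPIM2 in low-level (NRFX)
#CONFIG_NRFX_GPIOTE=y
#CONFIG_LOG_DEFAULT_LEVEL=4
#CONFIG_WATCHDOG=n
CONFIG_SERIAL=y
CONFIG_UART_ASYNC_API=y
CONFIG_UART_INTERRUPT_DRIVEN=n
# CONFIG_NRF_SW_LPUART=y
CONFIG_SYS_HEAP_RUNTIME_STATS=y # required to get heap stats
##################################################
##################################################
##################################################
##################################################
CONFIG_BT_CTLR=y
CONFIG_BT_CTLR_ADVANCED_FEATURES=y
CONFIG_BT_CTLR_CONN_RSSI=y
CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL=y
# CONFIG_BT_HCI_VS_EXT=y
CONFIG_BT_LL_SOFTDEVICE=y
CONFIG_RESET_ON_FATAL_ERROR=y
#CONFIG_FAULT_DUMP=2 # Print more info on exceptions
#CONFIG_EXCEPTION_DEBUG=y # More verbose debug (useful in dev)
# NOTE(review): these TinyCrypt options apply to the application image only.
# They do not select a crypto backend for the MCUboot child image, which takes
# its configuration from sysbuild/mcuboot.conf.
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_AES=y
CONFIG_TINYCRYPT_AES_CTR=y
CONFIG_MCUMGR_MGMT_NOTIFICATION_HOOKS=y
CONFIG_MCUMGR_GRP_FS_FILE_ACCESS_HOOK=y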
/app/sysbuild/mcuboot.conf :
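# MCUboot child-image Kconfig fragment (app/sysbuild/mcuboot.conf), restored
# to one option per line. As pasted, everything after the first '#' sat on the
# same line and would have been read as a comment. No option value is changed.
# Lines starting with "NOTE(review)" are reviewer remarks, not the author's.

CONFIG_GPIO=n
# CONFIG_MCUBOOT_LOG_LEVEL_WRN=y
# CONFIG_BOOT_UPGRADE_ONLY=y
# NOTE(review): downgrade prevention is left disabled. Signing and encryption
# alone do not stop an older, validly signed image from being installed, so
# decide explicitly whether rollback protection is needed.
# CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y

# The options below enable Mbed TLS and the primitives the encrypted-image path
# uses (P-256 ECDH/ECDSA, SHA-256, AES).
# NOTE(review): the build log on this page shows bootutil seeing neither
# MBED_TLS nor TINYCRYPT defined, so enabling the library here does not appear
# to select MCUboot's own crypto backend. Check the resolved MCUboot .config
# in the build directory for which CONFIG_BOOT_USE_* / CONFIG_BOOT_ECDSA_*
# symbol is active, and whether that backend supports encrypted images.
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_MBEDTLS_SHA256_C=y
CONFIG_MBEDTLS_AES_C=y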
/app/sysbuild.conf
# Sysbuild-level configuration (app/sysbuild.conf): adds MCUboot as the
# bootloader image and sets the image signing and encryption parameters.
# Enable MCUboot
SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_PARTITION_MANAGER=y
# Signing key for application images. priv.pem is the private signing key:
# keep it out of version control and out of shared build artefacts.
SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="${APP_DIR}/keys/priv.pem"
# Signature scheme: ECDSA over P-256.
SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
# Turn on encrypted-image support.
SB_CONFIG_BOOT_ENCRYPTION=y
# NOTE(review): enc-key.pem is presumably the private half of the encryption
# key pair. The bootloader needs that private key to unwrap the per-image key,
# so it ends up inside the MCUboot binary; confirm that flash readback
# protection covers the bootloader.
# NOTE(review): prj.conf on this page sets CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE
# to keys/enc-pub.pem instead. Confirm which setting the build uses.
SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE="${APP_DIR}/keys/enc-key.pem"
Here is the build error output:
In file included from /home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:9:
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/zephyr/include/mcuboot_config/mcuboot_config.h:34:7: error: #error "One crypto library implementation allowed at a time."
34 | # error "One crypto library implementation allowed at a time."
| ^~~~~
In file included from /home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:26:
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdh_p256.h:17:6: error: #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
17 | #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
| ^~~~~
In file included from /home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:36:
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/hmac_sha256.h:17:6: error: #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
17 | #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
| ^~~~~
In file included from /home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:33,
from /home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:43:
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/aes_ctr.h:19:6: error: #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA"
19 | #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA"
| ^~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:44:5: error: unknown type name 'bootutil_aes_ctr_context'
44 | bootutil_aes_ctr_context aes_ctr;
| ^~~~~~~~~~~~~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c: In function 'parse_ec256_enckey':
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:165:16: error: 'NUM_ECC_BYTES' undeclared (first use in this function)
165 | if (len != NUM_ECC_BYTES) {
| ^~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:165:16: note: each undeclared identifier is reported only once for each function it appears in
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c: In function 'hkdf':
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:245:5: error: unknown type name 'bootutil_hmac_sha256_context'; did you mean 'bootutil_sha_context'?
245 | bootutil_hmac_sha256_context hmac;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_context
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:263:5: warning: implicit declaration of function 'bootutil_hmac_sha256_init'; did you mean 'bootutil_sha_init'? [-Wimplicit-function-declaration]
263 | bootutil_hmac_sha256_init(&hmac);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_init
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:266:10: warning: implicit declaration of function 'bootutil_hmac_sha256_set_key' [-Wimplicit-function-declaration]
266 | rc = bootutil_hmac_sha256_set_key(&hmac, salt, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:271:10: warning: implicit declaration of function 'bootutil_hmac_sha256_update'; did you mean 'bootutil_sha_update'? [-Wimplicit-function-declaration]
271 | rc = bootutil_hmac_sha256_update(&hmac, ikm, ikm_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_update
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:276:10: warning: implicit declaration of function 'bootutil_hmac_sha256_finish'; did you mean 'bootutil_sha_finish'? [-Wimplicit-function-declaration]
276 | rc = bootutil_hmac_sha256_finish(&hmac, prk, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_finish
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:281:5: warning: implicit declaration of function 'bootutil_hmac_sha256_drop'; did you mean 'bootutil_sha_drop'? [-Wimplicit-function-declaration]
281 | bootutil_hmac_sha256_drop(&hmac);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_drop
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c: In function 'boot_decrypt_key':
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:392:5: error: unknown type name 'bootutil_ecdh_p256_context'; did you mean 'bootutil_sha_context'?
392 | bootutil_ecdh_p256_context ecdh_p256;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_context
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:398:5: error: unknown type name 'bootutil_hmac_sha256_context'; did you mean 'bootutil_sha_context'?
398 | bootutil_hmac_sha256_context hmac;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_context
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:399:5: error: unknown type name 'bootutil_aes_ctr_context'; did you mean 'bootutil_sha_context'?
399 | bootutil_aes_ctr_context aes_ctr;
| ^~~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_context
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:406:21: error: 'BOOT_ENC_BLOCK_SIZE' undeclared (first use in this function); did you mean 'BOOT_ENC_TLV_SIZE'?
406 | uint8_t counter[BOOT_ENC_BLOCK_SIZE];
| ^~~~~~~~~~~~~~~~~~~
| BOOT_ENC_TLV_SIZE
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:466:5: warning: implicit declaration of function 'bootutil_ecdh_p256_init'; did you mean 'bootutil_sha_init'? [-Wimplicit-function-declaration]
466 | bootutil_ecdh_p256_init(&ecdh_p256);
| ^~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_init
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:468:10: warning: implicit declaration of function 'bootutil_ecdh_p256_shared_secret' [-Wimplicit-function-declaration]
468 | rc = bootutil_ecdh_p256_shared_secret(&ecdh_p256, &buf[EC_PUBK_INDEX], private_key, shared);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:469:5: warning: implicit declaration of function 'bootutil_ecdh_p256_drop'; did you mean 'bootutil_sha_drop'? [-Wimplicit-function-declaration]
469 | bootutil_ecdh_p256_drop(&ecdh_p256);
| ^~~~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_drop
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:556:5: warning: implicit declaration of function 'bootutil_aes_ctr_init'; did you mean 'bootutil_sha_init'? [-Wimplicit-function-declaration]
556 | bootutil_aes_ctr_init(&aes_ctr);
| ^~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_init
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:558:9: warning: implicit declaration of function 'bootutil_aes_ctr_drop'; did you mean 'bootutil_sha_drop'? [-Wimplicit-function-declaration]
558 | bootutil_aes_ctr_drop(&aes_ctr);
| ^~~~~~~~~~~~~~~~~~~~~
| bootutil_sha_drop
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:562:10: warning: implicit declaration of function 'bootutil_aes_ctr_set_key' [-Wimplicit-function-declaration]
562 | rc = bootutil_aes_ctr_set_key(&aes_ctr, derived_key);
| ^~~~~~~~~~~~~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:569:10: warning: implicit declaration of function 'bootutil_aes_ctr_decrypt' [-Wimplicit-function-declaration]
569 | rc = bootutil_aes_ctr_decrypt(&aes_ctr, counter, &buf[EC_CIPHERKEY_INDEX], BOOT_ENC_KEY_SIZE, 0, enckey);
| ^~~~~~~~~~~~~~~~~~~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:406:13: warning: unused variable 'counter' [-Wunused-variable]
406 | uint8_t counter[BOOT_ENC_BLOCK_SIZE];
| ^~~~~~~
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c: In function 'boot_enc_encrypt':
/home/aurelien/ncs/v3.1.0/bootloader/mcuboot/boot/bootutil/src/encrypted.c:712:5: warning: implicit declaration of function 'bootutil_aes_ctr_encrypt' [-Wimplicit-function-declaration]
712 | bootutil_aes_ctr_encrypt(&enc->aes_ctr, nonce, buf, sz, blk_off, buf);
| ^~~~~~~~~~~~~~~~~~~~~~~~
ninja: build stopped: subcommand failed.
FATAL ERROR: command exited with status 1: /home/aurelien/ncs/toolchains/c5be9c56c7/usr/local/bin/cmake --build /home/aurelien/Freelance/dpe_design/ngt-bluetooth/app/build/mcuboot
I suspect the bootloader build is missing the information about which crypto backend to use for encryption: the `#error` lines above show that bootutil sees neither MBED_TLS nor TINYCRYPT defined, even though my mcuboot.conf enables CONFIG_MBEDTLS.
When I put the configuration in /child_image/mcuboot.conf, it is not applied when building MCUboot. Instead, I need to use /sysbuild/mcuboot.conf.
If you have any suggestions, please share them.
Regards
Aurélien