DFU FW downgrade protection

Hi Nordic 

What is the best way to protect against downgrading the app FW via DFU?

It seems that I'm able to downgrade even though the 2 configs below are set.

I tested it on SDK 2.7.0, and there it was not possible to downgrade, but on the latest it is.

I'm using SDK 3.0.2 and the nRF54L15.

Can it be done with the config parameters below, or are more needed?

CONFIG_BOOT_UPGRADE_ONLY=y

CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION=y

Best regards
Tommy F Kristensen
  • Hi Tommy,

    SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION is now a sysbuild configuration and must be added as an argument to your build command or added to sysbuild.conf in your project root instead of being added to the project configuration file for mcuboot directly.

    Also, CONFIG_BOOT_UPGRADE_ONLY=y is now the same as SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y. However, this is not directly related to downgrade protection but rather to how the image is moved from the secondary slot to the primary slot: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_main_config.html#operational_modes_of_mcuboot

    Best regards,

    Vidar

  • Hi Vidar 

    Thanks for the advice

    I tried to put SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION into the sysbuild config for the nRF54L15 project, but it is not enabled due to missing dependencies.

    It seems that it depends on the defines below, which indicate that the chip should be either nRF5340 or nRF91x. SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION was undefined, but I figured out that SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is defined in the project.

    Build error:

    warning: MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION (defined at
    C:/ncs/v3.0.2/nrf/sysbuild\Kconfig.mcuboot:15) was assigned the value 'y' but got the value 'n'.
    Check these unsatisfied dependencies: (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X) (=n). See
    docs.zephyrproject.org/.../kconfig.html
    and/or look up MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION in the menuconfig/guiconfig interface. The
    Application Development Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices
    sections of the manual might be helpful too.

    Best Regards

    Tommy F Kristensen

  • Hi Tommy,

    Not sure if that's the issue here, but please note that the CONFIG_PM_PARTITION_SIZE_MCUBOOT setting is ignored if you have a static partitioning file. Another thing is that the size has to be aligned to 0x1000 bytes. Could you post your prj.conf file? Maybe there are some settings that can be adjusted to allow the bootloader to fit in the current region.

    Best regards,

    Vidar

  • Hi Vidar

    I have just succeeded in compiling the bootloader with SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION=y enabled in sysbuild, where I disabled logging in the bootloader to make space.

    Now the device will NOT start up.

    Am I missing any config?

    Below is the prj.conf for mcuboot:

    CONFIG_PM=n
    
    CONFIG_MAIN_STACK_SIZE=10240
    CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
    
    CONFIG_BOOT_SWAP_SAVE_ENCTLV=n
    CONFIG_BOOT_ENCRYPT_IMAGE=n
    
    CONFIG_BOOT_UPGRADE_ONLY=y
    CONFIG_BOOT_BOOTSTRAP=n
    
    ### mbedTLS has its own heap
    # CONFIG_HEAP_MEM_POOL_SIZE is not set
    
    ### We never want Zephyr's copy of tinycrypt.  If tinycrypt is needed,
    ### MCUboot has its own copy in tree.
    # CONFIG_TINYCRYPT is not set
    # CONFIG_TINYCRYPT_ECC_DSA is not set
    # CONFIG_TINYCRYPT_SHA256 is not set
    
    CONFIG_FLASH=y
    #fffCONFIG_FPROTECT=y
    CONFIG_FLASH_JESD216_API=y
    
    CONFIG_SPI_NOR_SFDP_MINIMAL=y
    ### Various Zephyr boards enable features that we don't want.
    # CONFIG_BT is not set
    # CONFIG_BT_CTLR is not set
    # CONFIG_I2C is not set
    
    CONFIG_LOG=n
    CONFIG_LOG_MODE_MINIMAL=y # former CONFIG_MODE_MINIMAL
    ### Ensure Zephyr logging changes don't use more resources
    CONFIG_LOG_DEFAULT_LEVEL=0
    ### Use info log level by default
    CONFIG_MCUBOOT_LOG_LEVEL_INF=y
    ### Decrease footprint by ~4 KB in comparison to CBPRINTF_COMPLETE=y
    CONFIG_CBPRINTF_NANO=y
    ### Use the minimal C library to reduce flash usage
    CONFIG_MINIMAL_LIBC=y
    CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0
    
    # NCS boot banner
    CONFIG_NCS_APPLICATION_BOOT_BANNER_STRING="MCUboot"
    
    CONFIG_FW_INFO=n
    #CONFIG_FW_INFO_FIRMWARE_VERSION=1
    
    #CONFIG_SECURE_BOOT_DEBUG_UART=n
    CONFIG_SAPHE=n
    CONFIG_INPUT_FT3168=n
    CONFIG_INPUT_FT3168_INTERRUPT=n
    CONFIG_SH8601Z=n
    CONFIG_SAPHE_LIS2DH=n
    CONFIG_I2S=n
    # Enable GPIO
    CONFIG_GPIO=n
    # Enable ADC
    CONFIG_ADC=n

    This is my sysbuild config:

    SB_CONFIG_BOOTLOADER_MCUBOOT=y
    
    SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    
    SB_CONFIG_MCUBOOT_MODE_SWAP_WITHOUT_SCRATCH=y
    
    SB_CONFIG_DFU_MULTI_IMAGE_PACKAGE_BUILD=y
    SB_CONFIG_DFU_MULTI_IMAGE_PACKAGE_APP=y
    
    SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y
    
    
    # Settings required for external flash to be used for DFU
    SB_CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y
    SB_CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y
    
    
    SB_CONFIG_PARTITION_MANAGER=y
    
    
    SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    
    SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION=y

    Best Regards

    Tommy

    PS: I did try to remove the pm_static.conf and let the partition tool generate the partitions, but then it failed allocating the external flash for fat_fs. Below is my pm_static.yml:

    app:
      address: 0xe800
      end_address: 0x15f000
      region: flash_primary
      size: 0x150800
    # https://docs.nordicsemi.com/bundle/ncs-2.9.0/page/nrf/scripts/partition_manager/partition_manager.html#configuration_file_format
    fatfs_storage:
      address: 0x151000
      affiliation:
      - disk
      device: DT_CHOSEN(nordic_pm_ext_flash)
      end_address: 0x800000
      extra_params:
        disk_cache_size: 0x1000
        disk_name: NAND
        disk_read_only: 0x0
        disk_sector_size: 0x200
      placement:
        align:
          start: 0x1000
        before:
        - end
      region: external_flash
      size: 0x6AF000
    mcuboot:
      address: 0x0
      end_address: 0xe000
      placement:
        align:
          end: 0x1000
        before:
        - mcuboot_primary
      region: flash_primary
      size: 0xe000
    mcuboot_pad:
      address: 0xe000
      end_address: 0xe800
      placement:
        before:
        - mcuboot_primary_app
      region: flash_primary
      size: 0x800
    mcuboot_primary:
      address: 0xe000
      end_address: 0x15f000
      orig_span: &id001
      - mcuboot_pad
      - app
      region: flash_primary
      size: 0x151000
      span: *id001
    mcuboot_primary_app:
      address: 0xe800
      end_address: 0x15f000
      orig_span: &id002
      - app
      region: flash_primary
      size: 0x150800
      span: *id002
    mcuboot_secondary:
      address: 0x0
      device: DT_CHOSEN(nordic_pm_ext_flash)
      end_address: 0x151000
      placement:
        align:
          start: 0x4
      region: external_flash
      share_size:
      - mcuboot_primary
      size: 0x151000
    otp:
      address: 0xffd500
      end_address: 0xffd9fc
      region: otp
      size: 0x4fc
    sram_primary:
      address: 0x20000000
      end_address: 0x2002f000
      region: sram_primary
      size: 0x2f000
    zms_storage:
      address: 0x15f000
      end_address: 0x165000
      placement:
        after:
        - app
        before:
        - end
      region: flash_primary
      size: 0x6000
    

  • Hi Tommy,

    Thanks for the additional details. You may be able to keep logging enabled if you enable link-time optimization, which we now have on by default for nRF54L bootloader builds (see https://github.com/nrfconnect/sdk-mcuboot/commit/671513cb7dad7598986fe3b4a4dd11e9edfb6c9a). Could you try this and see if the logs provide any clues?

    Tommy F Kristensen said:
    PS: I did try to remove the pm_static.conf and let the partition tool generate the partitions, but then it failed allocating the external flash for fat_fs. Below is my pm_static.yml:

    It's possible to remove everything but the fatfs_storage partition and let the other partitions be allocated dynamically.

    Best regards,

    Vidar

  • Hi Vidar

    Sorry for the delayed answer, but I have had some other more critical bugs to fix.

    I ended up getting it to run with your fix and reducing the log level to warn.

    Now I get log output:

    *** Booting MCUboot v2.1.0-dev-ae1ee57f3906 ***
    *** Using nRF Connect SDK v3.0.2-89ba1294ac9b ***
    *** Using Zephyr OS v4.0.99-f791c49f492c ***
    [00:16:30.780,660] <err> mcuboot: Security counter update failed after image validation.
    [00:16:30.780,844] <err> mcuboot: Unable to find bootable image

    I have been checking that there should be an OTP area to hold the counter in the partition table.

    I have patched SDK 3.0.2 with your above patch, so I'm not sure if I'm missing anything.

    Best Regards

    Tommy F Kristensen

  • Hi Tommy,

    Please check the return code from boot_update_security_counter() if you haven't already. It would also be good if you could quickly test the same with SDK v3.1.x or later.

    Best regards,

    Vidar
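As an added illustration of the failure in the log above (example code written for this page, not MCUboot, SDK or either poster's code), the following Python model follows the order MCUboot uses around boot_update_security_counter(): the image's security counter is compared with the stored monotonic counter, the counter is persisted only after the image validates, and a failed persist means the image is not booted. The write-once slot layout, the ERASED value, the dict-based image and the verify_signature callback are simplifying assumptions.

```python
"""Simplified model of MCUboot hardware downgrade prevention (added example)."""

ERASED = 0xFFFF  # assumed value of a never-written OTP counter slot


class OtpCounter:
    """Write-once slots: the current value is the last non-erased slot (assumption)."""

    def __init__(self, num_slots, writable=True):
        self.slots = [ERASED] * num_slots
        self.writable = writable  # False simulates a missing or locked OTP region

    def get(self):
        written = [v for v in self.slots if v != ERASED]
        return written[-1] if written else 0

    def update(self, value):
        # Monotonic: a lower or equal value is never programmed.
        if not self.writable or value <= self.get():
            return False
        try:
            idx = self.slots.index(ERASED)
        except ValueError:
            return False  # every slot already consumed
        self.slots[idx] = value
        return True


def try_boot(image, otp, verify_signature):
    """Return (outcome, reason) for a candidate image dict with 'security_counter'."""
    stored = otp.get()
    # 1. Downgrade check: an image with a counter below the stored one is refused.
    if image["security_counter"] < stored:
        return ("rejected", "downgrade: image counter below stored counter")
    # 2. Authenticity: an unsigned image must never advance the counter.
    if not verify_signature(image):
        return ("rejected", "signature invalid")
    # 3. Persist the counter only after validation; fail closed if that is impossible.
    if image["security_counter"] > stored and not otp.update(image["security_counter"]):
        return ("rejected", "security counter update failed after image validation")
    return ("booted", "ok")
```

Booting an image with the same counter as the stored value succeeds without a write, so the counter only ever moves forward on a verified, newer image.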
