MCUboot external signing script - SIGNING_SCRIPT Variable Bug in nRF

Hi All,

I am currently working on a project with the nRF9151 using the nRF SDK v3.1.1 and MCUboot and I need to sign my application images using an external HSM.
I am using sysbuild and set -Dapplication_SIGNING_SCRIPT (my image is called application) as defined by https://docs.nordicsemi.com/bundle/ncs-3.1.1/page/zephyr/build/signing/index.html#extending_signing_externally.
My script was never called and after some testing I found out that in "sysbuild/CMakeLists.txt" the variable is always overwritten to the default without checking if a custom signing script is selected. See CMakeLists.txt on GitHub. Is this the expected behavior or is there a workaround or different solution? I do not like to modify the nRF SDK directly.

If this is the problem it may also help to solve RE: Signing script not working as expected and RE: Application with MCUBoot and external signature.

Best regards,
Martin

  • Hello,

    Can you please upload your application project, so that I can have a look, and try to replicate the issue that you are seeing? If you need to, you can strip out sensitive information, and provide a strip down application that will still reproduce the issue that you are seeing.

    Best regards,

    Edvin

  • Hi Edvin,

    I have used the "with_mcuboot" sample from SDK 3.1.1 for the nrf9151dk/nrf9151/ns board (please find the complete project attached) to demonstrate the issue. The project activates image signing by adding

    SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y

    to the sysbuild.conf file, and also adds a custom signing script in the "Extra CMake arguments" of the build configuration as follows:

    -DSIGNING_SCRIPT=C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake

    This points the build system to the my_hsm_signing.cmake file located in the project root folder (please adjust the path if your location is different). The file just prints the "************** Signing script call *********************" message to the terminal.
    Here is part of the log of the build:

    Executing task: nRF Connect: Build [pristine]: with_mcuboot/build (active)
    
    Building with_mcuboot
    west build --build-dir c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot --pristine --board nrf9151dk/nrf9151/ns --sysbuild -- -DCONF_FILE="prj.conf" -DSIGNING_SCRIPT=C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
    
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151/ns
    Parsing C:/ncs/v3.1.1/zephyr/share/sysbuild/Kconfig
    Loaded configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/_sysbuild/empty.conf'
    Merged configuration 'c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/sysbuild.conf'
    Configuration saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/zephyr/.config'
    Kconfig header saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/_sysbuild/autoconf.h'
    --
    *****************************
    * Running CMake for mcuboot *
    *****************************
    
    Loading Zephyr default modules (Zephyr base).
    -- Application: C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr
    -- CMake version: 3.21.0
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Zephyr version: 4.1.99 (C:/ncs/v3.1.1/zephyr)
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151
    -- Found host-tools: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found toolchain: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found Dtc: C:/ncs/toolchains/c1a76fddb2/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found BOARD.dts: C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151.dts
    -- Found devicetree overlay: C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/app.overlay
    -- Generated zephyr.dts: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/zephyr.dts
    -- Generated pickled edt: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/edt.pickle
    -- Generated devicetree_generated.h: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h
    Parsing C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/Kconfig
    Loaded configuration 'C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151_defconfig'
    Merged configuration 'C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/prj.conf'
    Merged configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/sysbuild/mcuboot.conf'
    Merged configuration 'C:/ncs/v3.1.1/nrf/modules/mcuboot/tfm.conf'
    Merged configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/.config.sysbuild'
    Configuration saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/.config'
    Kconfig header saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/include/generated/zephyr/autoconf.h'
    -- Found GnuLd: c:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk/arm-zephyr-eabi/arm-zephyr-eabi/bin/ld.bfd.exe (found version "2.38")
    -- The C compiler identification is GNU 12.2.0
    -- The CXX compiler identification is GNU 12.2.0
    -- The ASM compiler identification is GNU
    -- Found assembler: C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc.exe
    -- Found gen_kobject_list: C:/ncs/v3.1.1/zephyr/scripts/build/gen_kobject_list.py
    -- Including signing script: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
    ************** Signing script call *********************
    MCUBoot bootloader key file: C:/ncs/v3.1.1/bootloader/mcuboot/root-ec-p256.pem
    CMake Warning at CMakeLists.txt:412 (message):
    WARNING: Using default MCUboot signing key file, this file is for debug use
    only and is not secure!
    
    
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot
    --
    **********************************
    * Running CMake for with_mcuboot *
    **********************************
    
    Loading Zephyr default modules (Zephyr base).
    -- Application: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot
    -- CMake version: 3.21.0
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Zephyr version: 4.1.99 (C:/ncs/v3.1.1/zephyr)
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151/ns
    -- Found host-tools: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found toolchain: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found Dtc: C:/ncs/toolchains/c1a76fddb2/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found BOARD.dts: C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151_ns.dts
    -- Generated zephyr.dts: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/zephyr.dts
    -- Generated pickled edt: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/edt.pickle
    -- Generated devicetree_generated.h: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h

    It contains the "************** Signing script call *********************" message only once, in the "Running CMake for mcuboot" section. But according to the documentation, it should be called for all images in the build.
    Best regards, Valerii

     7331.with_mcuboot.zip
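
A build-log check for the symptom described in this thread, as an added example that is not part of the original posts or of the nRF Connect SDK: it splits a sysbuild configure log into per-image sections and reports images whose section never shows the `-- Including signing script:` line, plus any use of the default debug key. The function names, the `must_sign` list and the embedded sample log (abridged from the lines quoted above) are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the log lines quoted in the post above.
SAMPLE_LOG = """\
*****************************
* Running CMake for mcuboot *
*****************************
-- Including signing script: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
WARNING: Using default MCUboot signing key file, this file is for debug use
**********************************
* Running CMake for with_mcuboot *
**********************************
-- Application: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot
"""

BANNER = re.compile(r"^\s*\*\s+Running CMake for (\S+)\s+\*\s*$")
INCLUDED = re.compile(r"^\s*-- Including signing script:\s*(.+?)\s*$")
DEBUG_KEY = "Using default MCUboot signing key file"

def audit_signing(log_text):
    """Return {image: {"scripts": [...], "debug_key": bool}} per sysbuild image."""
    images, current = {}, None
    for line in log_text.splitlines():
        m = BANNER.match(line)
        if m:
            current = images.setdefault(m.group(1), {"scripts": [], "debug_key": False})
            continue
        if current is None:
            continue  # sysbuild preamble before the first image banner
        m = INCLUDED.match(line)
        if m:
            current["scripts"].append(m.group(1))
        elif DEBUG_KEY in line:
            current["debug_key"] = True
    return images

def findings(log_text, expected_script, must_sign):
    """List images in must_sign that never included expected_script, and debug-key use."""
    report = audit_signing(log_text)
    norm = lambda p: p.replace("\\", "/").lower()  # Windows paths: C:/ vs c:\
    problems = []
    for image in must_sign:
        info = report.get(image)
        if info is None:
            problems.append(f"{image}: image not configured in this log")
        elif norm(expected_script) not in map(norm, info["scripts"]):
            problems.append(f"{image}: signing script not included")
    problems += [f"{img}: default debug signing key in use" for img, i in report.items() if i["debug_key"]]
    return problems
```

Run as a CI gate over the captured `west build` output, a non-empty result from `findings()` means the build did not take the external signing path for every image listed in `must_sign`.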
