MCUboot external signing script - SIGNING_SCRIPT Variable Bug in nRF

Hi All,

I am currently working on a project with the nRF9151 using the nRF SDK v3.1.1 and MCUboot, and I need to sign my application images using an external HSM.
I am using sysbuild and set -Dapplication_SIGNING_SCRIPT (my image is called application) as defined by https://docs.nordicsemi.com/bundle/ncs-3.1.1/page/zephyr/build/signing/index.html#extending_signing_externally.
My script was never called, and after some testing I found out that in "sysbuild/CMakeLists.txt" the variable is always overwritten with the default without checking whether a custom signing script is selected. See CMakeLists.txt on GitHub. Is this the expected behavior, or is there a workaround or a different solution? I would not like to modify the nRF SDK directly.

If this is the problem it may also help to solve RE: Signing script not working as expected and RE: Application with MCUBoot and external signature.

Best regards,
Martin

  • Hello,

    Can you please upload your application project, so that I can have a look and try to replicate the issue that you are seeing? If you need to, you can strip out sensitive information and provide a stripped-down application that will still reproduce the issue that you are seeing.

    Best regards,

    Edvin

  • Hi Edvin,

    I have used the "with_mcuboot" sample from SDK 3.1.1 for the nrf9151dk/nrf9151/ns board (please find the complete project attached) to demonstrate the issue. The project activates image signing by adding

    SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    to the sysbuild.conf file, and also adds a custom signing script in the "Extra CMake arguments" of the build configuration as follows:
    -DSIGNING_SCRIPT=C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
    This points the build system to the my_hsm_signing.cmake file located in the project root folder (please adjust the path if your location is different). The file just prints the "************** Signing script call *********************" message to the terminal.
    Here is part of the log of the build:
    Executing task: nRF Connect: Build [pristine]: with_mcuboot/build (active)
    
    Building with_mcuboot
    west build --build-dir c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot --pristine --board nrf9151dk/nrf9151/ns --sysbuild -- -DCONF_FILE="prj.conf" -DSIGNING_SCRIPT=C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
    
    -- west build: generating a build system
    Loading Zephyr module(s) (Zephyr base): sysbuild_default
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151/ns
    Parsing C:/ncs/v3.1.1/zephyr/share/sysbuild/Kconfig
    Loaded configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/_sysbuild/empty.conf'
    Merged configuration 'c:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/sysbuild.conf'
    Configuration saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/zephyr/.config'
    Kconfig header saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/_sysbuild/autoconf.h'
    --
    *****************************
    * Running CMake for mcuboot *
    *****************************
    
    Loading Zephyr default modules (Zephyr base).
    -- Application: C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr
    -- CMake version: 3.21.0
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Zephyr version: 4.1.99 (C:/ncs/v3.1.1/zephyr)
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151
    -- Found host-tools: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found toolchain: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found Dtc: C:/ncs/toolchains/c1a76fddb2/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found BOARD.dts: C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151.dts
    -- Found devicetree overlay: C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/app.overlay
    -- Generated zephyr.dts: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/zephyr.dts
    -- Generated pickled edt: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/edt.pickle
    -- Generated devicetree_generated.h: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h
    Parsing C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/Kconfig
    Loaded configuration 'C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151_defconfig'
    Merged configuration 'C:/ncs/v3.1.1/bootloader/mcuboot/boot/zephyr/prj.conf'
    Merged configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/sysbuild/mcuboot.conf'
    Merged configuration 'C:/ncs/v3.1.1/nrf/modules/mcuboot/tfm.conf'
    Merged configuration 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/.config.sysbuild'
    Configuration saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/.config'
    Kconfig header saved to 'C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot/zephyr/include/generated/zephyr/autoconf.h'
    -- Found GnuLd: c:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk/arm-zephyr-eabi/arm-zephyr-eabi/bin/ld.bfd.exe (found version "2.38")
    -- The C compiler identification is GNU 12.2.0
    -- The CXX compiler identification is GNU 12.2.0
    -- The ASM compiler identification is GNU
    -- Found assembler: C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc.exe
    -- Found gen_kobject_list: C:/ncs/v3.1.1/zephyr/scripts/build/gen_kobject_list.py
    -- Including signing script: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
    ************** Signing script call *********************
    MCUBoot bootloader key file: C:/ncs/v3.1.1/bootloader/mcuboot/root-ec-p256.pem
    CMake Warning at CMakeLists.txt:412 (message):
    WARNING: Using default MCUboot signing key file, this file is for debug use
    only and is not secure!
    
    
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/mcuboot
    --
    **********************************
    * Running CMake for with_mcuboot *
    **********************************
    
    Loading Zephyr default modules (Zephyr base).
    -- Application: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot
    -- CMake version: 3.21.0
    -- Found Python3: C:/ncs/toolchains/c1a76fddb2/opt/bin/python.exe (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
    -- Cache files will be written to: C:/ncs/v3.1.1/zephyr/.cache
    -- Zephyr version: 4.1.99 (C:/ncs/v3.1.1/zephyr)
    -- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
    -- Board: nrf9151dk, qualifiers: nrf9151/ns
    -- Found host-tools: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found toolchain: zephyr 0.17.0 (C:/ncs/toolchains/c1a76fddb2/opt/zephyr-sdk)
    -- Found Dtc: C:/ncs/toolchains/c1a76fddb2/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found BOARD.dts: C:/ncs/v3.1.1/zephyr/boards/nordic/nrf9151dk/nrf9151dk_nrf9151_ns.dts
    -- Generated zephyr.dts: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/zephyr.dts
    -- Generated pickled edt: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/edt.pickle
    -- Generated devicetree_generated.h: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/build/with_mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h
    It contains the "************** Signing script call *********************" message only once, in the "Running CMake for mcuboot" section. But according to the documentation, it should be called for all images in the build.
    Best regards, Valerii

     7331.with_mcuboot.zip
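
A build-log check for the symptom described in the post above, as an added example that is not part of the original thread or of the nRF Connect SDK: it splits a sysbuild configure log by image banner and reports any image for which the custom signing script was not included, or for which the default MCUboot debug key warning appears. The function names and the sample log (constructed, abridged from the log format quoted above) are assumptions.

```python
import re

# Constructed sample, abridged from the log format quoted in the post.
SAMPLE_LOG = """\
*****************************
* Running CMake for mcuboot *
*****************************
-- Including signing script: C:/ncs/v3.1.1/zephyr/samples/sysbuild/with_mcuboot/my_hsm_signing.cmake
CMake Warning at CMakeLists.txt:412 (message):
  WARNING: Using default MCUboot signing key file, this file is for debug use
**********************************
* Running CMake for with_mcuboot *
**********************************
-- Board: nrf9151dk, qualifiers: nrf9151/ns
"""

BANNER = re.compile(r"^\s*\* Running CMake for (\S+) \*\s*$")
INCLUDE = re.compile(r"^\s*-- Including signing script: (.+?)\s*$")
DEFAULT_KEY = "Using default MCUboot signing key file"


def audit_signing(log_text):
    """Return {image: {"scripts": [...], "default_key": bool}} per sysbuild image."""
    images, current = {}, None
    for line in log_text.splitlines():
        if m := BANNER.match(line):
            current = m.group(1)
            images[current] = {"scripts": [], "default_key": False}
        elif current and (m := INCLUDE.match(line)):
            images[current]["scripts"].append(m.group(1).replace("\\", "/").lower())
        elif current and DEFAULT_KEY in line:
            images[current]["default_key"] = True
    return images


def findings(log_text, expected_script):
    """List the problems a CI gate should fail the build on."""
    want = expected_script.replace("\\", "/").lower()
    out = []
    for image, info in audit_signing(log_text).items():
        if want not in info["scripts"]:
            out.append(f"{image}: custom signing script not included")
        if info["default_key"]:
            out.append(f"{image}: default MCUboot debug key in use")
    return out
```

Run against a saved `west build` log, a non-empty result from `findings` means the build did not pick up the external signing path for every image and should not be released.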

  • Hello,

    Apparently, HSM is not supported in MCUBOOT at this point in time. Please see my colleague Sigurd's reply in this post:

     RE: Using MCUboot with secure private key 

    Together with the rest of that post.

    Best regards,

    Edvin

  • Hello Edvin,

    thank you for the answer.
    I know that there is currently no direct support for HSM in mcuboot; that is why I tried to implement it on my own using a custom signing script.
    There I found the problem that the SIGNING_SCRIPT variable, which in my understanding is exactly for that use case, does not work because it is overwritten by the nRF SDK. This makes it impossible to add a custom signing script without modifying the nRF SDK and seems to be a bug, because it does not work as described by the documentation.
    As for the linked post, it is great that mcuboot (imgtool) seems to be getting support for HSM, but I am not sure if we can wait for that, because we need to comply with RED and exposing private keys in the build pipeline does not seem to work with that.

    Best regards,
    Martin

  • I just want to make sure that you are aware that when you are using NCS and building with, the images are automatically signed using the default key (which you, of course, can change)? I suspect this is why the behavior differs from the Zephyr documentation. I can also recommend our DevAcademy course on DFU/FOTA, if you want to add DFU to your custom application:

    https://academy.nordicsemi.com/courses/nrf-connect-sdk-intermediate/lessons/lesson-9-bootloaders-and-dfu-fota/

    Best regards,

    Edvin

  • Hi Edvin,

    sorry for my late answer.
    Yes, I understand that the images are signed using a key file, but for security reasons I am not allowed to expose this private key, even in the build pipeline.
    Also, when using an HSM I do not have access to this key, because this makes it secure.
    I think I will wait for the full support for HSMs from mcuboot.

    Best regards, Martin
