• State Verified Answer
  • Replies 4 replies
  • Subscribers 87 subscribers
  • Views 331 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 354810
Options

Single-bank DFU bare metal - image verification

tdfilip

Hello

I played with the mcuboot_recovery_entry bare metal dfu sample. I noticed that if I sign an application image with an invalid key (invalid on purpose), the firmware loader still downloads the application and overwrites the old one. Then after a reboot, the MCUBoot verifies the image, rejects it and start the firmware loader again. 

Is there a possibility for firmware loader to verify the image signature before overwriting the current image? If no, isn't there a possibility that anyone could start dfu with an invalid image which would remove the current image?

Regards,
Filip

Parents
  • +1

    Hi Filip, 
    Sorry for not getting back earlier. So on NCS baremetal the signature checking is done on the Bootloader/MCUboot side not on the FW loader . This explain why the original image is erased before signature is checked. 

    But the device will not be bricked as the image will not be activated due to wrong signature when MCUBoot check that. It will stay in DFU mode and wait for a valid image. 

    As mentioned earlier, it doesn't matter much if you check the signature before or after receiving the image, one can get a valid hash and signature combine with an invalid image to get the same effect. 

Reply
  • +1

    Hi Filip, 
    Sorry for not getting back earlier. So on NCS baremetal the signature checking is done on the Bootloader/MCUboot side not on the FW loader . This explain why the original image is erased before signature is checked. 

    But the device will not be bricked as the image will not be activated due to wrong signature when MCUBoot check that. It will stay in DFU mode and wait for a valid image. 

    As mentioned earlier, it doesn't matter much if you check the signature before or after receiving the image, one can get a valid hash and signature combine with an invalid image to get the same effect. 

Children
  • 0 in reply to Hung Bui

    So this is a logical limitation with single bank DFUs.

    1: you check the signature to validate this is an update for you and it is signed correctly

    2: you delete the original image to make space for the new

    3: you download the new image

    4: you validate that the new image is actually what you was promised to get

    5a: image is OK, start using

    5b: image is fake, restart in bootloader mode as original image is gone.

    You can't validate the image before downloading as you don't have the space to store it. If this is a requrement then you have to use a dual bank solution. This is part of what you gain when giving away memory to the dual bank.

    To improve resilience against spoofing you should restrict what devices can trigger an DFU, if you only allow this to happen from securely bonded devices then this means you won't be spoofed by non-connected devices.

Related
Terms of service