https://devzone.nordicsemi.com/f/nordic-q-a/125945/single-bank-dfu-bare-metal---image-verificationHello I played with the mcuboot_recovery_entry bare metal dfu sample. I noticed that if I sign an application image with an invalid key (invalid on purpose), the firmware loader still downloads the application and overwrites the old one. Then afteren-USTelligent Community 13Thu, 18 Dec 2025 11:08:32 GMThttps://devzone.nordicsemi.com/thread/557307?ContentTypeID=1Thu, 18 Dec 2025 11:08:32 GMT137ad170-7792-4731-bb38-c0d22fbe4515:de3ec4d9-b276-4069-9bc7-a0fe274841b5PaKa<p>So this is a logical limitation with single bank DFUs.</p> <p>1: you check the signature to validate this is an update for you and it is signed correctly</p> <p>2: you delete the original image to make space for the new</p> <p>3: you download the new image</p> <p>4: you validate that the new image is actually what you was promised to get</p> <p>5a: image is OK, start using</p> <p>5b: image is fake, restart in bootloader mode as original image is gone.</p> <p>You can&#39;t validate the image before downloading as you don&#39;t have the space to store it. If this is a requrement then you have to use a dual bank solution. This is part of what you gain when giving away memory to the dual bank.</p> <p>To improve resilience against spoofing you should restrict what devices can trigger an DFU, if you only allow this to happen from securely bonded devices then this means you won&#39;t be spoofed by non-connected devices.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/557236?ContentTypeID=1Wed, 17 Dec 2025 14:22:28 GMT137ad170-7792-4731-bb38-c0d22fbe4515:8117be94-26ba-4506-8141-c2d0c8c31ee3Hung Bui<p>Hi Filip,&nbsp;<br />Sorry for not getting back earlier. So on NCS baremetal the signature checking is done on the Bootloader/MCUboot side not on the FW loader . This explain why the original image is erased before signature is checked.&nbsp;</p> <p>But the device will not be bricked as the image will not be activated due to wrong signature when MCUBoot check that. It will stay in DFU mode and wait for a valid image.&nbsp;<br /><br />As mentioned earlier, it doesn&#39;t matter much if you check the signature before or after receiving the image, one can&nbsp;get a valid hash and signature combine with an invalid image to get the same effect.&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/557162?ContentTypeID=1Wed, 17 Dec 2025 07:49:15 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ee6c186e-e588-426a-9b7d-c482d69aee58tdfilip<p>Hello, is there any update from the NCS Bare Metal team?</p> <p>Regards,<br />Filip</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/556108?ContentTypeID=1Wed, 03 Dec 2025 12:49:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f7ad460e-1e8f-414c-aa07-515d14397093Hung Bui<p>Hi Filip,&nbsp;</p> <p>So the hash and signature is located at the image trailer. From what you described, seems that the trailer is not sent before the image is received. So you have a point here that one with an invalid image (and a way to put the device to DFU mode) can brick the device with an invalid image.&nbsp;<br /><br />However, even if the signature and hash is sent before the image, one can still spoof a valid signature and hash (copy from a valid DFU package) combine with an invalid image. If you want to have a secure authentication, I guess it has to be implemented before the device enter DFU mode.&nbsp;<br /><br />Anyway, I have forwarded your question internally to NCS Bare Metal team, let&#39;s see what their take on this.&nbsp;</p><div style="clear:both;"></div>