DFU: ECDSA accepts wrong keys, while CRC/SHA256 fails to boot valid app (SDK 17.1.0)

Hello,

Setup

  • MCU : nRF52840
  • SDK : nRF5 17.1.0
  • Transport : Secure Bootloader (UART)
  • No SoftDevice
  • Custom HW

The Problem:
I am experiencing two conflicting behaviors regarding App Boot Validation during the initial factory flash (using merged HEX files) and subsequent DFU updates.

1. The ECDSA Security Issue:
When I set --app-boot-validation VALIDATE_ECDSA_P256_SHA256 in nrfutil settings generate, the bootloader successfully boots the application. However, it also accepts and installs an update.zip signed with the wrong private key.

NRF_BL_APP_SIGNATURE_CHECK_REQUIRED is set to 1 in sdk_config.h.

The public key in dfu_public_key.c is verified to match my production private key.

2. The CRC/SHA256 Boot Failure:
If I change the validation to --app-boot-validation VALIDATE_GENERATED_CRC or VALIDATE_GENERATED_SHA256 using the exact same app hex, the bootloader refuses to start the application (stays in DFU mode).

To generate the factory flash I do the following steps:

  1. Use mergehex to combine MBR + Bootloader into "system.hex"
  2. Use nrfutil to generate the settings from the app using my private key and a --app-boot-validation option
  3. Merge the app.hex + settings.hex into "package.hex"
  4. Merge package.hex + system.hex into final.hex
  5. Use nrfjprog to program final.hex

Here is my sdk_config.h: 70624.sdk_config.h

Question

Why would ECDSA validation permit an app to boot and be updated with a mismatched key when signature check is required, and why do the two other options just straight up not work?
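The five factory-flash steps from the post, as an added example script (not the poster's own); it assumes the legacy nrfutil 6.x CLI, mergehex and nrfjprog are on PATH, uses placeholder file names, and refuses the ECDSA mode without a key file since that mode signs the app hash while the CRC/SHA256 modes store an unsigned digest.

```shell
#!/bin/sh
# Added example (not the poster's script): the five factory-flash steps
# as one reproducible script. Assumes mergehex, the legacy nrfutil 6.x CLI
# and nrfjprog are on PATH; mbr.hex, bootloader.hex, app.hex and private.pem
# are placeholder file names. Set DRY_RUN=1 to print the commands instead.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Print the nrfutil settings command for one boot-validation mode.
# ECDSA validation signs the app hash, so it needs the private key;
# the CRC/SHA256 modes store an unsigned digest and take no key.
settings_cmd() {
    mode=$1 key=$2 app=$3 out=$4
    case "$mode" in
        VALIDATE_ECDSA_P256_SHA256)
            [ -n "$key" ] || { echo "ECDSA boot validation needs --key-file" >&2; return 1; }
            keyarg="--key-file $key" ;;
        VALIDATE_GENERATED_CRC|VALIDATE_GENERATED_SHA256|NO_VALIDATION)
            keyarg="" ;;
        *) echo "unknown boot validation mode: $mode" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "nrfutil settings generate --family NRF52840 --application $app" \
        "--application-version 1 --bootloader-version 1 --bl-settings-version 2" \
        "--app-boot-validation $mode ${keyarg:+$keyarg }$out"
}

build_factory_image() {
    mode=$1 key=$2
    run mergehex -m mbr.hex bootloader.hex -o system.hex            # step 1
    cmd=$(settings_cmd "$mode" "$key" app.hex settings.hex)          # step 2
    run $cmd                                                         # word-split on purpose
    run mergehex -m app.hex settings.hex -o package.hex              # step 3
    run mergehex -m package.hex system.hex -o final.hex              # step 4
    run nrfjprog -f NRF52 --program final.hex --chiperase --verify   # step 5
    run nrfjprog --reset
}

# Usage: sh factory_flash.sh VALIDATE_ECDSA_P256_SHA256 private.pem
if [ $# -ge 1 ]; then build_factory_image "$1" "${2:-}"; fi
```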
