Generating and using secure DFU keys under Linux

RE: Generating and using secure DFU keys under Linux

bjorn-spockeli — Thu, 27 Oct 2016 11:37:14 GMT

Great! Glad to hear that everything is working as it should! Could you mark the answer as correct/accepted (click the checkmark to the left of the answer) so that its easer for other users to find the answer.

RE: Generating and using secure DFU keys under Linux

Visti Andresen — Thu, 27 Oct 2016 11:04:13 GMT

I can confirm that my issue was also the missing C flags:

-DuECC_ENABLE_VLI_API -DuECC_VLI_NATIVE_LITTLE_ENDIAN=1 -DuECC_SQUARE_FUNC=1 -DuECC_SUPPORTS_secp256r1=1 -DuECC_SUPPORT_COMPRESSED_POINT=0 -DuECC_OPTIMIZATION_LEVEL=3

After adding the flags to my cflags I can now upload valid packages created with both the git version of nrfutil as well as the pip installed one. Invalid packages (created with the wrong secret key) are rejected as expected.

Thanks a lot for your answer.

RE: Generating and using secure DFU keys under Linux

bjorn-spockeli — Thu, 27 Oct 2016 09:07:34 GMT

How are you compiling the micro-ecc library? Could you check that you're not running into this issue?

RE: Generating and using secure DFU keys under Linux

Visti Andresen — Tue, 25 Oct 2016 09:05:02 GMT

Minor update:

I originally used a nrfutil version that was compiled from the git sources.

I have now also tried to 'pip install nrfutil' and use this version to generate a new set of public and private keys as well as a new application package.

The DFU still fails during 'nrf_crypto_verify' using the pip installed nfrutil

RE: Generating and using secure DFU keys under Linux

Visti Andresen — Tue, 25 Oct 2016 07:44:43 GMT

With regard to the app version I have yet to initialize the bootloader settings by flashing its hex.

The check for this is done earlier in dfu_req_handling.c and --applocation-version 0 did not cause any problems if I commented out the failure on the crypto verification.

I have however tried setting the version to 0xFF for completeness.

The DFU update still fails for the crypto verification.

Btw. the NRF_LOG_INFO data also seems to indicated that at least in my case app version 0 would also have been accepted:

 :INFO:Req version: 255, Present: 0

RE: Generating and using secure DFU keys under Linux

bjorn-spockeli — Tue, 25 Oct 2016 07:40:53 GMT

Have you tried setting the --application-version to 0xFF?

RE: Generating and using secure DFU keys under Linux

Visti Andresen — Tue, 25 Oct 2016 07:37:38 GMT

Yes and no to replacing the data in the pk array.

I'm not linking with dfu_public_key.c instead I'm linking with the generated public key code file generated by nrfutil.

I have verified that the data in the the "pk" array is the same bytes as in the generated .c file by calling:

NRF_LOG_HEXDUMP_INFO(crypto_key_pk.p_le_data, crypto_key_pk.len);

Earlier in dfu_req_handling.c crypto_key_pk is defined as

static const nrf_crypto_key_t crypto_key_pk =
{
    .p_le_data = (uint8_t *) pk,
    .len = sizeof(pk)
};

RE: Generating and using secure DFU keys under Linux

bjorn-spockeli — Tue, 25 Oct 2016 06:54:11 GMT

You have removed the debug public key and replaced it with a public key that corresponds to your private key in dfu_public_key.c right?

Have you generated a bootloader settings hex file? If not then I think you have to set the application-version to 0xFF, i.e.

nrfutil pkg generate <name of zip pkg >.zip --application <name of application hex>.hex --application-version 0xFF  --hw-version 52 --sd-req 0x8C --key-file <name of key file>.pem