
DFU firmware encryption

Hi,

I would like to implement DFU with firmware encryption. I'm aware this isn't present in SDK 12 and would like to modify the secured bootloader to implement it.

As far as I understand, a DFU package is a zip file containing a manifest and sets of two files, a .dat and a .bin. Is it right that the .bin is the pure image, and the .dat is the header/init packet?

My plan was to encrypt the .bin file, then, in the DFU bootloader, decrypt just before writing to flash. Does this sound like a good approach?

Thanks for your help!

  • I don't see any problem with this.

    And you are correct: the .bin file is the pure image, and the .dat file is the init packet.

    If you are going to encrypt the .bin file and decrypt it after you receive it in the bootloader, you need to modify the bootloader so that the hash and signature are only validated after the image is decrypted.

  • Response was too long for one comment:

    Something to be aware of: the bootloader stores DFU progress in the bootloader settings to allow DFU to continue in case of power loss; this will need to be modified if you are using a stream cipher for decryption (i.e., include the decryption state in the progress data). This feature can be disabled by making the following change in dfu_req_handling:

    case NRF_DFU_OBJECT_OP_SELECT:
        NRF_LOG_INFO("Valid Command: NRF_DFU_OBJECT_OP_SELECT\r\n");
        p_res->crc      = 0; // was: s_dfu_settings.progress.command_crc;
        p_res->offset   = 0; // was: s_dfu_settings.progress.command_offset;
        p_res->max_size = INIT_COMMAND_MAX_SIZE;
        break;
    

    Also, in case you are not aware of it, nrfutil has an option for viewing init packets in a more readable format:

    nrfutil pkg display app_dfu_package.zip
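As an added example (not code from this thread and not from the Nordic SDK), the C model below shows the approach the answer describes: ciphertext arrives in chunks, each byte is decrypted just before it is written to "flash", the progress record carries the cipher state alongside the offset and running CRC so the transfer can resume after a power loss, and the integrity check runs over the decrypted image only once the transfer is complete. All names (`progress_t`, `dfu_t`, `dfu_write`, `dfu_simulate`, ...), the key and nonce values, and the image contents are constructed assumptions. The keystream is a placeholder built on a 64-bit mixer and is not a secure cipher; it stands in for AES-CTR or another stream cipher, and the CRC-32 stands in for the hash/signature check the bootloader would perform after decryption.

```c
/* Added example, not from the thread or the Nordic SDK: resumable
 * decrypt-before-flash for a DFU data object with cipher state in progress. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define BLOCK      8   /* placeholder keystream block size in bytes */
#define IMAGE_SIZE 50  /* constructed image length (deliberately not a block multiple) */

/* Analogue of s_dfu_settings.progress: besides the byte offset and running
 * CRC it stores the cipher state needed to continue after a reset. */
typedef struct {
    uint32_t offset;     /* plaintext bytes already written to flash */
    uint32_t crc;        /* running (un-finalised) CRC-32 of those bytes */
    uint64_t counter;    /* cipher state: index of the next keystream block */
    uint8_t  ks[BLOCK];  /* cipher state: current keystream block */
    uint8_t  ks_pos;     /* cipher state: next unused byte in ks */
} progress_t;

typedef struct {
    uint64_t   key, nonce;
    progress_t p;
    uint8_t    flash[IMAGE_SIZE];  /* stands in for the application area */
} dfu_t;

/* Placeholder PRF (splitmix64 finaliser), NOT a real cipher: a real design
 * would derive the keystream block with AES or another vetted primitive. */
static void keystream_block(uint64_t key, uint64_t nonce, uint64_t ctr, uint8_t out[BLOCK]) {
    uint64_t z = key ^ (nonce << 1) ^ (ctr * 0x9E3779B97F4A7C15ULL);
    z += 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    z ^= z >> 31;
    for (int i = 0; i < BLOCK; i++) out[i] = (uint8_t)(z >> (8 * i));
}

/* Standard CRC-32 (IEEE 802.3), kept in running form so it can be persisted. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}
uint32_t crc32_finish(uint32_t crc) { return crc ^ 0xFFFFFFFFu; }

/* Sender side (what packaging tooling would do): XOR the image with the keystream. */
void image_encrypt(uint64_t key, uint64_t nonce, const uint8_t *pt, uint8_t *ct, size_t n) {
    uint8_t ks[BLOCK];
    for (size_t i = 0; i < n; i++) {
        if (i % BLOCK == 0) keystream_block(key, nonce, i / BLOCK, ks);
        ct[i] = pt[i] ^ ks[i % BLOCK];
    }
}

/* Fresh bootloader state, as after a SELECT that reports offset 0. */
void dfu_start(dfu_t *d, uint64_t key, uint64_t nonce) {
    memset(d, 0, sizeof *d);
    d->key = key;
    d->nonce = nonce;
    d->p.crc = 0xFFFFFFFFu;
    d->p.ks_pos = BLOCK;  /* forces a new keystream block on the first byte */
}

/* Receive ciphertext at the current offset: decrypt each byte, then write it. */
void dfu_write(dfu_t *d, const uint8_t *ct, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (d->p.ks_pos == BLOCK) {
            keystream_block(d->key, d->nonce, d->p.counter++, d->p.ks);
            d->p.ks_pos = 0;
        }
        uint8_t pt = ct[i] ^ d->p.ks[d->p.ks_pos++];
        d->flash[d->p.offset++] = pt;
        d->p.crc = crc32_update(d->p.crc, &pt, 1);
    }
}

/* End-to-end run with a simulated power loss after loss_after bytes. The
 * progress record is persisted (copied), a fresh bootloader instance loads it,
 * the host resends from the reported offset, and the CRC from the init packet
 * is checked over the decrypted image only when the transfer is complete.
 * With save_cipher_state == false the offset and CRC survive but the cipher
 * state is reset, which is the failure mode the answer warns about. */
bool dfu_simulate(size_t loss_after, bool save_cipher_state) {
    uint8_t image[IMAGE_SIZE], ct[IMAGE_SIZE];
    for (size_t i = 0; i < IMAGE_SIZE; i++) image[i] = (uint8_t)(i * 7 + 3);  /* constructed image */
    uint32_t expected = crc32_finish(crc32_update(0xFFFFFFFFu, image, IMAGE_SIZE)); /* from init packet */
    const uint64_t key = 0x0123456789ABCDEFULL, nonce = 42;  /* constructed values */
    image_encrypt(key, nonce, image, ct, IMAGE_SIZE);

    dfu_t dev;
    dfu_start(&dev, key, nonce);
    dfu_write(&dev, ct, loss_after);
    progress_t saved = dev.p;                     /* settings page survives the reset */
    uint8_t flash_copy[IMAGE_SIZE];
    memcpy(flash_copy, dev.flash, IMAGE_SIZE);    /* so does the flash already written */

    dfu_t dev2;
    dfu_start(&dev2, key, nonce);
    dev2.p = saved;                               /* restore offset, CRC and cipher state */
    if (!save_cipher_state) { dev2.p.counter = 0; dev2.p.ks_pos = BLOCK; }
    memcpy(dev2.flash, flash_copy, IMAGE_SIZE);
    dfu_write(&dev2, ct + saved.offset, IMAGE_SIZE - saved.offset);  /* host resends from offset */

    return dev2.p.offset == IMAGE_SIZE
        && memcmp(dev2.flash, image, IMAGE_SIZE) == 0
        && crc32_finish(dev2.p.crc) == expected;
}

int main(void) {
    printf("resume with cipher state:    %s\n", dfu_simulate(13, true) ? "ok" : "FAIL");
    printf("resume without cipher state: %s\n", dfu_simulate(13, false) ? "ok" : "FAIL");
    return 0;
}
```

Because the placeholder keystream is counter based, the block index is a function of the byte offset and could be recomputed from `offset` alone; the record stores the state explicitly to match the general advice, which also covers ciphers whose state is not derivable from the offset. The alternative shown in the answer (reporting offset 0 from SELECT) sidesteps the problem entirely: the host retransmits from the start, so no cipher state needs to be saved, at the cost of losing resume.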
    