Immutable bootloader private key in zephyr

In trying to use a private key file to sign the application image I'm running into an issue with the PEM file. I created a PEM file using the following command:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

as documented here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/bootloader/README.html

Then I modified my application's prj.conf file by adding these lines:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The build output generates this error:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The priv.pem file is in the same directory as my prj.conf file. What am I doing wrong that the build tools can't find it?

  • I performed the following steps, and did not see any issue. Please let me know what you have done differently:

    1. Jump to latest master (you should be able to do this on older commits as well)
    2. West update <- The warning about the 'TEST_RANDOM_GENERATOR' might indicate that this step is not done properly
    3. Use BOARD nrf9160_pca10090ns
    4. Jump to zephyr/samples/hello_world
    5. Run your openssl command
    6. modify zephyr/samples/hello_world prj.conf by adding the two lines you mention above
    7. cmake -GNinja -DBOARD=nrf9160_pca10090ns && ninja flash
    8. Verify that hello world boots.

    Also, the help text for the 'SB_SIGNING_KEY_FILE' explicitly states that the path shall be absolute. Note that for this case, the relative path provided by you also worked for me. 

    Try to follow those steps, and let me know if/when it fails.

    Edit: I see now that you are on Windows. Please try to use the absolute path :)

  • Hi shibshab,

    I tried the above steps on nrf master, specifying the private key with both an absolute and a relative path, but the application failed to boot, with the following error message.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    thanks and regards

    KK

  • I think it's nothing to do with the private key; even just enabling CONFIG_SECURE_BOOT=y doesn't work either

    regards

    KK

  • Have you performed a chip erase before flashing b0? `nrfjprog -e`

  • Yes, I put extra caution into doing that step

  • Are you building for a non-secure board? If so you should use MCUBoot as the single stage bootloader instead. B0 does not support non-secure apps as the next step in the bootloader chain.

  • To my understanding, when you build the application (with NS) with secure boot and mcuboot support, the child images are built automatically with their respective secure or NS configuration; there is no need to specify it explicitly.

    Let us consider an application on which I am presently working, i.e. ncs\master\nrf\applications\serial_lte_modem: adding the following config lines to my application builds the b0 and mcuboot (NS) automatically

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     

    ROM map

    terminal o/p

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    regards

    kk

  • You are correct in that the bootloaders (both b0 and mcuboot) are automatically built for the secure variant of the board. In the case of your issue, I'm wondering if you have enabled MCUBoot or not (when you saw the issue about missing validation info)

  • You are correct, I haven't enabled MCUBoot; only secure boot was enabled

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The question is, do we need mcuboot? Can't b0+app (including spm) suffice? Yes, I do agree that the application upgrade won't be possible if we don't have mcuboot.

    regards

    kk