• State Not Answered
  • Replies 13 replies
  • Subscribers 75 subscribers
  • Views 4115 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 242007
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Immutable bootloader private key in zephyr

Chris Burns

In trying to use a private key file to sign the application image I'm running into an issue with the PEM file. I created a PEM file using the following command:

openssl ecparam -name prime256v1 -genkey -noout -out priv.pem

as documented here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/bootloader/README.html

Then I modified my application's prj.conf file by adding these lines:

# Bootloader
CONFIG_SECURE_BOOT=y
CONFIG_SB_SIGNING_KEY_FILE="priv.pem"

The build output generates this error:

-- Using application from 'C:/Users/me/Repos/myproject'
Zephyr version: 2.0.99
-- Found PythonInterp: C:/Python37/python.exe (found suitable version "3.7.3", minimum required is "3.4")
-- Selected BOARD nrf9160_pca10090ns
-- Found west: C:/Python37/Scripts/west.exe (found suitable version "0.6.3", minimum required is "0.6.0")
-- Cache files will be written to: C:\Users\me\AppData\Local/.cache/zephyr
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090ns.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
-- Overlaying C:/Users/me/Repos/myproject/nrf9160_pca10090ns.overlay
Devicetree configuration written to C:/Users/me/Repos/myproject/build/zephyr/include/generated/generated_dts_board.conf

warning: TEST_RANDOM_GENERATOR (defined at subsys/random/Kconfig:8) was assigned the value 'y' but
got the value 'n'. You can check symbol information (including dependencies) in the 'menuconfig'
interface (see the Application Development Primer section of the manual), or in the Kconfig
reference at
http://docs.zephyrproject.org/latest/reference/kconfig/CONFIG_TEST_RANDOM_GENERATOR.html (which is
updated regularly from the master branch). See the 'Setting configuration values' section of the
Board Porting Guide as well.
Parsing Kconfig tree in C:/Users/me/Repos/myproject/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090ns_defconfig'
Merged configuration 'C:/Users/me/Repos/myproject/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/zephyr/.config'
-- The C compiler identification is GNU 7.3.1
-- The CXX compiler identification is GNU 7.3.1
-- The ASM compiler identification is GNU
-- Found assembler: C:/gnuarmemb/bin/arm-none-eabi-gcc.exe
-- Using application from 'C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm'
Zephyr version: 2.0.99
Changed board to secure nrf9160_pca10090 (NOT NS)
USING OUT OF TREE BOARD
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
-- Overlaying C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm/nrf9160_pca10090.overlay
Devicetree configuration written to C:/Users/me/Repos/myproject/build/spm/zephyr/include/generated/generated_dts_board.conf
Parsing Kconfig tree in C:/Users/me/Repos/ncs/zephyr/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090_defconfig'
Merged configuration 'C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/spm/zephyr/.config'
-- Using application from 'C:/Users/me/Repos/ncs/nrf/samples/bootloader'
Zephyr version: 2.0.99
Changed board to secure nrf9160_pca10090 (NOT NS)
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
Devicetree configuration written to C:/Users/me/Repos/myproject/build/b0/zephyr/include/generated/generated_dts_board.conf
Parsing Kconfig tree in C:/Users/me/Repos/ncs/zephyr/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090_defconfig'
Merged configuration 'C:/Users/me/Repos/ncs/nrf/samples/bootloader/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/b0/zephyr/.config'
CMake Error at C:/Users/me/Repos/ncs/nrf/subsys/bootloader/cmake/debug_keys.cmake:57 (message):
  Config points to non-existing PEM file 'priv.pem'
Call Stack (most recent call first):
  C:/Users/me/Repos/ncs/nrf/subsys/bootloader/image/CMakeLists.txt:67 (include)


-- Configuring incomplete, errors occurred!
See also "C:/Users/me/Repos/myproject/build/CMakeFiles/CMakeOutput.log".
See also "C:/Users/me/Repos/myproject/build/CMakeFiles/CMakeError.log".

The priv.pem file is in the same directory as my prj.conf file. What am I doing wrong that the build tools can't find it?

Parents
  • 0

    I performed the following steps, and did not see any issue. Please let me know what you have done differently:

    1. Jump to latest master (you should be able to do this on older commits as well)
    2. West update <- The warning about the 'TEST_RANDOM_GENERATOR' might indicate that this step is not done properly
    3. Use BOARD nrf9160_pca10090ns
    4. Jump to zephyr/samples/hello_world
    5. Run your openssl command
    6. modify zephyr/samples/hello_world prj.conf by adding the two lines you mention above
    7. cmake -GNinja -DBOARD=nrf9160_pca10090ns && ninja flash
    8. Verify that hello world boots.

    Also, the help text for the 'SB_SIGNING_KEY_FILE' explicitly states that the path shall be absolute. Note that for this case, the relative path provided by you also worked for me. 

    Try to follow those steps, and let me know if/when it fails.

    Edit: I see now that you are on windows. Please try to use the absolute path :)

  • 0 in reply to shibshab

    Hi shibshab,

    I tried the above steps on nrf master, by specifying the private in absolute and relative path but the applicant failed to boot, with following error message.

    # Bootloader
CONFIG_SECURE_BOOT=y
#CONFIG_SB_SIGNING_KEY_FILE="priv.pem"
CONFIG_SB_SIGNING_KEY_FILE="C:/Data/GIT/ncs/master/zephyr/samples/hello_world/priv.pem"
     

    2020-10-12T13:50:30.809Z DEBUG modem << *** Booting Zephyr OS build v2.3.0-rc1-ncs1-3614-ga4ead9805140  ***
2020-10-12T13:50:30.817Z DEBUG modem << Attempting to boot slot 0.
2020-10-12T13:50:30.819Z DEBUG modem << Attempting to boot from address 0x8000.
2020-10-12T13:50:30.820Z DEBUG modem << Firwmare has been invalidated: 0x91020000.
2020-10-12T13:50:30.822Z DEBUG modem << Failed to validate, permanently invalidating!
2020-10-12T13:50:30.825Z DEBUG modem << Attempting to boot slot 1.
2020-10-12T13:50:30.827Z DEBUG modem << No fw_info struct found.
2020-10-12T13:50:30.831Z DEBUG modem << No bootable image found. Aborting boot.

    thanks and regards

    KK

  • 0 in reply to kk2mkk

    I think its nothing to do with the private key, even just enabling CONFIG_SECURE_BOOT=y doesn't work either

    regards

    KK

  • 0 in reply to kk2mkk

    Have performed a chip erase before flashing b0? `nrfjprog -e` 

Reply Children
  • 0 in reply to kk2mkk

    Are you building for a non-secure board? If so you should use MCUBoot as the single stage bootloader instead. B0 does not support non-secure apps as the next step in the bootloader chain.

  • 0 in reply to shibshab

    To my understanding when you build the application(with NS) with secure boot and mcuoot support the child images are build automatically with their respective secure or NS configuration, no need to specify explicitly.

    Lets us consider an application on which i am presently working on i.e ncs\master\nrf\applications\serial_lte_modem, by adding the following config lines to the my application builds the b0 and mcuboo(NS) automatically

    # b0 Bootloader
CONFIG_SECURE_BOOT=y

# MCUboot as upgradable bootloader
CONFIG_BOOTLOADER_MCUBOOT=y
     

    ROM map

    terminal o/p

    -------------------------------b0 -------------------------------------------------
2020-10-13T06:54:51.280Z DEBUG modem << *** Booting Zephyr OS build v2.3.0-rc1-ncs1-3614-ga4ead9805140  ***
2020-10-13T06:54:51.284Z DEBUG modem << Attempting to boot slot 0.
2020-10-13T06:54:51.289Z DEBUG modem << Attempting to boot from address 0x8200.
2020-10-13T06:54:51.291Z DEBUG modem << Verifying signature against key 0.
2020-10-13T06:54:51.298Z DEBUG modem << Hash: 0x8e...d7
2020-10-13T06:54:51.316Z DEBUG modem << Firmware signature verified.
2020-10-13T06:54:51.318Z DEBUG modem << Firmware version 1
2020-10-13T06:54:51.324Z DEBUG modem << Setting monotonic counter (version: 1, slot: 0)
2020-10-13T06:54:51.325Z DEBUG modem << Booting (0x8200).
-------------------------------mcuboot -------------------------------------------------
2020-10-13T06:54:51.334Z DEBUG modem << *** Booting Zephyr OS build v2.3.0-rc1-ncs1-3614-ga4ead9805140  ***
2020-10-13T06:54:51.337Z DEBUG modem << [00:00:00.006,042] [0m<inf> mcuboot: Starting bootloader[0m
2020-10-13T06:54:51.350Z DEBUG modem << [00:00:00.012,359] [0m<inf> mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3[0m
2020-10-13T06:54:51.353Z DEBUG modem << [00:00:00.022,491] [0m<inf> mcuboot: Boot source: none[0m
2020-10-13T06:54:51.357Z DEBUG modem << [00:00:00.028,015] [0m<inf> mcuboot: Swap type: none[0m
2020-10-13T06:54:51.374Z DEBUG modem << [00:00:00.033,691] [0m<inf> mcuboot: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3[0m
2020-10-13T06:54:51.376Z DEBUG modem << [00:00:00.043,792] [0m<inf> mcuboot: Boot source: none[0m
2020-10-13T06:54:51.386Z DEBUG modem << [00:00:00.049,346] [0m<inf> mcuboot: Swap type: none[0m
2020-10-13T06:54:51.652Z DEBUG modem << [00:00:00.319,702] [0m<inf> mcuboot: Bootloader chainload address offset: 0x28000[0m
2020-10-13T06:54:51.664Z DEBUG modem << [00:00:00.327,514] [0m<inf> mcuboot: Jumping to the first image slot[0m
-------------------------------app---------------------------------------------
2020-10-13T06:54:52.037Z DEBUG modem << Ready
2020-10-13T06:54:55.659Z DEBUG modem >> AT
2020-10-13T06:54:55.675Z DEBUG modem << OK
2020-10-13T06:54:56.153Z DEBUG modem >> AT
2020-10-13T06:54:56.168Z DEBUG modem << OK

    regrads

    kk

  • 0 in reply to kk2mkk

    You are correct in that the bootloaders (both b0 and mcuboot) are automatically built for the secure variant of the board. In the case of your issue, I'm wondering if you have enabled MCUBoot or not (when you saw the issue about missing validation info)

  • 0 in reply to shibshab

    You are correct, i haven't enabled MCUBoot boot, only secured boot was enabled

    # Bootloader
CONFIG_SECURE_BOOT=y

    the question is do we need mcuboot, can't b0+app(including spm) suffice? ya i do do agree the the application upgrade wont be possible if we dont have mcuboot.

    regards

    kk

Related
Terms of service