Immutable bootloader private key in zephyr

In trying to use a private key file to sign the application image I'm running into an issue with the PEM file. I created a PEM file using the following command:

openssl ecparam -name prime256v1 -genkey -noout -out priv.pem

as documented here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/bootloader/README.html

Then I modified my application's prj.conf file by adding these lines:

# Bootloader
CONFIG_SECURE_BOOT=y
CONFIG_SB_SIGNING_KEY_FILE="priv.pem"

The build output generates this error:

-- Using application from 'C:/Users/me/Repos/myproject'
Zephyr version: 2.0.99
-- Found PythonInterp: C:/Python37/python.exe (found suitable version "3.7.3", minimum required is "3.4")
-- Selected BOARD nrf9160_pca10090ns
-- Found west: C:/Python37/Scripts/west.exe (found suitable version "0.6.3", minimum required is "0.6.0")
-- Cache files will be written to: C:\Users\me\AppData\Local/.cache/zephyr
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090ns.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
-- Overlaying C:/Users/me/Repos/myproject/nrf9160_pca10090ns.overlay
Devicetree configuration written to C:/Users/me/Repos/myproject/build/zephyr/include/generated/generated_dts_board.conf

warning: TEST_RANDOM_GENERATOR (defined at subsys/random/Kconfig:8) was assigned the value 'y' but
got the value 'n'. You can check symbol information (including dependencies) in the 'menuconfig'
interface (see the Application Development Primer section of the manual), or in the Kconfig
reference at
http://docs.zephyrproject.org/latest/reference/kconfig/CONFIG_TEST_RANDOM_GENERATOR.html (which is
updated regularly from the master branch). See the 'Setting configuration values' section of the
Board Porting Guide as well.
Parsing Kconfig tree in C:/Users/me/Repos/myproject/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090ns_defconfig'
Merged configuration 'C:/Users/me/Repos/myproject/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/zephyr/.config'
-- The C compiler identification is GNU 7.3.1
-- The CXX compiler identification is GNU 7.3.1
-- The ASM compiler identification is GNU
-- Found assembler: C:/gnuarmemb/bin/arm-none-eabi-gcc.exe
-- Using application from 'C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm'
Zephyr version: 2.0.99
Changed board to secure nrf9160_pca10090 (NOT NS)
USING OUT OF TREE BOARD
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
-- Overlaying C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm/nrf9160_pca10090.overlay
Devicetree configuration written to C:/Users/me/Repos/myproject/build/spm/zephyr/include/generated/generated_dts_board.conf
Parsing Kconfig tree in C:/Users/me/Repos/ncs/zephyr/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090_defconfig'
Merged configuration 'C:/Users/me/Repos/ncs/nrf/samples/nrf9160/spm/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/spm/zephyr/.config'
-- Using application from 'C:/Users/me/Repos/ncs/nrf/samples/bootloader'
Zephyr version: 2.0.99
Changed board to secure nrf9160_pca10090 (NOT NS)
-- Loading C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090.dts as base
-- Overlaying C:/Users/me/Repos/ncs/zephyr/dts/common/common.dts
Devicetree configuration written to C:/Users/me/Repos/myproject/build/b0/zephyr/include/generated/generated_dts_board.conf
Parsing Kconfig tree in C:/Users/me/Repos/ncs/zephyr/Kconfig
Loaded configuration 'C:/Users/me/Repos/ncs/zephyr/boards/arm/nrf9160_pca10090/nrf9160_pca10090_defconfig'
Merged configuration 'C:/Users/me/Repos/ncs/nrf/samples/bootloader/prj.conf'
Configuration saved to 'C:/Users/me/Repos/myproject/build/b0/zephyr/.config'
CMake Error at C:/Users/me/Repos/ncs/nrf/subsys/bootloader/cmake/debug_keys.cmake:57 (message):
  Config points to non-existing PEM file 'priv.pem'
Call Stack (most recent call first):
  C:/Users/me/Repos/ncs/nrf/subsys/bootloader/image/CMakeLists.txt:67 (include)


-- Configuring incomplete, errors occurred!
See also "C:/Users/me/Repos/myproject/build/CMakeFiles/CMakeOutput.log".
See also "C:/Users/me/Repos/myproject/build/CMakeFiles/CMakeError.log".

The priv.pem file is in the same directory as my prj.conf file. What am I doing wrong that the build tools can't find it?

  • You are correct, I haven't enabled MCUBoot boot, only secured boot was enabled.

    # Bootloader
    CONFIG_SECURE_BOOT=y

    The question is: do we need mcuboot? Can't b0+app (including spm) suffice? Ya, I do agree that the application upgrade won't be possible if we don't have mcuboot.

    regards

    kk

  • That configuration is currently not supported. Is it so that you only want secure boot, no firmware upgrade functionality?

  • I do need firmware upgrade functionality, but if I start providing my self-generated private key I end up in this booting issue.

    2020-10-13T11:26:59.824Z DEBUG modem << *** Booting Zephyr OS build v2.3.0-rc1-ncs1-3614-ga4ead9805140  ***
    2020-10-13T11:26:59.844Z DEBUG modem << Attempting to boot slot 0.
    2020-10-13T11:26:59.856Z DEBUG modem << Attempting to boot from address 0x8200.
    2020-10-13T11:26:59.860Z DEBUG modem << Firwmare has been invalidated: 0x91020000.
    2020-10-13T11:26:59.860Z DEBUG modem << Failed to validate, permanently invalidating!
    2020-10-13T11:26:59.860Z DEBUG modem << Attempting to boot slot 1.
    2020-10-13T11:26:59.861Z DEBUG modem << No fw_info struct found.
    2020-10-13T11:26:59.861Z DEBUG modem << No bootable image found. Aborting boot.

    Build log

    C:\Data\GIT\ncs\master\zephyr\samples\hello_world\build>ninja rom_report
    [0/1] Re-running CMake...
    Including boilerplate (Zephyr base (cached)): C:/Data/GIT/ncs/master/zephyr/cmake/app/boilerplate.cmake
    -- Application: C:/Data/GIT/ncs/master/zephyr/samples/hello_world
    -- Using NCS Toolchain 1.3.0 for building. (C:/Data/GIT/ncs/master/toolchain/cmake)
    -- Zephyr version: 2.4.0 (C:/Data/GIT/ncs/master/zephyr)
    -- Found west (found suitable version "0.7.3", minimum required is "0.7.1")
    -- Board: nrf9160dk_nrf9160ns
    -- Cache files will be written to: C:/Data/GIT/ncs/master/zephyr/.cache
    -- Found dtc: C:/Data/GIT/ncs/master/toolchain/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found toolchain: gnuarmemb (C:/Data/GIT/ncs/master/toolchain/opt)
    -- Found BOARD.dts: C:/Data/GIT/ncs/master/zephyr/boards/arm/nrf9160dk_nrf9160/nrf9160dk_nrf9160ns.dts
    -- Generated zephyr.dts: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/zephyr/zephyr.dts
    -- Generated devicetree_unfixed.h: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/zephyr/include/generated/devicetree_unfixed.h
    Parsing C:/Data/GIT/ncs/master/zephyr/Kconfig
    Loaded configuration 'C:/Data/GIT/ncs/master/zephyr/boards/arm/nrf9160dk_nrf9160/nrf9160dk_nrf9160ns_defconfig'
    Merged configuration 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/prj.conf'
    Configuration saved to 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/zephyr/.config'
    Kconfig header saved to 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/zephyr/include/generated/autoconf.h'
    Changed board to secure nrf9160dk_nrf9160 (NOT NS)
    
    === child image spm -  begin ===
    Including boilerplate (Zephyr base (cached)): C:/Data/GIT/ncs/master/zephyr/cmake/app/boilerplate.cmake
    -- Application: C:/Data/GIT/ncs/master/nrf/samples/spm
    -- Using NCS Toolchain 1.3.0 for building. (C:/Data/GIT/ncs/master/toolchain/cmake)
    -- Zephyr version: 2.4.0 (C:/Data/GIT/ncs/master/zephyr)
    -- Found west (found suitable version "0.7.3", minimum required is "0.7.1")
    -- Board: nrf9160dk_nrf9160
    -- Cache files will be written to: C:/Data/GIT/ncs/master/zephyr/.cache
    -- Found dtc: C:/Data/GIT/ncs/master/toolchain/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found toolchain: gnuarmemb (C:/Data/GIT/ncs/master/toolchain/opt)
    -- Found BOARD.dts: C:/Data/GIT/ncs/master/zephyr/boards/arm/nrf9160dk_nrf9160/nrf9160dk_nrf9160.dts
    -- Found devicetree overlay: C:/Data/GIT/ncs/master/nrf/samples/spm/nrf9160dk_nrf9160.overlay
    -- Generated zephyr.dts: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm/zephyr/zephyr.dts
    -- Generated devicetree_unfixed.h: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm/zephyr/include/generated/devicetree_unfixed.h
    Parsing C:/Data/GIT/ncs/master/zephyr/Kconfig
    Loaded configuration 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm/zephyr/.config'
    No change to configuration in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm/zephyr/.config'
    No change to Kconfig header in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm/zephyr/include/generated/autoconf.h'
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/spm
    === child image spm -  end ===
    
    Changed board to secure nrf9160dk_nrf9160 (NOT NS)
    
    === child image b0 -  begin ===
    Including boilerplate (Zephyr base (cached)): C:/Data/GIT/ncs/master/zephyr/cmake/app/boilerplate.cmake
    -- Application: C:/Data/GIT/ncs/master/nrf/samples/bootloader
    -- Using NCS Toolchain 1.3.0 for building. (C:/Data/GIT/ncs/master/toolchain/cmake)
    -- Zephyr version: 2.4.0 (C:/Data/GIT/ncs/master/zephyr)
    -- Found west (found suitable version "0.7.3", minimum required is "0.7.1")
    -- Board: nrf9160dk_nrf9160
    -- Cache files will be written to: C:/Data/GIT/ncs/master/zephyr/.cache
    -- Found dtc: C:/Data/GIT/ncs/master/toolchain/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found toolchain: gnuarmemb (C:/Data/GIT/ncs/master/toolchain/opt)
    -- Found BOARD.dts: C:/Data/GIT/ncs/master/zephyr/boards/arm/nrf9160dk_nrf9160/nrf9160dk_nrf9160.dts
    -- Generated zephyr.dts: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0/zephyr/zephyr.dts
    -- Generated devicetree_unfixed.h: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0/zephyr/include/generated/devicetree_unfixed.h
    Parsing C:/Data/GIT/ncs/master/zephyr/Kconfig
    Loaded configuration 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0/zephyr/.config'
    No change to configuration in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0/zephyr/.config'
    No change to Kconfig header in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0/zephyr/include/generated/autoconf.h'
    CMake Warning at ../../subsys/bootloader/CMakeLists.txt:21 (message):
    
    
            --------------------------------------------------------
            --- WARNING: When using the immutable bootloader on  ---
            --- this SoC, the UICR must be erased when flashing. ---
            --- E.g. by calling 'west flash --erase'             ---
            --------------------------------------------------------
    
    
    CMake Warning at C:/Data/GIT/ncs/master/zephyr/kernel/CMakeLists.txt:54 (message):
      Single threaded mode (CONFIG_MULTITHREADING=n) is deprecated
    
    
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/b0
    === child image b0 -  end ===
    
    Changed board to secure nrf9160dk_nrf9160 (NOT NS)
    
    === child image mcuboot -  begin ===
    Including boilerplate (Zephyr base (cached)): C:/Data/GIT/ncs/master/zephyr/cmake/app/boilerplate.cmake
    -- Application: C:/Data/GIT/ncs/master/bootloader/mcuboot/boot/zephyr
    -- Using NCS Toolchain 1.3.0 for building. (C:/Data/GIT/ncs/master/toolchain/cmake)
    -- Zephyr version: 2.4.0 (C:/Data/GIT/ncs/master/zephyr)
    -- Found west (found suitable version "0.7.3", minimum required is "0.7.1")
    -- Board: nrf9160dk_nrf9160
    -- Cache files will be written to: C:/Data/GIT/ncs/master/zephyr/.cache
    -- Found dtc: C:/Data/GIT/ncs/master/toolchain/opt/bin/dtc.exe (found suitable version "1.4.7", minimum required is "1.4.6")
    -- Found toolchain: gnuarmemb (C:/Data/GIT/ncs/master/toolchain/opt)
    -- Found BOARD.dts: C:/Data/GIT/ncs/master/zephyr/boards/arm/nrf9160dk_nrf9160/nrf9160dk_nrf9160.dts
    -- Found devicetree overlay: C:/Data/GIT/ncs/master/bootloader/mcuboot/boot/zephyr/dts.overlay
    -- Found devicetree overlay: C:/Data/GIT/ncs/master/bootloader/mcuboot/boot/zephyr/dts.overlay
    -- Generated zephyr.dts: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot/zephyr/zephyr.dts
    CMake Warning at C:/Data/GIT/ncs/master/zephyr/kernel/CMakeLists.txt:54 (message):
    -- Generated devicetree_unfixed.h: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot/zephyr/include/generated/devicetree_unfixed.h
    Parsing C:/Data/GIT/ncs/master/bootloader/mcuboot/boot/zephyr/Kconfig
    Loaded configuration 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot/zephyr/.config'
    No change to configuration in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot/zephyr/.config'
    No change to Kconfig header in 'C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot/zephyr/include/generated/autoconf.h'
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/mcuboot
      Single threaded mode (CONFIG_MULTITHREADING=n) is deprecated
    
    
    MCUBoot bootloader key file: C:/Data/GIT/ncs/master/bootloader/mcuboot/root-rsa-2048.pem
    === child image mcuboot -  end ===
    
    CMake Warning at C:/Data/GIT/ncs/master/nrf/cmake/mcuboot.cmake:115 (message):
    
    
            ---------------------------------------------------------
            --- WARNING: Using default MCUBoot key, it should not ---
            --- be used for production.                           ---
            ---------------------------------------------------------
    
    
    Call Stack (most recent call first):
      C:/Data/GIT/ncs/master/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)
    
    
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build
    [0/157] Performing build step for 'spm_subimage'
    [149/153] Linking C executable zephyr\zephyr_prebuilt.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       32256 B        48 KB     65.63%
                SRAM:        5520 B        64 KB      8.42%
            IDT_LIST:          40 B         2 KB      1.95%
    [153/153] Linking C executable zephyr\zephyr.elf
    [2/153] Performing build step for 'b0_subimage'
    [105/109] Linking C executable zephyr\zephyr_prebuilt.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       26200 B        32 KB     79.96%
                SRAM:       38824 B        64 KB     59.24%
            IDT_LIST:          40 B         2 KB      1.95%
    [109/109] Linking C executable zephyr\zephyr.elf
    [129/153] Linking C executable zephyr\zephyr_prebuilt.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       15396 B     392704 B      3.92%
                SRAM:        4040 B       128 KB      3.08%
            IDT_LIST:          56 B         2 KB      2.73%
    [132/151] Creating public key from private key used for signing
    [139/151] Performing build step for 'mcuboot_subimage'
    [118/122] Linking C executable zephyr\zephyr_prebuilt.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       40588 B        48 KB     82.58%
                SRAM:       24724 B        64 KB     37.73%
            IDT_LIST:          88 B         2 KB      4.30%
    [122/122] Linking C executable zephyr\zephyr.elf
    [144/149] Creating signature of application
    [145/149] Creating validation for zephyr.hex, storing to
    [148/149] cmd.exe /C "cd /D C:\Data\GIT\ncs\master\zephyr\samples\hello_world\build\...t.py --input C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/partitions.yml"
     (0x100000 - 1024kB):
    +------------------------------------------+
    +---0x0: b0 (0x8000)-----------------------+
    | 0x0: b0_image (0x8000)                   |
    +---0x8000: s0 (0xc200)--------------------+
    | 0x8000: s0_pad (0x200)                   |
    +---0x8200: s0_image (0xc000)--------------+
    | 0x8200: mcuboot (0xc000)                 |
    | 0x14200: EMPTY_0 (0xe00)                 |
    +---0x15000: s1 (0xc200)-------------------+
    | 0x15000: s1_pad (0x200)                  |
    | 0x15200: EMPTY_1 (0x6e00)                |
    | 0x1c000: s1_image (0xc000)               |
    +---0x28000: mcuboot_primary (0x6c000)-----+
    | 0x28000: mcuboot_pad (0x200)             |
    +---0x28200: mcuboot_primary_app (0x6be00)-+
    +---0x28200: spm_app (0x6be00)-------------+
    | 0x28200: spm (0xc000)                    |
    | 0x34200: app (0x5fe00)                   |
    | 0x94000: mcuboot_secondary (0x6c000)     |
    +------------------------------------------+
    [148/149] cmd.exe /C "cd /D C:\Data\GIT\ncs\master\zephyr\samples\hello_world\build\...d/build --json C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/rom.json rom"
    Traceback (most recent call last):
      File "C:/Data/GIT/ncs/master/zephyr/scripts/footprint/size_report", line 643, in <module>
        main()
      File "C:/Data/GIT/ncs/master/zephyr/scripts/footprint/size_report", line 605, in main
        print("WARN: Symbol '{0}' is not in RAM or ROM".format(sym['name']))
    TypeError: string indices must be integers
    FAILED: zephyr/cmake/reports/CMakeFiles/rom_report
    cmd.exe /C "cd /D C:\Data\GIT\ncs\master\zephyr\samples\hello_world\build\zephyr\cmake\reports && C:\Data\GIT\ncs\master\toolchain\opt\bin\python.exe C:/Data/GIT/ncs/master/zephyr/scripts/footprint/size_report -k C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/zephyr/zephyr.elf -z C:/Data/GIT/ncs/master/zephyr -o C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build --json C:/Data/GIT/ncs/master/zephyr/samples/hello_world/build/rom.json rom"
    ninja: build stopped: subcommand failed.
    
    C:\Data\GIT\ncs\master\zephyr\samples\hello_world\build>west flash

    openssl ecparam -name prime256v1 -genkey -noout -out priv.pem

    # b0 Bootloader
    CONFIG_SECURE_BOOT=y
    CONFIG_SB_SIGNING_KEY_FILE="C:/Data/GIT/ncs/master/zephyr/samples/hello_world/priv.pem"
    
    # MCUboot as upgradable bootloader
    CONFIG_BOOTLOADER_MCUBOOT=y
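
A pre-build check for the key setup discussed in this thread, as an added example that is not part of any post and is not Nordic's code: it reads prj.conf, flags a relative CONFIG_SB_SIGNING_KEY_FILE value, and confirms the file holds a private key on prime256v1, the curve used in the openssl command above. The function names are hypothetical, and treating the relative path as the cause of the "non-existing PEM file" error is an assumption drawn from the first build log, where the b0 child image is configured from ncs/nrf/samples/bootloader rather than the project directory.

```python
import base64
import re
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

KEY_OPTION = "CONFIG_SB_SIGNING_KEY_FILE"
# DER encoding of the prime256v1 curve OID (1.2.840.10045.3.1.7)
P256_OID = bytes.fromhex("06082a8648ce3d030107")
PEM_BLOCK = re.compile(
    r"-----BEGIN ((?:EC )?PRIVATE KEY)-----(.+?)-----END \1-----", re.S)


def read_kconfig_value(conf_text, option):
    """Return the last value assigned to `option` in prj.conf text, or None."""
    value = None
    for line in conf_text.splitlines():
        name, sep, raw = line.strip().partition("=")
        if sep and name.strip() == option:
            value = raw.strip().strip('"')
    return value


def is_absolute(path_text):
    """True for POSIX (/x/y) and Windows drive (C:/x/y) absolute paths."""
    return (PurePosixPath(path_text).is_absolute()
            or PureWindowsPath(path_text).is_absolute())


def check_signing_key(prj_conf):
    """Return a list of problems with the key file named in prj_conf."""
    prj_conf = Path(prj_conf)
    key = read_kconfig_value(prj_conf.read_text(), KEY_OPTION)
    if key is None:
        return [f"{KEY_OPTION} is not set"]
    problems = []
    path = Path(key)
    if not is_absolute(key):
        # Assumption taken from the build log: the b0 child image is
        # configured from a different application directory.
        problems.append(f"'{key}' is a relative path")
        path = prj_conf.parent / key  # still inspect the file beside prj.conf
    if not path.is_file():
        return problems + [f"no file at {path}"]
    block = PEM_BLOCK.search(path.read_text(errors="replace"))
    if block is None:
        return problems + ["no unencrypted private-key PEM block found"]
    try:
        der = base64.b64decode("".join(block.group(2).split()), validate=True)
    except ValueError:
        return problems + ["PEM body is not valid base64"]
    if P256_OID not in der:
        problems.append("key does not name the prime256v1 curve")
    return problems


if __name__ == "__main__":
    found = check_signing_key(sys.argv[1] if len(sys.argv) > 1 else "prj.conf")
    for problem in found:
        print("signing key check:", problem)
    sys.exit(1 if found else 0)
```

Run it with the path to prj.conf before invoking the build; a non-zero exit status means at least one problem was reported.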
