
Signature on BL updated by DFU

There doesn't seem to be any validation of the image when updating the bootloader by secure DFU. nrfutil has no switch to generate any crc or ecdsa_signature. The code uses VALIDATE_CRC, but the expected value is calculated on the received image in boot_validate_extract, so when this is later verified in nrf_dfu_validation_boot_validate the result is always success.

There is also a bug in postvalidate_sd_bl causing the boot validation of BL to always fail for a combined SD+BL image. The second call to boot_validation_extract should have index=1 if there was also a SD in the image.

I'm using nRF52832 with SDK 15.3.0.

Best Regards

Sven

  • Hi,

    There doesn't seem to be any validation of the image when updating the bootloader by secure DFU. nrfutil has no switch to generate any crc or ecdsa_signature. The code uses VALIDATE_CRC, but the expected value is calculated on the received image in boot_validate_extract, so when this is later verified in nrf_dfu_validation_boot_validate the result is always success.

    You are right that this is not used for the bootloader. That makes sense, though. The key point is that the validation in nrf_dfu_validation_boot_validate() is not done during the DFU upgrade, but for every boot. There are several ways the bootloader can check (or not check) the validity of the application before deciding to boot it. But there is no corresponding way for the bootloader to check itself, nor would it make much sense. The bootloader image is still checked and the signature must be valid for an update of the bootloader (same as for SoftDevice and application, unless you use the open bootloader).

    There is also a bug in postvalidate_sd_bl causing the boot validation of BL to always fail for a combined SD+BL image. The second call to boot_validation_extract should have index=1 if there was also a SD in the image.

    I do not see a problem with index=0, and also it works as expected. Can you elaborate? Note that the bl_start and bl_size variables are adjusted if there is a SD (line 892-893). Is that what you did not spot?

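To make the distinction in the reply concrete, here is an added Python model of the two checks (not SDK or nrfutil code): the helper names follow the functions named in the thread but are hypothetical stand-ins, and the image bytes are constructed.

```python
"""Toy model of CRC boot validation as discussed in the thread (not SDK code).

boot_validate_extract() records a VALIDATE_CRC entry for an image at DFU time;
boot_validate() re-checks that record on every boot.
"""
import zlib

# Constructed stand-in for a received firmware image (not a real binary)
RECEIVED_IMAGE = bytes([0x00, 0x10, 0x00, 0x20]) + bytes(range(256)) * 2


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def boot_validate_extract(image: bytes) -> dict:
    """Record the expected value over the image that was just received."""
    return {"type": "VALIDATE_CRC", "crc": crc32(image)}


def boot_validate(image: bytes, record: dict) -> bool:
    """Boot-time integrity check: recompute the CRC over flash and compare."""
    return record["type"] == "VALIDATE_CRC" and crc32(image) == record["crc"]


def validate_right_after_extract(image: bytes) -> bool:
    """What the original post observed: the record is computed from the very
    bytes it is then compared against, so this check can never fail."""
    return boot_validate(image, boot_validate_extract(image))


def flip_bit(image: bytes, offset: int, bit: int) -> bytes:
    """Simulate a single-bit flash fault at the given offset."""
    b = bytearray(image)
    b[offset] ^= 1 << bit
    return bytes(b)


def scenarios() -> dict:
    record = boot_validate_extract(RECEIVED_IMAGE)  # stored at DFU time
    other = bytes(range(255, -1, -1)) * 2           # constructed unrelated image
    return {
        "tautology_always_passes": validate_right_after_extract(RECEIVED_IMAGE),
        "intact_image_boots": boot_validate(RECEIVED_IMAGE, record),
        "corrupted_image_rejected": boot_validate(flip_bit(RECEIVED_IMAGE, 17, 3), record),
        # A record made from an unrelated image pairs fine with that image: boot
        # validation proves integrity against faults, not authenticity. Authenticity
        # rests on the init-packet signature check at update time (see the reply).
        "unrelated_image_with_own_record_passes": boot_validate(other, boot_validate_extract(other)),
    }
```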