
signing zephyr images - west sign

Currently, I am following the guide for the Zephyr sample: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/README.html

But when I build an app with: west build -b nrf52_pca10040
and then try to sign the build: west sign -t imgtool -- --key root-rsa-2048.pem
like explained in the west sign doc:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/west/sign.html

I get an error:

=== image configuration:
partition offset: 49152 (0xc000)
partition size: 204800 (0x32000)
text section offset: 0 (0x0)
=== signed binaries:
bin: /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin
Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Error: Invalid value for "-H" / "--header-size": Minimum value for -H/--header-size is 32
FATAL ERROR: command exited with status 2: /home/voja/.virtualenvs/zephyenv/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key root-rsa-2048.pem /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.bin /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin

This is also happening with other apps. For example, I tried doing it with the hello_world sample and got the same result. Before compiling I added CONFIG_BOOTLOADER_MCUBOOT=y to the prj.conf file.

my system:
zephyr version: Booting Zephyr OS build v2.1.99-ncs1
nRF-Connect-SDK version v1.2.0 on the Ubuntu 18.04LTS


Do you know what might be the problem?

Best regards,
Vojislav.

  • Hi Einar,

    Thank you for the answer. I see the app_signed.hex in the build folder. I did not know it is done automatically. 
    My next question is with which key (.pem) file is this app file signed? 
    And if I flash merged.hex using jLink is that also signed with the same key?
    Can you recommend me a place where I can read more about this?

  • Also, I would like to know more about what each bin and hex means:
    app_signed.hex (signed application ready for update)
    app_test_update.hex
    app_to_sign.bin
    app_update.bin
    app_moved_test_update.hex

    For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex


  • And regarding west sign command you recommended this is the output I get:

    === image configuration:
    partition offset: 49152 (0xc000)
    partition size: 204800 (0x32000)
    text section offset: 0 (0x0)
    === signed binaries:
    bin: /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.signed.bin
    Usage: imgtool sign [OPTIONS] INFILE OUTFILE
    
    Error: Header padding was not requested and image does not start with zeros
    FATAL ERROR: command exited with status 2: /home/voja/.virtualenvs/zephyenv/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key root-rsa-2048.pem -H 32 /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.bin /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.signed.bin


    Although this is not that important if it is done automatically as you explained.

    Best regards,
    Vojislav.

  • Also, I would like to know more about what each bin and hex means:
    app_signed.hex (signed application ready for update)
    app_test_update.hex
    app_to_sign.bin
    app_update.bin
    app_moved_test_update.hex

    These are all described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs 
    Most importantly, app_update.bin is the signed version of the application that should be used for DFU/FOTA purposes.

    "My next question is with which key (.pem) file is this app file signed?"

    The pem file used is the file configured in mcuboot. This file is specified by the kconfig option BOOT_SIGNATURE_KEY_FILE in the mcuboot image (note that you have to invoke "ninja mcuboot_menuconfig" to reach the configuration of the mcuboot image instead of your normal application menuconfig).

    "And if I flash merged.hex using jLink is that also signed with the same key?"

    Yes, all bootable images (only the app in your case) inside merged.hex are signed with that key. MCUBoot only supports one key.

    "Can you recommend me a place where I can read more about this?"

    As already mentioned - https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs
    Also you have https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/partition_manager/partition_manager.html#hex-files explaining how merging of files works.

    "For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex"

    As stated above, the slightly badly named app_update.bin is the correct signed version.

    To avoid problems you should stick to using the automatically signed binaries/hexes and avoid using the west sign command as this is only useful for non-NCS users who do not have the benefit of automatic signing.
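
An added example, not part of the original thread or of the NCS/MCUboot tooling: a structural check that tells a signed build output such as app_update.bin apart from an unsigned one such as app_to_sign.bin or zephyr.bin before it is handed to a DFU client. The header magic, header layout and TLV type values are assumptions taken from MCUboot's image format rather than from this thread; the check confirms only that a signature TLV is present and does not verify it against the key.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D                 # MCUboot image header magic (assumed from MCUboot's format)
TLV_MAGICS = (0x6907, 0x6908)            # unprotected / protected TLV info magic
HDR = struct.Struct("<IIHHII")           # magic, load_addr, hdr_size, protect_tlv_size, img_size, flags
SIG_TLVS = {0x20: "RSA2048", 0x22: "ECDSA", 0x23: "RSA3072", 0x24: "ED25519"}
TLV_KEYHASH, TLV_SHA256 = 0x01, 0x10


def inspect_image(blob: bytes, header_size: int = 32) -> dict:
    """Classify a .bin: signature TLV present, header only, or unsigned."""
    if len(blob) < 32:
        return {"state": "too-short"}
    magic, _, hdr_size, _, img_size, _ = HDR.unpack_from(blob)
    if magic != IMAGE_MAGIC:
        # Without header padding, imgtool wants header_size zero bytes at the start.
        return {"state": "unsigned", "header_space_reserved": not any(blob[:header_size])}
    types, off = [], hdr_size + img_size
    while off + 4 <= len(blob):          # walk protected, then unprotected TLV area
        info_magic, total = struct.unpack_from("<HH", blob, off)
        if info_magic not in TLV_MAGICS or total < 4:
            break
        pos, end = off + 4, min(off + total, len(blob))
        while pos + 4 <= end:
            tlv_type, tlv_len = struct.unpack_from("<HH", blob, pos)
            types.append(tlv_type)
            pos += 4 + tlv_len
        off += total
    sigs = [SIG_TLVS[t] for t in types if t in SIG_TLVS]
    return {"state": "signature-present" if sigs else "header-only",
            "signature": sigs, "has_sha256": TLV_SHA256 in types,
            "has_keyhash": TLV_KEYHASH in types}


def build_sample(signed: bool = True) -> bytes:
    """Constructed test image: 32-byte header, 16-byte payload, dummy TLV values."""
    payload = b"\xAA" * 16
    hdr = HDR.pack(IMAGE_MAGIC, 0, 32, 0, len(payload), 0) + bytes(12)  # version + pad
    tlvs = struct.pack("<HH", TLV_SHA256, 32) + bytes(32)
    if signed:
        tlvs += struct.pack("<HH", TLV_KEYHASH, 32) + bytes(32)
        tlvs += struct.pack("<HH", 0x20, 256) + bytes(256)
    return hdr + payload + struct.pack("<HH", 0x6907, 4 + len(tlvs)) + tlvs


if __name__ == "__main__":
    print(inspect_image(build_sample()))
    print(inspect_image(b"\x00\x20\x00\x20" + bytes(60)))  # constructed raw image, no header space
```

An input reported as `unsigned` with `header_space_reserved` false is the case behind the "Header padding was not requested and image does not start with zeros" error quoted earlier in the thread.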

  • Hi shibshab,

    Thank you for clearing all up. Now it is much more clear how everything fits together. 
    I was able to do all of this with try/fail methodology on nrf52832 and with your explanation and ref links, it is all much clearer. 

    Unfortunately, it seems that I can not fit everything on nrf52811 which is my preferred platform at the moment.
     https://devzone.nordicsemi.com/f/nordic-q-a/61313/nrf52811-zephyr-with-mcuboot

    Best regards,
    Vojislav
