signing zephyr images - west sign

RE: signing zephyr images - west sign

CW — Wed, 13 Jul 2022 06:31:46 GMT

Hi,
I have another question about signing a large zephyr.bin failed.

Why can't we sign successfully? but the signed-file app_update.bin will be generated successfully instead.

And we do DFU app_update.bin successfully, that doesn't make sense.

Very confused.

Please any master tell me, thank you so much.

Jason

RE: signing zephyr images - west sign

Vojislav — Wed, 13 May 2020 09:22:55 GMT

Hi shibshab,

Thank you for clearing all up. Now it is much more clear how everything fits together.
I was able to do all of this with try/fail methodology on nrf52832 and with your explanation and ref links, it is all much clearer.

Unfortunately, it seems that I can not fit everything on nrf52811 which is my preferred platform at the moment.
https://devzone.nordicsemi.com/f/nordic-q-a/61313/nrf52811-zephyr-with-mcuboot

Best regards,
Vojislav

RE: signing zephyr images - west sign

shibshab — Wed, 13 May 2020 09:11:17 GMT

[quote userid="80703" url="~/f/nordic-q-a/61048/signing-zephyr-images---west-sign/248923"]Also, I would like to know more about what each bin and hex means:
app_signed.hex (signed application ready for update)
app_test_update.hex
app_to_sign.bin
app_update.bin
app_moved_test_update.hex[/quote]

These are all described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs
Most importantly, app_update.bin is the signed version of the application that should be used for DFU/FOTA purposes.

"My next question is with which key (.pem) file is this app file signed?"

The pem file used is the file configured in mcuboot. This file is specified by the kconfig option BOOT_SIGNATURE_KEY_FILE in the mcuboot image (note that you have to invoke "ninja mcuboot_menuconfig" to reach the configuration of the mcuboot image instead of your normal application menuconfig.

"And if I flash merged.hex using jLink is that also signed with the same key?"

Yes, all bootable images (only the app in your case) inside merged.hex are signed with that key. MCUBoot only support one key.

"Can you recommend me a please where I can read more about this?"

As already mentioned - https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs
Also you have https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/partition_manager/partition_manager.html#hex-files explaining how merging of files work.

"For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex"

As stated above, the slightly badly named app_update.bin is the correct signed version.

To avoid problems you should stick to using the automatically signed binaries/hexes and avoid using the west sign command as this is only useful for non-NCS users which does not have the benefit of automatic signing.

RE: signing zephyr images - west sign

Vojislav — Fri, 08 May 2020 12:11:05 GMT

And regarding west sign command you recommended this is the output I get:

=== image configuration:
partition offset: 49152 (0xc000)
partition size: 204800 (0x32000)
text section offset: 0 (0x0)
=== signed binaries:
bin: /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.signed.bin
Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Error: Header padding was not requested and image does not start with zeros
FATAL ERROR: command exited with status 2: /home/voja/.virtualenvs/zephyenv/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key root-rsa-2048.pem -H 32 /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.bin /home/voja/Documents/irnas/zephyr_tests/peripheral_uart/build/zephyr/zephyr.signed.bin

Aldo this is not that important if it is done automatically as you explained.

Best regards,
Vojislav.

RE: signing zephyr images - west sign

Vojislav — Fri, 08 May 2020 12:04:29 GMT

Also, I would like to know more about what each bin and hex means:
app_signed.hex (signed application ready for update)
app_test_update.hex
app_to_sign.bin
app_update.bin
app_moved_test_update.hex

For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex

RE: signing zephyr images - west sign

Vojislav — Fri, 08 May 2020 11:57:57 GMT

Hi Einar,

Thank you for the answer. I see the app_signed.hex in the build folder. I did not know it is done automatically.
My next question is with which key (.pem) file is this app file signed?
And if I flash merged.hex using jLink is that also signed with the same key?
Can you recommend me a please where I can read more about this?

RE: signing zephyr images - west sign

Einar Thorsrud — Fri, 08 May 2020 08:53:44 GMT

Hi Vojislav,

First of all, you should not need to do this manually, since the partition manager should sign the application automatically when you have used CONFIG_BOOTLOADER_MCUBOOT and generates the app_signed.hex. That said, it looks like you need to specify the header size, so you could try:

west sign -t imgtool -- --key root-rsa-2048.pem -H 32

Einar