• State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 12 replies
  • Subscribers 76 subscribers
  • Views 4310 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 249383
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Updatable bootloader for nrf9160

gregers

Hi, I'm confused how to do fota of mcuboot on the nrf9160.

The source code is public on github in this branch: https://github.com/ExploratoryEngineering/nrf9160-telenor/tree/immutable-bootloader

fota sample is here: https://github.com/ExploratoryEngineering/nrf9160-telenor/tree/immutable-bootloader/samples/fota

The sample use lwm2m to download a new firmware image from our (Telenor's) IoT gateway. It's just standard LwM2M, and uses dfu_target to flash the new firmware. I have enabled CONFIG_SECURE_BOOT to use the immutable bootloader and use CONFIG_FW_INFO_FIRMWARE_VERSION to bump mcuboot's version.

I've tried to read the source code to understand what's going on, but I'm struggling to understand a few pieces. According to the mcuboot design docs, I get the impression that image swaps only happen between the image slots. However the dfu_target doesn't look at the image header before flashing the image to the secondary slot for the application instead of s1. I might be missing some magic configuration or call to change this behaviour, but I can't find it. By commenting out the reboot I can verify that the image is actually written to the secondary slot:

$ nrfjprog -f nrf91 --memrd 0x94400 --n 28
0x00094400: 281EE6DE 8FCEBB4C 00005B02 0000003C   |...(L....[..<...|
0x00094410: 00009080 00000002 00015200            |.........R..|

The secondary slot starts at 0x94000 and by looking at the fw_info data we can see that this is version 2 and the start of the image is 0x15200, which is where s1 is located.

Double check fw_info for s0 and s1:

$ nrfjprog -f nrf91 --memrd 0x8400 --n 28
0x00008400: 281EE6DE 8FCEBB4C 00005B02 0000003C   |...(L....[..<...|
0x00008410: 00009080 00000001 00008200            |............|

$ nrfjprog -f nrf91 --memrd 0x15400 --n 28
0x00015400: 281EE6DE 8FCEBB4C 00005B02 0000003C   |...(L....[..<...|
0x00015410: 00009080 00000001 00015200            |.........R..|

When calling dfu_target_done, it writes BOOT_SWAP_TYPE_TEST to the FLASH_AREA_IMAGE_SECONDARY swap field.

On the next reboot the immutable bootloader choose s0, since s1 is not changed in flash yet. Then (old) mcuboot does it's magic and boots the application. Now if I look at the flash, s1 has been updated with the image flashed to the secondary slot:

$ nrfjprog -f nrf91 --memrd 0x8400 --n 28
0x00008400: 281EE6DE 8FCEBB4C 00005B02 0000003C   |...(L....[..<...|
0x00008410: 00009080 00000001 00008200            |............|

$ nrfjprog -f nrf91 --memrd 0x15400 --n 28
0x00015400: 281EE6DE 8FCEBB4C 00005B02 0000003C   |...(L....[..<...|
0x00015410: 00009080 00000002 00015200            |.........R..|

In the fota code in our application we would like to see what version and slot the bootloader is using. We used fw_info to check this, but even though s0 was used during boot fw_info will report what's on flash after booting, so it will look like s1 was used since it's valid and has a higher version.

By manually rebooting, the immutable bootloader now sees version 2 in s1 and boots from 0x15200. However I don't know how we'll be able to detect this state from code and trigger the second reboot.

Sorry for the long explanation. Here are my questions:

  • Are we doing something wrong since the dfu_target stores the image in the wrong slot? (or is it not wrong)
  • mcuboot only has one public key embedded to verify the signature of the application. If we want to change this key, I assume we have to update both mcuboot and the application in flash before rebooting. How can we do this if both are stored in the secondary slot?
  • Is it possible to do a test run of mcuboot before persisting it?
  • The immutable bootloader have a list of public keys stored in the OTP area for verifying the mcuboot signature. Will we brick the device if we upload a new version of mcuboot signed with a new key and mcuboot or the application fails the test? Looks like all previous public keys are invalidated before the new images are marked OK. Is this intentional?
  • I've read that images can have dependencies between them, so when one fails mcuboot will roll back the others. Is this used automatically for mcuboot and the application, or does it not make sense to use for the bootloader?
  • I have a few suggestions for improving the documentation. What is your preferred method of giving feedback on the documentation? Do you have a public github for the docs hosted on https://developer.nordicsemi.com?
  • 0 in reply to shibshab
    shibshab said:
    Note that mcuboot is signed twice, first by CONFIG_SB_SIGNING_KEY_FILE then by CONFIG_BOOT_SIGNATURE_KEY_FILE. This because mcuboot needs to verify the update of itself using its own key before swapping mcubootv2 into s0/s1, then when b0 boots in will validate mcubootv2 using CONFIG_SB_SIGNING_KEY_FILE.

    So to update mcuboot with a new public key for application signature, you'd have to build with the new key. Then look in the build.ninja file in the build folder. Locate the command that outputs signed_by_mcuboot_and_b0_s1_image_update.bin and replace the key with the old key:

    cd /Users/gregers/devel/nrf9160-telenor/build/modules/mcuboot && /usr/local/bin/python3 /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../scripts/imgtool.py sign --key /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../../../../samples/fota/cert.pem --header-size 0x200 --align 4 --version 0.0.0+0 --slot-size 0x6c000 --pad-header /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_b0_s1_image.hex /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_signed.hex && /usr/local/opt/gcc-arm-none-eabi/bin/arm-none-eabi-objcopy --input-target=ihex --output-target=binary /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_b0_s1_image.hex /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_to_sign.bin && /usr/local/bin/python3 /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../scripts/imgtool.py sign --key /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../../../../samples/fota/cert.pem --header-size 0x200 --align 4 --version 0.0.0+0 --slot-size 0x6c000 --pad-header /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_to_sign.bin /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_update.bin && /usr/local/bin/python3 /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../scripts/imgtool.py sign --key /Users/gregers/devel/nrf9160-telenor/deps/bootloader/mcuboot/zephyr/../../../../samples/fota/cert.pem --header-size 0x200 --align 4 --version 0.0.0+0 --slot-size 0x6c000 --pad-header --pad /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_b0_s1_image.hex /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_test_update.hex && /usr/local/opt/gcc-arm-none-eabi/bin/arm-none-eabi-objcopy --input-target=ihex --output-target=ihex --change-address 520192 /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_test_update.hex /Users/gregers/devel/nrf9160-telenor/build/zephyr/signed_by_mcuboot_and_b0_s1_image_moved_test_update.hex

    Why does mcuboot need to validate the signature of the new mcuboot image before storing it in the slot? Isn't this the job of the immutable bootloader to validate the image with one of the keys in the OTP area? If the image is not signed by any of the keys, it will get invalidated. Right?

    Using the application key to sign mcuboot and making mcuboot validate itself seems like a weird solution to me. It makes it much harder to understand, and makes the update process very fault prone. A process that might end up bricking the device. IoT has already been criticised for it's lack of security. One of the selling points of nrf9160 is that it has ARM Cortex M33 and many good solutions to make secure product. But it doesn't help much if the security features are so hard to use that it scares developers away from using it.

    Please let me explain how I imagine to solve this, and let me know if there are any problems with the solution.

    1. We revert your patch to mcuboot loader.c to write the image to the address it belongs (by looking at the headers)
      1. This solves being able to update the bootloader and the application before rebooting the device, since the images are stored in the extra slot belonging to the image.
      2. It also skips the problematic (imho) signature verification of mcuboot using the application key, or will it still check using the application key? Any way to skip this check and only rely on boot validation?
      3. On the first boot the immutable bootloader will validate the new mcuboot image using the same public key as before from the OTP area, and boot from the new mcuboot address.
      4. The new mcuboot (with a new public key for the application signature) will validate the new application image and do a test swap.
      5. Hopefully the new image is able to boot and confirm. If not the device is bricked until someone has physical access. So it's probably best to not update any bootloader nor application logic at the same time as changing the signature for the application.
  • 0 in reply to gregers

    There is no technical reason for the double signing, and ideally it mcubootv2 should only be signed by B0. The double signing was done to save time when developing this feature.
    (I won't go into the details, but the building blocks available at this today (non secure services among others) make it much easier to come up with a similar scheme without double signing). Hence there is good motivation for improving the mcuboot update procedure by having the app download mcubootv2 directly into S0/S1 and then only having 1 level of signing.

    gregers said:
    Why does mcuboot need to validate the signature of the new mcuboot image before storing it in the slot? Isn't this the job of the immutable bootloader to validate the image with one of the keys in the OTP area? If the image is not signed by any of the keys, it will get invalidated. Right?

    It doesn't. It is. The key which does not result in a successful validating will get invalidated, not the image. If the next key in the list of keys validates the image, this is now used, and so on.

    gregers said:
    Using the application key to sign mcuboot and making mcuboot validate itself seems like a weird solution to me. It makes it much harder to understand, and makes the update process very fault prone.

    Double signing is weird, and it makes it harder to understand the process, I agree.

    a) Note that you will not have any dependency tracking or synchronization of the two images, because this is handled by mcuboot (B0 does not support this concept at all). So you must verify that you don't end up in the situation where one of the two images (mcuboot and app) has been updates but not the other, such that the device is bricked.

    b) If the app writes mcubootv2 straight into s0/s1 only b0's key will be used to perform validation. There might be a pre-validate function exposed from b0 which you can use for this to verify mcubootv2 already at the application level, using b0's key.

    c) Correct, as long as the version number (CONFIG_FIRMWARE_VERSION_NUMBER or something) is higher.

    d) Yes, if there is an update in mcuboots secondary slot.

    e) This scheme is too risky for production IMO, it would be easier to add the same key-revocation scheme to mcuboot that is used in b0 today. This way you only need to sign the app with key#2 to get key#1 revoked, instead of updating mcuboot itself. Also, if key revocation is the only reason to have an upgradeable bootloader you no longer need b0 at all.

Related
Terms of service