What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

Hello,

The NRF_DFU_REQUIRE_SIGNED_APP_UPDATE option says whether the bootloader should require signed app updates or not (Signature verification), while the NRF_BL_APP_SIGNATURE_CHECK_REQUIRED option relates to Boot validation (can optionally be performed on every startup). The default boot validation is a simple CRC validation of the app image.

Best regards,

Vidar

Hi Vidar,

// <q> NRF_BL_APP_SIGNATURE_CHECK_REQUIRED  - Perform signature check on the app. 
// Requires the signature to be sent in the init packet.
#ifndef NRF_BL_APP_SIGNATURE_CHECK_REQUIRED
#define NRF_BL_APP_SIGNATURE_CHECK_REQUIRED 0
#endif

The above is a snippet from the file 'sdk_config.h' available with the secure DFU example code from SDK version 16.0.0.
It says that the signature must be sent in the 'init' packet. I imagine the init packet is a one time transfer that is sent during the DFU process.

Does the boot loader save this signature somewhere in the flash and look it up every time the device (re-)boots?

RMV

Hi Vidar,

// <q> NRF_BL_APP_SIGNATURE_CHECK_REQUIRED  - Perform signature check on the app. 
// Requires the signature to be sent in the init packet.
#ifndef NRF_BL_APP_SIGNATURE_CHECK_REQUIRED
#define NRF_BL_APP_SIGNATURE_CHECK_REQUIRED 0
#endif

The above is a snippet from the file 'sdk_config.h' available with the secure DFU example code from SDK version 16.0.0.
It says that the signature must be sent in the 'init' packet. I imagine the init packet is a one time transfer that is sent during the DFU process.

Does the boot loader save this signature somewhere in the flash and look it up every time the device (re-)boots?

RMV

Hi,

Yes, that is correct. The bootloader will copy the signature from the init packet and store it to the bootloader settings page in flash.

Hi

How does one ADD the signature to the init packet? Is that an extra option to the nrfutil package generation workflow?

Yes, you need to set the app boot validation type to VALIDATE_ECDSA_P256_SHA256. From the help text:

$ nrfutil pkg generate --help
...
  --app-boot-validation [NO_VALIDATION|VALIDATE_GENERATED_CRC|VALIDATE_GENERATED_SHA256|VALIDATE_ECDSA_P256_SHA256]
                                  The method of boot validation for
                                  application.

Pardon me since I am not at all knowledgable on matters related to 'security' and 'encryption'.

The way I understood it (and please correct me if I am wrong) there are two notions of security in the DFU workflow.

1. Siging/verifying the DFU zip packet using some form of signature verification techniques.
2. Boot validation i.e. the boot loader validates the CRC of the application once (or everytime?) before loading and executing the application.

Does "--app-boot-validation" apply to both options above, or (as I would intuitively imagine) only to option (2) above?

And what role does the <private,public> key pair have in this workflow when these are used to build (public key) and generate the DFU (private key)  and sign it?

RMV said:

Does "--app-boot-validation" apply to both options above, or (as I would intuitively imagine) only to option (2) above?

This is to option is to specify which boot validation method to use (see Boot validation), and is not related to the signing of the update itself (Signature verification).