What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

Vidar Berg — Fri, 17 Mar 2023 13:27:47 GMT

[quote user="RMV"]Does "--app-boot-validation" apply to both options above, or (as I would intuitively imagine) only to option (2) above?[/quote]

This is to option is to specify which boot validation method to use (see Boot validation), and is not related to the signing of the update itself (Signature verification).

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

RVM — Fri, 17 Mar 2023 11:59:26 GMT

Pardon me since I am not at all knowledgable on matters related to 'security' and 'encryption'.

The way I understood it (and please correct me if I am wrong) there are two notions of security in the DFU workflow.

Siging/verifying the DFU zip packet using some form of signature verification techniques.
Boot validation i.e. the boot loader validates the CRC of the application once (or everytime?) before loading and executing the application.

Does "--app-boot-validation" apply to both options above, or (as I would intuitively imagine) only to option (2) above?

And what role does the <private,public> key pair have in this workflow when these are used to build (public key) and generate the DFU (private key) and sign it?

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

Vidar Berg — Fri, 17 Mar 2023 06:56:05 GMT

Yes, you need to set the app boot validation type to VALIDATE_ECDSA_P256_SHA256. From the help text:

$ nrfutil pkg generate --help
...
  --app-boot-validation [NO_VALIDATION|VALIDATE_GENERATED_CRC|VALIDATE_GENERATED_SHA256|VALIDATE_ECDSA_P256_SHA256]
                                  The method of boot validation for
                                  application.

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

RVM — Fri, 17 Mar 2023 01:58:14 GMT

How does one ADD the signature to the init packet? Is that an extra option to the nrfutil package generation workflow?

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

Vidar Berg — Tue, 26 Jul 2022 07:20:12 GMT

Hi,

Yes, that is correct. The bootloader will copy the signature from the init packet and store it to the bootloader settings page in flash.

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

RVM — Tue, 19 Jul 2022 19:24:18 GMT

Hi Vidar,

// <q> NRF_BL_APP_SIGNATURE_CHECK_REQUIRED  - Perform signature check on the app. 
// Requires the signature to be sent in the init packet.
#ifndef NRF_BL_APP_SIGNATURE_CHECK_REQUIRED
#define NRF_BL_APP_SIGNATURE_CHECK_REQUIRED 0
#endif

The above is a snippet from the file 'sdk_config.h' available with the secure DFU example code from SDK version 16.0.0.
It says that the signature must be sent in the 'init' packet. I imagine the init packet is a one time transfer that is sent during the DFU process.

Does the boot loader save this signature somewhere in the flash and look it up every time the device (re-)boots?

RMV

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

ayewilling — Thu, 10 Sep 2020 07:14:51 GMT

Thanks for your explanation, quite clear.

RE: What's the difference between flag NRF_DFU_REQUIRE_SIGNED_APP_UPDATE and NRF_BL_APP_SIGNATURE_CHECK_REQUIRED?

Vidar Berg — Wed, 09 Sep 2020 13:40:35 GMT

Hello,

The NRF_DFU_REQUIRE_SIGNED_APP_UPDATE option says whether the bootloader should require signed app updates or not (Signature verification), while the NRF_BL_APP_SIGNATURE_CHECK_REQUIRED option relates to Boot validation (can optionally be performed on every startup). The default boot validation is a simple CRC validation of the app image.

Best regards,

Vidar