Documentation on generating/using custom signing key for FOTA in nRF Connect SDK

Hello Nordic Team,

Over the course of development I have had to reverse engineer and pick apart various sources (DevZone, Google, Zephyr documentation, etc) in order to figure out how to properly generate and utilize a custom, private signing key for our FOTA images. I currently have a working solution but it feels more like a hack and as I frequently test on the master branch to prepare for upcoming changes, it appears that the method I am using is generating warnings.


My question is: is there any official documentation and/or guide on how to properly generate and sign images using a custom signing key and how that is integrated into a project (ie asset_tracker)?

I want to make sure that I am doing it right and that it is properly integrated into my project and build system.

Thanks,
Cody

Parents
  • This should get done automatically, as mentioned in this ticket and in Signing Binaries, just make sure to set CONFIG_BOOTLOADER_MCUBOOT=y and CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="path to your key" in prj.conf of your application. Then the files mentioned here should be generated.

    Best regards,

    Simon

  • Hey @Simon,


    Thanks for getting back to me. I ensured that the two configuration options were part of my project's prj.conf (CONFIG_BOOTLOADER_MCUBOOT and CONFIG_MCUBOOT_SIGNATURE_KEY_FILE). When I attempt to build the project, I get the following message...

    CMake Warning at /ncs_v1.4/nrf/cmake/mcuboot.cmake:303 (message):
    CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is set to
    "build/key/testkey/testkey-rsa-2048.pem".

    You are using the NCS Mcuboot signing, which means this option will be
    ignored.

    Image signing in NCS is done via the MCUboot image's
    CONFIG_BOOT_SIGNATURE_KEY_FILE option.

    Consider setting CONFIG_MCUBOOT_SIGNATURE_KEY_FILE in your application
    image back to its default value, the empty string.
    Call Stack (most recent call first):
    /ncs_v1.4/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)

     It looks like it relates to this commit here: https://github.com/nrfconnect/sdk-nrf/commit/45c9fbbc330ecd24eecd43c7dd0cfcdd4e93b8f4

    The commit mentions the following...

    "
    If partition manager is in use and there are multiple images, we want to make sure users understand this option should probably be left alone, since the NCS build system has its own way of managing signing."

    Can you explain how the NCS build system has its own way of managing signing?

  • I'm sorry for the delay on this. I will look into it the next couple of days.

    Best regards,

    Simon

  • I'm sorry for the delay on this. I have not looked into this topic (signing, keys, etc.) very much and I set aside some time yesterday and today to get an overview of how all this works. I'm gradually getting a better understanding of this and will try to provide you with an answer soon.

    Best regards,

    Simon

  • I provided an answer to your question in the ticket NCS recommended MCUboot enabled apps build and flash methods. Take a look at that and see if it answers all of your questions. If not, please tell me.

    Best regards,

    Simon

  • Hey @Simon,


    I reviewed the other ticket and I am now on nRF Connect SDK v1.4.2. In the thread someone mentions that in v1.4.0+ you only need to provide the following lines in the mcuboot configuration file:

    CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
    CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
    CONFIG_BOOT_SIGNATURE_KEY_FILE="custom_key_rsa-2048.pem"

    That appears to be in line with the asset_tracker/connectivity bridge examples in v1.4.2, where they have a mcuboot_overlay-rsa.conf file in the root and then add it to the MCUBoot configuration in CMakeLists with the following code:

    list(APPEND mcuboot_OVERLAY_CONFIG
      "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot_overlay-rsa.conf"
      )

    Doing so in my project still leads to the following scary warning message from MCUBoot -

    ---------------------------------------------------------
    --- WARNING: Using default MCUBoot key, it should not ---
    --- be used for production. ---
    ---------------------------------------------------------

    Do you know if I am doing something wrong? What's weird is I think it is still working, if I put a log statement in mcuboot.cmake where that message is printed out, my custom defined signature key file is being set....

    # Set default key
    if (NOT DEFINED mcuboot_key_file)
      message(WARNING "
        ---------------------------------------------------------
        --- WARNING: Using default MCUBoot key, it should not ---
        --- be used for production.                           ---
        ---------------------------------------------------------
        \n"
      )
      set(mcuboot_key_file ${MCUBOOT_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE})
      # Debug statement added by me to see which key file is selected
      message(WARNING "mcuboot_key_file ${mcuboot_CONF_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE}")
    endif()

    Thanks,
    Cody
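One way to settle "is it still working" independently of what mcuboot.cmake prints: MCUboot records a SHA-256 of the signing public key (the DER public-key bytes that MCUboot embeds; for RSA keys imgtool uses the PKCS#1 form) in the image's KEYHASH TLV, so the signed update image can be checked against your own key. This is an added example, not code from the thread or from the SDK; the two DER blobs are constructed placeholders and the image is built inline, but `image_keyhash` reads the real header and TLV layout, so it can be pointed at a built app_update.bin.

```python
import hashlib
import struct

# Constants from MCUboot's image format (bootutil/image.h).
IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGIC = 0x6907        # unprotected TLV area header
TLV_KEYHASH = 0x01             # SHA-256 of the signing public key (DER)
TLV_SHA256 = 0x10              # SHA-256 of header + payload

# Constructed stand-ins for DER-encoded public keys; not real keys.
CUSTOM_PUBKEY_DER = b"constructed-der-for-custom_key_rsa-2048.pem"
DEFAULT_PUBKEY_DER = b"constructed-der-for-mcuboot-root-rsa-2048.pem"


def build_test_image(payload: bytes, pubkey_der: bytes) -> bytes:
    """Constructed image with a valid header and TLV area (no signature TLV)."""
    hdr_size = 32
    # magic, load_addr, hdr_size, protect_tlv_size, img_size, flags, version, pad
    header = struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, hdr_size, 0,
                         len(payload), 0, 1, 0, 0, 0, 0)
    sha = hashlib.sha256(header + payload).digest()
    keyhash = hashlib.sha256(pubkey_der).digest()
    tlvs = struct.pack("<HH", TLV_SHA256, len(sha)) + sha
    tlvs += struct.pack("<HH", TLV_KEYHASH, len(keyhash)) + keyhash
    tlv_info = struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlvs))
    return header + payload + tlv_info + tlvs


def image_keyhash(image: bytes):
    """Return the KEYHASH TLV value (bytes), or None if the image has none."""
    magic, _load, hdr_size, prot_size, img_size = struct.unpack_from("<IIHHI", image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image (bad magic)")
    # The unprotected TLV area follows header, payload and any protected TLVs.
    off = hdr_size + img_size + prot_size
    tlv_magic, tlv_total = struct.unpack_from("<HH", image, off)
    if tlv_magic != TLV_INFO_MAGIC:
        raise ValueError("TLV info magic not found")
    end, off = off + tlv_total, off + 4
    while off + 4 <= end:
        tlv_type, tlv_len = struct.unpack_from("<HH", image, off)
        off += 4
        if tlv_type == TLV_KEYHASH:
            return image[off:off + tlv_len]
        off += tlv_len
    return None


def signed_with_key(image: bytes, pubkey_der: bytes) -> bool:
    """True when the image's KEYHASH names this public key."""
    return image_keyhash(image) == hashlib.sha256(pubkey_der).digest()
```

For a real build, read build/zephyr/app_update.bin into `image` and pass the DER public key exported from custom_key_rsa-2048.pem; a match against the default MCUboot key instead means the overlay was not picked up.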


Children
  • The warning just tells you that you're using the default key from NCS, and you should definitely not use this key on the devices that go out to production, as it will make your devices unprotected. That key is only meant for testing. You should generate your own keys for the production versions.

  • I have generated my own private key and am following the same/similar setup as asset_tracker/connectivity bridge in nRF Connect SDK v1.4.2.

    It is very strange though because CONFIG_BOOT_SIGNATURE_KEY_FILE is being set to my custom key file name and appears to be utilized.

    CMake Warning at /Users/crsharff/Development_Tools/ncs_v1.4/nrf/cmake/mcuboot.cmake:125 (message):

            ---------------------------------------------------------
            --- WARNING: Using default MCUBoot key, it should not ---
            --- be used for production.                           ---
            ---------------------------------------------------------

    CMake Warning at /Users/crsharff/Development_Tools/ncs_v1.4/nrf/cmake/mcuboot.cmake:133 (message):
      mcuboot_key_file /cody-custom-rsa-2048.pem

    Doing more research, it appears that this error is shown because the following code block doesn't set mcuboot_key_file, since mcuboot_CONF_FILE and mcuboot_CONF_DIR appear undefined.

      if (DEFINED mcuboot_CONF_FILE)
        message(WARNING "DEFINED mcuboot_CONF_FILE")
        get_filename_component(mcuboot_CONF_DIR ${mcuboot_CONF_FILE} DIRECTORY)
        if (EXISTS ${mcuboot_CONF_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE})
          message(WARNING "EXISTS ${mcuboot_CONF_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE}")
          set(mcuboot_key_file ${mcuboot_CONF_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE})
        endif()
      endif()
    
      # Set default key
      if (NOT DEFINED mcuboot_key_file)
        message(WARNING "
          ---------------------------------------------------------
          --- WARNING: Using default MCUBoot key, it should not ---
          --- be used for production.                           ---
          ---------------------------------------------------------
          \n"
        )
        set(mcuboot_key_file ${MCUBOOT_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE})
        message(WARNING "mcuboot_key_file ${mcuboot_CONF_DIR}/${CONFIG_BOOT_SIGNATURE_KEY_FILE}")
      endif()

  • I'll look into it tomorrow morning (CET).

  • Thanks Simon, much appreciated. The more I delve into it, the more it looks like it's just an issue with the logic inside mcuboot.cmake. It will print the scary message 100% of the time as long as mcuboot_CONF_FILE is not defined, and mcuboot_CONF_FILE being defined does not look like a requirement for CONFIG_BOOT_SIGNATURE_KEY_FILE to be properly set by the MCUBoot overlay configuration file in my project.

    Found this other thread on the DevZone that seems to be discussing a lot of the same issues: devzone.nordicsemi.com/.../problem-with-signing-images-for-ota-dfu

  • Sorry for answering 4 days late. I've asked internally if there has been any progress on this.
