
Problem with signing images for OTA DFU

I have had several problems with signing images, so I'll start with something simple, and I hope you can bear with me as I get to my final goal which is to OTA (which I am already doing, but not signed) with the project we are working on.

I am testing everything on a nrf52dk_nrf52832 using both Windows 10 and Ubuntu 20 VMs and I have had similar problems with both of them. I am using NCS v1.3.2 in both cases. I am not a beginner in Zephyr, or Nordic in general for that matter, but I feel like one with the whole signing, mcumgr cli using the 840 as HCI_USB in Ubuntu, etc.

Firstly, there are two "how to" pages that do not work following directions, so if you would kindly tell me what is wrong with the instructions.

Please advise.


The first page is "Signing Binaries"

Following instructions, the first line has no problem...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s bootloader/mcuboot/boot/zephyr -d build-mcuboot

But then the next command line...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s zephyr/samples/hello_world -d build-hello-signed -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"

Comes with errors...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s zephyr/samples/hello_world -d build-hello-signed -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"

-- west build: generating a build system

Including boilerplate (Zephyr base): /home/antonio/ncs/zephyr/cmake/app/boilerplate.cmake

-- Application: /home/antonio/ncs/zephyr/samples/hello_world

-- Zephyr version: 2.3.0-rc1 (/home/antonio/ncs/zephyr)

-- Found Python3: /usr/bin/python3.8 (found suitable exact version "3.8.5") found components: Interpreter

-- Board: nrf52dk_nrf52832

-- Found west: /home/antonio/.local/bin/west (found suitable version "0.8.0", minimum required is "0.7.1")

-- Found dtc: /usr/bin/dtc (found suitable version "1.5.0", minimum required is "1.4.6")

-- Found toolchain: gnuarmemb (/opt/gnuarmemb)

-- Found BOARD.dts: /home/antonio/ncs/zephyr/boards/arm/nrf52dk_nrf52832/nrf52dk_nrf52832.dts

-- Generated zephyr.dts: /home/antonio/ncs/build-hello-signed/zephyr/zephyr.dts

-- Generated devicetree_unfixed.h: /home/antonio/ncs/build-hello-signed/zephyr/include/generated/devicetree_unfixed.h

Parsing /home/antonio/ncs/zephyr/Kconfig

Loaded configuration '/home/antonio/ncs/zephyr/boards/arm/nrf52dk_nrf52832/nrf52dk_nrf52832_defconfig'

Merged configuration '/home/antonio/ncs/zephyr/samples/hello_world/prj.conf'

Merged configuration '/home/antonio/ncs/build-hello-signed/zephyr/misc/generated/extra_kconfig_options.conf'

/home/antonio/ncs/build-hello-signed/zephyr/misc/generated/extra_kconfig_options.conf:3: warning: attempt to assign the value '"bootloader/mcuboot/root-rsa-2048.pem"' to the undefined symbol MCUBOOT_SIGNATURE_KEY_FILE

error: Aborting due to Kconfig warnings

CMake Error at /home/antonio/ncs/zephyr/cmake/kconfig.cmake:217 (message):

  command failed with return code: 1

Call Stack (most recent call first):

  /home/antonio/ncs/zephyr/cmake/app/boilerplate.cmake:506 (include)

  /home/antonio/ncs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:24 (include)

  /home/antonio/ncs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:35 (include_boilerplate)

  CMakeLists.txt:5 (find_package)

-- Configuring incomplete, errors occurred!

FATAL ERROR: command exited with status 1: /usr/bin/cmake -B/home/antonio/ncs/build-hello-signed -S/home/antonio/ncs/zephyr/samples/hello_world -GNinja -DBOARD=nrf52dk_nrf52832 -DCONFIG_BOOTLOADER_MCUBOOT=y '-DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem"'


The second page is "SMP Server Sample"

Which, again, the build and flash for the mcu_boot works ok

west build -b <board> -d build_mcuboot bootloader/mcuboot/boot/zephyr

west flash -d build_mcuboot

But when you try the sample application…

west build \
   -b nrf52dk_nrf52832 \
   samples/subsys/mgmt/mcumgr/smp_svr \
   -- \
   -DOVERLAY_CONFIG=overlay-bt.conf

Works ok if you change your directory to zephyr, or if you alter the command to build from ./ncs

 

But the signing has an error:

west sign -t imgtool -- --key bootloader/mcuboot/root-rsa-2048.pem

antonio@ubuntu:~/ncs$ west sign -t imgtool -- --key bootloader/mcuboot/root-rsa-2048.pem

=== image configuration:

partition offset: 49152 (0xc000)

partition size: 204800 (0x32000)

text section offset: 0 (0x0)

=== signed binaries:

bin: /home/antonio/ncs/build/zephyr/zephyr.signed.bin

Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Error: Invalid value for "-H" / "--header-size": Minimum value for -H/--header-size is 32

FATAL ERROR: command exited with status 2: /home/antonio/.local/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key bootloader/mcuboot/root-rsa-2048.pem /home/antonio/ncs/build/zephyr/zephyr.bin /home/antonio/ncs/build/zephyr/zephyr.signed.bin
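Added example, not part of the original post or of the NCS/MCUboot sources: a Python inspector for the MCUboot image layout that imgtool writes (a 32-byte header, which is why imgtool rejects --header-size 0 above, then the payload, then a TLV trailer). It reports whether a file carries a signature TLV, whether its SHA256 TLV matches the contents, and which key hash it names; it does not verify the signature itself. `inspect_image`, `build_sample` and the sample bytes are constructed for this illustration.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D                  # MCUboot image header magic
TLV_INFO_MAGIC = 0x6907                   # start of the unprotected TLV area
HEADER = struct.Struct("<IIHHIIBBHII")    # 32 bytes, little-endian
TLV_NAMES = {0x01: "KEYHASH", 0x10: "SHA256", 0x20: "RSA2048_PSS",
             0x22: "ECDSA256", 0x24: "ED25519"}
SIGNATURES = {"RSA2048_PSS", "ECDSA256", "ED25519"}

def inspect_image(blob: bytes) -> dict:
    """Parse an MCUboot image and report version, TLVs, hash check and key hash."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 32-byte MCUboot header")
    (magic, _load, hdr_size, prot_size, img_size, _flags,
     major, minor, rev, build, _pad) = HEADER.unpack_from(blob)
    if magic != IMAGE_MAGIC:
        raise ValueError("no MCUboot header: this is a raw, unsigned binary")
    off = hdr_size + img_size + prot_size  # protected TLVs (if any) are hashed too
    hashed = blob[:off]
    if len(blob) < off + 4 or struct.unpack_from("<H", blob, off)[0] != TLV_INFO_MAGIC:
        raise ValueError("header present but no TLV area (not signed)")
    end = off + struct.unpack_from("<H", blob, off + 2)[0]  # total includes this header
    off += 4
    tlvs = {}
    while off + 4 <= min(end, len(blob)):
        kind, length = struct.unpack_from("<HH", blob, off)
        tlvs[TLV_NAMES.get(kind, hex(kind))] = blob[off + 4:off + 4 + length]
        off += 4 + length
    return {
        "version": f"{major}.{minor}.{rev}+{build}",
        "header_size": hdr_size,
        "tlvs": sorted(tlvs),
        "hash_ok": tlvs.get("SHA256") == hashlib.sha256(hashed).digest(),
        "signed": not SIGNATURES.isdisjoint(tlvs),
        "key_hash": tlvs.get("KEYHASH", b"").hex(),
    }

def build_sample(signed: bool) -> bytes:
    """Constructed test image; the 256 signature bytes are a placeholder, not valid."""
    payload = b"\xAA" * 64
    body = HEADER.pack(IMAGE_MAGIC, 0, 32, 0, len(payload), 0, 1, 2, 3, 4, 0) + payload
    entries = [(0x10, hashlib.sha256(body).digest())]
    if signed:
        entries += [(0x01, hashlib.sha256(b"constructed-pubkey").digest()),
                    (0x20, bytes(256))]
    area = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in entries)
    return body + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(area)) + area
```

Running `inspect_image` on the file about to be uploaded and comparing `key_hash` with the SHA-256 of the public key built into the bootloader shows whether the image was signed with the intended key or with a default one.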

  • Updated request now that v1.4.0 is official

    I am using the just released v1.4.0, the sample which I started with smp_srv, with the board nrf52dk_nrf52832, but since now it does not load BL automatically, I added to the pro.conf:

    CONFIG_MCUMGR_SMP_BT=y

    CONFIG_MCUMGR_SMP_BT_AUTHEN=n

    This compiles and runs as expected, but does not OTA (as expected) since the new rule is that if no valid key is presented, you have to sign yourself afterwards. If you try to do an OTA, it connects, then you select “Test and verify” with the android app nRF Connect, and it keeps at “Validating” for like a minute, and then disconnects. The logger does not show any error, other than disconnecting…

    If I introduce a key, that in my case is:

    CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem"

    The behavior is exactly the same as when I did not include any key.

    And finally, if, as per last instructions, I modify CMakeLists.txt after minimum_required with:

    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")
      set(mcuboot_CONF_FILE prj.conf ${CMAKE_CURRENT_LIST_DIR}/mcuboot.conf)
    endif()

    And I include such file with:

    CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem"

    Or:

    CONFIG_BOOT_SIGNATURE_KEY_FILE="~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem"

    When I reload the project it responds with the following error:


    CMake Warning at /home/antonio/ncs/zephyr/kernel/CMakeLists.txt:54 (message):

      Single threaded mode (CONFIG_MULTITHREADING=n) is deprecated

    MCUBoot bootloader key file: ~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem

    -- Configuring done

    -- Generating done

    -- Build files have been written to: /home/antonio/Documents/tests/smp_svr/build_nrf52dk_nrf52832/mcuboot

    === child image mcuboot -  end ===

    CMake Error at /home/antonio/ncs/nrf/cmake/mcuboot.cmake:112 (get_filename_component):

      get_filename_component unknown component

      /home/antonio/Documents/tests/smp_svr/mcuboot.conf

    Call Stack (most recent call first):

      /home/antonio/ncs/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)

    CMake Warning at /home/antonio/ncs/nrf/cmake/mcuboot.cmake:120 (message):

      

            ---------------------------------------------------------

            --- WARNING: Using default MCUBoot key, it should not ---

            --- be used for production.                           ---

            ---------------------------------------------------------

            

    Call Stack (most recent call first):

      /home/antonio/ncs/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)

    CMake Warning at /home/antonio/ncs/nrf/cmake/mcuboot.cmake:303 (message):

      CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is set to

      "~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem".

      You are using the NCS Mcuboot signing, which means this option will be

      ignored.

      Image signing in NCS is done via the MCUboot image's

      CONFIG_BOOT_SIGNATURE_KEY_FILE option.

      Consider setting CONFIG_MCUBOOT_SIGNATURE_KEY_FILE in your application

      image back to its default value, the empty string.

    Call Stack (most recent call first):

      /home/antonio/ncs/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)

    -- Configuring incomplete, errors occurred!

    See also "/home/antonio/Documents/tests/smp_svr/build_nrf52dk_nrf52832/CMakeFiles/CMakeOutput.log".

    See also "/home/antonio/Documents/tests/smp_svr/build_nrf52dk_nrf52832/CMakeFiles/CMakeError.log".

    Project load failed

    Reported error: solution load command failed (1)


    Please advise…

  • Hi Antonio,

    There is a bug in NCS 1.4 that causes problems in this case. BOOT_SIGNATURE_KEY_FILE needs to be duplicated in bootloader/mcuboot/zephyr/Kconfig, but that was removed from NCS 1.4. So you should put it back as done in this PR.

  • Hi Einar,

    I think I must be doing something wrong because I tried all the combinations possible and neither one worked.

    I modified Kconfig as you and the PR described, tried with and without default (which should not matter because I am changing the key), tried the key with absolute and relative paths (relative ended up compiling).

    I also tried with and without the extra mcuboot.conf, calling the setting both CONFIG_BOOT_SIGNATURE_KEY_FILE and the new CONFIG_MCUBOOT_SIGNATURE_KEY_FILE, etc, etc.

    This is my setting. I take the smp_srv project and place it under ~/Documents/, my key is on ~/Documents/tracker_sensor/Tools/psl-rsa-2048.pem, created using imgtool, and I added to prj.conf the following in order for it to load BT:


    # Enable the Bluetooth (unauthenticated) and shell mcumgr transports.
    CONFIG_MCUMGR_SMP_BT=y
    CONFIG_MCUMGR_SMP_BT_AUTHEN=n
    # Linux
    CONFIG_BOOT_SIGNATURE_KEY_FILE="../../../Documents/tracker_sensor/Tools/psl-rsa-2048.pem"

    and added also to CMakeLists.txt:

    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")
       set(mcuboot_CONF_FILE prj.conf ${CMAKE_CURRENT_LIST_DIR}/mcuboot.conf)
    endif()

    As well as the included mcuboot.conf.
    So, I tried all combinations, some of them would not even make the project, some others would fail at compiling, some others would fail at runtime.
    Bottom line is I am not sure if it is CONFIG_MCUBOOT_SIGNATURE_KEY_FILE or CONFIG_BOOT_SIGNATURE_KEY_FILE or a combination, if I need to modify CMakeLists to load mcuboot.conf, if the path is absolute or relative to my key.
    Could you tell me in a few steps how to make smp_srv sample work out of tree?
    Thanks!
  • Hi,

    There seem to be more problems with this in 1.4 than just what is fixed by this PR. I am not able to make it work with 1.4 either, but unfortunately I have not made any progress yet. I am checking with the developer and will let you know when I know more.

  • Hi Einar,

    I am very eager to jump to 1.4. Do you know if this has been fixed or there is a workaround?

    Thanks!
