Problem with signing images for OTA DFU

I have had several problems with signing images, so I'll start with something simple, and I hope you can bear with me as I get to my final goal which is to OTA (which I am already doing, but not signed) with the project we are working on.

I am testing everything on a nrf52dk_nrf52832 using both Windows 10 and Ubuntu 20 VMs and I have had similar problems with both of them. I am using NCS v1.3.2 in both cases. I am not a beginner in Zephyr, or Nordic in general for that matter, but I feel like one with the whole signing, mcumgr cli using the 840 as HCI_USB in Ubuntu, etc.

Firstly, there are two "how to" pages that do not work following directions, so if you would kindly tell me what is wrong with the instructions.

Please advise.


The first page is "Signing Binaries"

Following instructions, the first line has no problem...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s bootloader/mcuboot/boot/zephyr -d build-mcuboot

But then the next command line...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s zephyr/samples/hello_world -d build-hello-signed -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"

Comes with errors...

antonio@ubuntu:~/ncs$ west build -b nrf52dk_nrf52832 -s zephyr/samples/hello_world -d build-hello-signed -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"
-- west build: generating a build system
Including boilerplate (Zephyr base): /home/antonio/ncs/zephyr/cmake/app/boilerplate.cmake
-- Application: /home/antonio/ncs/zephyr/samples/hello_world
-- Zephyr version: 2.3.0-rc1 (/home/antonio/ncs/zephyr)
-- Found Python3: /usr/bin/python3.8 (found suitable exact version "3.8.5") found components: Interpreter
-- Board: nrf52dk_nrf52832
-- Found west: /home/antonio/.local/bin/west (found suitable version "0.8.0", minimum required is "0.7.1")
-- Found dtc: /usr/bin/dtc (found suitable version "1.5.0", minimum required is "1.4.6")
-- Found toolchain: gnuarmemb (/opt/gnuarmemb)
-- Found BOARD.dts: /home/antonio/ncs/zephyr/boards/arm/nrf52dk_nrf52832/nrf52dk_nrf52832.dts
-- Generated zephyr.dts: /home/antonio/ncs/build-hello-signed/zephyr/zephyr.dts
-- Generated devicetree_unfixed.h: /home/antonio/ncs/build-hello-signed/zephyr/include/generated/devicetree_unfixed.h
Parsing /home/antonio/ncs/zephyr/Kconfig
Loaded configuration '/home/antonio/ncs/zephyr/boards/arm/nrf52dk_nrf52832/nrf52dk_nrf52832_defconfig'
Merged configuration '/home/antonio/ncs/zephyr/samples/hello_world/prj.conf'
Merged configuration '/home/antonio/ncs/build-hello-signed/zephyr/misc/generated/extra_kconfig_options.conf'
/home/antonio/ncs/build-hello-signed/zephyr/misc/generated/extra_kconfig_options.conf:3: warning: attempt to assign the value '"bootloader/mcuboot/root-rsa-2048.pem"' to the undefined symbol MCUBOOT_SIGNATURE_KEY_FILE
error: Aborting due to Kconfig warnings
CMake Error at /home/antonio/ncs/zephyr/cmake/kconfig.cmake:217 (message):
  command failed with return code: 1
Call Stack (most recent call first):
  /home/antonio/ncs/zephyr/cmake/app/boilerplate.cmake:506 (include)
  /home/antonio/ncs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:24 (include)
  /home/antonio/ncs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:35 (include_boilerplate)
  CMakeLists.txt:5 (find_package)
-- Configuring incomplete, errors occurred!
FATAL ERROR: command exited with status 1: /usr/bin/cmake -B/home/antonio/ncs/build-hello-signed -S/home/antonio/ncs/zephyr/samples/hello_world -GNinja -DBOARD=nrf52dk_nrf52832 -DCONFIG_BOOTLOADER_MCUBOOT=y '-DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem"'


The second page is "SMP Server Sample"

Which, again, the build and flash for the mcu_boot works ok

west build -b <board> -d build_mcuboot bootloader/mcuboot/boot/zephyr

west flash -d build_mcuboot

But when you try the sample application…

west build \
   -b nrf52dk_nrf52832 \
   samples/subsys/mgmt/mcumgr/smp_svr \
   -- \
   -DOVERLAY_CONFIG=overlay-bt.conf

Works ok if you change your directory to zephyr, or if you alter the command to build from ./ncs

 

But the signing has an error:

west sign -t imgtool -- --key bootloader/mcuboot/root-rsa-2048.pem

antonio@ubuntu:~/ncs$ west sign -t imgtool -- --key bootloader/mcuboot/root-rsa-2048.pem
=== image configuration:
partition offset: 49152 (0xc000)
partition size: 204800 (0x32000)
text section offset: 0 (0x0)
=== signed binaries:
bin: /home/antonio/ncs/build/zephyr/zephyr.signed.bin
Usage: imgtool sign [OPTIONS] INFILE OUTFILE
Error: Invalid value for "-H" / "--header-size": Minimum value for -H/--header-size is 32
FATAL ERROR: command exited with status 2: /home/antonio/.local/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key bootloader/mcuboot/root-rsa-2048.pem /home/antonio/ncs/build/zephyr/zephyr.bin /home/antonio/ncs/build/zephyr/zephyr.signed.bin

  • Hi,

    I am sorry this has taken so long, but we are still looking into this. There is also another bug in NCS 1.4 which prevents setting MCUboot overlay via CMakeLists.txt. So the key file must be specified on the command line similar to this instead:

    west build -b nrf52dk_nrf52832 --pristine -- -Dmcuboot_OVERLAY_CONFIG=mcuboot.conf

    That brings us a bit further, but there are still some issues. I am discussing with the R&D team and hope to have a proper solution in a few days.

  • Hi Einar,

    Do you have news on this?

    I saw that there is a 1.4.1-rc1. Do you think it is fixed there?

    Thanks!

  • Hi Antonio,

    No, it is not fixed in 1.4.1. I think the only way around it for now is to set the key configurations in your app for the app and in the mcuboot folder within NCS. It has been reported though and the developers are looking at it, so I hope it will be fixed in 1.5.

  • Hi Einar,

    I tried again with the sample app smp_svr from the v1.4.1-rc1, using the default keys, not even mine, and could not make it work. It would keep resetting, I imagine because it is not accepting the primary image.

    Can you make it work with that sample code in the BLE configuration, flash the first image, create another and OTA it, and send me a step by step of how to do it? 

    Or, if you prefer, copy the smp_svr folder outside ncs, like ~/Documents, make it work in the BLE configuration, flash the first image, create another and OTA it, and attach here the folder? I can just check what you did in the config files.

    At this point I am feeling helpless and I already tried everything.

    Thanks.

  • Hi,

    I am sorry for the delay with this. I do not have a proper way of handling this yet, but the R&D team responsible has it on their list.

    There is a dirty but very simple workaround you can do though, which is to simply replace the path to the default key with the path to your key in ncs/bootloader/mcuboot/boot/zephyr/Kconfig:

    diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
    index f283e67..8028726 100644
    --- a/boot/zephyr/Kconfig
    +++ b/boot/zephyr/Kconfig
    @@ -153,7 +153,7 @@ config BOOT_SIGNATURE_KEY_FILE
     	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
     	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
     	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
    -	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
    +	default "/Users/eith/src/smp_svr_test/test_keyfile.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
     	help
     	  You can use either absolute or relative path.
     	  In case relative path is used, the build system assumes that it starts
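
Review bot: The replaced `default` line for RSA-2048 hard-codes an absolute path under one developer's home directory (`/Users/eith/src/smp_svr_test/test_keyfile.pem`) in the bootloader's shared Kconfig, so the tree only builds on that machine and the edit has to be carried by hand across every SDK update. Only the RSA-2048 default is changed: the ECDSA P-256, Ed25519 and RSA-3072 lines in the context still name the stock `root-*.pem` files, so switching the signature type later silently goes back to a stock key. Since the help text says both absolute and relative paths are accepted, it would be better to leave the defaults untouched and assign `BOOT_SIGNATURE_KEY_FILE` from the project's own MCUboot configuration once the overlay problem mentioned earlier in the thread is resolved, and until then to keep this edit as a clearly marked local patch.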
    

    This is not ideal, but it is a simple workaround that works.
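
A build-time check for the situation in this thread, as an added example that is not from the thread or from Nordic's SDK: it reads an MCUboot `.config` and an `imgtool sign` command line and reports when either side still uses one of the default key files named in the Kconfig hunk. The function names and sample inputs are constructed for illustration; `CONFIG_BOOT_SIGNATURE_KEY_FILE` is the symbol from the hunk with the usual `CONFIG_` prefix.

```python
import shlex
from pathlib import PurePosixPath

# Default key file names listed in the Kconfig hunk quoted in the thread.
STOCK_KEYS = {"root-ec-p256.pem", "root-ed25519.pem",
              "root-rsa-3072.pem", "root-rsa-2048.pem"}
SYMBOL = "CONFIG_BOOT_SIGNATURE_KEY_FILE"

def bootloader_key(dotconfig_text):
    """Return the key path assigned in an MCUboot .config, or None."""
    path = None
    for line in dotconfig_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name == SYMBOL:
            path = value.strip().strip('"')  # last assignment wins
    return path

def signing_key(imgtool_cmdline):
    """Return the argument of --key / -k in an imgtool sign command line."""
    args = shlex.split(imgtool_cmdline)
    for i, arg in enumerate(args):
        if arg in ("--key", "-k") and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--key="):
            return arg.split("=", 1)[1]
    return None

def is_stock(path):
    # Compare the file name only, so relative and absolute paths both match.
    return PurePosixPath(path.replace("\\", "/")).name in STOCK_KEYS

def audit(dotconfig_text, imgtool_cmdline):
    """List findings for one bootloader config and one signing command."""
    boot = bootloader_key(dotconfig_text)
    sign = signing_key(imgtool_cmdline)
    findings = []
    if boot is None:
        findings.append(f"{SYMBOL} is not set in the bootloader config")
    elif is_stock(boot):
        findings.append(f"bootloader verifies against stock key {boot}")
    if sign is None:
        findings.append("signing command has no --key option")
    elif is_stock(sign):
        findings.append(f"image is signed with stock key {sign}")
    return findings

# Constructed sample inputs (not captured from a real build).
SAMPLE_CONFIG = 'CONFIG_BOOT_SIGNATURE_TYPE_RSA=y\nCONFIG_BOOT_SIGNATURE_KEY_FILE="root-rsa-2048.pem"\n'
SAMPLE_CMD = "imgtool sign --version 0.0.0+0 --key bootloader/mcuboot/root-rsa-2048.pem zephyr.bin zephyr.signed.bin"
```

The check works on file names, so it catches an unchanged default but not a stock key that was copied under a different name.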
