RE: Adding encryption to secure DFU SDK v16.0.0 - Failed decryption

cbrown_cdi — Tue, 08 Dec 2020 23:47:02 GMT

Sigurd Thanks for the help. I got it working, I was passing the little-endian versions of the ECB KEY and nonce into the openssl encryption command. Once I got that fixed everything worked as expected.

RE: Adding encryption to secure DFU SDK v16.0.0 - Failed decryption

cbrown_cdi — Tue, 08 Dec 2020 18:46:34 GMT

Hi Sigurd,

Absolutely, I understand. I'm posting this here in hopes that this may help others in the future as well.

No, I did not try that. I was hoping to avoid making the changes twice.

Yes, I added debug prints to those functions in the following locations -

static void ctr_init(const uint8_t * p_nonce, const uint8_t * p_ecb_key)
{
    m_initialized = true;
    m_index = 0;
    m_counter = 0;

    // Copy the nonce.
    memcpy(&m_ecb_data.cleartext[0], p_nonce, ECB_KEY_LEN);

    /* Reverse the array as ECB expects it in big-endian format */
    for (uint8_t i=0; i<ECB_KEY_LEN; i++)
    {
        // Save the key.
        m_ecb_data.key[i] = p_ecb_key[ECB_KEY_LEN-1-i];
    }

    //TODO remove prints
    NRF_LOG_INFO("Init Nonce: ");
    NRF_LOG_HEXDUMP_DEBUG(m_ecb_data.cleartext, ECB_KEY_LEN);
    NRF_LOG_INFO("Init ECB Key: ");
    NRF_LOG_HEXDUMP_DEBUG(m_ecb_data.key, ECB_KEY_LEN);
}

uint32_t nrf_dfu_validation_crypt(uint8_t * buf)
{
    uint32_t err_code;

    if (!m_initialized)
    {
        return NRF_ERROR_INVALID_STATE;
    }

    if (m_index == 0)
    {
        //TODO remove prints
        NRF_LOG_INFO("Working Nonce: ");
        NRF_LOG_HEXDUMP_DEBUG(m_ecb_data.cleartext, ECB_KEY_LEN);
        NRF_LOG_INFO("Working ECB Key: ");
        NRF_LOG_HEXDUMP_DEBUG(m_ecb_data.key, ECB_KEY_LEN);

        err_code = sd_ecb_block_encrypt(&m_ecb_data);
        if (NRF_SUCCESS != err_code)
        {
            return err_code;
        }
    }

    * buf ^= m_ecb_data.ciphertext[m_index];

    m_index++;

    if (m_index == 16)
    {
        m_index = 0;

        //Increment the counter
        m_counter++;

        m_ecb_data.cleartext[ECB_KEY_LEN-1] = (uint8_t)(m_counter & 0xFF);
        m_ecb_data.cleartext[ECB_KEY_LEN-2] = (uint8_t)((m_counter >> 8) & 0xFF);
        m_ecb_data.cleartext[ECB_KEY_LEN-3] = (uint8_t)((m_counter >> 16) & 0xFF);
        m_ecb_data.cleartext[ECB_KEY_LEN-4] = (uint8_t)((m_counter >> 24) & 0xFF);
    }

    return NRF_SUCCESS;
}

The relevant sections of the log show that the nonce and ECB key are being copied into m_ecb_data and are big-endian. The nonce and key match the nonce in key used when generating the DFU zip.

00> <debug> nrf_dfu_validation: PB: Init packet data len: 78
00> <info> nrf_dfu_validation: Init Nonce: 
00> <debug> nrf_dfu_validation:  FF E5 87 F1 2E 3F 7A 1A|.....?z.
00> <debug> nrf_dfu_validation:  7B 62 FE 75 00 00 00 00|{b.u....
00> <info> nrf_dfu_validation: Init ECB Key: 
00> <debug> nrf_dfu_validation:  5F 12 D1 50 98 87 12 E3|_..P....
00> <debug> nrf_dfu_validation:  18 5B 37 6B AD 0F 33 93|.[7k..3.
00> <info> nrf_dfu_validation: nrf_dfu_validation_crypt_init()

00> <debug> nrf_dfu_req_handler: Creating object with size: 4096. Offset: 0x00000000, CRC: 0x00000000
00> <debug> nrf_dfu_req_handler: Request handling complete. Result: 0x1
00> <debug> nrf_dfu_flash: Flash erase success: addr=0x00026000, pending 0
00> <info> nrf_dfu_validation: Working Nonce: 
00> <debug> nrf_dfu_validation:  FF E5 87 F1 2E 3F 7A 1A|.....?z.
00> <debug> nrf_dfu_validation:  7B 62 FE 75 00 00 00 05|{b.u....
00> <info> nrf_dfu_validation: Working ECB Key: 
00> <debug> nrf_dfu_validation:  5F 12 D1 50 98 87 12 E3|_..P....
00> <debug> nrf_dfu_validation:  18 5B 37 6B AD 0F 33 93|.[7k..3.
00> <info> nrf_dfu_validation: Working Nonce: 
00> <debug> nrf_dfu_validation:  FF E5 87 F1 2E 3F 7A 1A|.....?z.
00> <debug> nrf_dfu_validation:  7B 62 FE 75 00 00 00 06|{b.u....
00> <info> nrf_dfu_validation: Working ECB Key: 
00> <debug> nrf_dfu_validation:  5F 12 D1 50 98 87 12 E3|_..P....
00> <debug> nrf_dfu_validation:  18 5B 37 6B AD 0F 33 93|.[7k..3.
00> <info> nrf_dfu_validation: Working Nonce: 
00> <debug> nrf_dfu_validation:  FF E5 87 F1 2E 3F 7A 1A|.....?z.
00> <debug> nrf_dfu_validation:  7B 62 FE 75 00 00 00 07|{b.u....

The log shown above for the working nonce/ECB key shows the first calls to nrf_dfu_validation_crypt. I've just noticed that the 4 byte counter in the 4 LSBs of the m_ecb_data.cleartext is starting at 5. Should this be starting at 0?

Yes, I saw that post but ibeckermayer's issue seems to be different. My DFU failure seems to be caused by a hash verification failure. My suspicion was that this was caused by the decryption issue.

00> <debug> nrf_dfu_req_handler: Handle NRF_DFU_OP_OBJECT_EXECUTE (data)
00> <debug> nrf_dfu_req_handler: Whole firmware image received. Postvalidating.
00> <info> nrf_dfu_validation: in postvalidate()
00> <debug> nrf_dfu_validation: Hash verification. start address: 0x26000, size: 0x28B9C
00> <warning> nrf_dfu_validation: Hash verification failed.
00> <debug> nrf_dfu_validation: Expected FW hash:
00> <debug> nrf_dfu_validation:  CE 5F D2 8D 99 8B DE 7A|._.....z
00> <debug> nrf_dfu_validation:  B6 8E 67 CA 32 46 E9 5C|..g.2F.\
00> <debug> nrf_dfu_validation:  68 87 52 27 48 BF 6A 5A|h.R'H.jZ
00> <debug> nrf_dfu_validation:  1D F7 1C 8A 18 B9 F9 91|........
00> <debug> nrf_dfu_validation: Actual FW hash:
00> <debug> nrf_dfu_validation:  86 64 66 BB 8C 6E C7 46|.df..n.F
00> <debug> nrf_dfu_validation:  81 38 67 8A C8 E5 CE 23|.8g....#
00> <debug> nrf_dfu_validation:  95 16 FB D3 9E 98 1E 35|.......5
00> <debug> nrf_dfu_validation:  9D 93 1B DB 00 55 01 44|.....U.D
00> <warning> nrf_dfu_ble: DFU request 4 failed with error: 0xB

RE: Adding encryption to secure DFU SDK v16.0.0 - Failed decryption

Sigurd — Tue, 08 Dec 2020 16:14:43 GMT

Hi,

First of all, please note that the code posted in the other thread by devzone user Matthew, is not official code from Nordic Semiconductor. That said, the code has been very useful for several users that wants to add support for DFU encryption.

I believe the post from Matthew is written for SDK v15.0. There were several changes in the bootloader and nrfutil from SDK v15.0 to SDK v16.0. There was e.g. a new bootloader settings versions introduced in SDK v15.3 because of the changes. See this page

Some questions:

Were you able to follow the steps in the guide, and add support for DFU encryption in SDK v15, before trying to port it to SDK v16 ?
Did you check that the nrf_dfu_validation_crypt_init() function was able to properly copy/save the ecb_key and nonce to m_ecb_data? And that the same key is actually used in nrf_dfu_validation_crypt() / sd_ecb_block_encrypt() ?
Did you see this post ? Devzone user ibeckermayer tried to port it to SDK v15.2 in that post, he had some issues, but there might be some useful pointers there.