• State Not Answered
  • Replies 13 replies
  • Subscribers 77 subscribers
  • Views 5043 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 261287
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to create a MCUBoot image and an application image without modifying the SDK?

Giannis Anastasopoulos

Dear All,

I am trying to create  an application that uses the MCUBoot, so that later I can perform a FOTA operation.

From what I know so far there are some keys in the SDK that the MCUBoot prj.conf is pointing to and uses those keys to create the signed bin files.

So if someone wants to use a custom key, he could potentially replace thekey in the SDK and then it would work. But this would require to modify the SDK, which I would like to avoid completely.

While I was trying to figure out this issue, I came across this link that suggests that someone can first compile the application, including the MCUBoot and then sign it with a custom key, that felt right the exact thing I am looking for. But this unfortunately didn't work.

What I did is this:

west build -p auto -b nrf9160dk_nrf9160ns
west sign -t imgtool -- --key private-key.pem --header-size 32 --pad

And what I got is this:

Error: Header padding was not requested and image does not start with zeros
FATAL ERROR: command exited with status 2: 'C:\Python37\Scripts\imgtool.EXE' sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 196608 --key private-key.pem --header-size 32 --pad C:/Users/SODAQ/Desktop/GIT_Projects/bayer_tag/build/zephyr/zephyr.bin 'C:\Users\SODAQ\Desktop\GIT_Projects\bayer_tag\build\zephyr\zephyr.signed.bin'


From what I can understand the

CONFIG_BOOTLADER_MCUBOOT=y

effectively compiles and adds the bootloader in the project, but the bootloader uses the default key of the SDK and this very undesired.

So is there any way possible to effectively sign the .hex file again with the custom private key and then be able to use the .bin file with the custom private key, without modifying the SDK at all?

Also, I am not sure what is the role of the SPM in this process.

I am using the NCS SDK v1.3.0

Thank you very much for your assistance

Parents
  • 0

    Hi Heidi,

    I've setup the mcuboot bootloader with a private key. I've validated that this is consumed correctly by checking that the public key matches the generated one at build/mcuboot/zephyr/autogen-pubkey.c. Basic functionality of mcuboot works for me.

    The issue I'm running into is when attempting to encrypt the hex generated by Zephyr, this can be done directly with mcuboot by enabling the following configuration:

    • CONFIG_BOOT_ENCRYPT_RSA=y

    This requires a Crypto library, in my case I'm using mbedtls with all ciphers enabled for my networking stack. The issue I'm having is that during the build mcuboot is unable to locate the following mbedtls dependency. 

    In file included from C:/project/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:33,
                 from C:/project/bootloader/mcuboot/boot/bootutil/src/bootutil_priv.h:43,
                 from C:/project/bootloader/mcuboot/boot/boot_serial/src/boot_serial.c:60:
C:/project/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/aes_ctr.h:23:14: fatal error: mbedtls/aes.h: No such file or directory
   23 |     #include <mbedtls/aes.h>
      |              ^~~~~~~~~~~~~~~
compilation terminated.

    This is my configurations for the mcuboot_CONF_FILE:

    CONFIG_SIZE_OPTIMIZATIONS=y
CONFIG_DEBUG=y
CONFIG_SYSTEM_CLOCK_DISABLE=y
CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"

# Do not erase all flash when flashing mcuboot
CONFIG_ZEPHYR_TRY_MASS_ERASE=n

# nrf52840 with QSPI
CONFIG_FLASH=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y
CONFIG_MULTITHREADING=y
CONFIG_NORDIC_QSPI_NOR=y
CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16
CONFIG_PM_EXTERNAL_FLASH=y
CONFIG_PM_EXTERNAL_FLASH_DEV_NAME="MX25R64"
CONFIG_PM_EXTERNAL_FLASH_SIZE=0x800000
CONFIG_PM_EXTERNAL_FLASH_BASE=0x0

CONFIG_UART_CONSOLE=n
CONFIG_CONSOLE_HANDLER=n
CONFIG_RTT_CONSOLE=y

# Updates over Serial
CONFIG_MCUBOOT_SERIAL=y
CONFIG_BOOT_SERIAL_UART=y
CONFIG_BOOT_SERIAL_DETECT_PIN=31
CONFIG_BOOT_SERIAL_DETECT_PIN_VAL=0
CONFIG_BOOT_WATCHDOG_FEED=y
CONFIG_BOOT_MAX_IMG_SECTORS=256

# Boot Security Configuration
CONFIG_BOOT_VALIDATE_SLOT0=y
CONFIG_BOOT_UPGRADE_ONLY=n 
# CONFIG_BOOT_SIGNATURE_TYPE_NONE=y
CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
# CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
CONFIG_BOOT_ENCRYPT_RSA=y
# CONFIG_BOOT_ENCRYPT_X25519=y

CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/test_key_rsa_2048.pem"
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="C:/test_key_rsa_2048.pem"

    This is my configurations for the mcuboot_DTC_OVERLAY_FILE:

    # Ensure an MCUboot-compatible binary is generated.
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_FW_INFO=y
    :

    Any help is much appreciated.

    Thanks & Best Regards,

    Ramiro

  • 0 in reply to SirBranch

    Hi Ramiro! Due to the summer holidays, we are quite understaffed in the support department at the moment. But I will get to your issue next week. 

  • 0 in reply to Heidi

    Hi Heidi,

    Are you able to provide an update? 

    Thanks & Best Regards,

    Ramiro

  • 0 in reply to SirBranch

    Hi!

    Could you send me the following files: 

    build/mcuboot/zephyr/.config

    build/spm/zephyr/.config

    build/zephyr/.config

  • 0 in reply to Heidi

    Are we able to move the discussion to a private ticket so I can share those files? Apologies if this causes issues, it's  production firmware 

Reply Children
Related
Terms of service