• State Not Answered
  • Replies 13 replies
  • Subscribers 77 subscribers
  • Views 5031 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 261287
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to create a MCUBoot image and an application image without modifying the SDK?

Giannis Anastasopoulos

Dear All,

I am trying to create  an application that uses the MCUBoot, so that later I can perform a FOTA operation.

From what I know so far there are some keys in the SDK that the MCUBoot prj.conf is pointing to and uses those keys to create the signed bin files.

So if someone wants to use a custom key, he could potentially replace thekey in the SDK and then it would work. But this would require to modify the SDK, which I would like to avoid completely.

While I was trying to figure out this issue, I came across this link that suggests that someone can first compile the application, including the MCUBoot and then sign it with a custom key, that felt right the exact thing I am looking for. But this unfortunately didn't work.

What I did is this:

west build -p auto -b nrf9160dk_nrf9160ns
west sign -t imgtool -- --key private-key.pem --header-size 32 --pad

And what I got is this:

Error: Header padding was not requested and image does not start with zeros
FATAL ERROR: command exited with status 2: 'C:\Python37\Scripts\imgtool.EXE' sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 196608 --key private-key.pem --header-size 32 --pad C:/Users/SODAQ/Desktop/GIT_Projects/bayer_tag/build/zephyr/zephyr.bin 'C:\Users\SODAQ\Desktop\GIT_Projects\bayer_tag\build\zephyr\zephyr.signed.bin'


From what I can understand the

CONFIG_BOOTLADER_MCUBOOT=y

effectively compiles and adds the bootloader in the project, but the bootloader uses the default key of the SDK and this very undesired.

So is there any way possible to effectively sign the .hex file again with the custom private key and then be able to use the .bin file with the custom private key, without modifying the SDK at all?

Also, I am not sure what is the role of the SPM in this process.

I am using the NCS SDK v1.3.0

Thank you very much for your assistance

  • 0 in reply to Heidi

    Hi Heidi,

    I am a colleague of Giannis and took over the FOTA implementation.

    I have created a mcuboot.conf file in the project folder, containing solely this line:
    CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="key.pem"

    The same line I added to the prj.conf. There we also specified CONFIG_BOOTLOADER_MCUBOOT=y.

    I also added the key.pem file to the project folder. I have created this key.pem with the instructions of this link.

    As we do not want to make changes to the ncs (in this case to keys.c), I was not sure what to do with this instruction.
    I skipped it for now, which is probably not the best idea.

    During build I get the following warning:

    === child image mcuboot -  end ===

CMake Warning at C:/ncs/nrf/modules/mcuboot/CMakeLists.txt:151 (message):
  

        ---------------------------------------------------------
        --- WARNING: Using default MCUBoot key, it should not ---
        --- be used for production.                           ---
        ---------------------------------------------------------




CMake Warning at C:/ncs/nrf/modules/mcuboot/CMakeLists.txt:352 (message):
  CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is set to "key.pem".

  You are using the NCS Mcuboot signing, which means this option will be
  ignored.

  Image signing in NCS is done via the MCUboot image's
  CONFIG_BOOT_SIGNATURE_KEY_FILE option.

  Consider setting CONFIG_MCUBOOT_SIGNATURE_KEY_FILE in your application
  image back to its default value, the empty string.



    I am not sure what these warnings mean. Has the imaged been signed during build? How can I check that the image has been signed correctly? Or is there still something going wrong?

    I tried using this 
    west sign -t imgtool -- --key key.pem --header-size 32 --pad
    after building but that still gives the same error as Giannis had initially.


    Also can you tell me how I should incorporate the public key in the code?

    Thanks in advance.

    Kind regards,
    Maaike

  • 0 in reply to Maaike

    Hi!

    You can specify the public key file without modifying NCS in one of the following ways:

    • in a dedicated `mcuboot_prj.conf` and pass it to the build system as: `-Dmcuboot_CONF_FILE=mcuboot_prj.conf`
      containing:
      CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem
      If using this method, CONFIG_BOOT_SIGNATURE_KEY_FILE <path> can be omitted and path will be taken relative to the location of the conf file.
    • In a Kconfig fragment, like: mcuboot_overlay-keys.conf , and pass it to the build system as: `-Dmcuboot_OVERLAY_CONFIG=mcuboot_overlay-keys.conf` containing:
      Path must be absolute in this case.
      CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem
    • using `-Dmcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem`.
      Path must be absolute in this case.

    So try one of these methods and let me know if you still see the warnings.

    Best regards,

    Heidi

  • 0

    Hi Heidi,

    I've setup the mcuboot bootloader with a private key. I've validated that this is consumed correctly by checking that the public key matches the generated one at build/mcuboot/zephyr/autogen-pubkey.c. Basic functionality of mcuboot works for me.

    The issue I'm running into is when attempting to encrypt the hex generated by Zephyr, this can be done directly with mcuboot by enabling the following configuration:

    • CONFIG_BOOT_ENCRYPT_RSA=y

    This requires a Crypto library, in my case I'm using mbedtls with all ciphers enabled for my networking stack. The issue I'm having is that during the build mcuboot is unable to locate the following mbedtls dependency. 

    In file included from C:/project/bootloader/mcuboot/boot/bootutil/include/bootutil/enc_key.h:33,
                 from C:/project/bootloader/mcuboot/boot/bootutil/src/bootutil_priv.h:43,
                 from C:/project/bootloader/mcuboot/boot/boot_serial/src/boot_serial.c:60:
C:/project/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/aes_ctr.h:23:14: fatal error: mbedtls/aes.h: No such file or directory
   23 |     #include <mbedtls/aes.h>
      |              ^~~~~~~~~~~~~~~
compilation terminated.

    This is my configurations for the mcuboot_CONF_FILE:

    CONFIG_SIZE_OPTIMIZATIONS=y
CONFIG_DEBUG=y
CONFIG_SYSTEM_CLOCK_DISABLE=y
CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"

# Do not erase all flash when flashing mcuboot
CONFIG_ZEPHYR_TRY_MASS_ERASE=n

# nrf52840 with QSPI
CONFIG_FLASH=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y
CONFIG_MULTITHREADING=y
CONFIG_NORDIC_QSPI_NOR=y
CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16
CONFIG_PM_EXTERNAL_FLASH=y
CONFIG_PM_EXTERNAL_FLASH_DEV_NAME="MX25R64"
CONFIG_PM_EXTERNAL_FLASH_SIZE=0x800000
CONFIG_PM_EXTERNAL_FLASH_BASE=0x0

CONFIG_UART_CONSOLE=n
CONFIG_CONSOLE_HANDLER=n
CONFIG_RTT_CONSOLE=y

# Updates over Serial
CONFIG_MCUBOOT_SERIAL=y
CONFIG_BOOT_SERIAL_UART=y
CONFIG_BOOT_SERIAL_DETECT_PIN=31
CONFIG_BOOT_SERIAL_DETECT_PIN_VAL=0
CONFIG_BOOT_WATCHDOG_FEED=y
CONFIG_BOOT_MAX_IMG_SECTORS=256

# Boot Security Configuration
CONFIG_BOOT_VALIDATE_SLOT0=y
CONFIG_BOOT_UPGRADE_ONLY=n 
# CONFIG_BOOT_SIGNATURE_TYPE_NONE=y
CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
# CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
CONFIG_BOOT_ENCRYPT_RSA=y
# CONFIG_BOOT_ENCRYPT_X25519=y

CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/test_key_rsa_2048.pem"
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="C:/test_key_rsa_2048.pem"

    This is my configurations for the mcuboot_DTC_OVERLAY_FILE:

    # Ensure an MCUboot-compatible binary is generated.
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_FW_INFO=y
    :

    Any help is much appreciated.

    Thanks & Best Regards,

    Ramiro

  • 0 in reply to SirBranch

    Hi Ramiro! Due to the summer holidays, we are quite understaffed in the support department at the moment. But I will get to your issue next week. 

  • 0 in reply to Heidi

    Hi Heidi,

    Are you able to provide an update? 

    Thanks & Best Regards,

    Ramiro

Related
Terms of service