How to validate signature check requirements

RE: How to validate signature check requirements

Einar Thorsrud — Mon, 01 Feb 2021 09:55:41 GMT

Hi RMV,

[quote user="RMV"]I can get the version without any encryption to boot up, but have not been successful in making this update process work with encryption.[/quote]

It should have worked if you only use signature verification on the app. If also used on the SoftDevice then there is a bug in SDK 16 which was fixed in SDK 17 (see SDK 17.0.2 release notes). You could back-port that if needed. In what way does this not work? Do you get any errors or sensible logs form the bootloader if you test with the _debug bootloader with RTT loggign?

[quote user="RMV"]I would like to use ECDSA with 256bit hash but can settle for a related and supported variant on this ecosystem.[/quote]

The bootloader supports exactly what you want, and that is the only cryptographic has that is supported out of the box. Others can be added, but I do not see a need for that as your wishes is in line with the SDK support.

[quote user="RMV"]What combination of preprocessor symbols (and anything else that I am unaware of) is required to be defined in the sdk_config and the command line when:
1. Building the boot loader + DFU
2. Building the application + buttonless DFU service[/quote]

To be honest the down-side with sdk_config.h is that it is huge and automatically generated. We do not provide any minimal set. I recommend you just start off with the relevant example. Most examples have a complete sdk_config.h. If you for some reason want to minimize it, you can remove configurations that is not used, but I do not have any such minimal sdk_config.h files to provide. That does not have any effect on the resulting code, though. Similarly, if you miss some configuration macros you will typically see quite easily from the error when building what is missing so that you can add missing parts form an example sdk_config.h file. I understand this is not the answer you hoped for, but this is how the nRF5 SDK is organized.

Einar

RE: How to validate signature check requirements

RVM — Fri, 29 Jan 2021 17:01:53 GMT

[quote userid="7377" url="~/f/nordic-q-a/70726/how-to-validate-signature-check-requirements/290605#290605"]This is not related to programming itself. The points is that you need to specify the validation method when you generate the bootloader settings page so that it is properly signed. Specifically you need to use --app-boot-validation VALIDATE_ECDSA_P256_SHA256. You can type nrfutil settings generate --help for more details on settings page generation.[/quote]

I can get the version without any encryption to boot up, but have not been successful in making this update process work with encryption.

I am using SDK v16.0.0, Soft Device S132 v7.0.1 on an nRF52832 custom board.
I would like to use ECDSA with 256bit hash but can settle for a related and supported variant on this ecosystem.

My question is:
What combination of preprocessor symbols (and anything else that I am unaware of) is required to be defined in the sdk_config and the command line when:
1. Building the boot loader + DFU
2. Building the application + buttonless DFU service

Cheers
RMV

RE: How to validate signature check requirements

RVM — Thu, 21 Jan 2021 21:13:18 GMT

Thank you for the walkthrough. I will mark this as 'answered'

Cheers

RMV

RE: How to validate signature check requirements

Einar Thorsrud — Thu, 21 Jan 2021 18:23:26 GMT

Hi,

[quote user="RMV"]I am sorry but I do not know how to "specify here as well that there should be a signature verification" -- I am using JLINK over SWD so what would be the workflow for specifying signature verification at boot up?[/quote]

This is not related to programming itself. The points is that you need to specify the validation method when you generate the bootloader settings page so that it is properly signed. Specifically you need to use --app-boot-validation VALIDATE_ECDSA_P256_SHA256. You can type nrfutil settings generate --help for more details on settings page generation.

[quote user="RMV"]Do you mean a dummy 'key file' instead of 'hex file' ?[/quote]

No, I ment hex file, but you will get the same effect by changing the key file. Essentially, you need both the correct data and correct key to generate a valid signature. So replacing any of the two when generating the bootloader settings page would cause subsequent signature verification to fail (as expected).

RE: How to validate signature check requirements

RVM — Thu, 21 Jan 2021 16:52:38 GMT

[quote userid="7377" url="~/f/nordic-q-a/70726/how-to-validate-signature-check-requirements/290522#290522"]

(IMPORTANT) I want to download this package to the device using a 'SWD debug port' -- not by any generic DFU workflows.

No problem. As long as your merged hex file includes a bootloader settings page, the app will start and everything will work after programming via SWD. Note that you need to specify here as well that there should be a signature verification, so that the correct signature is part of the generated settings page.

[/quote]

I am sorry but I do not know how to "specify here as well that there should be a signature verification" -- I am using JLINK over SWD so what would be the workflow for specifying signature verification at boot up?

[quote userid="7377" url="~/f/nordic-q-a/70726/how-to-validate-signature-check-requirements/290522#290522"]

Then I want to power cycle and reboot the device and ensure that I can FORCE the device to FAIL the boot up validation by using a 'WRONG' key somewhere in the process that leads to the generation of the single HEX file in (2) above.

To do this, just supply a dummy hex file instead of the correct hex file when generating the bootloader settings page. Then the signature will not be valid for the actual hex file, and the bootloader will not start the application.

[/quote]

Do you mean a dummy 'key file' instead of 'hex file' ?

RE: How to validate signature check requirements

Einar Thorsrud — Thu, 21 Jan 2021 13:02:23 GMT

Hi RMV,

[quote user=""]Can this be done, and if so, how?[/quote]

Yes, this is all supported out of the box.

[quote user=""]I want to create a boot loader that checks the signature of the application every time the device boots up.[/quote]

This is supported by the nRF5 SDK bootloader. By default it will only check a CRC of the application, but you can require a signature check by setting NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the bootloader's sdk_config.h.

[quote user=""]I want to combine the SoftDevice, the boot loader, the boot loader settings and the application into a single HEX file[/quote]

That is no problem. You can merge all these to a single hex using the mergehex tool which is part of nRF Command Line Tools.

[quote user=""](IMPORTANT) I want to download this package to the device using a 'SWD debug port' -- not by any generic DFU workflows.[/quote]

[quote user=""]Then I want to power cycle and reboot the device and ensure that I can FORCE the device to FAIL the boot up validation by using a 'WRONG' key somewhere in the process that leads to the generation of the single HEX file in (2) above.[/quote]

Einar