
CMake warning: Using default MCUBoot key, it should not be used for production.

I'm following the steps at https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/ug_bootloader.html#adding-a-bootloader-chain-to-your-application

I generated a private key using

openssl ecparam -name prime256v1 -genkey -noout -out priv.pem

Side note: I got this command from the bootloader sample readme.rst; it might be useful to include it in the docs at the link above.

To my prj.conf I added:

CONFIG_SECURE_BOOT=y
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_SB_SIGNING_KEY_FILE="priv.pem"

When I re-run CMake I get the warning in the title of the question. Should it not be using the private key I specified?

  • Hi,

     

    That config is specific to the "SECURE_BOOT" (immutable bootloader, also named "B0"). To set the mcuboot key, you should first edit your CMakeLists.txt and add this just below the cmake_minimum_required() line:

    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")
        list(APPEND mcuboot_OVERLAY_CONFIG
          "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf"
          )
    endif()
    

    This will allow your application to append to the default mcuboot configuration.

    Then you create a mcuboot.conf file in your application folder, holding the absolute path of your .pem file:

    CONFIG_BOOT_SIGNATURE_KEY_FILE="/path/to/priv.pem"

     

    Now, when you delete your build folder and re-run cmake (or west, SES-NE), it shall use your private key.

     

    PS: Note that CONFIG_SB_SIGNING_FILE="" should be in your prj.conf, i.e. specific to the project which also sets CONFIG_SECURE_BOOT.

     

    Kind regards,

    Håkon
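
A build-time check for the condition behind the warning, as an added example that is not part of the original thread or of Nordic's documentation: it reads the merged Kconfig output of the MCUboot child image and fails if the signing key is unset, is one of the sample keys, is not an absolute path, or is missing. Assumptions: the helper name check_mcuboot_key, the location build/mcuboot/zephyr/.config, and the root-*.pem naming of the sample keys in the MCUboot repository.

```shell
#!/bin/sh
# Added example: helper name, messages and paths are assumptions, not from the thread.
# Usage: check_mcuboot_key build/mcuboot/zephyr/.config   (assumed child-image location)
# Returns 0 only if MCUboot is configured with an existing, non-default key file.
check_mcuboot_key() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 1; }

    # Take the quoted value of the last CONFIG_BOOT_SIGNATURE_KEY_FILE assignment.
    key=$(sed -n 's/^CONFIG_BOOT_SIGNATURE_KEY_FILE="\(.*\)"$/\1/p' "$conf" | tail -n 1)
    if [ -z "$key" ]; then
        echo "FAIL: CONFIG_BOOT_SIGNATURE_KEY_FILE is not set in $conf" >&2
        return 1
    fi

    # The sample keys published in the MCUboot repository are named root-*.pem.
    case "${key##*/}" in
        root-*.pem)
            echo "FAIL: default MCUboot key in use: $key" >&2
            return 1 ;;
    esac

    # The answer above asks for an absolute path (POSIX or drive-letter form).
    case "$key" in
        /*|[A-Za-z]:*) ;;
        *)
            echo "FAIL: key path is not absolute: $key" >&2
            return 1 ;;
    esac

    [ -f "$key" ] || { echo "FAIL: key file not found: $key" >&2; return 1; }
    echo "OK: MCUboot image signing key is $key"
}

# Run the check when a .config path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_mcuboot_key "$1"
fi
```

Running it after every clean build catches the case where mcuboot.conf was not picked up and the child image silently fell back to its default key.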

  • I don't get it. Where should I add my keyfile? In CONFIG_SB_SIGNING_FILE="?" or in CONFIG_BOOT_SIGNATURE_KEY_FILE="path/to/key.pem"?
