Best process for signing firmware images when using mcuboot

RE: Best process for signing firmware images when using mcuboot

lcoudeville — Mon, 21 Mar 2022 08:56:54 GMT

That doesn't make a difference. Even tried LIST(append.... but that doesn't make a difference.

Added some debug messages in the "extensions.cmake" file in nrf-sdk learned that the variable mcuboot_OVERLAY_CONFIG is configured. In the macro/function `add_overlay` I added a message debug line:

macro(add_overlay_config image overlay_file)
  add_overlay(${image} ${overlay_file} OVERLAY_CONFIG)
  message(${mcuboot_OVERLAY_CONFIG})
endmacro()

When I pass the variable as cli argument ( -Dmcuboot_OVERLAY_CONFIG=$(pwd)/mcuboot_prj.conf ), I get:

/home/.../mcuboot_prj.conf;/home/.../ncs/nrf/subsys/partition_manager/partition_manager_enabled.conf

Which is OK!

When I set the variable from the CMakeLists.txt (as first line!) I get:

/home/.../mcuboot_prj.conf

Which is NOT OK! mcuboot is compiled without partition manager support, causing errors at boot time.

I solved my issue with the "child_image" approach, however, I preferred to set the variable from the CMakeLists.txt file.

RE: Best process for signing firmware images when using mcuboot

d_c_h_w — Fri, 18 Mar 2022 15:08:14 GMT

[quote userid="112790" url="~/f/nordic-q-a/72365/best-process-for-signing-firmware-images-when-using-mcuboot/358909#358909"]set(mcuboot_OVERLAY_CONFIG "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot_prj.conf")[/quote]

I noticed you are using quotes here, could that be the problem?

RE: Best process for signing firmware images when using mcuboot

lcoudeville — Fri, 18 Mar 2022 14:56:50 GMT

I tried to walk on this approach, but unfortunately this doesn't work with the latest ncs (1.9.1). I digged deeper to reveal that something is loose with the "add_overlay*" functions/macro's. After investigating a lot of time I'm still not able to say what's wrong. I temporarily resolved this issue by using the "child_image" approach. But I want to share the issue, so it can be resolved in one of the upcoming ncs releases.

Setting the variable in the cmake file doesn't seems to work:

set(mcuboot_OVERLAY_CONFIG "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot_prj.conf")

For some reason, this late overlay config(s) are not appended when building the project. So the nrf/subsys/partition_manager/partition_manager_enabled.conf file is not loaded resulting in mcuboot errors.

The strange thing is supplying it over the command line works:

west build -p=always -- -Dmcuboot_OVERLAY_CONFIG=$(pwd)/mcuboot_prj.conf && west flash

Adding some debug info shows that "mcuboot_OVERLAY_CONFIG" only contains the path set in the CMakeLists.txt and not the appended files by the ncs scripts (in my case the partition_manager_enabled.conf file).

RE: Best process for signing firmware images when using mcuboot

d_c_h_w — Wed, 10 Mar 2021 09:26:17 GMT

Hi Simon,

I have just tried that, and this expects the pem file in the source mcuboot directory (or use a absolute path), so it is the same as creating an append overlay in the child_image directory.

In fact, I think the new v1.5.0 feature of the child_image directory is a neatened up implementation of doing what you have suggested.

I will stick with the new child_image method and just pre-copy across the pem file to the mcuboot directory, and ignore the cmake warning.

Thanks for all your suggestions

RE: Best process for signing firmware images when using mcuboot

Simon — Tue, 09 Mar 2021 17:07:31 GMT

Try doing this instead:

if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")
    list(APPEND mcuboot_OVERLAY_CONFIG
      "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf"
      )
endif()

From https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.5.0/zephyr/application/index.html?highlight=overlay_config#important-build-system-variables:

"OVERLAY_CONFIG: Additional Kconfig configuration fragment files. Multiple filenames can be separated with either spaces or semicolons. This can be useful in order to leave CONF_FILE at its default value, but “mix in” some additional configuration options."

RE: Best process for signing firmware images when using mcuboot

d_c_h_w — Tue, 09 Mar 2021 10:44:59 GMT

Hi Simon, Thank you for your response and suggestions.

I think your first option is basically the same as my first option. The down side to this seems to be as it is the main conf file now for mcuboot it requires extra config options for it to be the same as a letting it configure itself.

The other two options rely on absolute paths which I am not keen on, as I work locally in Windows with SES, but have a docker environment under linux that creates builds too.

I think I will stick with my 2nd option for now, it's a shame that the cmake warning logic is a bit wrong assuming any key in the mcuboot directory must be a default one

RE: Best process for signing firmware images when using mcuboot

Simon — Mon, 08 Mar 2021 18:30:24 GMT

Would any of these methods work?

"In a dedicated `mcuboot_prj.conf` and pass it to the build system as: `-Dmcuboot_CONF_FILE=mcuboot_prj.confI
containing:
CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem
If using this method, CONFIG_BOOT_SIGNATURE_KEY_FILE <path> can be omitted and path will be taken relative to the location of the conf file.
In a Kconfig fragment, like: mcuboot_overlay-keys.conf , and pass it to the build system as: `-Dmcuboot_OVERLAY_CONFIG=mcuboot_overlay-keys.conf` containing:
Path must be absolute in this case.
CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem
using `-Dmcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE=<path>/public-key.pem`.
Path must be absolute in this case."

Best regards,

Simon