• State Verified Answer
  • Replies 2 replies
  • Subscribers 88 subscribers
  • Views 1351 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 270847
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF52832 Secure Boot / DFU

hannes

Hi,

i'm a litte bit confused about the Secure Boot functionality. I'm using a custom example and the SDK 17.0.2 Secure bootloader. When generating a DFU package I have to specify my private.key to encrypt the signature and sign the DFU image using ECDSA_P256_SHA256.

So this key/validation is only used for the DFU-update process?

When I also want to implement a secure boot validation for every boot AFTER the DFU I also have to add the VALIDATE_ECDSA_P256_SHA256 Option (for APP and or SD)?

When I want to implement a secure boot validation for every boot already BEFORE a DFU I have to add the VALIDATE_ECDSA_P256_SHA256 Option already when generating the Bootloader-settings file and flashing the chip for the first time?

Do I need to enable NRF_BL_APP_SIGNATURE_CHECK_REQUIRED in the bootloaders skd_config.h to get the boot validation finally enabled/work, or what does this option do in this case?

Kind regards

Parents
  • +1

    Hi,

    Sorry for the late reply.

    So this key/validation is only used for the DFU-update process?

    Yes, the DFU requires private and public keys. The public key can be computed from a private key but the private key must be provided. When the update is signed and verification of the signature passes the bootloader can be sure that the update is correct bit-for-bit and that the holder of the private key has approved the contents. You can read more about the Signature verification for the DFU process here.

    When I also want to implement a secure boot validation for every boot AFTER the DFU I also have to add the VALIDATE_ECDSA_P256_SHA256 Option (for APP and or SD)?

     Yes.

    When I want to implement a secure boot validation for every boot already BEFORE a DFU I have to add the VALIDATE_ECDSA_P256_SHA256 Option already when generating the Bootloader-settings file and flashing the chip for the first time?

    Yes.

    Do I need to enable NRF_BL_APP_SIGNATURE_CHECK_REQUIRED in the bootloaders skd_config.h to get the boot validation finally enabled/work, or what does this option do in this case?

     Yes.

    For more information about boot validation see here. Take notice that hash validation VALIDATE_ECDSA_P256_SHA256 is the most secure but also the most time costly, which will result in some delay before booting.

    Best regards,

    Marjeris

Reply
  • +1

    Hi,

    Sorry for the late reply.

    So this key/validation is only used for the DFU-update process?

    Yes, the DFU requires private and public keys. The public key can be computed from a private key but the private key must be provided. When the update is signed and verification of the signature passes the bootloader can be sure that the update is correct bit-for-bit and that the holder of the private key has approved the contents. You can read more about the Signature verification for the DFU process here.

    When I also want to implement a secure boot validation for every boot AFTER the DFU I also have to add the VALIDATE_ECDSA_P256_SHA256 Option (for APP and or SD)?

     Yes.

    When I want to implement a secure boot validation for every boot already BEFORE a DFU I have to add the VALIDATE_ECDSA_P256_SHA256 Option already when generating the Bootloader-settings file and flashing the chip for the first time?

    Yes.

    Do I need to enable NRF_BL_APP_SIGNATURE_CHECK_REQUIRED in the bootloaders skd_config.h to get the boot validation finally enabled/work, or what does this option do in this case?

     Yes.

    For more information about boot validation see here. Take notice that hash validation VALIDATE_ECDSA_P256_SHA256 is the most secure but also the most time costly, which will result in some delay before booting.

    Best regards,

    Marjeris

Children
Related
Terms of service