RE: nRF52832 Secure Boot / DFU

hannes — Fri, 04 Jun 2021 14:19:29 GMT

Thanks very much! So far I understood everything correct. Nevertheless, using VALIDATE_ECDSA_P256_SHA256 and setting NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 does not work in my DFU case. Since this is something new I've created a new Post:

New-Post

RE: nRF52832 Secure Boot / DFU

Marjeris Romero — Thu, 03 Jun 2021 12:07:56 GMT

Hi,

Sorry for the late reply.

[quote user=""]So this key/validation is only used for the DFU-update process?[/quote]

Yes, the DFU requires private and public keys. The public key can be computed from a private key but the private key must be provided. When the update is signed and verification of the signature passes the bootloader can be sure that the update is correct bit-for-bit and that the holder of the private key has approved the contents. You can read more about the Signature verification for the DFU process here.

[quote user=""]When I also want to implement a secure boot validation for every boot AFTER the DFU I also have to add the VALIDATE_ECDSA_P256_SHA256 Option (for APP and or SD)?[/quote]

Yes.

[quote user=""]When I want to implement a secure boot validation for every boot already BEFORE a DFU I have to add the VALIDATE_ECDSA_P256_SHA256 Option already when generating the Bootloader-settings file and flashing the chip for the first time?[/quote]

Yes.

[quote user=""]Do I need to enable NRF_BL_APP_SIGNATURE_CHECK_REQUIRED in the bootloaders skd_config.h to get the boot validation finally enabled/work, or what does this option do in this case?[/quote]

Yes.

For more information about boot validation see here. Take notice that hash validation VALIDATE_ECDSA_P256_SHA256 is the most secure but also the most time costly, which will result in some delay before booting.

Best regards,

Marjeris