Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

hannes — Thu, 24 Jun 2021 14:48:07 GMT

Hi Amanda

thank you very much! So it works with the bootloader without the debug feature and removing --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 when creating the update package.

It works also when the "old" bootloader was compiled without NRF_BL_APP_SIGNATURE_CHECK_REQUIRED enabled ;-)

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

Amanda Hsieh — Thu, 24 Jun 2021 09:01:35 GMT

Hi Hannes,

Could you try the bootloader without the debug feature? I have the same issue with the debug version, but another one without debug can work.

-Amanda H.

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

hannes — Wed, 23 Jun 2021 11:54:22 GMT

Hi Amanda,

I've removed "-sd-boot-validation VALIDATE_ECDSA_P256_SHA256" from the nrfutil command when generating the update package.

No matter if the old SDK 15.3.0 Bootloader was compiled with or without NRF_BL_APP_SIGNATURE_CHECK_REQUIRED enabled the DFU process failes with the error "Connect timed out." In both cases the board remains in a dead state as it doesn't resume to it's normal activity or DFU mode. Also after repowering or pressing the hardware DFU-button the board stays dead. The only way is to erase the board using the programmer. Attached you can find the logs with and without NRF_BL_APP_SIGNATURE_CHECK_REQUIRED enabled for the old SDK 15.3.0 Bootloader.

devzone.nordicsemi.com/.../1-_2D00_-CHECK_5F00_REQUIRED-_3D00_-1.txt

devzone.nordicsemi.com/.../2-_2D00_-CHECK_5F00_REQUIRED-_3D00_-0.txt

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

Amanda Hsieh — Tue, 22 Jun 2021 08:26:03 GMT

Hi Hannes,

Sorry for the delay.

[quote user=""]nrfutil pkg generate --hw-version 52 --application-version 1 --application app17.0.2.hex --sd-req 0x00B8 --sd-id 0x0103 --softdevice s112_nrf52_7.2.0_softdevice.hex --bootloader-version 1 --bootloader secure_bootloader_ble_s112_pca10040.hex --key-file private.key --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 dfu_update_app_sd_bl_15to17.zip[/quote]

Created the package with --app-boot-validation only (remove --sd-boot-validation VALIDATE_ECDSA_P256_SHA256), the update should work fine. In Creating a firmware package with nrfutil section, If you include both a bootloader and a SoftDevice in your firmware package, those two images will be merged together." I think the bootloader treats the SD+BL as an application image, so --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 might cause the error.

[quote user="hannes"]How can I modify the page-alignment? The DFU Packages are generated with nrfutil.[/quote]

I guess that error comes with the Signature failed. If the package is only generated with --app-boot-validation and work, this error will also go out.

-Amanda H.

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

hannes — Tue, 15 Jun 2021 12:08:35 GMT

Hi Amanda,

no, the provided logs were taken when NRF_BL_APP_SIGNATURE_CHECK_REQUIRED was set to 0 in the sdk_config.h of the old SDK 15.3.0 bootloader while updating to SDK17.

The SDK 15.3.0 bootloader settings were generated by:
nrfutil settings generate --family NRF52 --application app.hex --application-version 0 --bootloader-version 0 --bl-settings-version 1 bootloader_settings.hex

When I set NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the sdk_config.h of the old SDK 15.3.0 bootloader while updating to SDK17 I'm getting the same error (see attached logfile).

The SDK 15.3.0 bootloader settings were generated by:
nrfutil settings generate --family NRF52 --application app.hex --application-version 0 --bootloader-version 0 --bl-settings-version 2 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 --softdevice s112_nrf52_6.1.1_softdevice.hex --key-file private.key bootloader_settings.hex

And, yes, the same SDK 15.3.0 bootloader with NRF_BL_APP_SIGNATURE_CHECK_REQUIRED set to 1 performs SDK 15.3.0 APP-Updates (without SD and BL) without any problems.

devzone.nordicsemi.com/.../DFU_5F00_Log_5F00_APP_5F00_SD_5F00_BL-with-Signaturecheck-required.txt

How can I modify the page-alignment? The DFU Packages are generated with nrfutil.

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

Amanda Hsieh — Tue, 15 Jun 2021 09:23:27 GMT

Hi Hannes,

From both logs, I see:

<error> nrf_dfu_validation: Signature failed (err_code: 0x8542).

Do you enable the NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the sdk_config.h of the old and new bootloaders while updating from SDK15.3 to SDK17?

<error> nrf_dfu_req_handler: Object size must be page aligned

The object size must be page-aligned. Usually, the object size is 4kB. It's mentioned here in the error code.

[quote user="hannes"]After flashing the SDK 15.3.0 example works fine but the (APP, SD, BL) DFU to the SDK 17.0.2 still fails with the same error...[/quote]

Do you mean the same old SDK 15.3.0 bootloader with SIGNATURE_CHECK can update with SDK 15.3.0 examples?

Regards,

Amanda H.

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

hannes — Fri, 11 Jun 2021 15:48:56 GMT

Hi Amanda,

updating only SD and BL with NRF_BL_APP_SIGNATURE_CHECK_REQUIRED failes with the same error. Attached you can find the RTT output of the _debug version for both cases.
devzone.nordicsemi.com/.../DFU_5F00_Log_5F00_APP_5F00_SD_5F00_BL.txt

devzone.nordicsemi.com/.../DFU_5F00_Log_5F00_SD_5F00_BL.txt

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

Amanda Hsieh — Fri, 11 Jun 2021 09:09:11 GMT

Hi Hannes,

Could you provide the log of bootloader with _debug version?

Are you able to update SD and bootloader with SIGNATURE CHECK? Do you get the same error message?

-Amanda H.

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

hannes — Tue, 08 Jun 2021 08:09:46 GMT

Hi Amanda,

I changed NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the sdk_config.h of the old SDK 15.3.0 bootloader and used the following command to generate the bootloader_settings.hex of the old SDK 15.3.0 project:

nrfutil settings generate --family NRF52 --application app.hex --application-version 0 --bootloader-version 0 --bl-settings-version 2 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 --softdevice s112_nrf52_6.1.1_softdevice.hex --key-file private.key bootloader_settings.hex

After flashing the SDK 15.3.0 example works fine but the (APP, SD, BL) DFU to the SDK 17.0.2 still fails with the same error...

RE: Secure DFU (APP, SD, BL) from SDK 15.3.0 to SDK 17.0.2 with VALIDATE_ECDSA_P256_SHA256

Amanda Hsieh — Tue, 08 Jun 2021 07:39:36 GMT

Hi Hannes,

[quote user=""]So I changed NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the sdk_config.h of the new bootloader.[/quote]

Try to set NRF_BL_APP_SIGNATURE_CHECK_REQUIRED to 1 in the sdk_config.h of the old bootloader, and use the same command with VALIDATE_ECDSA_P256_SHA256.

Regards,

Amanda H.