secure boot on the nRF52840

Question

Hi Team 
 From what I learned, the BPROT or ACL can protect the bootloader can not be modified by the application. 
 But is there any way to protect the chip from erased with "nrfjprog -f nrf52 --eraseall"? Because if the bootloader can be erased, the public key/ the root of trust was broken. 
 Waiting for your reply. Thanks a lot.

Sigurd · Accepted Answer

Hi, 
 But is there any way to protect the chip from erased with "nrfjprog -f nrf52 --eraseall"? 
 No. If someone have access to the SWD pins, they can use a debugger to erase the chip. 
 Wendel said: does that means the signature check happened after DFU? 
 The NRF_BL_APP_SIGNATURE_CHECK_REQUIRED setting is to require signature Boot validation . Signature is checked on each boot. 
 You might find these cases interesting: 
 https://devzone.nordicsemi.com/f/nordic-q-a/70726/how-to-validate-signature-check-requirements 
 https://devzone.nordicsemi.com/f/nordic-q-a/74838/dfu-error-invalid_parameter-after-uploading-of-all-packets-via-dfu/ 
 Wendel said: Can I combine the init packet with bootloader+softdevice+application+bootloader setting, and program it into the chip directly? 
 
 You are not flashing the init packet, but you can merge bootloader+softdevice+application+bootloader setting into a hex-file, and program it directly, yes.

secure boot on the nRF52840

Top Replies