
MCUBoot: Validate firmware image before booting

Hello,

I am using the NCS v1.5.0 and a custom board with the nRF9160. In my case, I am using only MCUBoot as the bootloader and would like to validate a firmware image before writing it to the secondary slot. Searching through the documentation, I found that this is possible for the Immutable Bootloader.

Is the same functionality available from MCUBoot? Or must I implement it myself? Ideally, I would like to use the MCUBoot functionalities in the same manner as secure services from the SPM child application.

Best regards,

  Nelson Goncalves

  • Hi,

    Is the same functionality available from MCUBoot?
    Or must I implement it myself? Ideally, I would like to use the MCUBoot functionalities in the same manner as secure services from the SPM child application.

    Which functionality specifically? mcuboot also validates images (they're signed). B0 provides the option to update mcuboot itself by acting as the very first bootloader stage. note that SPM is a part of the whole application slot.


    Kind regards,

    Håkon

  • Hello Hakon,

    Our firmware upgrade procedure has three steps: transfer, verify signature, boot new image. The user can perform each of these steps individually. For instance it can transfer a firmware image, then verify that the signature is valid but still decide not to upgrade.

    As I understand it, MCUBoot does the last two steps (verify signature and booting the new image) automatically for the image in the secondary slot. I was wondering if it would be possible to call the MCUBoot functions that perform the firmware validation, from the user application. In the same way that the user application can call functions in SPM (aka secure services).

    Looking at the MCUBoot source code, I found "boot_validate_slot" in boot\bootutil\src\loader.c which seems to do what I need. But I am not sure how to call it from the user application, or if it is even possible to do so.

    Kind regards,

     Nelson 

  • Hi Nelson,


    Thank you for explaining in-depth.


    NelsonGoncalves said:

    Our firmware upgrade procedure has three steps: transfer, verify signature, boot new image. The user can perform each of these steps individually. For instance it can transfer a firmware image, then verify that the signature is valid but still decide not to upgrade.

    As I understand it, MCUBoot does the last two steps (verify signature and booting the new image) automatically for the image in the secondary slot. I was wondering if it would be possible to call the MCUBoot functions that perform the firmware validation, from the user application. In the same way that the user application can call functions in SPM (aka secure services).

    Looking at the MCUBoot source code, I found "boot_validate_slot" in boot\bootutil\src\loader.c which seems to do what I need. But I am not sure how to call it from the user application, or if it is even possible to do so.

    One slot in mcuboot can contain several images, like secure + non-secure region, and when it detects a new image, it does a test-run.

    http://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/design.html#boot-swap-types


    If the test-image does not verify itself via calling this function, it will revert back to the old image:

    https://github.com/nrfconnect/sdk-nrf/blob/master/samples/nrf9160/aws_fota/src/main.c#L467-L470


    Kind regards,

    Håkon

  • Hey,

    I was aware of the call to boot_write_img_confirmed(), but this is a check that occurs after the new image has been booted.

    What I am searching for is a way to validate the firmware image in the secondary slot *before* rebooting and handing it over to the bootloader. I was hoping this to be possible, but I am starting to suspect it is not.

    Kind regards,

     Nelson
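As an added illustration (not code from this thread, from MCUboot or from NCS) of what the pre-reboot check discussed above involves, the following Python parser walks the MCUboot image format as it sits in the secondary slot: the 32-byte header, the optional protected TLV area, and the unprotected TLV area, and recomputes the SHA-256 TLV over header + payload + protected TLVs. It only reports which signature TLV is present; verifying that signature against the trusted public key is the step MCUboot itself performs and is out of scope here. The constants are the ones from MCUboot's image.h; the sample image is constructed inline with a placeholder signature.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D          # ih_magic of struct image_header
TLV_INFO_MAGIC = 0x6907           # unprotected TLV area (hash, signature, keyhash)
TLV_PROT_INFO_MAGIC = 0x6908      # protected TLV area (covered by hash and signature)
TLV_SHA256 = 0x10
SIGNATURE_TLVS = {0x20: "RSA2048_PSS", 0x22: "ECDSA256", 0x23: "RSA3072_PSS", 0x24: "ED25519"}

def parse_tlvs(blob, off, magic):
    """Parse one TLV area at off; return ([(type, value)], end_offset)."""
    it_magic, it_tot = struct.unpack_from("<HH", blob, off)
    if it_magic != magic:
        raise ValueError("bad TLV info magic 0x%04x at offset %d" % (it_magic, off))
    end, pos, tlvs = off + it_tot, off + 4, []
    while pos < end:
        t, _pad, ln = struct.unpack_from("<BBH", blob, pos)
        tlvs.append((t, blob[pos + 4:pos + 4 + ln]))
        pos += 4 + ln
    return tlvs, end

def validate_image(blob):
    """Return (ok, reason): layout sane and SHA-256 TLV matches the hashed region."""
    if len(blob) < 32:
        return False, "too short for image header"
    magic, _load, hdr_size, prot_size, img_size, _flags = struct.unpack_from("<IIHHII", blob, 0)
    if magic != IMAGE_MAGIC:
        return False, "bad header magic"
    off = hdr_size + img_size                     # end of header + payload
    if off > len(blob):
        return False, "ih_img_size exceeds slot contents"
    if prot_size:
        _, off = parse_tlvs(blob, off, TLV_PROT_INFO_MAGIC)
    types = dict(parse_tlvs(blob, off, TLV_INFO_MAGIC)[0])
    if TLV_SHA256 not in types:
        return False, "no SHA256 TLV"
    if hashlib.sha256(blob[:off]).digest() != types[TLV_SHA256]:
        return False, "SHA256 mismatch"           # everything before the unprotected TLVs is hashed
    sigs = [name for t, name in SIGNATURE_TLVS.items() if t in types]
    if not sigs:
        return False, "no signature TLV"
    return True, "hash ok, signature TLV present (not verified here): " + ",".join(sigs)

def build_test_image(payload, corrupt=False):
    """Constructed sample: header + payload + SHA256 TLV + placeholder ECDSA256 TLV."""
    hdr = struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, 32, 0, len(payload), 0, 1, 0, 0, 0, 0)
    digest = hashlib.sha256(hdr + payload).digest()
    sig = b"\xAA" * 64                            # placeholder, not a real signature
    tlvs = struct.pack("<BBH", TLV_SHA256, 0, 32) + digest + struct.pack("<BBH", 0x22, 0, 64) + sig
    if corrupt:                                   # flip one payload bit after hashing
        payload = bytes([payload[0] ^ 0x01]) + payload[1:]
    return hdr + payload + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlvs)) + tlvs
```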
