Hello,
I would like to sign a firmware image with a custom private key. This is intended for OTA firmware update. The key type is ecdsa-p256 and the file containing the key is named ecdsa-dev.pem. The SDK is nRF Connect SDK 1.6.0.
To illustrate the issue, I took the hello_world example and modified it as described below.
In CMakeLists.txt, I set a value for mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE as follows:
(I got the idea from https://devzone.nordicsemi.com/f/nordic-q-a/67510/ncs-recommended-mcuboot-enabled-apps-build-and-flash-methods/324792#324792)
In prj.conf, I enabled mcuboot as follows:
In the root of the project (beside CMakeLists.txt), I copied the private key file ecdsa-dev.pem.
Then, when I try to compile with the command west build -b nrf52833dk_nrf52833, I get errors related to undefined reference to `rsa_pub_key' and `rsa_pub_key_len':
Instead of setting mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE in the app's CMakeLists.txt, I tried to set it directly in the prj.conf file of mcuboot in bootloader\mcuboot\boot\zephyr (by adding CONFIG_BOOT_SIGNATURE_KEY_FILE="C:\\ota\\ecdsa-dev.pem" for example), but exactly the same error occurs at compile time.
The fact that the error itself is related to an RSA key is a first issue, since the custom private key is for ECDSA.
The compilation succeeds in the following cases:
- Either use a custom .pem file containing an rsa-2048 key instead of an ecdsa-p256 key.
- Or compile for the nRF52840 DK target, using the command west build -b nrf52840dk_nrf52840
As a consequence, I think that this compilation error might be related to the fact that the nRF52833 embeds less cryptographic hardware compared to the nRF52840, such as the Cryptocell.
Is there a way to use the ecdsa-p256 algorithm with the nRF52833 nevertheless?