Decouple MCUBoot public key storage and image signing (nrf9160 + MCUBoot)

Hi,

I'm investigating firmware image signing on the nrf9160 using MCUBoot and the nRF Connect SDK v17. I have configured 

CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="/path/to/key.pem"

and it seems to work via `west build  -b nrf9160dk_nrf9160ns -s myapp`

For production however I don't want to keep my private "key.pem" on the build machine. I'd like to decouple things so my build server produces the firmware image, and then makes a remote call to a signing server that has the private key, signs the image, and returns it.

I can't figure out how to decouple this. My understanding is that "CONFIG_MCUBOOT_SIGNATURE_KEY_FILE" expects the path to the *private* key, from which the build system will:

1. Generate the *public* key from the *private* key

2. Embed the *public* key in the bootloader.

3. Sign the firmware with the *private* key.

Is that right? I think I am looking for a way to *not* provide the private key to the build system at all. Instead I want to specify something like "PUBLIC_KEY_FILE=/path/to/public.pem" and simply embed that in the bootloader, and skip all the signing steps, leaving that to us.

Thanks for any advice,

Robbie

Parents Reply Children
No Data
Related