RE: Decouple MCUBoot public key storage and image signing (nrf9160 + MCUBoot)

Simon — Thu, 14 Oct 2021 15:56:53 GMT

It does not seem like this is supported at the moment, but you should be able to achieve this by modifying NCS

How it currently works

Assume the following command is used to build the project

west build -b nrf52dk_nrf52840 hello_world -- -DCONFIG_BOOTLOADER_MCUBOOT=y -Dmcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"mcuboot_private.pem\" -Dmcuboot_CONFIG_BOOT_ENCRYPT_RSA=n -Dmcuboot_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y -Dmcuboot_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n

app_update.bin is signed in nrf/modules/mcuboot/CMakeLists.txt
- Get CONFIG_BOOT_SIGNATURE_KEY_FILE
- Sign app_update.bin
The public key is generated in bootloader/mcuboot/boot/zephyr/CMakeLists.txt
- Get CONFIG_BOOT_SIGNATURE_KEY_FILE
- Generate public key autogen-pubkey.c
- The key will be placed in zephyr/samples/hello_world/build/mcuboot/zephyr/autogen-pubkey.c
- If RSA is used, It looks like this: const unsigned char rsa_pub_key[] = {0x30, 0x82, 0x01...
The public key is then integrated into mcuboot
- extern const .. rsa_pub_key is set in bootloader/mcuboot/boot/zephyr/keys.c
- bootutil_keys.key is set to rsa_pub_key in bootloader/mcuboot/boot/zephyr/keys.c

How to modify it to get signed externally

In nrf/modules/mcuboot/CMakeLists.txt, modify sign_cmd, and use a custom python script instead of imgtool.py. The custom python script should connect to the server, provide it with the bin/hex file and get the signed file in return.
In bootloader/mcuboot/boot/zephyr/CMakeLists.txt, modify these lines. Use a custom python script, that will get the public key from the application folder and generate autogen-pubkey.c

I am by no means an expert on CMake, and it will probably be more difficult to implement this than described above. But now you know how it works and where stuff happens, and what files you need to modify

Best regards,

Simon