Signature verification of application during secure boot and check condition to jump to DFU or application

Hi guys,

I am using the nRF52840 controller.

In that I have the MBR at location 0x0000000.

I have two bootloader stages: boot1 and boot2.

I am using boot1 to validate bootloader 2 using signature verification.

Once control reaches boot2, I want to verify the signature of my application and also check whether it needs to stay in DFU mode or should jump to the application.

For boot2 I am using the "nRF5_SDK_17.1.0_ddde560\examples\dfu\secure_bootloader" example code.

Can someone guide me to resolve this?

  • Hi,

    When generating bootloader settings, it's important that you specify the mode so that the app signature gets included. Did you do this already?

    Generating bootloader settings page with app signature validation:

    nrfutil settings generate --family NRF52^
     --application application.hex^
     --application-version-string "1.0.0"^
     --bootloader-version 1^
     --bl-settings-version 2^
     --app-boot-validation VALIDATE_ECDSA_P256_SHA256^
     --key-file <path to key file>^
     settings.hex

    Best regards,

    Vidar

  • In reply to Vidar Berg

    Hi,

    --app-boot-validation VALIDATE_ECDSA_P256_SHA256
    I didn't include this part while generating settings.hex.

    But is it necessary to include this? I have my own signature, which I get externally signed from the server.

    I am also using my own private key, not the one which is there in the example code.

    Regards

    Rohit saini

  • In reply to R_S

    Hi,

    Yes, unless you have modified the bootloader, the boot validation signature for your application must be generated with your private key and placed in the settings page.

    nrf_dfu_settings_t:

    R_S said:
    I am also using my own private key, not the one which is there in the example code.

    I forgot to point to the key file in my example. I have updated it now.

    Regards,

    Vidar

  • In reply to Vidar Berg

    Hi,

    Yes, I am generating my own signature using the private key.

    But the part about keeping it in the settings page is a bit confusing for me.

    Is this the location of the signature for the app in the settings page, or is it a location for the app?

    And if it's for the signature, can we load the signature value into it directly, or does something else need to be specified there?

    And should the signature be kept in little-endian format only?

    Regards

  • In reply to R_S

    Hi,

    Yes, this is the location where the application signature is stored in the settings page, and it must be little-endian (see Working with keys). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?

    Regards,

    Vidar
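
Added example, not part of the thread and not Nordic's code: a signing server commonly returns an ECDSA signature DER-encoded with big-endian r and s, while the replies above say the settings page needs it little-endian. This Python converter assumes the expected layout is 32-byte r followed by 32-byte s, each stored little-endian; the function names and the sample values are constructed for illustration.

```python
# Added example, not nrfutil or SDK code. Standard library only.
# Assumption: the settings page wants r and s as 32-byte little-endian values.

# Order of the NIST P-256 group; valid r and s lie in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def read_der_int(buf, pos):
    """Parse one DER INTEGER starting at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length = buf[pos + 1]
    start, end = pos + 2, pos + 2 + length
    if length == 0 or length > 33 or end > len(buf):
        raise ValueError("bad INTEGER length for P-256")
    if buf[start] & 0x80:
        raise ValueError("negative INTEGER in signature")
    return int.from_bytes(buf[start:end], "big"), end

def der_to_le_raw(der):
    """DER SEQUENCE{r, s} -> 64 bytes: r little-endian, then s little-endian."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    r, pos = read_der_int(der, 2)
    s, pos = read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    if not (0 < r < P256_N and 0 < s < P256_N):
        raise ValueError("r or s out of range")
    # to_bytes left-pads short values, so each half is always 32 bytes.
    return r.to_bytes(32, "little") + s.to_bytes(32, "little")

def der_int(v):
    """Encode a positive integer as a DER INTEGER (used to build the sample)."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # 0x00 pad if top bit set
    return b"\x02" + bytes([len(body)]) + body

# Constructed sample, not a real signature: r has its top bit set (33-byte DER
# INTEGER), s is short (must be padded to 32 bytes).
SAMPLE_R = int.from_bytes(bytes(range(0x80, 0xA0)), "big")
SAMPLE_S = 0x0102030405
_body = der_int(SAMPLE_R) + der_int(SAMPLE_S)
SAMPLE_DER = b"\x30" + bytes([len(_body)]) + _body

if __name__ == "__main__":
    raw = der_to_le_raw(SAMPLE_DER)
    print(len(raw), raw.hex())
```

A signature converted this way should still be checked against the public key compiled into the bootloader before flashing, since a wrong byte order makes boot validation fail.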
