signature verification of application during secure boot and check condition to jump to DFU or application

Hi guys,

i am using nrf52840 controller. 

and in that i have mbe at 0x0000000 location.

i have two bootloader stage. that boot1 and boot 2.

boot 1 i am using to validate the bootloader 2 using signature verfication.

and once control reached to the boot2 then i want to verifiy the signature of my application and also want to check whether need to stay in dfu mode or should jump to application part.

For Boot2 i am using "nRF5_SDK_17.1.0_ddde560\examples\dfu\secure_bootloader" example code.

Can someone guide me to resolve this

Parents
  • Hi,

    When Generating bootloader settings it's important that you specify the mode so that the app signature gets included. Did you do this already?

    Generating bootloader settings page with app signature validation:

    nrfutil settings generate --family NRF52^
     --application application.hex^
     --application-version-string "1.0.0"^
     --bootloader-version 1^
     --bl-settings-version 2^
     --app-boot-validation VALIDATE_ECDSA_P256_SHA256^
     --key-file <path to key file>^
     settings.hex

    Best regards,

    Vidar

Reply
  • Hi,

    When Generating bootloader settings it's important that you specify the mode so that the app signature gets included. Did you do this already?

    Generating bootloader settings page with app signature validation:

    nrfutil settings generate --family NRF52^
     --application application.hex^
     --application-version-string "1.0.0"^
     --bootloader-version 1^
     --bl-settings-version 2^
     --app-boot-validation VALIDATE_ECDSA_P256_SHA256^
     --key-file <path to key file>^
     settings.hex

    Best regards,

    Vidar

Children
  • 0
    2 pts.
    in reply to Vidar Berg

    HI,

    --app-boot-validation VALIDATE_ECDSA_P256_SHA256.
    this part i didn't include while generating settings.hex.

    But is it necessary to include this, because i have my own signature which i get from the externally signed from the server.

    I am also using my own private key not the one which there in example code.

    Regards

    Rohit saini

  • 0
    24755 pts.
    in reply to R_S

    Hi,

    Yes, unless you have modified the bootloader, the boot validation signature for your application must be generated with your private key and placed in the settings page.

    nrf_dfu_settings_t:

    R_S said:
    I am also using my own private key not the one which there in example code.

    I forgot to point to the key file in my example. I have updated it now.

    Regards,

    Vidar

  • 0
    2 pts.
    in reply to Vidar Berg

    Hi,

    Yes i am generating my own signature using private key.

    but to keep in the setting page part is bit confusing for me.

    is this the location of signature for app in setting page or its a location for app.

    and if its for signature then directly we can load that signature value in it. or something else need to be specified there.

    And Signature should be kept in little endian format only..?

    Regards

  • 0
    24755 pts.
    in reply to R_S

    Hi,

    Yes, this is the location of where the application signature is stored in the settings page and it must be little-endian (see Working with keys). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?

    Regards,

    Vidar

  • 0
    2 pts.
    in reply to Vidar Berg

    Hi,

    No that part i have not tested with my key and signature. because previously i faced some issue while using "nrf_crypto_ecdsa_verify" this API for verification. 

    After that i contact with nordic team they suggest me to use "nrf_dfu_validation_signature_check" this one. but now i have issue with my hardware , it went bad. hopefully today will receive new hardware and then i will perform DFU operation using my public key and signature .

    i have one more doubt but before that i want to test it on the hardware.

    Regards

    Rohit Saini 

Related