signature verification of application during secure boot and check condition to jump to DFU or application

Hi guys,

i am using nrf52840 controller. 

and in that i have mbe at 0x0000000 location.

i have two bootloader stage. that boot1 and boot 2.

boot 1 i am using to validate the bootloader 2 using signature verfication.

and once control reached to the boot2 then i want to verifiy the signature of my application and also want to check whether need to stay in dfu mode or should jump to application part.

For Boot2 i am using "nRF5_SDK_17.1.0_ddde560\examples\dfu\secure_bootloader" example code.

Can someone guide me to resolve this

Parents Reply Children
  • HI,

    --app-boot-validation VALIDATE_ECDSA_P256_SHA256.
    this part i didn't include while generating settings.hex.

    But is it necessary to include this, because i have my own signature which i get from the externally signed from the server.

    I am also using my own private key not the one which there in example code.

    Regards

    Rohit saini

  • Hi,

    Yes, unless you have modified the bootloader, the boot validation signature for your application must be generated with your private key and placed in the settings page.

    nrf_dfu_settings_t:

    R_S said:
    I am also using my own private key not the one which there in example code.

    I forgot to point to the key file in my example. I have updated it now.

    Regards,

    Vidar

  • Hi,

    Yes i am generating my own signature using private key.

    but to keep in the setting page part is bit confusing for me.

    is this the location of signature for app in setting page or its a location for app.

    and if its for signature then directly we can load that signature value in it. or something else need to be specified there.

    And Signature should be kept in little endian format only..?

    Regards

  • Hi,

    Yes, this is the location of where the application signature is stored in the settings page and it must be little-endian (see Working with keys). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?

    Regards,

    Vidar

  • Hi,

    No that part i have not tested with my key and signature. because previously i faced some issue while using "nrf_crypto_ecdsa_verify" this API for verification. 

    After that i contact with nordic team they suggest me to use "nrf_dfu_validation_signature_check" this one. but now i have issue with my hardware , it went bad. hopefully today will receive new hardware and then i will perform DFU operation using my public key and signature .

    i have one more doubt but before that i want to test it on the hardware.

    Regards

    Rohit Saini 

Related