signature verification of application during secure boot and check condition to jump to DFU or application

Hi,

When Generating bootloader settings it's important that you specify the mode so that the app signature gets included. Did you do this already?

Generating bootloader settings page with app signature validation:

nrfutil settings generate --family NRF52^
 --application application.hex^
 --application-version-string "1.0.0"^
 --bootloader-version 1^
 --bl-settings-version 2^
 --app-boot-validation VALIDATE_ECDSA_P256_SHA256^
 --key-file <path to key file>^
 settings.hex

Best regards,

Vidar

HI,

--app-boot-validation VALIDATE_ECDSA_P256_SHA256.
this part i didn't include while generating settings.hex.

But is it necessary to include this, because i have my own signature which i get from the externally signed from the server.

I am also using my own private key not the one which there in example code.

Regards

Rohit saini

Hi,

Yes, unless you have modified the bootloader, the boot validation signature for your application must be generated with your private key and placed in the settings page.

nrf_dfu_settings_t:

R_S said:

I am also using my own private key not the one which there in example code.

I forgot to point to the key file in my example. I have updated it now.

Regards,

Vidar

Hi,

Yes i am generating my own signature using private key.

but to keep in the setting page part is bit confusing for me.

is this the location of signature for app in setting page or its a location for app.

and if its for signature then directly we can load that signature value in it. or something else need to be specified there.

And Signature should be kept in little endian format only..?

Regards

Hi,

Yes, this is the location of where the application signature is stored in the settings page and it must be little-endian (see Working with keys). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?

Regards,

Vidar

Hi,

Yes, this is the location of where the application signature is stored in the settings page and it must be little-endian (see Working with keys). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?

Regards,

Vidar

Hi,

No that part i have not tested with my key and signature. because previously i faced some issue while using "nrf_crypto_ecdsa_verify" this API for verification. 

After that i contact with nordic team they suggest me to use "nrf_dfu_validation_signature_check" this one. but now i have issue with my hardware , it went bad. hopefully today will receive new hardware and then i will perform DFU operation using my public key and signature .

i have one more doubt but before that i want to test it on the hardware.

Regards

Rohit Saini