https://devzone.nordicsemi.com/f/nordic-q-a/82071/signature-verification-of-application-during-secure-boot-and-check-condition-to-jump-to-dfu-or-applicationHi guys, i am using nrf52840 controller. and in that i have mbe at 0x0000000 location. i have two bootloader stage. that boot1 and boot 2. boot 1 i am using to validate the bootloader 2 using signature verfication. and once control reacheden-USTelligent Community 13Fri, 26 Nov 2021 10:41:08 GMThttps://devzone.nordicsemi.com/thread/340877?ContentTypeID=1Fri, 26 Nov 2021 10:41:08 GMT137ad170-7792-4731-bb38-c0d22fbe4515:15cc2b50-221b-4049-a945-22c13f0c1147R_S<p>Hi,</p> <p>No that part i have not tested with my key and signature. because previously i faced some issue while using &quot;nrf_crypto_ecdsa_verify&quot; this API for verification.&nbsp;</p> <p>After that i contact with nordic team they suggest me to use &quot;nrf_dfu_validation_signature_check&quot; this one. but now i have issue with my hardware , it went bad. hopefully today will receive new hardware and then i will perform DFU operation using my public key and signature .</p> <p>i have one more doubt but before that i want to test it on the hardware.</p> <p></p> <p>Regards</p> <p>Rohit Saini&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/340864?ContentTypeID=1Fri, 26 Nov 2021 09:57:47 GMT137ad170-7792-4731-bb38-c0d22fbe4515:320b669b-efe0-4d2f-8a63-66973eaee5b0Vidar Berg<p>Hi,</p> <p>Yes, this is the location of where the application signature is stored in the settings page and it must be little-endian (see <span class="item"><a class="" title="Working with keys" href="https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.1.0/lib_bootloader_dfu_keys.html?cp=8_1_3_5_1_3">Working with keys</a></span>). This is the same kind of signature used for the DFU init command. Have you been able to perform DFU with your key-pair? In that case, do you use nrfutil to generate the DFU package?</p> <p>Regards,</p> <p>Vidar</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/340861?ContentTypeID=1Fri, 26 Nov 2021 09:47:12 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9e1eb565-cc87-4a24-b462-30eca5296aabR_S<p>Hi,</p> <p></p> <p>Yes i am&nbsp;generating my own signature using private key.</p> <p>but to keep in the setting page part is bit confusing for me.</p> <p><img src="https://devzone.nordicsemi.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/4/pastedimage1637919784421v1.png" alt=" " /></p> <p>is this the location of signature for app in setting page or its a location for app.</p> <p>and if its for signature then directly we can load that signature value in it. or something else need to be specified there.</p> <p><img src="https://devzone.nordicsemi.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/4/pastedimage1637919941077v2.png" alt=" " /></p> <p>And Signature should be kept in little endian format only..?</p> <p></p> <p>Regards</p> <p></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/340836?ContentTypeID=1Fri, 26 Nov 2021 08:44:29 GMT137ad170-7792-4731-bb38-c0d22fbe4515:dcdaca1a-a999-4eb4-8104-d0e7cb32fa01Vidar Berg<p>Hi,</p> <p>Yes, unless you have modified the bootloader, the boot validation signature for your application must be generated with your private key and placed in the settings page.</p> <p><a href="https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.1.0/structnrf__dfu__settings__t.html">nrf_dfu_settings_t</a>:</p> <p><img src="https://devzone.nordicsemi.com/resized-image/__size/320x240/__key/communityserver-discussions-components-files/4/pastedimage1637916181240v1.png" alt=" " /></p> [quote user="R_S"]I am also using my own private key not the one which there in example code.[/quote] <p>I forgot to point to the key file in my example. I have updated it now.</p> <p>Regards,</p> <p>Vidar</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/340818?ContentTypeID=1Fri, 26 Nov 2021 04:18:17 GMT137ad170-7792-4731-bb38-c0d22fbe4515:2ea379c5-6789-4064-b3bc-43d33fa51310R_S<p>HI,</p> <p>--app-boot-validation VALIDATE_ECDSA_P256_SHA256.<br />this part i didn&#39;t include while generating settings.hex.</p> <p>But is it necessary to include this,&nbsp;because i have my own signature which i get from the externally signed from the server.</p> <p>I am also using my own private key not the one which there in example code.</p> <p></p> <p>Regards</p> <p>Rohit saini</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/340724?ContentTypeID=1Thu, 25 Nov 2021 12:38:26 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7eb4c5a2-a305-47ab-81f8-c9bf0f553b52Vidar Berg<p>Hi,</p> <p>When <span><a title="Generating and displaying bootloader settings" href="https://infocenter.nordicsemi.com/topic/ug_nrfutil/UG/nrfutil/nrfutil_settings_generate_display.html?cp=10_7_6">Generating bootloader settings</a> it&#39;s important that you specify the mode so that the app signature gets included. Did you do this already?</span></p> <p><span><img src="https://devzone.nordicsemi.com/resized-image/__size/320x240/__key/communityserver-discussions-components-files/4/5516.pastedimage1637841031041v1.png" alt=" " /></span></p> <p><span>Generating bootloader settings page with app signature validation:</span></p> <p><span><pre class="ui-code" data-mode="bat">nrfutil settings generate --family NRF52^ --application application.hex^ --application-version-string &quot;1.0.0&quot;^ --bootloader-version 1^ --bl-settings-version 2^ --app-boot-validation VALIDATE_ECDSA_P256_SHA256^ --key-file &lt;path to key file&gt;^ settings.hex</pre></span></p> <p><span>Best regards,</span></p> <p><span>Vidar</span></p> <p><span></span></p><div style="clear:both;"></div>