MCU Boot for secondary slot, fw_validation_info magic

Hi Hung,

My goal is to upgrade mcuboot, leaving B0 and app untouched. I'm following ideas from Adding Upgradeable Bootloader

I build peripheral_hr_coded sample project using this command line:

west build -b nrf5340dk_nrf5340_cpuapp -- -DCONFIG_BUILD_S1_VARIANT=y

Then I program the board using

west flash --erase

At this stage I see on the terminal that B0 bootloade boots code from slot 0:

Attempting to boot slot 0.
Attempting to boot from address 0xc200.
Verifying signature against key 0.
Hash: 0xd3...cd
Firmware signature verified.
Firmware version 3

So far everything is as expected. Note that Firmware version is 3. Next I change the mcuboot version number by setting CONFIG_FW_INFO_FIRMWARE_VERSION=4 and rebuild using west build as before.

At this stage I expect to find .hex/.bin/.elf of an mcuboot which I could load into slot 1. After doing so, slot 0 would contain version 3 and slot 1 would contain verison 4 of the mcuboot. The B0 should pick mcuboot verison 4 from slot 1.

I'm guessing here, but file named "build/mcuboot/zephyr/s1_image.elf" looks like the mcuboot built for slot1. I load it on the board with

nrfjprog --program ./build/mcuboot/zephyr/s1_image.elf --sectorerase

B0 bootloader sees this image and since it has higher version numer, it tries to verify it first. Fails with "Could not find valid firmware validation info". Looks like some build step is missing. But which one?

There are too many files in the build ... but here are .bin/.hex/.elf that I have there

> find build/ -type f -name "*bin"
build/mcuboot/zephyr/zephyr.bin
build/mcuboot/zephyr/s1_isrList.bin
build/mcuboot/zephyr/isrList.bin
build/b0/zephyr/zephyr.bin
build/b0/zephyr/isrList.bin
build/hci_rpmsg/b0n/zephyr/zephyr.bin
build/hci_rpmsg/b0n/zephyr/isrList.bin
build/hci_rpmsg/zephyr/zephyr.bin
build/hci_rpmsg/zephyr/signed_by_b0_app.bin
build/hci_rpmsg/zephyr/isrList.bin
build/zephyr/app_update.bin
build/zephyr/signed_by_b0_s0_image.bin
build/zephyr/zephyr.bin
build/zephyr/app_to_sign.bin
build/zephyr/signed_by_mcuboot_and_b0_s1_image_update.bin
build/zephyr/signed_by_mcuboot_and_b0_s1_image_to_sign.bin
build/zephyr/signed_by_mcuboot_and_b0_s0_image_update.bin
build/zephyr/net_core_app_to_sign.bin
build/zephyr/net_core_app_update.bin
build/zephyr/signed_by_b0_s1_image.bin
build/zephyr/signed_by_mcuboot_and_b0_s0_image_to_sign.bin
build/zephyr/isrList.bin

>find build/ -type f -name "*hex"
build/mcuboot/zephyr/zephyr.hex
build/b0/zephyr/zephyr.hex
build/hci_rpmsg/b0n/zephyr/zephyr.hex
build/hci_rpmsg/zephyr/zephyr.hex
build/hci_rpmsg/zephyr/b0n_container.hex
build/hci_rpmsg/zephyr/merged_CPUNET.hex
build/hci_rpmsg/zephyr/signed_by_b0_app.hex
build/hci_rpmsg/zephyr/app.hex
build/hci_rpmsg/zephyr/provision.hex
build/zephyr/merged_domains.hex
build/zephyr/s0_image.hex
build/zephyr/GENERATED_CP_APPLICATION_merged_domains.hex
build/zephyr/spm_app.hex
build/zephyr/zephyr.hex
build/zephyr/signed_by_mcuboot_and_b0_s0_image_signed.hex
build/zephyr/b0_container.hex
build/zephyr/merged.hex
build/zephyr/app_moved_test_update.hex
build/zephyr/signed_by_mcuboot_and_b0_s0_image_test_update.hex
build/zephyr/net_core_app_test_update.hex
build/zephyr/app_signed.hex
build/zephyr/signed_by_mcuboot_and_b0_s1_image_signed.hex
build/zephyr/mcuboot_primary.hex
build/zephyr/GENERATED_CP_NETWORK_merged_domains.hex
build/zephyr/net_core_app_moved_test_update.hex
build/zephyr/net_core_app_signed.hex
build/zephyr/signed_by_mcuboot_and_b0_s1_image_test_update.hex
build/zephyr/s1.hex
build/zephyr/signed_by_b0_s1_image.hex
build/zephyr/s0.hex
build/zephyr/signed_by_b0_s0_image.hex
build/zephyr/signed_by_mcuboot_and_b0_s1_image_moved_test_update.hex
build/zephyr/signed_by_mcuboot_and_b0_s0_image_moved_test_update.hex
build/zephyr/mcuboot_primary_app.hex
build/zephyr/app_test_update.hex
build/zephyr/s1_image.hex
build/zephyr/provision.hex

> find build/ -type f -name "*elf"
build/mcuboot/zephyr/zephyr_prebuilt.elf
build/mcuboot/zephyr/s1_image_prebuilt.elf
build/mcuboot/zephyr/zephyr.elf
build/mcuboot/zephyr/s1_image.elf
build/b0/zephyr/zephyr_prebuilt.elf
build/b0/zephyr/zephyr.elf
build/hci_rpmsg/b0n/zephyr/zephyr_prebuilt.elf
build/hci_rpmsg/b0n/zephyr/zephyr.elf
build/hci_rpmsg/zephyr/zephyr_prebuilt.elf
build/hci_rpmsg/zephyr/zephyr.elf
build/zephyr/zephyr_prebuilt.elf
build/zephyr/zephyr.elf

Thanks for your help.

Hi Rtscts,

I assume you have used CONFIG_SECURE_BOOT=y, CONFIG_BOOTLOADER_MCUBOOT=y in your prj.conf ? 
I think what caused the issue here is that you haven't specify which private key to be used for b0 to sign the MCUBoot. When you don't specific the key(s) it will generate new key pair and this explain why b0 can't verify the image 

I tested here with a key that I generated using

python3 bootlooader/mcuboot/scripts/imgtool.py keygen -t ecdsa-p256 -k mykey.pem


And then add this into my prj.conf: 

CONFIG_SB_SIGNING_KEY_FILE="D:\\mykey.pem"

After that I can build, flash merged.hex (show version 1) and then change the version, build again and flash the signed_by_b0_s1_image.hex file and then it can be verified and I have Firmware version 2: 

Hi, 

I have same problem, Can you help me?

Hi, 

I have same problem, Can you help me?

thang47 Please create a new ticket. This is a 2 years old case. 

You are a Vietnamese, Right?