• State Not Answered
  • Replies 2 replies
  • Subscribers 73 subscribers
  • Views 1442 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 281522
Options

MCU Boot - Using Hardware Keys for Verification

rtscts

Hello, 

I'd like to separate mcuboot code from keys and implement a strategy described on this page: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/design.html#hw-key-support 

My plan is to precalculate hash(es) that boot_retrieve_public_key_hash() at build time and load them into OTP. Similar to how provisioning works in the immutable bootloader.

I noticed that imgtool.py does not provide an option for generating key hashes.

Are there any reasons why, e.g. not the right tool?

Are there scripts that do this or plans to add such?

What is the general state of this feature, given that one has to make manual changes to get the code to compile with CONFIG_BOOT_HW_KEY.

See https://devzone.nordicsemi.com/f/nordic-q-a/74798/mcuboot-hardware-key

I also found this page describing shortcut/workarounds for the ECDSA signature: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/ecdsa.html#

What is the current state of this issue? 

Thanks!

Parents
  • 0

    Hi,

    To quote you from another post:
    "Is Mcuboot Hardware Key feature supported on NCS 1.8.0?"

    No , it not supported in nRF Connect SDK 1.8.0.

    I might therefore not be able to help you too much with the your implementation for this.
    Fell free to ask though, and I will answer what I can.

    ||

    I noticed that imgtool.py does not provide an option for generating key hashes.

    Are there any reasons why, e.g. not the right tool?

    Are there scripts that do this or plans to add such?

    I will have to look some more into this, and will return with an answer by end of Wednesday.

    ||

    I also found this page describing shortcut/workarounds for the ECDSA signature: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/ecdsa.html#

    What is the current state of this issue? 

    From our Documentation structure:
    "The local MCUboot documentation is a slightly extended version of the official MCUboot documentation, containing some additions specific to Nordic Semiconductor."

    The issue you mention here is from the official MCUboot documentation on the ECDSA signature format. If you want a status on this, you will need to contact them directly.

    Regards,
    Sigurd Hellesvik

  • 0 in reply to Sigurd Hellesvik

    I noticed that imgtool.py does not provide an option for generating key hashes.

    Are there any reasons why, e.g. not the right tool?

    Are there scripts that do this or plans to add such?

    Imgtool is automatically generating hash by default if the argument "--public-key-format" is used.

    "The --public-key-format argument can be used to distinguish where the public key is stored for image authentication. The hash option is used by default, in which case only the hash of the public key is added to the TLV area (the full public key is incorporated into the bootloader)." [1]

    Nordic Semiconductor does not supply any command line tools for generating key hashes which I am aware of.

    Since many of your questions are MCUboot related, you likely get better answers if you contact MCUboot directly.
    See https://www.mcuboot.com/contact/

    Regards,
    Sigurd Hellesvik

Reply
  • 0 in reply to Sigurd Hellesvik

    I noticed that imgtool.py does not provide an option for generating key hashes.

    Are there any reasons why, e.g. not the right tool?

    Are there scripts that do this or plans to add such?

    Imgtool is automatically generating hash by default if the argument "--public-key-format" is used.

    "The --public-key-format argument can be used to distinguish where the public key is stored for image authentication. The hash option is used by default, in which case only the hash of the public key is added to the TLV area (the full public key is incorporated into the bootloader)." [1]

    Nordic Semiconductor does not supply any command line tools for generating key hashes which I am aware of.

    Since many of your questions are MCUboot related, you likely get better answers if you contact MCUboot directly.
    See https://www.mcuboot.com/contact/

    Regards,
    Sigurd Hellesvik

Children
No Data
Related
Terms of service