Hello,
I want to build a configuration where MCU Boot secondary partition is in the external flash and QSPI data encryption is turned on.
I modified the nrf_qspi_nor.c driver to enable the encryption during initialisation, so far using a dummy key.
I wanted to use the Hardware Unique Key library for generating proper encryption key for QSPI. I used the HUK library samples to figure out which CONFIG_ options I need. It wasn't a problem to build the application with the HUK suport, but I'm having some problems with the MCU Boot side.
Below are the options that I added to my mcuboot.conf
CONFIG_PM_PARTITION_SIZE_MCUBOOT=10000 CONFIG_HW_UNIQUE_KEY=y CONFIG_HW_UNIQUE_KEY_RANDOM=y CONFIG_MAIN_STACK_SIZE=8192 CONFIG_NORDIC_SECURITY_BACKEND=y CONFIG_CC3XX_BACKEND=y CONFIG_MPU_ALLOW_FLASH_WRITE=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MULTITHREADING=y
I added the two last CONFIG_ lines to get past build errors when mbedtls heap functions and some mutexes were not found by the linker. I also had to double the MCU Boot partition size. That gave me a build of MCU Boot that can start and generate an encryption key - I used hw_unique_key_derive_key().
Unfortunately that build of MCU Boot isn't able to find the app image:
E: Image in the primary slot is not valid! E: Unable to find bootable image
I found that this happens because the keyhash array passed into the bootutil_find_key() function gets corrupted sometime during calls to bootutil_sha256_xxx functions. I tried increasing the CONFIG_MAIN_STACK_SIZE to 8192, but that didn't help.
So I wanted to ask whether building MCU Boot with the HUK and other dependand libraries is supported and whether this configuration is known to work?
Thanks.
