Firmware signature for HW key configured MCUboot

Hello everyone, 

I am developing on an nRF52840 using sdk-nrf v1.8.0 and the Nordic MCUboot fork as bootloader.

For security reasons, we want to use the HW keys MCUboot option, which enables the user to implement a function to retrieve his signing public key hash. The point is that when this option is activated, MCUboot no longer expects the hash of the key in the firmware TLV but the key itself (cf. https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/design.html#using-hardware-keys-for-verification).

As we find all the binaries generated by the Nordic MCUboot-related CMake (https://github.com/nrfconnect/sdk-nrf/blob/v1.9.0/modules/mcuboot/CMakeLists.txt) convenient and would like to use them for our release build, we wonder if it is conceivable to condition the arguments given to the imgtool.py call on the HW key configuration. This is done, for instance, in trusted-firmware-m (https://github.com/ARMmbed/trusted-firmware-m/blob/master/bl2/ext/mcuboot/CMakeLists.txt) on the imgtool.py sign call with the following line:

 --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash> 

Thanks for your time, 

Matéo

  • Hi Matéo,

    This is not currently supported. See this thread for more information.

    Einar

  • My bad, I did not read this thread.

    When is nrf-connect HW_KEYS support planned? To me, HW_key Nordic support doesn't imply an implementation of SHA-256 computation but rather the modification I suggested previously, which is only a new argument to add to the imgtool script call.

    In fact, as far as I understand, some things in this thread are outdated. imgtool.py has solutions to calculate the hash, and --public-key-format corresponds to the way we want to include the key in the TLV and can be either:

    • hash (by default): imgtool.py calculates the key hash and sends it in the TLV. On the other hand, MCUboot calculates the hash of the stored key and checks if they match.
    • full: With the HW_KEY option, MCUboot expects the key hash to be embedded and the full key in the firmware TLV. In the same way, it calculates the key of the TLV key and compares it to the stored one.
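The two key formats discussed in this thread, as an added example that is not code from the thread, from imgtool or from MCUboot: a small Python model of the key-selection check in both modes, showing that an image signed with the `hash` format is rejected by a bootloader built for HW keys. The TLV type values (0x01 key hash, 0x02 full public key) and the 0x6907 TLV-info magic follow MCUboot's image format; the function names and the sample key bytes are constructed for illustration, and signature verification itself is not modelled.

```python
import hashlib
import hmac
import struct

TLV_INFO_MAGIC = 0x6907   # magic of the unprotected TLV area
TLV_KEYHASH = 0x01        # SHA-256 of the public key (--public-key-format hash)
TLV_PUBKEY = 0x02         # full public key (--public-key-format full)
SAMPLE_PUBKEY = bytes(range(64))  # constructed bytes, not a real key

def build_tlv_area(entries):
    """Pack (type, value) pairs: 4-byte info header, then type/len/value."""
    body = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in entries)
    return struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(body)) + body

def parse_tlv_area(area):
    """Return {type: value}; reject bad magic or lengths that overrun."""
    if len(area) < 4:
        raise ValueError("TLV area too short")
    magic, total = struct.unpack_from("<HH", area, 0)
    if magic != TLV_INFO_MAGIC or total < 4 or total > len(area):
        raise ValueError("bad TLV info header")
    tlvs, off = {}, 4
    while off < total:
        if off + 4 > total:
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("<HH", area, off)
        off += 4
        if off + n > total:
            raise ValueError("TLV value overruns area")
        tlvs[t] = area[off:off + n]
        off += n
    return tlvs

def key_is_trusted(tlvs, hw_keys, builtin_pubkey=None, hw_key_hash=None):
    """Model of the bootloader's key check for each configuration."""
    if hw_keys:
        # HW-key mode: the image carries the full key; hash it and compare
        # with the hash retrieved from hardware.
        pub = tlvs.get(TLV_PUBKEY)
        if pub is None or hw_key_hash is None:
            return False
        return hmac.compare_digest(hashlib.sha256(pub).digest(), hw_key_hash)
    # Default mode: the image carries the key hash; compare it with the
    # hash of the key compiled into the bootloader.
    kh = tlvs.get(TLV_KEYHASH)
    if kh is None or builtin_pubkey is None:
        return False
    return hmac.compare_digest(hashlib.sha256(builtin_pubkey).digest(), kh)
```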