• State Verified Answer
  • Replies 10 replies
  • Subscribers 66 subscribers
  • Views 2115 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 289811
Options

MCUBOOT Sign the firmware

Aleksa

Hello Everyone,

First of all, what a terrible experience this has been. I'm trying to use custom RSA private key in order to sign the firmware before we go into production. However whatever I do, I can't get rid of this warning:

---------------------------------------------------------
--- WARNING: Using default MCUBoot key, it should not ---
--- be used for production.                           ---
---------------------------------------------------------

Let me say that I've gone through all of devzone forum, all of the documentation I could find, and nothing seems to work. So I think the only thing that can work for me is to give me a step by step guide on how to use a custom key to sign one of your samples, and I'll adjust it for our product. I've been stuck on this for hours, and it seems like config is completely broken.

We are using ncs v1.9.1.


What I'd like to do is to get it all done in the config (probably mcuboot.conf which I've linked in the CMakeLists.txt). Something like this seems to be working on your end:

CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n
CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="custom_key_rsa-2048.pem"

But the build system just keeps telling me how this is wrong, how the key file variable is ignored and how it will keep on using the default keys. 


Does this really work at all for NCS? It should be trivial to sign the firmware with a custom key, but somehow I've wasted quite a bit of time on it by now.

Cheers,
Aleksa

  • 0

    Hi Aleksa,

    You need to specify a full path to the key file. Alternatively, you can do as described here.

  • 0 in reply to Einar Thorsrud

    I was able to sign with a full path. But the suggestion for the relative path doesn't work, I get an error:

    CMake Error at /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/cmake/multi_image.cmake:409 (message):
  CMake generation for mcuboot failed, aborting.  Command: 1
Call Stack (most recent call first):
  /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/cmake/multi_image.cmake:150 (add_child_image_from_source)
  /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/modules/mcuboot/CMakeLists.txt:216 (add_child_image)

    Also, I don't understand why I had to make child_image/mcuboot.conf file. Signing works only when I put there the config below, but I see no logic behind it. Here is the config:
    CONFIG_BOOT_SIGNATURE_TYPE_RSA=n
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="path/to/private.pem"
# CONFIG_BOOT_SIGNATURE_KEY_FILE="private.pem"
     

    Also, it doesn't work when I try to use RSA instead of ECDSA (and fix their respective configs of course). Again, I see no reason why it would behave this way.

  • 0 in reply to Aleksa

    Hi,

    RSA should work and is the default key type. You can see for instance this post which includes a sample project with a custom RSA key.

  • 0 in reply to Einar Thorsrud

    I'm fine with ECDSA key. But it would be great to find something that works for setting a relative path towards the key, since the suggestions I've found didn't work. 
    Also I'd like to understand what child_image/mcuboot.conf changes. Why I have to do it this way, and why it's enough just to add this file without linking it anywhere.

  • 0 in reply to Aleksa

    Hi,

    When you build an application and enable MCUboot, that will also be built as a child image (which is a build system concept). In recent nRF Connect SDK releases, you can add a configuration overlay under child_image/<child_image_name>.conf. This also works for other overlays. When you do this, it is automatically picked up by the build system and applied.

    With regard to relative paths that is a common request but there are no elegant ways to do this for now.

Related