MCUBOOT Sign the firmware

RE: MCUBOOT Sign the firmware

mytzyiay — Wed, 22 Jun 2022 23:18:23 GMT

[quote userid="110917" url="~/f/nordic-q-a/88416/mcuboot-sign-the-firmware/373782"]Why is it necessary to double escape (\\") the quotation marks in the sample code you provided?[/quote]

I believe this is the same issue as https://github.com/nrfconnect/sdk-nrf/pull/7997

i.e. the NCS cmake scripts cache the value of this variable but they're storing that value without properly escaping the quotes.

Hoping it gets fixed in v2.1.0.

(Also I suspect that backslashes might suffer from a similar issue, but I'll leave it to the Windows users to test that.)

[quote userid="110917" url="~/f/nordic-q-a/88416/mcuboot-sign-the-firmware/373782"]Per that link above it seems necessary to set both CONFIG_MCUBOOT_SIGNATURE_KEY_FILE and CONFIG_BOOT_SIGNATURE_KEY_FILE. Is that correct, or is it sufficient to set only CONFIG_BOOT_SIGNATURE_KEY_FILE?[/quote]

I'm just a random user so maybe I'm doing things all wrong, but after applying the change from the above PR on github, this is what has worked for me:

OTA_ARGS = \
 -DOVERLAY_CONFIG=overlay-fota.conf \
 -DPM_STATIC_YML_FILE=pm_ota.yml \
 -D"mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"$(ZIGBEE_SIGNING_KEY)\"" \
 -D"CONFIG_MCUBOOT_IMAGE_VERSION=\"$(shell ./scripts/unix-time-to-version.sh)\"" \
 -D"CONFIG_DATE_CODE=\"$(shell date +%Y%m%d-%H%M)\""

.PHONY: ota
ota:
 $(if $(ZIGBEE_SIGNING_KEY),,$(error Please set $$ZIGBEE_SIGNING_KEY))
 $(WEST_BUILD) --board raw_dongle -- $(OTA_ARGS)

There are no CONFIG_MCUBOOT options in prj.conf or overlay-fota.conf

RE: MCUBOOT Sign the firmware

KRich — Wed, 22 Jun 2022 18:47:35 GMT

Thanks Einar Thorsrud, I have confirmed that this method works for my project and configuration. Since this is not my thread originally, I'll leave marking as an accepted answer it to Aleksa.

Some quick (I hope) follow-up questions:

Will a relative path ever be supported in a Kconfig fragment as indicated at https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/kconfig/index.html#CONFIG_MCUBOOT_SIGNATURE_KEY_FILE?
Per that link above it seems necessary to set both CONFIG_MCUBOOT_SIGNATURE_KEY_FILE and CONFIG_BOOT_SIGNATURE_KEY_FILE. Is that correct, or is it sufficient to set only CONFIG_BOOT_SIGNATURE_KEY_FILE?
Why is it necessary to double escape (\\") the quotation marks in the sample code you provided?

Thanks!

RE: MCUBOOT Sign the firmware

Einar Thorsrud — Wed, 22 Jun 2022 18:27:54 GMT

Hi,

I did not get a chance to test it myself today, but a colleague of me mentioned that it should be possible now (in 2.0.0). You can modify the application CMakeLists.txt as indicated here, where a relative path to the key file is used:

cmake_minimum_required(VERSION 3.20.0)

set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \\"${CMAKE_CURRENT_SOURCE_DIR}/../burd.pem\\")

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
project(hello_world)

target_sources(app PRIVATE src/main.c)

RE: MCUBOOT Sign the firmware

KRich — Tue, 21 Jun 2022 20:21:17 GMT

Is there a plan to add/fix the relative path support soon? The documentation would seem to indicate that relative paths are supported. Is this a bug that will be fixed soon? As is already mentioned, expecting multiple developers to use a system that requires absolute paths is untenable.

Also, based on https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/ug_bootloader_adding.html?highlight=mcuboot_config_boot_signature_key_file#id2 it seems that even though I get the message about MCU boot using the default key, the actual generated code is using my new/private key (even when using the relative path to the key file). Is that possible?

RE: MCUBOOT Sign the firmware

mytzyiay — Thu, 02 Jun 2022 18:17:01 GMT

[quote userid="7377" url="~/f/nordic-q-a/88416/mcuboot-sign-the-firmware/370586#370586"]With regard to relative paths that is a common request but there are no elegant ways to do this for now.[/quote]

I second this request. It's very common in our environment for multiple developers to clone the project into their respective home directories on MacOS/Linux, which will have different absolute paths. Requiring them to fix up the .config options adds an unnecessary point of failure to the build process.

RE: MCUBOOT Sign the firmware

Einar Thorsrud — Thu, 02 Jun 2022 07:24:05 GMT

Hi,

When you build an application and enable MCUboot, that will also be built as a child image (which is a build system concept). In recent nRF Connect SDK releases, you can add a configuration overlay under child_image/<child_image_name>.conf. This also works for other overlays. When you do this, it is automatically picked up by the build system and applied.

With regard to relative paths that is a common request but there are no elegant ways to do this for now.

RE: MCUBOOT Sign the firmware

Aleksa — Wed, 01 Jun 2022 13:39:03 GMT

I'm fine with ECDSA key. But it would be great to find something that works for setting a relative path towards the key, since the suggestions I've found didn't work.
Also I'd like to understand what child_image/mcuboot.conf changes. Why I have to do it this way, and why it's enough just to add this file without linking it anywhere.

RE: MCUBOOT Sign the firmware

Einar Thorsrud — Wed, 01 Jun 2022 12:52:55 GMT

Hi,

RSA should work and is the default key type. You can see for instance this post which includes a sample project with a custom RSA key.

RE: MCUBOOT Sign the firmware

Aleksa — Tue, 31 May 2022 16:29:34 GMT

I was able to sign with a full path. But the suggestion for the relative path doesn't work, I get an error:

CMake Error at /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/cmake/multi_image.cmake:409 (message):
  CMake generation for mcuboot failed, aborting.  Command: 1
Call Stack (most recent call first):
  /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/cmake/multi_image.cmake:150 (add_child_image_from_source)
  /home/aleksa/Desktop/01_POSAO/02_UPWORK/04_PENNY/01_MG105_NCS191/mg105-nrf9160-root/lib/nordic/ncs/nrf/modules/mcuboot/CMakeLists.txt:216 (add_child_image)

Also, I don't understand why I had to make child_image/mcuboot.conf file. Signing works only when I put there the config below, but I see no logic behind it. Here is the config:

CONFIG_BOOT_SIGNATURE_TYPE_RSA=n
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="path/to/private.pem"
# CONFIG_BOOT_SIGNATURE_KEY_FILE="private.pem"

Also, it doesn't work when I try to use RSA instead of ECDSA (and fix their respective configs of course). Again, I see no reason why it would behave this way.

RE: MCUBOOT Sign the firmware

Einar Thorsrud — Tue, 31 May 2022 11:39:05 GMT

Hi Aleksa,

You need to specify a full path to the key file. Alternatively, you can do as described here.