Signing and versioning an image for MCUboot

This recent thread and another one I read seem to address my exact issue, but the solution does not work for me. Obviously I'm missing something. I got the error: warning: BOOT_SIGNATURE_KEY_FILE was assigned the value 'key.pem' but got the value ''. The solution seems to be to add another "child_image" folder in the root project directory and put a file called "mcuboot.conf" in it. In one solution I had looked at earlier it was recommended to add "set(mcuboot_CONF_FILE ${CMAKE_CURRENT_LIST_DIR} child_image/mcuboot.conf)" to CMakeLists.txt, but I have found that it makes no difference. My mcuboot.conf file looks like this:

CONFIG_MCUBOOT_BUILD_STRATEGY_FROM_SOURCE=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="C:\projects\MyLifter_stopgap/sh_myl_key.pem"

And my prj.conf file looks like this for just the boot information:

# # MCUBOOT for OTA
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_IMG_MANAGER=y
CONFIG_IMG_ENABLE_IMAGE_CHECK=y
# CONFIG_MCUBOOT_BUILD_STRATEGY_FROM_SOURCE=y
# CONFIG_BOOT_SIGNATURE_KEY_FILE="C:\projects\MyLifter_stopgap/sh_myl_key.pem"
CONFIG_MCUBOOT_IMAGE_VERSION="0.0.0+1"

I've tried moving them all into the prj.conf file and other combinations, but it fails to build in all cases.

Right now the error I am up against is:

ninja: error: 'C:projectsMyLifter_stopgap/sh_myl_key.pem', needed by 'zephyr/autogen-pubkey.c', missing and no known rule to make it

There is a warning before it that occurs when the MCUboot image is being completed that says:

warning: The choice symbol MCUBOOT_BUILD_STRATEGY_FROM_SOURCE (defined at
C:\NCS\v1.9.1\nrf\subsys\partition_manager\Kconfig.template.build_strategy:25) was
selected (set =y), but no symbol ended up as the choice selection.

It looks like there should be another option set in my configuration, but I cannot figure out what it should be.

The warning provides a link to a nonexistent page in the Zephyr documentation: Click here to experience the sadness of a kite stuck in a tree.

The Kconfig documentation for "MCUBOOT_BUILD_STRATEGY_FROM_SOURCE" (found here) only shows a dependency on "BOOTLOADER_MCUBOOT" which I already have defined as "CONFIG_BOOTLOADER_MCUBOOT=y" as seen above in the prj.conf snippet.

I'm not sure where to look next. Do I need to do something to properly link it to the child image? Judging by the timing of the log messages it appears to be linked into the MCUboot image build, but for some reason it is claiming that a dependency is not satisfied.

  • Hi

    I am unsure if I understand exactly what you want. But I have a question and an example.
    Then I will read through your questions again after I get the context from your new answers:

    Question

    This recent  thread


    Can you link this again? I am not able to access it.

    Example

    I have this unofficial Manual signing sample. Is it what you are looking for? If not, how is it different?

    Regards,
    Sigurd Hellesvik

  • The link is fixed now. I'll read that manual, thanks for the suggestion. I don't see a mistake with what I have coded to set a new signing key, but it fails to build with the new key. I am using the build system to assign the new key, but it's not working for me.

  • Hi

    From this, I still guess the Manual signing sample is what you need. Let me know if it is not.

    Here is some info on how I have been setting the path to the private key for MCUBoot:

    If you have your mcuboot.conf inside the child_image/ folder, the application will look for your key in "ncs/bootloader/mcuboot/boot/zephyr/" I think.

    To work around this, you can create a "child_image/mcuboot" folder, and place the key +  a prj.conf file inside this folder, as I show in my sample. This way, mcuboot will find your key file in your own project (See Multi Image builds for the explanation of this folder setup).

    Another alternative is to use CMake to add the key yourself. To do this, you need some extra apostrophes and backslashes, but the following line into CMakeLists.txt should point to a key in the directory below your source directory.

    set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \\"${CMAKE_CURRENT_SOURCE_DIR}/../private_key.pem\\")
    

    (Try "message(${CMAKE_CURRENT_SOURCE_DIR})" in CMake to test the path)

    Regards,
    Sigurd Hellesvik

  • When newly created mcuboot.conf is placed at

                    My_Project\child_image\mcuboot.conf

    It seems to be parsed.  The single line in the mcuboot.conf

                    CONFIG_BOOT_SIGNATURE_KEY_FILE ="priv_rsa2048.pem"

    causes the build to fail with a fatal error.  Could it be the pem file is not in the correct location?  I have tried both just the file name and the absolute path with the pem file located in the

    My_Project\child_image\

    Location.  Where should it be?

     

    If I create a folder as described and then place the config file inside I do not think it is parsed such as follows:

                    My_Project\child_image\mcuboot\mcuboot.conf

    I can put garbage in the mcuboot.conf file and it makes no difference and it does not change the generated autogen-public key.

     

    When I try the alternative method of adding a line to CMakeLists.txt

                    set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \\"${CMAKE_CURRENT_SOURCE_DIR}/../priv_rsa2048.pem\\")

     

    And put the pem file at the root of My_Project, the project builds but the autogen-publickey.c remains unchanged and the build warning about using a public key remains.  What could be wrong with this?

    Thank you

  • Hi ICannon,

    lCannon said:
      My_Project\child_image\mcuboot\mcuboot.conf

    Per Multi Image builds this path should be My_Project/child_image/mcuboot/prj.conf.

    lCannon said:

    When I try the alternative method of adding a line to CMakeLists.txt

                    set(mcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE \\"${CMAKE_CURRENT_SOURCE_DIR}/../priv_rsa2048.pem\\")

     

    And put the pem file at the root of My_Project, the project builds but the autogen-publickey.c remains unchanged and the build warning about using a public key remains.  What could be wrong with this?

    The folder structure in this case should look like this:

    Is that what you have?
    Especially mark that the priv_rsa2048.pem is located outside your project folder, as set in CMake.

    Regards,
    Sigurd Hellesvik

  • I think I have it figured out, but I haven't proven it since I am fighting a hardfault with writing to slot1 for an over-the-air update. At this point I think it is using the key file that I want it to, since the build logs show it listing the key file without any objections and notifications saying that it's using the default that is insecure. The real confirmation will come when I can get MCUboot to verify and swap the file or fail when I sign with a wrong key.

    I did not want to do any manual signing, I just wanted to use the build system as provided. I think my big mistake was use of backslashes in the address path to the key file instead of forward slashes. Escaping the backslashes may have worked too, but I have only tried just changing all the back slashes to forward slashes. This is probably only going to be an issue on Windows based development systems.

    My files are organized like this:

    ProjectFolder
    |
    --child_image
    |    |
    |    --mcuboot.conf
    --prj.conf
    --my_key.pem

    In proj.conf I have:

    # # MCUBOOT for OTA
    CONFIG_BOOTLOADER_MCUBOOT=y
    CONFIG_IMG_MANAGER=y
    CONFIG_IMG_ENABLE_IMAGE_CHECK=y
    CONFIG_MCUBOOT_IMAGE_VERSION="0.0.0+1"

    I thought that CONFIG_MCUBOOT_IMAGE_VERSION would go in the mcuboot.conf, but it seems to not compile right there. I have yet to confirm that the correct versioning data ends up in the file, but that is on my to do list.

    In my mcuboot.conf file I only have this:

    # MCUBOOT SmarterHome signing key location:
    CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/projects/my_project/my_key.pem"

    From what I understand in SDKv1.9.1 that path has to be an absolute path. I assume that it can lead to anywhere on disk, if you want to keep it out of your project (and repository) for security reasons.

    I cannot find the documentation where it specifically says that this must be in this folder, but I think that it comes from some references to having child images. I also cannot find what specifically makes the build system look in this folder. In another help ticket I had found an answer that said that a line needs to be added to the CMakeLists.txt file to reference the file for the child image. I currently have that commented out in my code because it is not necessary. Something tells the system to look in that child_image folder for a conf file and "set(mcuboot_CONF_FILE ${CMAKE_CURRENT_LIST_DIR} child_image/mcuboot.conf)" does not make it work. My hope had been to use this to reference a relative path to the key file, but I could not get that to work.

    lCannon, let me know if that helps.

  • Hello Ryjan,

    Thank you, your solution worked. Perhaps only a Windows problem but the back slashes must be changed to forward slashes. Also care must be taken to ensure there are no extra spaces in the .config file as that will cause a build to fail as well.

    Hello Sigurd,

    Thank you for the update.  When a proj.conf is created at

        My_Project\child_image\prj.conf\proj.conf

    The project will not build with a fatal error even if the file is empty. Should the contents of the file be copied from somewhere else then the line to add the key be appended to it?

    Thank you
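
The two pitfalls reported in this thread (backslashes in the key path and stray spaces around the assignment) can be checked before a build is started. The following is an added example, not code from the thread or from the nRF Connect SDK: a small Python lint for an MCUboot Kconfig fragment. `lint_fragment` and its finding codes are hypothetical names; the unescape rule mirrors Kconfig string handling, and the whitespace and relative-path checks follow the posters' reports for SDK v1.9.1 (an assumption, not documented behaviour).

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

KEY_SYMBOL = "CONFIG_BOOT_SIGNATURE_KEY_FILE"
# Odd run of backslashes before an ordinary character: Kconfig drops the backslash.
LONE_BACKSLASH = re.compile(r'(?<!\\)(?:\\\\)*\\[^\\"]')


def kconfig_unescape(value):
    """Kconfig string rule: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", value)


def lint_fragment(text):
    """Return (line_number, code, detail) findings for key-file assignments."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#") or KEY_SYMBOL not in raw or "=" not in raw:
            continue  # comments and unrelated symbols are out of scope
        name, _, value = raw.partition("=")
        if name != name.strip() or value != value.strip():
            findings.append((lineno, "whitespace", "spaces around '=' or at line end"))
        value = value.strip()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            findings.append((lineno, "unquoted", "string value must be double-quoted"))
            continue
        quoted = value[1:-1]
        seen = kconfig_unescape(quoted)  # the path the build actually receives
        if LONE_BACKSLASH.search(quoted):
            findings.append((lineno, "backslash", f"build will look for {seen}"))
        elif not (PureWindowsPath(seen).is_absolute() or PurePosixPath(seen).is_absolute()):
            # Assumption from the thread: a relative path is not resolved in the project.
            findings.append((lineno, "relative", f"{seen} is not an absolute path"))
    return findings


# Constructed sample: the three assignment variants quoted in the thread.
SAMPLE = "\n".join([
    r'CONFIG_BOOT_SIGNATURE_KEY_FILE="C:\projects\MyLifter_stopgap/sh_myl_key.pem"',
    r'CONFIG_BOOT_SIGNATURE_KEY_FILE ="priv_rsa2048.pem"',
    r'CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/projects/my_project/my_key.pem"',
])

if __name__ == "__main__":
    for finding in lint_fragment(SAMPLE):
        print(finding)
```

The first sample line reproduces the mangled path from the ninja error in the original post; an empty result for a fragment only means these three checks passed, not that MCUboot is using the intended key.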
