BLE Secure boot validation option on the App/bootloader zip file

Question

Hi 
 I have a running DFU code and can update the bootloader as generated zip file and the app with the zip file. Now I saw, that there is the option "V ALIDATE_ECDSA_P256_SHA256" to generate the packages. 
 See also : https://devzone.nordicsemi.com/guides/short-range-guides/b/software-development-kit/posts/getting-started-with-nordics-secure-dfu-bootloader#h12sk6tbb3hw1qnwn7q4hvp5tvthcli 
 Now I got 2 questions: 
 1. I made a test and got the Info from the packages with nrfutil pkg display and saw that to zip file for the bootloader is still with CRC validation, why? 
 
 the app is with the correct validation: 
 
 2. If I download the zip package of the APP with the --app-boot-validation VALIDATE_ECDSA_P256_SHA256, its working. But I can still download an App zip file with CRC validation. The same for the bootloader zip file. Why this? Do I have to use the nrfutil settings generate with the option --app-boot-validation and --sd-boot-validation with VALIDATE_ECDSA_P256_SHA256 aswell? 
 I expected that a zip file without the VALIDATE_ECDSA_P256_SHA256 is not valid and the update would be impossible, which is not the case. 
 Thanks for a feedback

Edvin · Answer

Dominik Eugster said: Can you try this on your DK please? Does the bootloader on your DK check and block the flashing of a application zip file WITHOUT the validation added before flashing the complete file or can the bootloader check this only if the file was transferred 100% before? (I use nRF Connect App on a Android Phone) 
 That is what I did (in an otherwise unmodified SDK). 
 Actually, I was testing on SDK17.1.0, but after realizing that your bootloader project was written for SDK17.0.2, I ran the test again now. 
 So the unmodified bootloader, pca10056_s140_ble, together with the ble_app_buttonless_dfu example for simplicity. 
 First, without any modifications, just checking that everything was OK, and normal DFU was working. Then I changed: 
 #define NRF_BL_APP_SIGNATURE_CHECK_REQUIRED 0 
 to 
 #define NRF_BL_APP_SIGNATURE_CHECK_REQUIRED 1 
 In order to get the ble_app_buttonless_dfu example to still run, I changed the command to generate the bootloader settings from: 
 nrfutil settings generate --family NRF52840 --application files\buttonless.hex --application-version 2 --bootloader-version 2 --bl-settings-version 2 --key-file ..\..\..\private.key files\settings.hex
to
nrfutil settings generate --family NRF52840 --application files\buttonless.hex --application-version 2 --bootloader-version 2 --bl-settings-version 2 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ..\..\..\private.key files\settings.hex 
 Then the ble_app_buttonless_dfu example would still run. However, the dfu image created with the command: 
 nrfutil pkg generate --application files\buttonless2.hex --application-version 3 --hw-version 52 --sd-req 0x0100 --key-file ..\..\..\private.key files\dfu_test.zip 
 Does not work. It transfers the image, but the image will be rejected when the CRC is validated. To confirm that it will not run, you can monitor the nrfutil output, or you can make a change in the application that you are trying to upload (I turned on LED4 in the updated application, just to see whether it was running or not). 
 
 Then I added the app validation in the nrfutil pkg generate command: 
 nrfutil pkg generate --application files\buttonless2.hex --application-version 3 --hw-version 52 --sd-req 0x0100 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ..\..\..\private.key files\dfu_test.zip 
 And then the image was accepted again. 
 
 If you want to test yourself, unzip an unmodified DK, and add the following test.bat file to your SDK\examples\dfu\secure_bootloader\pca10056_s140_ble\armgcc folder:

Fullscreen 
 2308.test.bat 
 Download 
 
 make -j9
make -j9 -C ..\..\..\..\ble_peripheral\ble_app_buttonless_dfu\pca10056\s140\armgcc

mkdir files

del files\buttonless.hex
copy ..\..\..\..\ble_peripheral\ble_app_buttonless_dfu\pca10056\s140\armgcc\_build
rf52840_xxaa.hex files\buttonless.hex

del files\settings.hex
::nrfutil settings generate --family NRF52840 --application files\buttonless.hex --application-version 2 --bootloader-version 2 --bl-settings-version 2 --key-file ..\..\..\private.key files\settings.hex
nrfutil settings generate --family NRF52840 --application files\buttonless.hex --application-version 2 --bootloader-version 2 --bl-settings-version 2 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ..\..\..\private.key files\settings.hex
::nrfutil settings generate --family NRF52840 --application files\buttonless.hex --application-version 2 --bootloader-version 2 --bl-settings-version 2 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ..\..\..\private.key files\settings.hex


:: REPLACE THE SERIAL NUMBER TO MATCH YOUR TARGET DK
nrfjprog -e --snr 683825227
nrfjprog --program _build
rf52840_xxaa_s140.hex --verify --snr 683825227
nrfjprog --program ..\..\..\..\..\components\softdevice\s140\hex\s140_nrf52_7.2.0_softdevice.hex --verify --snr 683825227
nrfjprog --program files\settings.hex --verify --snr 683825227
nrfjprog --program files\buttonless.hex --verify --snr 683825227
nrfjprog --reset --snr 683825227



nrfutil pkg generate --application files\buttonless2.hex --application-version 3 --hw-version 52 --sd-req 0x0100 --key-file ..\..\..\private.key files\dfu_test.zip
::nrfutil pkg generate --application files\buttonless2.hex --application-version 3 --hw-version 52 --sd-req 0x0100 --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ..\..\..\private.key files\dfu_test.zip
timeout 5

:: REPLACE THE COM PORT TO MATCH YOUR CONNECTIVITY DK
nrfutil dfu ble -pkg files\dfu_test.zip -ic NRF52 -p COM8 -n "Nordic_Buttonless" -f

NB: You need to change the serial number to match your target DK and the COM port to match your connectivity DK. 
 The current setup in test.bat will fail to upload the DFU. To succeed, comment out line 25 and uncomment line 26. 
 Also, you need to compile the ble_app_buttonless_dfu example with a modification (not strictly needed to modify it), and place it in the files\ folder, with the name buttonless2.hex. 
 
 Best regards, 
 Edvin

BLE Secure boot validation option on the App/bootloader zip file

Top Replies