nRF52840 + NCS + MCUBoot, CC310-enabled image encryption?

Hi there,

I am working on a new product iteration that uses the nRF52840. Our existing application is already using nRF52832 + NCS + MCUBoot with image signing.

I would like to take this opportunity to enable image encryption in MCUBoot and use the CC310 crypto hardware accelerator to perform image verification and decryption. However, I cannot find a working KConfig configuration that enables image encryption on MCUBoot with CC310.

Normally I can eventually figure these configuration issues out, but this one is difficult. I cannot find a relevant example project, or similar questions on the devzone.

The main compiler errors I am getting are:

 #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"

Could someone tell me what KConfig options are required, or point me to an existing sample project?

Thanks,

Sean

  • Thank you for the fast response, Vidar!

    I'm having a good deal of difficulty enabling image encryption regardless of the encryption library used.  I see good (but incomplete) documentation around image signing and verification and what KConfig values to set, but there seems to be no guidance at all on how exactly to enable encryption on the image as well.  At this moment I have signing working by creating an mcuboot.conf and defining CONFIG_BOOT_SIGNATURE_KEY_FILE with an absolute path to an ECDSA private key.  I cannot figure out what settings to add to this conf file or prj.conf to enable image encryption as well.  I found the CONFIG_BOOT_ENCRYPTION_KEY_FILE setting but I've had no luck setting that analogously with another key...

    Can you assist or point me to the documentation I missed?

    I also have the below added to my CMakeLists.txt file just after the "cmake_minimum_required(VERSION 3.20.0)" line.  Getting boot signature working was hard enough; I was only able to figure it out after watching someone's video on the subject.

    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")
        list(APPEND mcuboot_OVERLAY_CONFIG
          "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf"
          )
    endif()

    Personally, I think signature and image encryption should be front and center and super easy to configure on every platform where they're supported.  Curious why it's so difficult given that nearly every organization that deploys firmware on this platform is going to want these features.

  • papatel said:
    defining CONFIG_BOOT_SIGNATURE_KEY_FILE with an absolute path to an ECDSA private key.  I cannot figure out what settings to add to this conf file or prj.conf to enable image encryption as well

    What happens when you point this symbol to your key file, do you get a build error? To enable encryption in the bootloader, it should be sufficient to set the following symbols:

    CONFIG_BOOT_ENCRYPT_EC256=y
    CONFIG_BOOT_ENCRYPTION_KEY_FILE="<encryption key file>.pem"

  • Hello Vidar,

    Instead of going back and forth too much, let's start over.  We want to enable both signature and encryption; can you give me the correct set of symbols to set and exactly what file to put them in?  I expected to have everything in prj.conf, but from searching around everyone puts these settings in mcuboot.conf (a detail that isn't documented?) and then you have to modify the CMakeLists file...


    If you provide or point me to documentation on all the required details, I will execute verbatim and report back.  To be 100% clear: we need bootloader signature verification using only a derived public key (the private key is NOT stored anywhere in the firmware image).  For image encryption, we obviously need a private key in the image (but that will be a different key than the signing key pair).  I believe this is the intended implementation based on Nordic's MCUboot errata.  But you have me concerned given your last response was defining a single .pem file.


    Thank you!

  • Hi,

    The CONFIG_BOOT_* Kconfig symbols are used for MCUBOOT specific configurations. Therefore, they need to be applied to the MCUBOOT build, and not the application.

    As you found out, you can point to a specific Kconfig file or fragment for your MCUBOOT build by editing the CMakeLists.txt file. However, the more common approach for applying changes to a child image configuration is to create a 'child_image' folder in the project directory and add the Kconfig file/overlays there, as outlined in the 'Image-specific variables' section of the SDK documentation.

    papatel said:
    But you have me concerned given your last response was defining a single .pem file.

    This file is only for encryption and not for signing. You should provide another key file to derive the public signing key from. Attached below is an example of what the 'child_image' folder may look like. 

    6445.child_image.zip
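    Putting the symbols from this thread together, as an added example (this is not the attached zip and not an NCS sample): a child_image/mcuboot.conf placed in the application directory, which NCS applies to the MCUboot child image rather than to the application. The key paths and file names are placeholders, and the two keys are deliberately separate files.

```kconfig
# child_image/mcuboot.conf  (applied to the MCUboot child image, not to prj.conf)

# Image signing: MCUboot embeds only the public key derived from this file.
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="/abs/path/keys/mcuboot-signing-priv.pem"   # placeholder path

# Image encryption (ECIES-P256): a second, independent key pair. The private
# half is compiled into the bootloader; imgtool encrypts with the public half.
CONFIG_BOOT_ENCRYPT_EC256=y
CONFIG_BOOT_ENCRYPTION_KEY_FILE="/abs/path/keys/mcuboot-enc-priv.pem"       # placeholder path

# CC310 signature verification backend. Whether the encryption path builds
# with this backend is not settled in this thread (the original post hits
# "#error One crypto backend must be defined"), so it is left commented out.
# CONFIG_BOOT_ECDSA_CC310=y
```

    Both key files can be generated with `imgtool keygen -k <file>.pem -t ecdsa-p256`; never reuse the signing key as the encryption key, since the encryption private key ends up inside the bootloader binary.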

  • Hello Vidar,

    Thanks to your help (specifically your rather specific sample child_image zip file) I was able to compile my project with the desired image signing and encryption support.  There are no warnings/errors in the build log and I see the MCU child image pointing to the desired key files, hurray!

    Unfortunately, one last huge issue remains: the build process does not generate an encrypted DFU file or firmware image.  It does generate a signed image as expected.  Reading around, all posts on this subject are a few years old, so I'm hesitant to try them toward creating the TLV + encrypting the firmware image myself from the generated signed bin file...  Looking forward to your guidance.

    I know we've long strayed from the topic of this post and it may be wise to move this elsewhere.  I can't imagine I'm the only one struggling here.
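    The "is this image actually encrypted?" question from the last post can be answered from the binary itself, since MCUboot marks encrypted images in two places: the ENCRYPTED_AES128/AES256 flag in the 32-byte image header and an ENC_* TLV (ENC_EC256 for the configuration above) carrying the wrapped AES key. The following is an added example, not code from the thread or from the MCUboot/NCS projects; the constants come from MCUboot's image.h, and the sample images it builds are constructed fixtures, not real build output.

```python
"""Classify an MCUboot image binary: signed only, encrypted, or the "clear" variant."""
import struct
import sys

IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGIC = 0x6907        # unprotected TLV area
TLV_PROT_INFO_MAGIC = 0x6908   # protected TLV area (covered by the signature)
HDR_FMT = "<IIHHIIBBHII"       # magic, load_addr, hdr_size, protect_tlv_size,
                               # img_size, flags, ver(maj, min, rev, build), pad
IMAGE_F_ENCRYPTED_AES128 = 0x04
IMAGE_F_ENCRYPTED_AES256 = 0x08

TLV_NAMES = {
    0x01: "KEYHASH", 0x02: "PUBKEY", 0x10: "SHA256",
    0x20: "RSA2048_PSS", 0x22: "ECDSA_SIG", 0x23: "RSA3072_PSS", 0x24: "ED25519",
    0x30: "ENC_RSA2048", 0x31: "ENC_KW", 0x32: "ENC_EC256", 0x33: "ENC_X25519",
    0x40: "DEPENDENCY", 0x50: "SEC_CNT", 0x60: "BOOT_RECORD",
}
SIG_TLVS = {0x20, 0x22, 0x23, 0x24}
ENC_TLVS = {0x30, 0x31, 0x32, 0x33}


def parse_tlv_area(data, off):
    """Return (magic, [(type, value)], end_offset) for the TLV area starting at off."""
    magic, tl_size = struct.unpack_from("<HH", data, off)
    end = off + tl_size
    pos, tlvs = off + 4, []
    while pos + 4 <= end:
        t, ln = struct.unpack_from("<HH", data, pos)
        pos += 4
        tlvs.append((t, data[pos:pos + ln]))
        pos += ln
    return magic, tlvs, end


def parse_image(data):
    """Parse header + TLV areas and report the signing/encryption markers found."""
    (magic, _load, hdr_size, prot_size, img_size, flags,
     vmaj, vmin, vrev, vbuild, _pad) = struct.unpack_from(HDR_FMT, data, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError(f"not an MCUboot image (magic 0x{magic:08x})")
    tlvs, off = [], hdr_size + img_size
    if prot_size:                     # protected TLVs come first, then the unprotected area
        m, prot, off = parse_tlv_area(data, off)
        if m != TLV_PROT_INFO_MAGIC:
            raise ValueError("bad protected TLV magic")
        tlvs += prot
    m, unprot, _ = parse_tlv_area(data, off)
    if m != TLV_INFO_MAGIC:
        raise ValueError("bad TLV magic")
    tlvs += unprot
    types = {t for t, _ in tlvs}
    return {
        "version": f"{vmaj}.{vmin}.{vrev}+{vbuild}",
        "flags": flags,
        "tlv_names": [TLV_NAMES.get(t, f"0x{t:02x}") for t, _ in tlvs],
        "signed": bool(types & SIG_TLVS),
        "enc_tlv": bool(types & ENC_TLVS),
        "enc_flag": bool(flags & (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256)),
    }


def classify(info):
    if info["enc_flag"] and info["enc_tlv"]:
        return "encrypted"        # body encrypted, wrapped key in the ENC TLV: what DFU should carry
    if info["enc_tlv"]:
        return "clear-with-key"   # plaintext body but ENC TLV present (imgtool --clear output)
    if info["enc_flag"]:
        return "inconsistent"     # flag set but nothing carries the key; MCUboot will reject it
    return "signed-only" if info["signed"] else "unsigned"


def _tlv_area(magic, tlvs):
    body = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in tlvs)
    return struct.pack("<HH", magic, 4 + len(body)) + body


def build_sample_image(encrypted):
    """Constructed fixture, not real build output: tiny body, zero-filled dummy
    signature, and (if encrypted) an ENC_EC256 TLV plus the AES128 header flag."""
    body = bytes(range(16))
    prot = _tlv_area(TLV_PROT_INFO_MAGIC, [(0x50, struct.pack("<I", 1))])
    unprot_tlvs = [(0x10, bytes(32)), (0x22, bytes(72))]
    if encrypted:
        unprot_tlvs.append((0x32, bytes(113)))  # 65 B pubkey + 32 B tag + 16 B wrapped key
    unprot = _tlv_area(TLV_INFO_MAGIC, unprot_tlvs)
    flags = IMAGE_F_ENCRYPTED_AES128 if encrypted else 0
    hdr = struct.pack(HDR_FMT, IMAGE_MAGIC, 0, 32, len(prot), len(body), flags, 1, 2, 3, 4, 0)
    return hdr + body + prot + unprot


if __name__ == "__main__":
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
            [("sample-signed", build_sample_image(False)), ("sample-encrypted", build_sample_image(True))]
    for name, blob in blobs:
        info = parse_image(blob)
        print(f"{name}: {classify(info)} v{info['version']} TLVs={info['tlv_names']}")
```

    Run it against the .bin the build emits (for example the signed app_update.bin): a "signed-only" verdict confirms the build step that adds the ENC_EC256 TLV never ran, and the same imgtool that signs the image can add it with `imgtool sign ... --encrypt <encryption public key>`, which is also what a manual encryption step would do.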
