nRF52840 + NCS + MCUBoot, CC310-enabled image encryption?

Hi there,

I am working on a new product iteration that uses the nRF52840. Our existing application is already using nRF52832 + NCS + MCUBoot with image signing.

I would like to take this opportunity to enable image encryption in MCUBoot and use the CC310 crypto hardware accelerator to perform image verification and decryption. However, I cannot find a working KConfig configuration that enables image encryption on MCUBoot with CC310.

Normally I can eventually figure these configuration issues out, but this one is difficult. I cannot find a relevant example project, or similar questions on the devzone.

The main compiler errors I am getting are:

 #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"

Could someone tell me what KConfig options are required, or point me to an existing sample project?

Thanks,

Sean

  • Thank you for this update. I was able to build the application.

    A lot of the documentation talks about encrypting images on secondary partitions, but to get this to compile, mcuboot requires CONFIG_SINGLE_APPLICATION_SLOT=y.

    Have you been able to get mcuboot image encryption to work with secondary partitions? The version of mcuboot bundled in ncs talks about secondary partitions, but it seems to me that only newer versions of mcuboot support it. Is there a way to build a newer version of mcuboot without too much headache?

  • Hi,

    Please try this sample put together by a coworker of mine: https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_smp_encryption. It has been tested for the 'nrf52840dk_nrf52840' board.

    eb12345 said:
    A lot of the documentation talks about encrypting images on secondary partitions, but to get this to compile, mcuboot requires CONFIG_SINGLE_APPLICATION_SLOT=y.

    To support encrypted DFU, the image must be stored in a secondary slot. So I'm not sure why the build fails without the CONFIG_SINGLE_APPLICATION_SLOT=y setting. It would help to see the build log if you want to investigate this further.

  • I tried to build the sample application from the link above for the nrf52833dk board. It builds fine for the nrf5340dk, but not for the nrf52833dk. Below is a snippet of the build log, as I can't upload the complete log file.

    <command-line>: warning: "MBEDTLS_CONFIG_FILE" redefined
    <command-line>: note: this is the location of the previous definition
    C:\ncs\v2.4.2\bootloader\mcuboot\ext\tinycrypt\lib\source\ctr_mode.c:33:10: fatal error: tinycrypt/constants.h: No such file or directory
    33 | #include <tinycrypt/constants.h>

  • Please add 'CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y' to the mcuboot.conf overlay in your child_image folder. This should remove the dependency on mbedtls and allow you to use the Tinycrypt module for both the signature validation and decryption.

  • Thank you. Now I can build and test. Which brings me to the original issue. When you add CONFIG_MCUBOOT_SERIAL=y, you get an error:

    C:\ncs\v2.4.2\bootloader\mcuboot\boot\boot_serial\src\boot_serial.c:634: undefined reference to `boot_handle_enc_fw'
    collect2.exe: error: ld returned 1 exit status

    The only way I found to alleviate this is to enable CONFIG_SINGLE_APPLICATION_SLOT=y. This is in the mcuboot child image. I think it's an important failsafe to be able to use DFU/SMP Server (USB CDC, UART/Serial, or BLE) from the mcuboot image (can enter DFU in the bootloader using gpio or wait for DFU command for a short time). I don't care about switching images when you're in the bootloader, but there will be some cases where this will be the only way to recover a faulty image (correctly signed and encrypted, but one that needs to be overwritten manually).