Question about Over the Air update in NCS_V2

Does the NCS V2.x support OTA updates? I used OTA update with encryption in the older SDK and I was looking to migrate that to the new SDK. Is there some example or guide on how to do the exact same implementation in NCS? I know NCS uses MCUboot, but does that mean that DFU and OTA are no longer supported in NCS?

Thank you.

  • Hello,

    Hieu is away for a week and from here on I will be the one handling this case.

    Midhunjac said:
    To use a custom key for MCUboot, I need to use CONFIG_BT_SIGNATURE_KEY_FILE="path to private key". But from what I have learned, MCUboot is not built from source. So where does the public key come from? How can I embed my custom public key into MCUboot?

    AFAIK, the public key is generated from the private key. To get a better idea of this, please read the Design, Encryption and Image signing section.
    Take a look at this ticket from my colleague, which shows how you can embed this in MCUboot. Please let me know if this is not what you were looking for.

    I need to confirm a few things before answering the 4th question. I will answer it tomorrow.

    Kind Regards,

    Abhijith

  • Hello,

    While reading all your old threads, I guess you are a bit confused about 1st stage and 2nd stage bootloaders. I can see that your use case is only to update the application via OTA DFU. For this you don't need a second stage bootloader. You only want to include the bootloader chain if you want to update the bootloader itself while doing the upgrade. See our Secure bootloader chain section.

    Take a look at this blog, which will give you more of an idea on adding MCUboot to the application. If you check the testing section, it will show you how you can do the DFU via Bluetooth.

    Please let me know if you need any more clarification.

    Kind Regards,

    Abhijith

  • Hi Abhijith,

    Thanks for the update. I will take a look into these threads and try them and get back to you. Thanks!

  • I get it now. MCUboot works fine. I can update via Bluetooth too. However, I need to add encryption too to this implementation. I have an ECDSA256 key and I want to add it to the MCUboot implementation. I am following this thread. However, I have a few problems while building. I am not building this as a child image. Should I compulsorily build it as a separate child image?

    Assuming that I need not, I went ahead and tried the following.

    When I tried setting this Kconfig option,

    CONFIG_BOOT_SIGNATURE_KEY_FILE="priv.pem"

    the value was not set successfully and I understood that this option must be set for it to work.

    CONFIG_MCUBOOT_HEX_FILE=""

    But I have not built any images for MCUboot to give as a hex path to this option. So I tried building MCUboot with this as a reference. However, I ran into errors while building MCUboot.

    Also, while working through this thread, when I tried to set the key type using the option

    CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y

    I could not find any such option in the Kconfig. Is that a deprecated one or am I doing something wrong?

    I did find this in the \bootloader\mcuboot\boot\zephyr\prj.conf

    CONFIG_BOOT_ENCRYPT_EC256=n

    Is it the same thing as above?

    I do not know if I am on the right path here. Please correct me if I am wrong at any point.

  • Hello,

    Midhunjac said:
    CONFIG_BOOT_SIGNATURE_KEY_FILE="priv.pem"

    In this configuration you need to mention the full path length of the key file. I assume you are only using MCUboot (a bit confused, as the thread you shared is from the bootloader chain).

    As a starting point, take a look at this repo from my colleague, which explains how to work with a custom key. Take a look at the generating key section, which gives you more of an idea on this.

    Let me know if you are still struggling.

    Kind Regards,

    Abhijith
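
The full-path advice in the reply above, as an added example that is not part of the original thread or Nordic's code: a shell helper that checks a key file is an ECDSA P-256 private key, derives its public half, and writes the two MCUboot options with an absolute key path. It assumes an NCS v2.x build in which MCUboot is a child image configured through child_image/mcuboot.conf and an openssl CLI on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: MCUboot is built as a child
# image that reads <app>/child_image/mcuboot.conf; openssl is installed.

# Print the absolute path of an existing file (POSIX, no realpath needed).
abs_path() {
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Succeed only if $1 is an EC private key on the P-256 (prime256v1) curve.
is_p256_private_key() {
    openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1'
}

# Derive the public key from the private key. The bootloader only needs this
# public half to verify images; the private file stays on the build machine.
derive_public_key() {
    openssl ec -in "$1" -pubout -out "$2" 2>/dev/null
}

# Write <app_dir>/child_image/mcuboot.conf, referencing the key by full path.
write_mcuboot_conf() {
    key="$1"; app_dir="$2"
    [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
    is_p256_private_key "$key" || { echo "not a P-256 private key: $key" >&2; return 1; }
    key_abs=$(abs_path "$key")
    mkdir -p "$app_dir/child_image"
    cat > "$app_dir/child_image/mcuboot.conf" <<EOF
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="$key_abs"
EOF
}

# Usage: sh this_script.sh path/to/priv.pem path/to/application
if [ "$#" -eq 2 ]; then
    write_mcuboot_conf "$1" "$2"
fi
```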
