https://devzone.nordicsemi.com/f/nordic-q-a/95700/signed_by_b0_s1_image-bin-vs-signed_by_mcuboot_and_b0_s1_image_update-binI am using b0 and MCUBoot (configured with two slots) and am trying to find documentation that explains the difference between &quot;signed_by_b0_s0_image.bin&quot; vs &quot;signed_by_mcuboot_and_b0_s0_image_update.bin&quot;. Any help appreciated.en-USTelligent Community 13Wed, 25 Jan 2023 11:39:22 GMThttps://devzone.nordicsemi.com/thread/406434?ContentTypeID=1Wed, 25 Jan 2023 11:39:22 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a57bea79-1004-4d8f-81d7-0be7caa7f9d6AHaug<p>Hi,</p> [quote user="brandon_ask_questions"]<blockquote><div>AFIAIK the reason for why MCUboot will require signatures to authenticate&nbsp;is since MCUboot is handling the image swapping.</div></blockquote><div></div> <p>But there is no image swapping for updating MCUBoot. </p>[/quote] <p>Good thing you followed up on this, because I see I was a bit unclear/too fast with this comment, so I&#39;ll expand on this some more: It&#39;s correct that there are no swapping, but the signature is not only for the transport of the image. B0 checks versions and chooses that MCUboot version which is the newest version. Then b0 validates that MCUboot version before it boots. It can validate with both signature and/or hash, but the default is signature.</p> <p>This sample should illustrate how it&#39;s done:&nbsp;<a href="https://github.com/nrfconnect/sdk-nrf/blob/main/samples/bootloader/src/main.c">https://github.com/nrfconnect/sdk-nrf/blob/main/samples/bootloader/src/main.c</a></p> <p>Please feel free to ask more questions if you still have anything unanswered</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/406353?ContentTypeID=1Tue, 24 Jan 2023 22:12:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:77e451a7-5bf0-47bf-a725-9ef01af5c4c7brandon_ask_questions<p>Thank you for the thorough response.</p> [quote userid="107683" url="~/f/nordic-q-a/95700/signed_by_b0_s1_image-bin-vs-signed_by_mcuboot_and_b0_s1_image_update-bin/405976"]Also its worth noting this about the app primary/secondary slot: per documentation about <a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/design.html#image-slots">image slots</a>[/quote] <p>I understand that MCUBoot authenticates and swaps the contents in mcuboot_secondary and&nbsp;mcuboot_primary to perform a update.</p> [quote userid="107683" url="~/f/nordic-q-a/95700/signed_by_b0_s1_image-bin-vs-signed_by_mcuboot_and_b0_s1_image_update-bin/405976"]AFIAIK the reason for why MCUboot will require signatures to authenticate&nbsp;is since MCUboot is handling the image swapping.[/quote] <p>But there is no image swapping for updating MCUBoot. The file name &quot;<span>signed_by_mcuboot_and_b0_s0_image_update.bin&quot; implies that there is swapping or MCUBoot is authenticating the s0/s1 update prior to writing.&nbsp;<br /><br />My interpretation is that it&nbsp;is signed by MCUBoot purely to <a href="https://github.com/nrfconnect/sdk-nrf/blob/v2.2.0/subsys/net/lib/fota_download/src/fota_download.c#L117">make the fota_download</a>&nbsp;library compatible and&nbsp;<a href="https://github.com/nrfconnect/sdk-nrf/blob/v2.2.0/subsys/dfu/dfu_target/src/dfu_target.c#L41">not fail the target check</a>. I am not using the fota_download library and my conf does not have it enabled.</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/405976?ContentTypeID=1Mon, 23 Jan 2023 09:10:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ac1efdd0-03b8-47c8-aaa6-942998e0e46bAHaug<p>Hi,<br /><br />Apologies for the delayed response time, I&#39;ve been out of office since last week.</p> [quote user="brandon_ask_questions"]when OTA&#39;ing a MCUBoot is &quot;<span>signed_by_mcuboot_and_b0_s0_image_update.bin&quot; written by the main application to the&nbsp;mucboot_secondary Application slot or s0?</span>[/quote] <p>They are written for s0 (or s1 for signed_by_x_s1_image_update.bin&quot;) per&nbsp;<a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_build_system.html#mcuboot-output-build-files">MCUboot output build files</a>, and has nothing to do with the primary or secondary application slot (which are reserved for the application itself).</p> <p>As an example (to attempt) to illustrate this: In your firmware with an updatable bootloader you will have a B0, S0 and S1 slot in addition to the application slot(s). In FW v.1, you will run the immutable bootloader in b0 and the second stage bootloader in S0. The immutable bootloader will ensure that itself runs first, followed by whatever is in S0, then it will run the application.</p> <p>If you want to update the bootloader in FW v.2 you will have to use &quot;<span>signed_by_mcuboot_and_b0_s1_image_update&quot; to put the new instance of MCUboot in S1. The immutable bootloader (b0) will now update to run itself first, then use s1 (and ignore s0), and then the app.</span></p> <p>If you want to update the bootloader yet again in FW v.3 you will need to use s0_image_update and put the new instance of MCUboot in s0 and now you will overwrite the first instance of mcuboot stored in s0. This procedure repeats for FW v.X.&nbsp;</p> <p>Also its worth noting this about the app primary/secondary slot: per documentation about <a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/design.html#image-slots">image slots</a>&nbsp;&quot;<em>Normally, the bootloader will only run an image from the primary slot, so images must be built such that they can run from that fixed location in flash (the exception to this is the direct-xip and the ram-load upgrade mode). If the bootloader needs to run the image resident in the secondary slot, it must copy its contents into the primary slot before doing so, either by swapping the two images or by overwriting the contents of the primary slot.&quot;</em></p> [quote user="brandon_ask_questions"]I am confused on why it is signed by MCUboot sense MCUBoot isnt authenticating &quot;signed_by_mcuboot_and_b0_s0_image_update.bin&quot; (i.e. bootchain is b0-&gt;mcuboot-&gt;app)[/quote] <p>AFIAIK the reason for why MCUboot will require signatures to authenticate&nbsp;is since MCUboot is handling the image swapping.</p> <p>Let me know if this clarifies things for you!&nbsp;</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/405309?ContentTypeID=1Tue, 17 Jan 2023 15:26:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:19a36491-f6db-4a53-bffc-9508aa14240abrandon_ask_questions<p>Hi AHaug,&nbsp;</p> <p>Thanks for answering.<br /><br />Another question, when OTA&#39;ing a MCUBoot is &quot;<span>signed_by_mcuboot_and_b0_s0_image_update.bin&quot; written by the main application to the&nbsp;mucboot_secondary Application slot or s0?&nbsp;I am confused on why it is signed by MCUboot sense MCUBoot isnt authenticating &quot;signed_by_mcuboot_and_b0_s0_image_update.bin&quot; (i.e. bootchain is b0-&gt;mcuboot-&gt;app)</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/405164?ContentTypeID=1Tue, 17 Jan 2023 08:26:21 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ee9115af-35c0-46b3-94f3-136b285a670cAHaug<p>Hi,</p> <p>We have&nbsp;<a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_build_system.html">https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_build_system.html&nbsp;</a>which describes&nbsp;<span>signed_by_mcuboot_and_b0_s0_image_update (</span><a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_build_system.html#mcuboot-output-build-files">https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_build_system.html#mcuboot-output-build-files</a>), which is the image you will want to use.</p> <p>If you examine CMake, then you can see that signed_by_b0_ is generated in&nbsp;<a href="https://github.com/nrfconnect/sdk-nrf/blob/81c0de2459dbb41248edf632f8678b515c074d8a/subsys/bootloader/cmake/sign.cmake#L78">sign.cmake</a>&nbsp;and is later used in <a href="https://github.com/nrfconnect/sdk-nrf/blob/81c0de2459dbb41248edf632f8678b515c074d8a/modules/mcuboot/CMakeLists.txt#L497">nrf/modules/mcuboot/CMakeLists.txt t</a>o generate&nbsp;signed_by_mcuboot_and_b0</p> <p>You will want to use&nbsp;signed_by_b0 if you use NSIB as the only bootloader, ref this (unofficial) sample:&nbsp;<a href="https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/updatable_bootloader/nsib_simple">https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/updatable_bootloader/nsib_simple</a></p> <p>I know that this documentation is hard to find, and I will have a chat with our tech writers if we can add some documentation about&nbsp;<span>signed_by_b0_image in the build system page I linked at the top</span></p> <p><span>Let me know if this answers your questions!</span></p> <p><span>Kind regards,<br />Andreas</span></p><div style="clear:both;"></div>