Custom keys with updatable bootloader

RE: Custom keys with updatable bootloader

Hung Bui — Wed, 22 Feb 2023 12:38:51 GMT

Hi Mustafa,
I don't see that problem when I built my example or build the nrfdesktop example with nRF5340dk_nrf5340_cpuapp.
Maybe you can try compile nrfdesktop on a fresh clone of the SDK?

RE: Custom keys with updatable bootloader

Mustafa — Wed, 22 Feb 2023 10:17:35 GMT

Hi Hung,

I found something weird, in my project when I choose the board ( nrf52840dk) then it works fine and the assigned key in prj.conf is detected well. but when I choose (nrf5340dk cpuapp board) then I get the warning message.

RE: Custom keys with updatable bootloader

Hung Bui — Wed, 22 Feb 2023 08:39:14 GMT

Hi Mustafa,

It must be something wrong with cmake that it couldn't pass the CONFIG_SB_SIGNING_KEY_FILE to the bootloader. You can try to add -DSB_SIGNING_KEY_FILE=/path/to/my/pem' as the extra CMake Arguments to see if it help.

Also please try to compile the nrf_desktop sample and select board nrf52840dk_nrf52840 . In that sample we do the same as in my example. It uses CONFIG_SB_SIGNING_KEY_FILE="configuration/nrf52840dk_nrf52840/b0_private.pem".

Please check if you also see that the default key (meaning CONFIG_SB_SIGNING_KEY_FILE is blank) is used or not.

RE: Custom keys with updatable bootloader

Mustafa — Tue, 21 Feb 2023 21:55:13 GMT

When I assign invlaid file location then I get an error as yours, but when I assign a valid key location then I get this message (is very strange)

RE: Custom keys with updatable bootloader

Hung Bui — Fri, 17 Feb 2023 12:22:01 GMT

I would say that modifying the default might not be the best solution.

If you compile the code I sent with a wrong .pem file (file not exist) do you see any error ?
For example if I set the path to the file to a wrong path

CONFIG_SB_SIGNING_KEY_FILE="C:/wrongpath/mykey2.pem"

, I would receive this error:

RE: Custom keys with updatable bootloader

Mustafa — Fri, 17 Feb 2023 09:21:56 GMT

Hey Hung, I have debugged it here and it seems that CONFIG_SB_SIGNING_KEY_FILE is always empty.

\nrf\subsys\bootloader\cmake\debug_keys.cmake

# Check if debug sign key should be generated.
if( "${CONFIG_SB_SIGNING_KEY_FILE}" STREQUAL "")
  message(WARNING "
    --------------------------------------------------------------
    --- WARNING: Using generated NSIB public/private key-pair. ---
    --- It should not be used for production.                  ---
    --- See CONFIG_SB_SIGNING_KEY_FILE                         ---
    --------------------------------------------------------------
    \n"
  )

for a kind of workaround, I modified the default value to the absolute path of my key then it works fine.

RE: Custom keys with updatable bootloader

Hung Bui — Fri, 17 Feb 2023 08:28:56 GMT

Hi Mustafa,
Which exact key was empty and which exact file you looked at ? Could you take a screenshot ?
Have you tried to change the key and test if you can update MCBoot when you change the key but test with the MCUBoot image signed by the previous key ?

The CONFIG_SB_SIGNING_KEY_FILE is fed to B0 from inside \nrf\subsys\bootloader\cmake\debug_keys.cmake

# Check if debug sign key should be generated.
if( "${CONFIG_SB_SIGNING_KEY_FILE}" STREQUAL "")
  message(WARNING "
    --------------------------------------------------------------
    --- WARNING: Using generated NSIB public/private key-pair. ---
    --- It should not be used for production.                  ---
    --- See CONFIG_SB_SIGNING_KEY_FILE                         ---
    --------------------------------------------------------------
    \n"
  )

  set(DEBUG_SIGN_KEY ${PROJECT_BINARY_DIR}/GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem)
  set(SIGNATURE_PRIVATE_KEY_FILE ${DEBUG_SIGN_KEY})
  add_custom_command(
    OUTPUT
    ${DEBUG_SIGN_KEY}
    COMMAND
    ${PRIV_CMD}
    --out ${DEBUG_SIGN_KEY}
    WORKING_DIRECTORY ${APPLICATION_BINARY_DIR}
    COMMENT
    "Generating signing key"
    USES_TERMINAL
    )
  add_custom_target(
    debug_sign_key_target
    DEPENDS
    ${DEBUG_SIGN_KEY}
    )
  set(SIGN_KEY_FILE_DEPENDS debug_sign_key_target)
else()
  # Resolve path.
  if(IS_ABSOLUTE ${CONFIG_SB_SIGNING_KEY_FILE})
    set(SIGNATURE_PRIVATE_KEY_FILE ${CONFIG_SB_SIGNING_KEY_FILE})
  else()
    set(SIGNATURE_PRIVATE_KEY_FILE
      ${CMAKE_SOURCE_DIR}/${CONFIG_SB_SIGNING_KEY_FILE})
  endif()

  if (NOT EXISTS ${SIGNATURE_PRIVATE_KEY_FILE})
    message(FATAL_ERROR "Config points to non-existing PEM file '${SIGNATURE_PRIVATE_KEY_FILE}'")
  endif()
endif()

CONFIG_SB_SIGNING_KEY_FILE value is assigned to SIGNATURE_PRIVATE_KEY_FILE.

When I tested by removing the key in the prj.conf of the application I saw this when building:

If I have the key set in prj.conf of the application, I don't see that warning when built:

RE: Custom keys with updatable bootloader

Mustafa — Fri, 17 Feb 2023 06:46:08 GMT

Thanks Hung,

Actually, I've tried to debug the value CONFIG_SB_SIGNING_KEY_FILE in CMake of the bootloader in nrf but it seems that it always contains an empty string despite the assigned value in the prj.conf of the project.

RE: Custom keys with updatable bootloader

Hung Bui — Tue, 14 Feb 2023 09:22:28 GMT

Hi Mustafa,
I did a test and it worked for me. I used CONFIG_SB_SIGNING_KEY_FILE="C:/Pathtoyourkey/mykey2.pem" and can see that the key file is used.

Attached is my project. Both MCUBoot and B0 use customized key files.
devzone.nordicsemi.com/.../blinky_5F00_smp_5F00_uart_5F00_mykey_5F00_b0.zip

RE: Custom keys with updatable bootloader

Mustafa — Mon, 13 Feb 2023 07:00:41 GMT

[UPDATE]

for MCUboot it works when I use an absolute path with CONFIG_BOOT_SIGNATURE_KEY_FILE but still not working with secure bootloader (CONFIG_SB_SIGNING_KEY_FILE)