HOWTO secure the loading flow: MCUboot first-stage

Hi all,

First of all let me thank you for taking time to review this "SOS".

I've tried to read and collect all the information I have been able to before opening this thread.

I have finally decided to contact you because although I found some interesting information, it is not totally clear to me, so let me present the project I am currently working on...

It is based on: WIN11 / nrf52840DK and nRF Connect SDK 2.2.0 / Implementation based on a first-stage architecture where MCUboot is used as an immutable bootloader (we just need to update the app)

Currently, we have the project running and working properly (with some extra features) but without security capabilities. This is why I am here: I would like to apply some security measures to the loading/updating flow.

I have distinguished two phases for securing my project:

1) Customize the SIGNATURE key used by the MCUboot.
2) Encrypt the binary before updating it.


Let's focus on the first stage (1): "Customize the SIGNATURE key used by the MCUboot"

I have visited all these pages:
> https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/mcuboot/design.html

> https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/mcuboot/imgtool.html

> https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/nrf/ug_bootloader.html

Additional info as to MCUboot, such as:
> https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.1/mcuboot/ecdsa.html

> https://docs.foundries.io/44/howto/zephyr-mcuboot-keys.html#configure-mcuboot-to-use-your-key


... I have done my best trying to understand the described processes, but some doubts came to my mind:

I added the following entry to the 'prj.conf':

CONFIG_BOOTLOADER_MCUBOOT=y

...to say: "hey, I want to make use of the MCUboot as (immutable) bootloader".

To be able to configure and modify MCUboot, I've also added the following line to the 'CMakeLists.txt' of the main project:

list(APPEND mcuboot_OVERLAY_CONFIG "${CMAKE_CURRENT_SOURCE_DIR}/mcuboot.conf")

and created a 'mcuboot.conf' file, where I set:

# CUSTOMIZING SIGNATURE KEY (ECDSA 256)
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/\Private_Soltec_Keys/\priv_signing_key.pem"

(I have also been able to generate and set an RSA key, but since I saw type 'ECDSA 256' used by default, I wanted to keep this format).

After setting these parameters, I build and flash getting the following prompt:

Connected via Serial Port with settings COM8 115200 8n1 rtscts:off

*** Booting Zephyr OS build v3.2.99-ncs1 ***
I: Starting bootloader
I: Bootloader chainload address offset: 0x40000
: Jumping to the first image slot


Here is the question:

Am I attaching my custom signing key to MCUboot? I have this doubt because I have seen other parameters such as:

CONFIG_SB_SIGNING_KEY_FILE
CONFIG_SB_SIGNING_CUSTOM
CONFIG_SB_SIGNING_PUBLIC_KEY
CONFIG_SB_SIGNING_COMMAND

I really do not know whether I must use them or not, or what their purpose is. And what is the difference compared to the one I use: CONFIG_BOOT_SIGNATURE_KEY_FILE?

What did I miss?

For signing I will use the following command: imgtool sign -k priv_a.pem --align 8 -v 52 -H 32 --pad-header -S 0x60000 --confirm App.bin App_SIGNED.bin

But honestly, apart from the help, I am not quite clear about the value -S 0x60000 that I use... what reference should I take to know the correct value for this entry?

I was thinking of using the mcumgr tool for sending/updating the app image, but I am getting the error: NMP timeout (yes, I am working on WIN), so I am considering the use of a different tool instead of 'mcumgr'. Any suggestion?


(As to the 2nd phase of my securing plan: "Encrypt the binary before updating it".)
We will postpone it until the correct behaviour of the 1st phase is confirmed, ok?

  • Hello,

    To check you have done it correctly you can simply look at the mcuboot output files:
    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_dev/build_and_config_system/index.html#mcuboot-output-build-files  

    When building the application the signed files will automatically be generated according to the above table.

    I also attach an example that shows how it can be set up.

    8831.ble_dfu_peripheral_lbs_ec.zip

    You can find in the example I attach that mcuboot will sign the application image with the configuration specified in child_image/mcuboot/boards/nrf52840dk_nrf52840.conf, specifically:

    CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    CONFIG_BOOT_SIGNATURE_KEY_FILE="key/root-ec-p256.pem"

    If you want to sign the application using imgtool directly, you can use the same command as west uses during the build, like this:

    imgtool sign --key key/root-ec-p256.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --slot-size 0x7a000 app_to_sign.bin app_update.bin
    imgtool sign --key key/root-ec-p256.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --slot-size 0x7a000 mcuboot_primary_app.hex app_signed.hex
    imgtool sign --key key/root-ec-p256.pem --header-size 0x200 --align 4 --version 0.0.0+0 --pad-header --slot-size 0x7a000 --pad mcuboot_primary_app.hex app_test_update.hex

    Tip: To find the above command I build using 'west -vvv build --board=nrf52840dk_nrf52840 --pristine' and search for imgtool in the output.

    Best regards,
    Kenneth
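
The check suggested above (look at the generated output files) can be made explicit for the original question "Am I attaching my custom signing key?". The following script is an added example, not code from this thread, from MCUboot or from imgtool. Using only the Python standard library, it parses the MCUboot image header and the TLV trailer of a signed image such as app_update.bin, recomputes the SHA256 TLV, and compares the KEYHASH TLV with the SHA-256 of the public key's DER SubjectPublicKeyInfo, which is the value imgtool writes and MCUboot uses to select the matching entry from its embedded key table. A mismatch means the image was bound to a different key than the one you expect. The ECDSA signature itself is not verified here; that remains MCUboot's job at boot. The demo payload, the stand-in key bytes and the file names are constructed placeholders.

```python
"""Check which signing key an MCUboot image is bound to.

Added example (not code from the thread, MCUboot or imgtool); standard library
only. The KEYHASH TLV is sha256(DER SubjectPublicKeyInfo) of the signing key's
public half; MCUboot hashes each key in its key table and looks for a match
before it verifies the signature, so this is the first thing to confirm.
"""
import hashlib
import struct
import sys

IMAGE_MAGIC = 0x96F3B83D        # ih_magic of struct image_header
TLV_INFO_MAGIC = 0x6907         # unprotected TLV area
TLV_PROT_INFO_MAGIC = 0x6908    # protected TLV area (covered by the hash)
TLV_NAMES = {0x01: "KEYHASH", 0x02: "PUBKEY", 0x10: "SHA256",
             0x20: "RSA2048_PSS", 0x21: "ECDSA224", 0x22: "ECDSA_SIG",
             0x23: "RSA3072_PSS", 0x24: "ED25519", 0x30: "ENC_RSA2048",
             0x31: "ENC_KW", 0x32: "ENC_EC256", 0x40: "DEPENDENCY",
             0x50: "SEC_CNT"}
SIG_TYPES = {0x20, 0x21, 0x22, 0x23, 0x24}
# magic, load_addr, hdr_size, protect_tlv_size, img_size, flags,
# ver.major, ver.minor, ver.revision, ver.build_num, pad
HEADER_FMT = "<IIHHIIBBHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes


def parse_tlv_area(blob, offset, expected_magic):
    """Walk one TLV area; return its (type, value) entries and the end offset."""
    magic, total = struct.unpack_from("<HH", blob, offset)
    if magic != expected_magic:
        raise ValueError(f"bad TLV magic {magic:#x} at offset {offset:#x}")
    entries, pos, end = [], offset + 4, offset + total
    while pos + 4 <= end:
        tlv_type, _pad, length = struct.unpack_from("<BBH", blob, pos)
        pos += 4
        entries.append((tlv_type, bytes(blob[pos:pos + length])))
        pos += length
    return entries, end


def inspect_image(blob, expected_pubkey_der):
    """Describe the image and report whether it is bound to the expected key."""
    (magic, _load, hdr_size, prot_size, img_size, _flags,
     major, minor, rev, build, _pad) = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image (bad header magic)")
    tlv_off = hdr_size + img_size
    entries = []
    if prot_size:
        prot, tlv_off = parse_tlv_area(blob, tlv_off, TLV_PROT_INFO_MAGIC)
        entries += prot
    unprot, _ = parse_tlv_area(blob, tlv_off, TLV_INFO_MAGIC)
    entries += unprot
    tlvs = dict(entries)
    # The image hash covers the (padded) header, the payload and protected TLVs.
    hashed = hashlib.sha256(blob[:hdr_size + img_size + prot_size]).digest()
    return {
        "version": f"{major}.{minor}.{rev}+{build}",
        "tlvs": [TLV_NAMES.get(t, f"{t:#x}") for t, _ in entries],
        "hash_ok": tlvs.get(0x10) == hashed,
        "keyhash_ok": tlvs.get(0x01) == hashlib.sha256(expected_pubkey_der).digest(),
        "signature_present": any(t in SIG_TYPES for t in tlvs),
    }


def build_demo_image(payload, pubkey_der, version=(1, 0, 0, 0), hdr_size=0x200):
    """Construct an image in imgtool's layout (constructed demo, no signature).
    A real app_update.bin additionally carries an ECDSA_SIG TLV made with the
    private key; header, hash and key-hash layout are the same."""
    major, minor, rev, build = version
    header = struct.pack(HEADER_FMT, IMAGE_MAGIC, 0, hdr_size, 0, len(payload),
                         0, major, minor, rev, build, 0)
    body = header.ljust(hdr_size, b"\x00") + payload      # like --pad-header
    tlv = b""
    for tlv_type, value in ((0x10, hashlib.sha256(body).digest()),
                            (0x01, hashlib.sha256(pubkey_der).digest())):
        tlv += struct.pack("<BBH", tlv_type, 0, len(value)) + value
    return body + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlv)) + tlv


# Constructed stand-ins for DER public keys (a real P-256 SPKI is 91 bytes).
CUSTOM_KEY_DER = b"demo-spki-custom-priv_signing_key"
DEFAULT_KEY_DER = b"demo-spki-default-root-ec-p256"
DEMO_PAYLOAD = b"\x00\x80\x00\x20" + b"\xff" * 60          # fake vector table


def demo():
    """Image bound to our key passes; one bound to another key does not."""
    ours = inspect_image(build_demo_image(DEMO_PAYLOAD, CUSTOM_KEY_DER), CUSTOM_KEY_DER)
    other = inspect_image(build_demo_image(DEMO_PAYLOAD, DEFAULT_KEY_DER), CUSTOM_KEY_DER)
    return ours["keyhash_ok"], other["keyhash_ok"]


if __name__ == "__main__":
    # usage: python check_keyhash.py app_update.bin pub.der
    with open(sys.argv[1], "rb") as img, open(sys.argv[2], "rb") as key:
        print(inspect_image(img.read(), key.read()))
```

For a real check, export the public half of the key named in CONFIG_BOOT_SIGNATURE_KEY_FILE as DER (for example with `openssl ec -in priv_signing_key.pem -pubout -outform DER -out pub.der`) and run the script against the app_update.bin in the build directory; `keyhash_ok` must be true and `tlvs` should list ECDSA_SIG. If `keyhash_ok` is false while the build succeeded, the image was signed with a different key than the one you intended, which is exactly the "is my key attached?" question from the first post.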

  • Thx for the quick response. I'll check it but... what about this?

    CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
    CONFIG_BOOT_SIGNATURE_KEY_FILE="C:/\Private_Soltec_Keys/\priv_signing_key.pem"

    And these other entries? Are the following entries needed?

    CONFIG_SB_SIGNING_KEY_FILE
    CONFIG_SB_SIGNING_CUSTOM
    CONFIG_SB_SIGNING_PUBLIC_KEY
    CONFIG_SB_SIGNING_COMMAND

    What are they used for?

    Currently, I am just making use of:
    CONFIG_BOOT_SIGNATURE_KEY_FILE

    Regards

  • JesusA said:
    Currently, I am just making use of:
    CONFIG_BOOT_SIGNATURE_KEY_FILE

    That is the same as I show in the project I attached; by default CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y is used, so you don't need to explicitly set it.

    Regarding these kconfig options:

    CONFIG_SB_SIGNING_KEY_FILE
    CONFIG_SB_SIGNING_CUSTOM
    CONFIG_SB_SIGNING_PUBLIC_KEY
    CONFIG_SB_SIGNING_COMMAND

    You don't need to set these kconfig options in your project, because you said previously you want: "MCUboot is used as immutable bootloader (we just need to update the app)"

    Best regards,
    Kenneth

  • Ok , clear.

    For working with MCUboot as an IMMUTABLE BOOTLOADER, it is JUST NEEDED to configure the pair:

    CONFIG_BOOT_SIGNATURE_KEY_FILE + CONFIG_BOOT_SIGNATURE_TYPE_xx

    Indeed, I can confirm that the binaries are signed automatically and properly uploaded (at least from a Linux environment).

    Thanks a lot!
