nRF52832 Buttonless Secure DFU with bonds

Hey Everyone, 

Looking for some direction, I'm trying to create a secured DFU bond between my nRF52832 and the nRF Connect Mobile app following the instructions from the links below:

https://infocenter.nordicsemi.com/index.jsp?topic=%2Fsdk_nrf5_v17.0.2%2Fservice_dfu.html

https://infocenter.nordicsemi.com/index.jsp?topic=%2Fsdk_nrf5_v17.0.2%2Fble_sdk_app_buttonless_dfu.html

https://infocenter.nordicsemi.com/index.jsp?topic=%2Fsdk_nrf5_v17.0.2%2Fble_sdk_app_dfu_bootloader.html

I've programmed "sd_s132_bootloader_buttonless_with_setting_page_dfu_secure_ble_debug_with_bonds" HEX file to the device and am working towards creating the bond with the phone per below.

Bond to the device using nRF Connect (it is advertising as 'Nordic_Buttonless'). Click the settings button, select "Security Settings", check "Perform bonding", and click "Apply".

but am having issues finding the "security setting" or "perform bonding" button in this version of the nRF Connect app. Any help with navigating the app is MUCH appreciated, once I learn how to make the connection, I can try and troubleshoot from there. 

 

      

Please let me know if I'm leaving anything out, I've done a lot of steps up to this point.

Thank you, Gerald

  • Hi,

    There is no support for bonding in the bootloader. The difference between using the bootloader with and without bonds is that when you configure the bootloader to use bonding, it will get the bonding data from the application (which must previously have bonded with the phone), and use that to secure the link when re-connecting in bootloader mode.

    See the Testing Buttonless Secure DFU with bonds in the Buttonless DFU Template Application documentation for details on how to do this.

  • This bonding data comes from the project's hex file that is converted into a zip file?

    I'm still confused by the instructions listed in the "Testing Buttonless Secure DFU with bonds" section since it states to go into Settings -> Security Settings -> Perform Bonding  (I cannot find this in the phone's mobile app)

  • GCL-SOENCO said:
    This bonding data comes from the project's hex file that is converted into a zip file?

    No, the bonding data comes from the pairing process (when two Bluetooth devices exchange encryption keys etc.).

    GCL-SOENCO said:
    I'm still confused by the instructions listed in the "Testing Buttonless Secure DFU with bonds" section since it states to go into Settings -> Security Settings -> Perform Bonding  (I cannot find this in the phone's mobile app)

    If you are using nRF Connect for Android, then there is an option to bond. On iOS, there is no way for an app to explicitly bond, so you will need to try to access a characteristic that requires security in order to initiate pairing/bonding if that is what you are using.

    I am wondering though. Do you really need/want DFU with bonding (this is particularly relevant as it seems to me you were not aware what this feature was)? It causes a few potential pitfalls, and in most cases DFU without bonds is secure enough. You can still use bonding as normal when in the application, and the upgrade images are signed. The only major difference is that the DFU procedure is not encrypted.

  • Thank you! That makes more sense, we're using iPhone for this process.

    Long story short, I've been tasked to get up to speed with secure DFU for the nRF52832 chip we're using on our product in pre-production. The company's goal is to either:

    1) Only allow access to firmware updates through one main device (iphone, ipad, etc) here at our facility without the ability of someone with an external device being able to read or write to memory on the chip (locked)

    2) To be able to integrate the DFU process into the product's mobile application allowing the end users to download the firmware update to the chip whenever changes have been made (i.e any device nowadays)

  • I suggest you look at DFU without bonding then, as it does not seem you have a specific reason for using it.

    The secure bootloader always checks the signature of the image, so only images signed by someone that has the private key will be accepted. So in the 2) case, just allow anyone to enter DFU mode.

    There is one caveat, though. If anyone is allowed to cause the device to enter DFU mode via Bluetooth, that could potentially mean that it is possible to do a denial of service attack by making the device enter DFU mode again and again. So even if that would not make it possible to update the device with any firmware that is not signed, it could be a problem nonetheless. So in that case, it could be that you would want to adjust the buttonless DFU service so that bonding is required in order to enter DFU mode (that would mean changing line 220 in components/ble/ble_services/ble_dfu/ble_dfu_unbonded.c). Or use some other mechanism like whitelisting to only allow specific devices to connect in the first place. But generally how to solve this, and your 1) and 2) in general, will be application specific.
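
The caveat in the last reply, as an added example that is not part of the thread and not nRF5 SDK code: a small C model that replays a constructed request trace against three DFU-entry policies (open, bonding required, whitelist) and counts how often the device would be pushed into DFU mode. All type, function and address names here are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model (not SDK types): security level a peer's link has reached. */
typedef enum { LINK_OPEN = 0, LINK_BONDED = 1 } link_sec_t;

typedef struct {
    link_sec_t         required_sec;  /* minimum link security for the "enter DFU" write */
    const char *const *whitelist;     /* NULL means any peer may connect */
    size_t             whitelist_len;
} dfu_entry_policy_t;

typedef struct { const char *addr; link_sec_t sec; } peer_t;

static bool peer_whitelisted(const dfu_entry_policy_t *p, const char *addr)
{
    if (p->whitelist == NULL) return true;
    for (size_t i = 0; i < p->whitelist_len; i++)
        if (strcmp(p->whitelist[i], addr) == 0) return true;
    return false;
}

/* True when this peer's request would reboot the device into the bootloader. */
bool dfu_entry_allowed(const dfu_entry_policy_t *p, const peer_t *peer)
{
    return peer_whitelisted(p, peer->addr) && peer->sec >= p->required_sec;
}

/* Number of requests in a trace that force the device into DFU mode. */
size_t count_dfu_entries(const dfu_entry_policy_t *p, const peer_t *reqs, size_t n)
{
    size_t entries = 0;
    for (size_t i = 0; i < n; i++)
        if (dfu_entry_allowed(p, &reqs[i])) entries++;
    return entries;
}

/* Constructed trace: an unbonded stranger asks three times, the bonded phone once. */
static const peer_t TRACE[] = {
    {"AA:AA:AA:AA:AA:01", LINK_OPEN},   {"AA:AA:AA:AA:AA:01", LINK_OPEN},
    {"BB:BB:BB:BB:BB:02", LINK_BONDED}, {"AA:AA:AA:AA:AA:01", LINK_OPEN},
};
static const char *const FACTORY_ONLY[] = {"BB:BB:BB:BB:BB:02"};

const dfu_entry_policy_t POLICY_OPEN      = {LINK_OPEN,   NULL,         0};
const dfu_entry_policy_t POLICY_BONDED    = {LINK_BONDED, NULL,         0};
const dfu_entry_policy_t POLICY_WHITELIST = {LINK_OPEN,   FACTORY_ONLY, 1};
```

Under the open policy every request in the trace interrupts the application; under either restricted policy only the known phone does. In all three cases the bootloader's signature check still decides which image is accepted.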
