decoupling the placement of public key in mcuboot and signing the image

RE: decoupling the placement of public key in mcuboot and signing the image

user72692 — Wed, 11 May 2022 14:43:23 GMT

[quote user="daviddedwin"]A. Question : We should be able use imgtool,py to get the C struct for the ECDSA key type, Is that correct ?[/quote]

Yes, take a look at ./scripts/imgtool.py getpub -k filename.pem and my colleagues sample and guide. In the last link, it generates an RSA key type, but as you can see, imgtool supports ecdsa types as well:

Simon@Simons_PC MINGW64 /c/v1.8.0/bootloader/mcuboot/scripts ((v1.8.99-ncs1))
$ python imgtool.py keygen -h
Usage: imgtool.py keygen [OPTIONS]

  Generate pub/private keypair

Options:
  -k, --key filename  [required]
  -t, --type type     One of: rsa-2048, rsa-3072, ecdsa-p256, ecdsa-p224,
                      ed25519, x25519  [required]

  -p, --password      Prompt for password to protect key
  -h, --help          Show this message and exit.

[quote user="daviddedwin"]B. Question: How do we manually place this in the build and ensure that it is not overwritten by the existing work flow which is autogenerating the keys ?[/quote]

There are many ways to do this. If you follow the approach here https://devzone.nordicsemi.com/f/nordic-q-a/80629/decouple-mcuboot-public-key-storage-and-image-signing-nrf9160-mcuboot,you will remove the code that places the public key C struct in the build, and replace it with your own (which uses your custom API to get the ), so it will not be overwritten by the work flow.

Another approach (that is a little cleaner) I just thought of now is the following:

Modify these lines https://github.com/nrfconnect/sdk-mcuboot/blob/v1.8.99-ncs1/boot/zephyr/keys.c#L34 and https://github.com/nrfconnect/sdk-mcuboot/blob/v1.8.99-ncs1/boot/zephyr/keys.c#L58-L59 and swap ecdsa_pub_key with my_custom_ecdsa_pub_key
Modify the CMakeLists.txt of you application to include src/my_custom_pub_key.c
- Check out https://devzone.nordicsemi.com/guides/nrf-connect-sdk-guides/b/getting-started/posts/nrf-connect-sdk-tutorial---part-2-ncs-v1-4-0#h9skdynelh91f6vt6g1cw90uq4xtu0j how to do this
- Don't create my_custom_pub_key.c, since this will be generated when asking for it
Then get the public key, using your custom API, and place it into <your sample>/src
- It should be named my_custom_pub_key.c (same as the one used in CMakeLists.txt)
- It should contain a struct containing the public key, of the name my_custom_ecdsa_pub_key
Then you build your sample, and your public key should be used

There might be better ways of going about it, so please share if you find a better/cleaner approach

[quote user="daviddedwin"]C. Question : How do we manually sign the unsigned image with imgtool to get a signed image and what are the options to be used for it. The ECDSA keys also seem to have padding issues to be dealt with. The correct options to give to imgtool appear important.[/quote]

To be honest, I have not worked too much with this before (keys, encryption and so on), my expertise lies in mcuboot/dfu updates. However, have you taken a look at https://github.com/nrfconnect/sdk-nrf/blob/v1.9.1/modules/mcuboot/CMakeLists.txt#L291-L300 and tried using the same arguments. If you don't get this to work, please let me know, and I will take a deeper look

Best regards,

Simon

RE: decoupling the placement of public key in mcuboot and signing the image

user72692 — Tue, 10 May 2022 18:46:36 GMT

Okay, I understand. I will look into and try to answer your questions tomorrow.

Best regards,

Simon

RE: decoupling the placement of public key in mcuboot and signing the image

user84049 — Tue, 10 May 2022 15:14:00 GMT

Yes, your understanding is reasonable. I broke it out iinto specific questions where additional input was requested.

Thanks
David

RE: decoupling the placement of public key in mcuboot and signing the image

user72692 — Mon, 09 May 2022 14:02:26 GMT

[quote user="daviddedwin"]We cannot use the automated key gen in the nRF connect SDK environment as that puts the private key into the build and increases the probability of a leak.[/quote]

If you follow the steps in the referred ticket, this will not be the case. Before answering your questions, let me make sure we're on the same page. If you follow the steps in Decouple MCUBoot public key storage and image signing (nrf9160 + MCUBoot), you will end up with this:

This seems exactly what you're asking for. The key generation is decoupled from the application development, and the public key will be put in the correct location automatically.

Could you clarify if I have misunderstood something

Best regards,

Simon

RE: decoupling the placement of public key in mcuboot and signing the image

user84049 — Wed, 04 May 2022 14:06:11 GMT

We cannot use the automated key gen in the nRF connect SDK environment as that puts the private key into the build and increases the probability of a leak.

This is what I have proposed for the decoupling:

1. The core team will generate a private key and public key pair.
The resulting key file with the public key will be used to generate the C Struct for the public key.
I guess we will have to manually place this C struct in the right location and also modify the build so that it does not get overwritten.

A. Question : We should be able use imgtool,py to get the C struct for the ECDSA key type, Is that correct ?

B. Question: How do we manually place this in the build and ensure that it is not overwritten by the existing work flow which is autogenerating the keys ?

2. The C struct file containing the public key is delivered by the core team to the development team.

3. The C struct file is placed in the mcuboot build manually and the hex file is delivered to the factory for programming.

4. The updates to the product are built by the development team and an unsigned image(bin) is generated and delivered to the core team.

5. The core team signs the image and delivers a signed image to the update process through the mobile apps for OTA to the products on the field.

C. Question : How do we manually sign the unsigned image with imgtool to get a signed image and what are the options to be used for it. The ECDSA keys also seem to have padding issues to be dealt with. The correct options to give to imgtool appear important.

Guidance on questions A, B and C are useful.

Thanks for the support
David

RE: decoupling the placement of public key in mcuboot and signing the image

user72692 — Wed, 04 May 2022 12:28:59 GMT

[quote user=""]

I did look at the case below but its solution was a bit hazy.

https://devzone.nordicsemi.com/f/nordic-q-a/80629/decouple-mcuboot-public-key-storage-and-image-signing-nrf9160-mcuboot

Placing the C struct of the public key into the keys.c

[/quote]

This happens automatically by the current build system. What I wrote under "How it currently works" is how the build system automatically signs images (and generates the public key and places it inside keys.c). What I wrote under "How to modify it to get signed externally" is what you have to do in order to decouple the image signing.

This was written 7 months ago, so keep in mind that there may have happen some changes since then.

Best regards,

Simon