Skip to content

Commit d86815a

Browse files
de-nordicannwoj
andcommitted
samples: MCUboot with encryption
Sample based on SMP Server that shows how to build MCUboot with encryption support. Co-authored-by: Anna Wojdylo <[email protected]> Signed-off-by: Dominik Ermel <[email protected]>
1 parent dc286e8 commit d86815a

File tree

17 files changed

+611
-0
lines changed

17 files changed

+611
-0
lines changed

CODEOWNERS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -503,6 +503,7 @@
503503
/samples/dfu/dfu_target/ @nrfconnect/ncs-eris
504504
/samples/dfu/dfu_multi_image/ @nrfconnect/ncs-eris
505505
/samples/dfu/fw_loader/ @nrfconnect/ncs-eris
506+
/samples/dfu/mcuboot_with_encryption/ @nrfconnect/ncs-eris
506507
/samples/dfu/single_slot/ @nrfconnect/ncs-eris
507508
/samples/edge_impulse/ @nrfconnect/ncs-si-muffin
508509
/samples/esb/ @nrfconnect/ncs-si-muffin
@@ -635,6 +636,7 @@
635636
/samples/dfu/dfu_target/*.rst @nrfconnect/ncs-eris-doc
636637
/samples/dfu/dfu_multi_image/*.rst @nrfconnect/ncs-eris-doc
637638
/samples/dfu/fw_loader/**/*.rst @nrfconnect/ncs-eris-doc
639+
/samples/dfu/mcuboot_with_encryption/*.rst @nrfconnect/ncs-eris @nrfconnect/ncs-eris-doc
638640
/samples/dfu/single_slot/*.rst @nrfconnect/ncs-eris-doc
639641
/samples/esb/**/*.rst @nrfconnect/ncs-si-muffin-doc
640642
/samples/edge_impulse/**/*.rst @nrfconnect/ncs-si-muffin-doc

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -711,6 +711,7 @@ DFU samples
711711
* The :ref:`fw_loader_ble_mcumgr` sample that provides a minimal configuration for firmware loading using SMP over Bluetooth LE.
712712
This sample is intended as a starting point for developing custom firmware loader applications that work with the MCUboot bootloader.
713713
* The :ref:`single_slot_sample` sample to demonstrate how to maximize the available space for the application with MCUboot using firmware loader mode (single-slot layout).
714+
* The :ref:`mcuboot_with_encryption` sample demonstrating how to build MCUboot with image encryption enabled.
714715

715716
Edge Impulse samples
716717
--------------------

doc/nrf/samples/other.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,4 +24,5 @@ This section lists single |NCS| samples for various uses that are not part of ot
2424
../../../samples/ironside_se/*/README
2525
../../../tests/benchmarks/multicore/*/README
2626
../../../samples/zephyr/smp_svr_mini_boot/README
27+
../../../samples/dfu/mcuboot_with_encryption/README
2728
../../../samples/basic/*/README
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
#
2+
# Copyright (c) 2025 Nordic Semiconductor ASA
3+
#
4+
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
5+
#
6+
7+
cmake_minimum_required(VERSION 3.20.0)
8+
find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
9+
project(smp_svr)
10+
11+
# Import all sources for SMP Server, as this is the application
12+
# that is being used for demonstrating MCUboot with image encryption
13+
# and DFU of encrypted images.
14+
target_sources(app PRIVATE ${ZEPHYR_BASE}/samples/subsys/mgmt/mcumgr/smp_svr/src/main.c)
15+
target_sources(app PRIVATE ${ZEPHYR_BASE}/samples/subsys/mgmt/mcumgr/smp_svr/src/bluetooth.c)
Lines changed: 187 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,187 @@
1+
.. _mcuboot_with_encryption:
2+
3+
MCUboot with encryption enabled
4+
###############################
5+
6+
.. contents::
7+
:local:
8+
:depth: 2
9+
10+
The MCUboot with encryption enabled sample demonstrates secure device firmware update (DFU) using MCUboot with encryption enabled.
11+
You will learn how to build encrypted images and deploy them to supported development kits, protecting application code from unauthorized access during updates.
12+
This sample does not contain its own application code.
13+
Instead, it focuses on configuring encryption in MCUboot and generating encrypted DFU images.
14+
To provide a working example, the sample uses the :zephyr:code-sample:`smp-svr` project as its application by directly importing the project's sources in the main :file:`CMakeLists.txt` file.
15+
16+
Requirements
17+
************
18+
19+
The sample supports the following development kits:
20+
21+
.. table-from-sample-yaml::
22+
23+
.. note::
24+
25+
On the nRF54LV10 DK, the :zephyr:code-sample:`smp-svr` configuration is trimmed to fit the application slot size.
26+
For the nRF54L15 DK, an overlay is used to increase the size of the MCUboot partition.
27+
It is necessary because the enabled logging features require more space than the default partitioning provides.
28+
29+
Overview
30+
********
31+
32+
This sample provides a practical starting point for using MCUboot with application image encryption enabled.
33+
It walks you through the process of building encrypted firmware images and updating them securely on a supported development kit.
34+
35+
MCUboot in this sample is built with enhanced debug output, making it easier to observe and understand the secure boot process.
36+
For more information on minimal builds and optimization, see the :ref:`MCUboot minimal configuration <mcuboot_minimal_configuration>` documentation.
37+
38+
The firmware update protocol is handled by the :ref:`MCUmgr SMP server<zephyr:mcu_mgr>`, so you can use all related configuration options.
39+
40+
Platform-specific information
41+
=============================
42+
43+
The nRF54L Series platforms use the following cryptographic algorithms:
44+
45+
* ED25519 for digital signature verification.
46+
* X25519 for securely exchanging AES encryption keys during image updates.
47+
48+
.. _mcuboot_with_encryption_config:
49+
50+
Configuration
51+
*************
52+
53+
|config|
54+
55+
Configuration options
56+
=====================
57+
58+
You can use the following Kconfig options to configure the sample:
59+
60+
* :kconfig:option:`CONFIG_FPROTECT` - This option is disabled by default.
61+
It enables flash protection for the MCUboot code.
62+
You can disable it for development and enable it for production purposes to prevent MCUboot overwriting at runtime.
63+
* :kconfig:option:`CONFIG_MCUBOOT_LOG_LEVEL_DBG` - This option is enabled by default.
64+
It allows you to easily verify that MCUboot is starting up.
65+
Disable it for production builds.
66+
* :kconfig:option:`CONFIG_BOOT_SWAP_SAVE_ENCTLV` - Enable this option in the MCUboot configuration if you are performing DFU to an external storage device.
67+
This ensures that the random AES key used for the currently swapped image is not exposed.
68+
* :kconfig:option:`SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE` - MCUboot uses a default encryption key.
69+
To override it, adjust this option by setting a path to your custom encryption key file.
70+
* :kconfig:option:`CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION` - Use this option to set the application image version for software updates.
71+
72+
To configure the sample to use KMU crypto storage, add ``-DSB_EXTRA_CONF_FILE=kmu.sysbuild.conf`` to the build command line.
73+
This option brings in sysbuild configuration file that selects two additional options:
74+
75+
* :kconfig:option:`SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU` - This option enables KMU support.
76+
* :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` - This option uses the build system to generate and prepare a bundle of default KMU keys to be used with the sample.
77+
Do not use this option in a production build.
78+
79+
Signature key
80+
*************
81+
82+
Even with encryption enabled, MCUboot relies on signature keys to verify images at each boot.
83+
On some devices, you can store the public signature key in one of the following ways:
84+
85+
* Compile it into the device firmware.
86+
* Use the crypto storage.
87+
88+
If your application is not using crypto storage, you can set a key with the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` Kconfig option.
89+
In this case, MCUboot can only use one signature key file compiled into the firmware.
90+
91+
On devices that store keys in crypto storage, the number of stored keys depends on the specific device and may range from one to several.
92+
Typically, three slots are reserved for storing MCUboot signature keys.
93+
To use MCUboot with crypto storage, you must provision a set of keys to the device in addition to compiling in support for crypto storage.
94+
If you use KMU for signature key storage, follow the instructions in :ref:`ug_nrf54l_developing_provision_kmu` to provision the keys.
95+
96+
Security considerations
97+
***********************
98+
99+
See the list of best practices, security-related options, and recommended settings when configuring the sample:
100+
101+
* For secure production builds, enable the :kconfig:option:`CONFIG_FPROTECT` and :kconfig:option:`CONFIG_BOOT_SWAP_SAVE_ENCTLV` Kconfig options.
102+
For production builds, it is recommended to manage keys independently rather than rely on the :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`.
103+
See the :ref:`mcuboot_with_encryption_config` section for details.
104+
* MCUmgr's shell is enabled by default, allowing you to manage commands using a serial terminal.
105+
* MCUboot accepts unencrypted images in the secondary slot if signature verification passes.
106+
For higher security, use encrypted images wherever possible.
107+
* KMU key handling:
108+
109+
* By default, KMU is not used to store keys in MCUboot.
110+
* If KMU is enabled, the asymmetric private key used for transport encryption of the random AES key is still compiled into MCUboot in plain text.
111+
Use hardware-backed key storage in production.
112+
* Do not leave encryption keys or private keys in plain text inside the MCUboot binary.
113+
114+
Building and running
115+
********************
116+
117+
.. |sample path| replace:: :file:`samples/dfu/mcuboot_with_encryption`
118+
119+
.. include:: /includes/build_and_run.txt
120+
121+
By default, the sample builds without KMU support, and the encryption key is embedded within the MCUboot binary.
122+
To see the encryption workflow, you must build two application images with different version numbers (for example, set the :kconfig:option:`CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION` Kconfig option to ``1.0.0`` and ``2.0.0``), using separate build directories.
123+
124+
Testing
125+
=======
126+
127+
After programming the device with the first image, verify its functionality:
128+
129+
1. Connect to the device's serial console.
130+
#. Reset the device.
131+
#. Observe the boot output confirming successful start of the SMP Server application:
132+
133+
.. code-block:: console
134+
135+
*** Booting MCUboot v2.3.0-dev-0d263faf6e55 ***
136+
*** Using nRF Connect SDK v3.1.99-4f1d50b83bfb ***
137+
*** Using Zephyr OS v4.2.99-164b47d30942 ***
138+
139+
*** Booting nRF Connect SDK v3.1.99-4f1d50b83bfb ***
140+
*** Using Zephyr OS v4.2.99-164b47d30942 ***
141+
[00:00:00.075,512] <inf> bt_sdc_hci_driver: SoftDevice Controller build revision:
142+
9d dc 12 f9 d0 01 5e 7e af 5b 84 59 45 12 69 4e
143+
|......^~ .[.YE.iN
144+
5e dc 0b 2f |^../
145+
[00:00:00.076,807] <inf> bt_hci_core: HW Platform: Nordic Semiconductor (0x0002)
146+
[00:00:00.076,822] <inf> bt_hci_core: HW Variant: nRF54Lx (0x0005)
147+
[00:00:00.076,836] <inf> bt_hci_core: Firmware: Standard Bluetooth controller (0x00) Version
148+
157.4828 Build 1577177337
149+
[00:00:00.077,217] <inf> bt_hci_core: HCI transport: SDC
150+
[00:00:00.077,269] <inf> bt_hci_core: Identity: C0:0A:89:ED:8F:B9 (random)
151+
[00:00:00.077,285] <inf> bt_hci_core: HCI: version 6.1 (0x0f) revision 0x30c0, manufacturer 0x0059
152+
[00:00:00.077,299] <inf> bt_hci_core: LMP: version 6.1 (0x0f) subver 0x30c0
153+
[00:00:00.077,765] <inf> smp_bt_sample: Advertising successfully started
154+
155+
#. To test encrypted updates, upload the second (encrypted) image using any supported method, such as MCUmgr over Bluetooth, serial shell, or another DFU transport.
156+
For more information on DFU, see the :ref:`Zephyr Device Firmware Upgrade documentation <zephyr:dfu>`.
157+
#. After uploading the image, mark the new image for test.
158+
#. On reboot, verify that the new firmware version is running.
159+
If the image is not confirmed, the bootloader will revert to the previous version.
160+
The image will then be re-encrypted if swapped out of the boot slot.
161+
162+
.. note::
163+
164+
This sample also accepts unencrypted firmware updates.
165+
If you upload an unencrypted and properly signed image, MCUboot will successfully boot it.
166+
167+
Further information on image encryption and generating keys
168+
===========================================================
169+
170+
More information on MCUboot support for image encryption can be found in the :ref:`mcuboot_wrapper` section under Encrypted images.
171+
Users should familiarize themselves with this section, as they will need to generate their own keys for encryption key exchange.
172+
173+
.. note::
174+
175+
The keys used in this sample are publicly known.
176+
Do not use them in your product under any circumstances.
177+
178+
To learn how to upload custom keys to KMU, see the :ref:`ug_nrf54l_dfu_config` documentation page.
179+
180+
Dependencies
181+
************
182+
183+
The sample depends on following subsystems and libraries:
184+
185+
* :ref:`MCUboot <mcuboot_index_ncs>`
186+
* :ref:`zephyr:mcu_mgr`
187+
* :ref:`nrf_security`
Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
/*
2+
* Copyright (c) 2025 Nordic Semiconductor ASA
3+
*
4+
* SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
5+
*/
6+
7+
/delete-node/ &boot_partition;
8+
/delete-node/ &slot0_partition;
9+
/delete-node/ &slot1_partition;
10+
11+
&cpuapp_rram {
12+
partitions {
13+
boot_partition: partition@0 {
14+
label = "mcuboot";
15+
reg = < 0x0 0x12000 >;
16+
};
17+
18+
slot0_partition: partition@12000 {
19+
label = "image-0";
20+
reg = < 0x12000 0xa5000 >;
21+
};
22+
23+
slot1_partition: partition@b7000 {
24+
label = "image-1";
25+
reg = < 0xb7000 0xa5000 >;
26+
};
27+
};
28+
};
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# Cutting down some of the features to fit onto the platform.
2+
CONFIG_STATS=n
3+
CONFIG_STATS_NAMES=n
4+
5+
# Disable the LittleFS file system.
6+
CONFIG_FILE_SYSTEM=n
7+
CONFIG_FILE_SYSTEM_LITTLEFS=n
8+
9+
# Disable file system commands
10+
CONFIG_MCUMGR_GRP_FS=n
11+
12+
# Disable shell commands that are not needed
13+
CONFIG_CLOCK_CONTROL_NRF_SHELL=n
14+
CONFIG_DEVICE_SHELL=n
15+
CONFIG_DEVMEM_SHELL=n
16+
CONFIG_FLASH_SHELL=n
17+
18+
CONFIG_MCUMGR_GRP_OS_TASKSTAT=n
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
#
2+
# Copyright (c) 2025 Nordic Semiconductor ASA
3+
#
4+
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
5+
#
6+
7+
# Use KMU for crypto storage of signature keys.
8+
SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
9+
10+
# The below kconfig enables build generate default KMU key file bundle,
11+
# to be programmed to a device when sample is programmed with:
12+
# west flash --erase -d <build_dir>
13+
# You should not use the option in production build as
14+
# you are expected to have full control over key files.
15+
SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
#
2+
# Copyright (c) 2025 Nordic Semiconductor ASA
3+
#
4+
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
5+
#
6+
7+
CONFIG_BT=y
8+
CONFIG_BT_PERIPHERAL=y
9+
10+
# Allow for large Bluetooth data packets.
11+
CONFIG_BT_L2CAP_TX_MTU=498
12+
CONFIG_BT_BUF_ACL_RX_SIZE=502
13+
CONFIG_BT_BUF_ACL_TX_SIZE=502
14+
CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
15+
16+
# Enable the Bluetooth mcumgr transport (unauthenticated).
17+
CONFIG_MCUMGR_TRANSPORT_BT=y
18+
CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
19+
20+
# Enable the Shell mcumgr transport.
21+
CONFIG_BASE64=y
22+
CONFIG_CRC=y
23+
CONFIG_SHELL=y
24+
CONFIG_SHELL_BACKEND_SERIAL=y
25+
CONFIG_MCUMGR_TRANSPORT_SHELL=y
26+
27+
# Enable the mcumgr Packet Reassembly feature over Bluetooth and its configuration dependencies.
28+
# MCUmgr buffer size is optimized to fit one SMP packet divided into five Bluetooth Write Commands,
29+
# transmitted with the maximum possible MTU value: 498 bytes.
30+
CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
31+
CONFIG_MCUMGR_TRANSPORT_NETBUF_SIZE=2475
32+
CONFIG_MCUMGR_GRP_OS_MCUMGR_PARAMS=y
33+
CONFIG_MCUMGR_TRANSPORT_WORKQUEUE_STACK_SIZE=4608
34+
35+
# Enable the LittleFS file system.
36+
CONFIG_FILE_SYSTEM=y
37+
CONFIG_FILE_SYSTEM_LITTLEFS=y
38+
39+
# Enable file system commands
40+
CONFIG_MCUMGR_GRP_FS=y
41+
42+
# Enable the storage erase command.
43+
CONFIG_MCUMGR_GRP_ZBASIC=y
44+
CONFIG_MCUMGR_GRP_ZBASIC_STORAGE_ERASE=y
45+
46+
# Disable Bluetooth ping support
47+
CONFIG_BT_CTLR_LE_PING=n
48+
49+
# Disable shell commands that are not needed
50+
CONFIG_CLOCK_CONTROL_NRF_SHELL=n
51+
CONFIG_DEVICE_SHELL=n
52+
CONFIG_DEVMEM_SHELL=n
53+
CONFIG_FLASH_SHELL=n

0 commit comments

Comments
 (0)