2021-01-29 03:11 AM
I have signature of my user app and user app in .bin format.
if i have to use only these two inputs, what modification i need to do in SBSFU? and under what files?
i dont want to use post built .bat and prebuilt.bat.
i am using Single slot image example for stm32f407.
Regards,
Vrund
2021-01-29 05:53 AM
Hi Vrund,
The prebuild is just updating the keys in the SBSFU. You can deactivate it in your IDE.
Regarding postbuild, this is mandatory to launch it.
The signature will change each time you change one bit in your application.
So, no way to avoid it.
Best regards
Jocelyn
2021-01-31 07:30 PM
Hello Jocelyn,
May be i haven't explain the situation in a proper manner.
Now I have a PKI system in our organization.
I have to use this system and as per system,
It will give me Public key that I can integrate in ST code.
But it wont provide private key.(.txt or .pem format)
It provides directly the signature(hashed+signed) file of my Binary application.
If I change my application I can create new signature file. That is not a problem here.
I also don't want use encryption(AES key: as it is not provided by our PKI system)
So with signature(one file) and my use app (.bin file) how can I leverage the SBSFU bootloader?
Is it possible to use sbsfu(with modification) in such case?
Postbuild.bat script does many(encrypt, signature, packaging, header generation) things as I have gone through video link that you have earlier provided.
Regards,
Vrund
2021-02-01 12:37 PM
Hello Vrund,
I would advice you look at the last slides of this video : https://www.youtube.com/watch?v=MDgstQdtf9A&list=PLnMKNibPkDnGd7J7fV7tr-4xIBwkNfD--&index=4
At around 34:20
You can see that private key is use to sign the hash of the header only.
One possible solution I can see it that you are first using the normal postbuild script using a fake private key.
Then write some code that reads the header content, computes the same hash (SHA256) and get it signed by your company tool.
Then replace the fake signature by that one.
This requires some coding, but this way you don't impact SBSFU code in any way.
Best regards
Jocelyn
2021-02-09 02:06 AM
Hello Jocelyn,
If i have to use only signature verification (binary file signed(hash + signed with private key) by PKI system)
what part of the SBSFU i need to modify.
can modifying sfu_boot will work?
static void (* fnStateMachineTable[])(void) = {SFU_BOOT_SM_CheckStatusOnReset,
#if (SECBOOT_LOADER == SECBOOT_USE_LOCAL_LOADER) || (SECBOOT_LOADER == SECBOOT_USE_STANDALONE_LOADER)
SFU_BOOT_SM_CheckNewFwToDownload,
SFU_BOOT_SM_DownloadNewUserFw,
#endif /* (SECBOOT_LOADER == SECBOOT_USE_LOCAL_LOADER) || (SECBOOT_LOADER == SECBOOT_USE_STANDALONE_LOADER) */
SFU_BOOT_SM_CheckUserFwStatus,/**commenting part /
SFU_BOOT_SM_VerifyUserFwSignature,/*this will only check binary file signature*/
SFU_BOOT_SM_ExecuteUserFw,
SFU_BOOT_SM_HandleCriticalFailure,
SFU_BOOT_SM_RebootStateMachine
};
Regards,
vrund
2021-02-09 09:16 AM
Hello Vrund,
At boot time the SBSFU only checks signature.
No need to change anything.
Now if you don't want to encrypt the update firmware file you just need to change the crypto scheme in se_crypto_config.h
Best regards
Jocelyn