diff options
| -rw-r--r-- | README.md | 19 | ||||
| -rw-r--r-- | fw/CMakeLists.txt | 2 | ||||
| -rwxr-xr-x | fw/sign.sh | 15 | ||||
| -rw-r--r-- | fw/zephyrproject/bootloader/bootloader.conf | 1 |
4 files changed, 31 insertions, 6 deletions
@@ -5,12 +5,25 @@ Furthermore roller shutter motors should be controlled. ## Usage -The content of this repository can be build with CMake and Ninja. +The firmware for iot-contact is cryptographically signed to only allow the +device booting a firmware from a trusted source. The required key with both the +private and the public part can be generated like this: ``` -cmake -Bbuild -GNinja +./fw/zephyrproject/bootloader/mcuboot/scripts/imgtool.py \ + keygen \ + --key ~/mcuboot/key.pem \ + --type ed25519 +``` + +The content of this repository can be build with CMake and Ninja. The signing +key is passed to include the public part into the bootloader and used to sign +the application firmware: + +``` +cmake -Bbuild -GNinja -DKEY=~/mcuboot/key.pem ninja -C build -./fw/sign.sh +./fw/sign.sh ~/mcuboot/key.pem ``` Exported files related to the printed circuit board (PCB) can be found in the diff --git a/fw/CMakeLists.txt b/fw/CMakeLists.txt index 8c229e0..1d90178 100644 --- a/fw/CMakeLists.txt +++ b/fw/CMakeLists.txt @@ -24,6 +24,8 @@ ExternalProject_Add( CMAKE_ARGS "-DBOARD=${BOARD}" "-DZEPHYR_MODULES=${ZEPHYR_MODULES_COMMA}" + "-DEXTRA_CONF_FILE=${CMAKE_CURRENT_SOURCE_DIR}/zephyrproject/bootloader/bootloader.conf" + -DCONFIG_BOOT_SIGNATURE_KEY_FILE="${KEY}" ) find_package(Zephyr @@ -12,15 +12,24 @@ set -euf ROOT="$(dirname "$0")" MCUBOOT="${ROOT}/zephyrproject/bootloader/mcuboot" IMGTOOL="${MCUBOOT}/scripts/imgtool.py" -KEY="${MCUBOOT}/root-rsa-2048.pem" INPUT="${ROOT}/../build/fw/zephyr/zephyr.bin" OUTPUT="${INPUT}.signed" +if test $# -ne 1 +then + echo "Please provide the path to the MCUboot signing key as single argument." + exit 1 +fi + +key="$1" + python $IMGTOOL sign \ --version 0.0.0 \ --header-size 0x200 \ --slot-size 0xc0000 \ - --key "${KEY}" \ + --key "${key}" \ "${INPUT}" \ - "${OUTPUT}" + "${OUTPUT}" > /dev/null + +echo "Signed application firmware: ${OUTPUT}" diff --git a/fw/zephyrproject/bootloader/bootloader.conf b/fw/zephyrproject/bootloader/bootloader.conf new file mode 100644 index 0000000..e70e50e --- /dev/null +++ b/fw/zephyrproject/bootloader/bootloader.conf @@ -0,0 +1 @@ +CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y |