From 8563e7bdf4d4be63e52601b0fbd5557e28561454 Mon Sep 17 00:00:00 2001
From: xengineering
Date: Mon, 24 Feb 2025 20:36:52 +0100
Subject: fw: Use custom MCUboot signing key

Using the MCUboot default key adds nearly not security at all.
---
 README.md | 19 ++++++++++++++++---
 fw/CMakeLists.txt | 2 ++
 fw/sign.sh | 15 ++++++++++++---
 fw/zephyrproject/bootloader/bootloader.conf | 1 +
 4 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 fw/zephyrproject/bootloader/bootloader.conf

diff --git a/README.md b/README.md
index dd640d3..64da043 100644
--- a/README.md
+++ b/README.md
@@ -5,12 +5,25 @@ Furthermore roller shutter motors should be controlled.
 
 ## Usage
 
-The content of this repository can be build with CMake and Ninja.
+The firmware for iot-contact is cryptographically signed to only allow the
+device booting a firmware from a trusted source. The required key with both the
+private and the public part can be generated like this:
 
 ```
-cmake -Bbuild -GNinja
+./fw/zephyrproject/bootloader/mcuboot/scripts/imgtool.py \
+ keygen \
+ --key ~/mcuboot/key.pem \
+ --type ed25519
+```
+
+The content of this repository can be build with CMake and Ninja. The signing
+key is passed to include the public part into the bootloader and used to sign
+the application firmware:
+
+```
+cmake -Bbuild -GNinja -DKEY=~/mcuboot/key.pem
 ninja -C build
-./fw/sign.sh
+./fw/sign.sh ~/mcuboot/key.pem
 ```
 
 Exported files related to the printed circuit board (PCB) can be found in the
diff --git a/fw/CMakeLists.txt b/fw/CMakeLists.txt
index 8c229e0..1d90178 100644
--- a/fw/CMakeLists.txt
+++ b/fw/CMakeLists.txt
@@ -24,6 +24,8 @@ ExternalProject_Add(
 CMAKE_ARGS
 "-DBOARD=${BOARD}"
 "-DZEPHYR_MODULES=${ZEPHYR_MODULES_COMMA}"
+ "-DEXTRA_CONF_FILE=${CMAKE_CURRENT_SOURCE_DIR}/zephyrproject/bootloader/bootloader.conf"
+ -DCONFIG_BOOT_SIGNATURE_KEY_FILE="${KEY}"
 )
 
 find_package(Zephyr
diff --git a/fw/sign.sh b/fw/sign.sh
index 343a038..2ae31bb 100755
--- a/fw/sign.sh
+++ b/fw/sign.sh
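Review bot: `KEY` reaches the bootloader build through the added `-DCONFIG_BOOT_SIGNATURE_KEY_FILE="${KEY}"` line in fw/CMakeLists.txt without any check that it was set or names an existing file. When `-DKEY=...` is omitted the option is forwarded with an empty value, and what the MCUboot build does with that is not visible in this hunk; since the point of the commit is to stop relying on the default key, the configure step should fail instead. A guard placed before the `ExternalProject_Add(` call (which starts outside the hunk) would do: `if(NOT EXISTS "${KEY}")`, `message(FATAL_ERROR "Pass -DKEY=<absolute path to the MCUboot signing key>")`, `endif()`. The same check also rejects a path the shell left unexpanded, which can happen with a leading `~` inside `-DKEY=~/...`.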
@@ -12,15 +12,24 @@ set -euf ROOT="$(dirname "$0")" MCUBOOT="${ROOT}/zephyrproject/bootloader/mcuboot" IMGTOOL="${MCUBOOT}/scripts/imgtool.py" -KEY="${MCUBOOT}/root-rsa-2048.pem" INPUT="${ROOT}/../build/fw/zephyr/zephyr.bin" OUTPUT="${INPUT}.signed" +if test $# -ne 1 +then + echo "Please provide the path to the MCUboot signing key as single argument." + exit 1 +fi + +key="$1" + python $IMGTOOL sign \ --version 0.0.0 \ --header-size 0x200 \ --slot-size 0xc0000 \ - --key "${KEY}" \ + --key "${key}" \ "${INPUT}" \ - "${OUTPUT}" + "${OUTPUT}" > /dev/null + +echo "Signed application firmware: ${OUTPUT}" diff --git a/fw/zephyrproject/bootloader/bootloader.conf b/fw/zephyrproject/bootloader/bootloader.conf new file mode 100644 index 0000000..e70e50e --- /dev/null +++ b/fw/zephyrproject/bootloader/bootloader.conf @@ -0,0 +1 @@ +CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y -- cgit v1.2.3-70-g09d2
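Review bot: The argument check added before `key="$1"` in fw/sign.sh writes its usage message to stdout and never verifies that the argument is a readable file, so a mistyped path surfaces only as an imgtool error. Send the message to stderr with `echo "..." >&2` and add `test -r "${key}" || { echo "Cannot read signing key: ${key}" >&2; exit 1; }` after the assignment. The script and the CMake `KEY` variable receive the key path independently; a short comment stating that both must name the same key file would help, since an image signed with a different key is presumably rejected by the bootloader only at boot, not at build time.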
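Review bot: `CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y` in the new bootloader.conf has to agree with the `--type ed25519` used for `imgtool.py keygen` in the README, but nothing in the file says so. A comment line such as `# Key type must match the key generated with imgtool keygen --type ed25519 (see README.md)` above the option would keep the two from drifting apart.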