From 8563e7bdf4d4be63e52601b0fbd5557e28561454 Mon Sep 17 00:00:00 2001
From: xengineering <me@xengineering.eu>
Date: Mon, 24 Feb 2025 20:36:52 +0100
Subject: fw: Use custom MCUboot signing key

Using the MCUboot default key adds nearly not security at all.
---
 README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index dd640d3..64da043 100644
--- a/README.md
+++ b/README.md
@@ -5,12 +5,25 @@ Furthermore roller shutter motors should be controlled.
 
 ## Usage
 
-The content of this repository can be build with CMake and Ninja.
+The firmware for iot-contact is cryptographically signed to only allow the
+device booting a firmware from a trusted source. The required key with both the
+private and the public part can be generated like this:
 
 ```
-cmake -Bbuild -GNinja
+./fw/zephyrproject/bootloader/mcuboot/scripts/imgtool.py \
+    keygen \
+    --key ~/mcuboot/key.pem \
+    --type ed25519
+```
+
+The content of this repository can be build with CMake and Ninja. The signing
+key is passed to include the public part into the bootloader and used to sign
+the application firmware:
+
+```
+cmake -Bbuild -GNinja -DKEY=~/mcuboot/key.pem
 ninja -C build
-./fw/sign.sh
+./fw/sign.sh ~/mcuboot/key.pem
 ```
 
 Exported files related to the printed circuit board (PCB) can be found in the
-- 
cgit v1.2.3-70-g09d2