From 8563e7bdf4d4be63e52601b0fbd5557e28561454 Mon Sep 17 00:00:00 2001
From: xengineering <me@xengineering.eu>
Date: Mon, 24 Feb 2025 20:36:52 +0100
Subject: fw: Use custom MCUboot signing key

Using the MCUboot default key adds nearly not security at all.
---
 fw/CMakeLists.txt                           |  2 ++
 fw/sign.sh                                  | 15 ++++++++++++---
 fw/zephyrproject/bootloader/bootloader.conf |  1 +
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 fw/zephyrproject/bootloader/bootloader.conf

(limited to 'fw')

diff --git a/fw/CMakeLists.txt b/fw/CMakeLists.txt
index 8c229e0..1d90178 100644
--- a/fw/CMakeLists.txt
+++ b/fw/CMakeLists.txt
@@ -24,6 +24,8 @@ ExternalProject_Add(
 	CMAKE_ARGS
 		"-DBOARD=${BOARD}"
 		"-DZEPHYR_MODULES=${ZEPHYR_MODULES_COMMA}"
+		"-DEXTRA_CONF_FILE=${CMAKE_CURRENT_SOURCE_DIR}/zephyrproject/bootloader/bootloader.conf"
+		-DCONFIG_BOOT_SIGNATURE_KEY_FILE="${KEY}"
 )
 
 find_package(Zephyr
diff --git a/fw/sign.sh b/fw/sign.sh
index 343a038..2ae31bb 100755
--- a/fw/sign.sh
+++ b/fw/sign.sh
@@ -12,15 +12,24 @@ set -euf
 ROOT="$(dirname "$0")"
 MCUBOOT="${ROOT}/zephyrproject/bootloader/mcuboot"
 IMGTOOL="${MCUBOOT}/scripts/imgtool.py"
-KEY="${MCUBOOT}/root-rsa-2048.pem"
 INPUT="${ROOT}/../build/fw/zephyr/zephyr.bin"
 OUTPUT="${INPUT}.signed"
 
 
+if test $# -ne 1
+then
+	echo "Please provide the path to the MCUboot signing key as single argument."
+	exit 1
+fi
+
+key="$1"
+
 python $IMGTOOL sign \
 	--version 0.0.0 \
 	--header-size 0x200 \
 	--slot-size 0xc0000 \
-	--key "${KEY}" \
+	--key "${key}" \
 	"${INPUT}" \
-	"${OUTPUT}"
+	"${OUTPUT}" > /dev/null
+
+echo "Signed application firmware: ${OUTPUT}"
diff --git a/fw/zephyrproject/bootloader/bootloader.conf b/fw/zephyrproject/bootloader/bootloader.conf
new file mode 100644
index 0000000..e70e50e
--- /dev/null
+++ b/fw/zephyrproject/bootloader/bootloader.conf
@@ -0,0 +1 @@
+CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
-- 
cgit v1.2.3-70-g09d2