Skip to content

Use a different key to sign Non-secure image for ARM_MUSCA_B1 target #13285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 14, 2020
Merged

Use a different key to sign Non-secure image for ARM_MUSCA_B1 target #13285

merged 1 commit into from
Jul 14, 2020

Conversation

jainvikas8
Copy link
Contributor

Summary of changes

MCUBOOT has been upgraded to image 2, therefore the Non-secure image
needs to be signed with its own private key, which is validated during
boot.

MCUBOOT_REPO: 'UPSTREAM'
MCUBOOT_IMAGE_NUMBER: '2'
MCUBOOT_UPGRADE_STRATEGY: 'OVERWRITE_ONLY'
MCUBOOT_HW_KEY: 'On' (default)

The private key is been imported from - https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/bl2/ext/mcuboot/root-rsa-3072_1.pem

Impact of changes

These changes impact only the ARM_MUSCA_B1 target.

Migration actions required

Documentation

Pull request type 

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results 

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers

@jainvikas8
tool: Use a different key to sign Non-secure image
486e72a 
This applies only to `ARM_MUSCA_B1` target
When MCUBOOT repo: UPSTREAM was set as default as part of TF-M 1.1
release, few things were changed:
MCUBOOT_IMAGE_NUMBER: '2'
MCUBOOT_UPGRADE_STRATEGY: 'OVERWRITE_ONLY'
MCUBOOT_HW_KEY: 'On'(default)

Therefore the signing strategy for Non-secure image (Mbed OS)
needs to be done with its own private key, which is validated during
boot.

Signed-off-by: Vikas Katariya <[email protected]>
Patater
Patater approved these changes Jul 13, 2020
View reviewed changes
Copy link
Contributor

@Patater Patater left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mergify mergify bot added the needs: CI label Jul 13, 2020
@mbed-ci
Copy link

mbed-ci commented Jul 13, 2020

Test run: SUCCESS

Summary: 6 of 6 test jobs passed
Build number : 1
Build artifacts

@jamesbeyond
Copy link
Contributor

jamesbeyond commented Jul 14, 2020
edited
Loading

maybe a silly question: but is publish the private key expected here ? @0xc0170 @jainvikas8

@jainvikas8
Copy link
Contributor Author

maybe a silly question: but is publish the private key expected here ? @0xc0170 @jainvikas8

We already have many private keys - https://github.com/ARMmbed/mbed-os/tree/master/tools/targets , Ideally I'd not expect it, but we have a note saying don't use it in production.

@0xc0170 0xc0170 added the release-type: patch Indentifies a PR as containing just a patch label Jul 14, 2020
@0xc0170
Copy link
Contributor

0xc0170 commented Jul 14, 2020

Approved for 6.2, I'll merge now

@0xc0170 0xc0170 merged commit 851c887 into ARMmbed:master Jul 14, 2020
@mergify mergify bot removed the ready for merge label Jul 14, 2020
@adbridge adbridge added release-version: 6.2.0 Release-pending and removed release-type: patch Indentifies a PR as containing just a patch Release-pending labels Jul 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Patater Patater Patater approved these changes

@0xc0170 0xc0170 0xc0170 approved these changes

Assignees
No one assigned
Labels
release-version: 6.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jainvikas8 @mbed-ci @jamesbeyond @0xc0170 @Patater @adbridge