@DaBs
Created May 30, 2025 10:49
nRF pass fixed signature option to MCUBoot
diff --git a/cmake/sysbuild/b0_mcuboot_signing.cmake b/cmake/sysbuild/b0_mcuboot_signing.cmake
index f9b205da0..4abb3b26c 100644
--- a/cmake/sysbuild/b0_mcuboot_signing.cmake
+++ b/cmake/sysbuild/b0_mcuboot_signing.cmake
@@ -12,6 +12,7 @@
function(ncs_secure_boot_mcuboot_sign application bin_files signed_targets prefix)
set(keyfile "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
+ string(CONFIGURE "${keyfile}" keyfile)
# Find imgtool. Even though west is installed, imgtool might not be.
# The user may also have a custom manifest which doesn't include
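Review bot: The new `string(CONFIGURE "${keyfile}" keyfile)` turns an unresolved reference into an empty string, so a Kconfig value such as `${MY_KEY_DIR}/priv.pem` with a misspelled or unset variable name silently yields an empty keyfile, and the `if(NOT "${keyfile}" STREQUAL "")` guard further down this function then drops the `-k` argument instead of failing. Add a check right after the expansion: `if(NOT "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}" STREQUAL "" AND "${keyfile}" STREQUAL "")` / `message(FATAL_ERROR "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE '${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}' expanded to an empty path")` / `endif()`. The same silent-empty behaviour applies to the `string(CONFIGURE)` calls added in debug_keys.cmake, image_signing.cmake (both keyfile and keyfile_enc) and sign.cmake (public key and custom sign command), and the same guard shape fits each of them. `ncs_secure_boot_mcuboot_sign` continues past the end of this hunk.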
@@ -41,12 +42,24 @@ function(ncs_secure_boot_mcuboot_sign application bin_files signed_targets prefi
string(TOUPPER "${application}" application_uppercase)
set(imgtool_sign ${PYTHON_EXECUTABLE} ${imgtool_path} sign --version ${SB_CONFIG_SECURE_BOOT_MCUBOOT_VERSION} --align 4 --slot-size $<TARGET_PROPERTY:partition_manager,${prefix}PM_${application_uppercase}_SIZE> --pad-header --header-size ${SB_CONFIG_PM_MCUBOOT_PAD})
- if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
- set(imgtool_extra --security-counter ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
+ # Arguments to imgtool.
+ if(NOT SB_CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "")
+ # Separate extra arguments into the proper format for adding to
+ # extra_post_build_commands.
+ #
+ # Use UNIX_COMMAND syntax for uniform results across host
+ # platforms.
+ set(imgtool_extra "${SB_CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}")
+ string(CONFIGURE "${imgtool_extra}" imgtool_extra)
+ separate_arguments(imgtool_extra UNIX_COMMAND ${imgtool_extra})
else()
set(imgtool_extra)
endif()
+ if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
+ set(imgtool_extra --security-counter ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE} ${imgtool_extra})
+ endif()
+
if(NOT "${keyfile}" STREQUAL "")
set(imgtool_extra -k "${keyfile}" ${imgtool_extra})
endif()
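Review bot: `if(NOT SB_CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS STREQUAL "")` compares an unquoted name, so when that Kconfig symbol is not defined in the sysbuild configuration the token is compared as the literal string, the branch is taken, and `separate_arguments` runs on an empty expansion; write it as `if(NOT "${SB_CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}" STREQUAL "")`. On the following `separate_arguments(imgtool_extra UNIX_COMMAND ${imgtool_extra})`, quote the argument (`"${imgtool_extra}"`) so a `;` produced by the expansion is handled by UNIX_COMMAND parsing rather than CMake list splitting; the equivalent line in the image_signing.cmake hunk has the same unquoted form. The reordering now places `--security-counter` ahead of the user's extra arguments, so a user-supplied `--security-counter` in EXTRA_IMGTOOL_ARGS follows the Kconfig-derived one and which value imgtool honours depends on its argument parser; a one-line comment stating that the Kconfig counter is intended to take precedence (or that extras must not repeat it) would make the intent checkable. The function continues beyond this hunk.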
diff --git a/cmake/sysbuild/debug_keys.cmake b/cmake/sysbuild/debug_keys.cmake
index af94348d0..94eff63b9 100644
--- a/cmake/sysbuild/debug_keys.cmake
+++ b/cmake/sysbuild/debug_keys.cmake
@@ -47,11 +47,13 @@ if(NOT SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM AND "${SB_CONFIG_SECURE_BOOT_SIGNING
)
set(SIGN_KEY_FILE_DEPENDS debug_sign_key_target)
else()
- if(IS_ABSOLUTE ${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
- set(SIGNATURE_PRIVATE_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
+ set(keyfile "${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE}")
+ string(CONFIGURE "${keyfile}" keyfile)
+ if(IS_ABSOLUTE ${keyfile})
+ set(SIGNATURE_PRIVATE_KEY_FILE ${keyfile})
else()
# Resolve path relative to the application configuration directory.
- set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
+ set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${keyfile})
endif()
if(NOT EXISTS ${SIGNATURE_PRIVATE_KEY_FILE})
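Review bot: `if(IS_ABSOLUTE ${keyfile})` and the two `set(SIGNATURE_PRIVATE_KEY_FILE ...)` lines expand the newly configured value unquoted, so a path that contains a space after expansion (for example one built from `$ENV{HOME}` or a Windows profile directory) is split into several arguments, and an empty expansion leaves `IS_ABSOLUTE` with no operand. Quote them: `if(IS_ABSOLUTE "${keyfile}")`, `set(SIGNATURE_PRIVATE_KEY_FILE "${keyfile}")` and `set(SIGNATURE_PRIVATE_KEY_FILE "${APPLICATION_CONFIG_DIR}/${keyfile}")`. The enclosing if/else block starts above this hunk and the `EXISTS` check that follows it also uses the unquoted form.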
diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake
index c59681b8f..a109258fe 100644
--- a/cmake/sysbuild/image_signing.cmake
+++ b/cmake/sysbuild/image_signing.cmake
@@ -19,6 +19,8 @@ endfunction()
function(zephyr_mcuboot_tasks)
set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
+ string(CONFIGURE "${keyfile}" keyfile)
+ string(CONFIGURE "${keyfile_enc}" keyfile_enc)
if(NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}")
# Check for misconfiguration.
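Review bot: Nothing in this hunk documents what syntax the key-file Kconfig values may now contain, and `string(CONFIGURE)` follows `configure_file()` rules, which expand `@VAR@`, `${VAR}`, `$CACHE{VAR}` and `$ENV{VAR}` references once at configure time. Add a comment above the two new lines along the lines of `# Key paths from Kconfig are configure_file()-style templates: ${VAR}, @VAR@, $ENV{VAR} and $CACHE{VAR} are expanded once here, at configure time; an unset reference becomes empty.` so readers and the Kconfig help text agree on the contract. If only `@VAR@` substitution is intended, passing `@ONLY` would keep a literal `${` in a path untouched, but that narrows what the b0_mcuboot_signing.cmake and sign.cmake hunks accept as well, so it should be a deliberate choice. `zephyr_mcuboot_tasks` continues beyond this hunk.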
@@ -85,7 +87,9 @@ function(zephyr_mcuboot_tasks)
#
# Use UNIX_COMMAND syntax for uniform results across host
# platforms.
- separate_arguments(imgtool_extra UNIX_COMMAND ${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS})
+ set(imgtool_extra "${CONFIG_MCUBOOT_EXTRA_IMGTOOL_ARGS}")
+ string(CONFIGURE "${imgtool_extra}" imgtool_extra)
+ separate_arguments(imgtool_extra UNIX_COMMAND ${imgtool_extra})
else()
set(imgtool_extra)
endif()
diff --git a/cmake/sysbuild/sign.cmake b/cmake/sysbuild/sign.cmake
index 3881744c5..c593a2723 100644
--- a/cmake/sysbuild/sign.cmake
+++ b/cmake/sysbuild/sign.cmake
@@ -30,8 +30,10 @@ function(b0_gen_keys)
-out ${SIGNATURE_PUBLIC_KEY_FILE}
)
elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
- set(SIGNATURE_PUBLIC_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY})
- set(SIGNATURE_PUBLIC_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY} PARENT_SCOPE)
+ set(keyfile "${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY}")
+ string(CONFIGURE "${keyfile}" keyfile)
+ set(SIGNATURE_PUBLIC_KEY_FILE ${keyfile})
+ set(SIGNATURE_PUBLIC_KEY_FILE ${keyfile} PARENT_SCOPE)
if(NOT EXISTS ${SIGNATURE_PUBLIC_KEY_FILE} OR IS_DIRECTORY ${SIGNATURE_PUBLIC_KEY_FILE})
message(WARNING "Invalid public key file: ${SIGNATURE_PUBLIC_KEY_FILE}")
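Review bot: The two `set(SIGNATURE_PUBLIC_KEY_FILE ${keyfile})` lines pass the expanded value unquoted, so a public key path that contains a space after expansion is stored as a list and the `EXISTS`/`IS_DIRECTORY` check on the next line then tests only its first element. Use `set(SIGNATURE_PUBLIC_KEY_FILE "${keyfile}")` and `set(SIGNATURE_PUBLIC_KEY_FILE "${keyfile}" PARENT_SCOPE)`, and quote the operands of the `EXISTS`/`IS_DIRECTORY` condition as well. With an unresolved reference the expansion is empty, and the unquoted condition then most likely fails to parse rather than reaching the `message(WARNING ...)` the code intends; quoting makes that case report as an invalid key file. `b0_gen_keys` starts above this hunk.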
@@ -165,6 +167,7 @@ function(b0_sign_image slot)
)
elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
set(custom_sign_cmd "${SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND}")
+ string(CONFIGURE "${custom_sign_cmd}" custom_sign_cmd)
if (("${custom_sign_cmd}" STREQUAL "") OR (NOT EXISTS ${SIGNATURE_PUBLIC_KEY_FILE}))
message(FATAL_ERROR "You must specify a signing command and valid public key file for custom signing.")