Generate a firmware for mcuboot with a small non secure partition and a secure partition

_arthur_
Contributor II

Hello,

I'm using the frdm_rw612 board for this test. My IDE is VS Code with the MCUXpresso plugin. I'm trying to compile my firmware to be "mcuboot ready", meaning I would like to be able to do OTA with it.

First, I followed this tutorial: https://community.nxp.com/t5/Zephyr-Project-Knowledge-Base/Zephyr-app-with-MCUboot-in-VS-Code/ta-p/2...

It's working as expected. The current partitions organization being what I found in the boards\nxp\frdm_rw612\frdm_rw612_common.dtsi file:

partitions {
			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			/*
			 * Partition sizes must be aligned
			 * to the flash security sub-region size of 128KB.
			 */
			boot_partition: partition@0 {
				label = "mcuboot";
				reg = <0x00000000 DT_SIZE_K(128)>;
			};
			slot0_partition: partition@20000 {
				label = "image-0";
				reg = <0x00020000 DT_SIZE_K(640)>;
			};
			slot0_ns_partition: partition@C0000 {
				label = "image-0-non-secure";
				reg = <0x000C0000 DT_SIZE_M(3)>;
			};
			slot1_partition: partition@3C0000 {
				label = "image-1";
				reg = <0x003C0000 DT_SIZE_K(640)>;
			};
			slot1_ns_partition: partition@460000 {
				label = "image-1-non-secure";
				reg = <0x00460000 DT_SIZE_M(3)>;
			};
			storage_partition: partition@760000 {
				label = "storage";
				reg = <0x00760000 (DT_SIZE_M(57) - DT_SIZE_K(384))>; 
			};
		};

 

From my understanding, the hello-world example is so small it can fit inside the small (640kB) secure partition.

Unfortunately, when I do the same thing for my current firmware (which has Wifi, Bluetooth etc.) I cannot compile because it says it overloads the partition:

[...]/arm-zephyr-eabi/bin/ld.bfd.exe: zephyr\zephyr_pre0.elf section `rodata' will not fit in region `FLASH'
[...]/arm-zephyr-eabi/bin/ld.bfd.exe: region `FLASH' overflowed by 1682828 bytes

To sum up:

I can compile and flash mcuboot. I also can correctly flash the hello-world example (I can see from the UART it can correctly load this hello-world app). On the other hand, I cannot compile my "big" firmware.

How can I generate an image with a minimal secure partition that will only jump in the non secure area where my main firmware will be?

I want to keep your current partition structure because I'll use this secure partition in the future.

Thank you,


RomanVR
NXP Employee

Hello @_arthur_, hope you are doing well.

Could you please confirm your desired partition distribution? Is it a small non-secure partition and a big secure partition, or the other way around? Additionally, could you please also share your application size?

In any case, you should be able to modify your partition sizes with an overlay file, taking care to consider the alignment for each partition size of 128kB.

Best Regards!
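
The alignment and layout constraints mentioned above, checked over the partition table quoted in the thread; this is an added example, not part of the original post and not NXP or Zephyr code. It assumes partitions are contiguous and that the two slots of each primary/secondary pair have the same size, as they do in that table; `PAGE_TABLE` and the function names are made up for this example.

```python
import re

SUBREGION = 128 * 1024  # flash security sub-region size given in the dtsi comment
UNIT = {"K": 1024, "M": 1024 * 1024}
# Constructed input: labels and reg values copied from the dtsi excerpt in the thread.
PAGE_TABLE = """
boot_partition: partition@0 { reg = <0x00000000 DT_SIZE_K(128)>; };
slot0_partition: partition@20000 { reg = <0x00020000 DT_SIZE_K(640)>; };
slot0_ns_partition: partition@C0000 { reg = <0x000C0000 DT_SIZE_M(3)>; };
slot1_partition: partition@3C0000 { reg = <0x003C0000 DT_SIZE_K(640)>; };
slot1_ns_partition: partition@460000 { reg = <0x00460000 DT_SIZE_M(3)>; };
storage_partition: partition@760000 { reg = <0x00760000 (DT_SIZE_M(57) - DT_SIZE_K(384))>; };
"""
NODE = re.compile(r"(\w+):\s*partition@([0-9A-Fa-f]+)\s*\{.*?reg\s*=\s*<\s*"
                  r"(0x[0-9A-Fa-f]+)\s+(.*?)>", re.S)

def size_of(expr):
    """Evaluate a sum/difference of DT_SIZE_K/M terms and integers (no nested negation)."""
    expr = re.sub(r"DT_SIZE_([KM])\((\d+)\)", lambda m: str(int(m[2]) * UNIT[m[1]]), expr)
    terms = re.findall(r"([+-]?)\s*(0x[0-9A-Fa-f]+|\d+)", re.sub(r"[()]", "", expr))
    return sum((-1 if sign == "-" else 1) * int(num, 0) for sign, num in terms)

def parse(dts):
    """Return (label, unit_address, offset, size) tuples in file order."""
    return [(l, int(u, 16), int(o, 16), size_of(s)) for l, u, o, s in NODE.findall(dts)]

def check(parts):
    findings, sizes = [], {label: size for label, _, _, size in parts}
    expected = parts[0][2] if parts else 0
    for label, unit, off, size in parts:
        if unit != off:
            findings.append(f"{label}: unit address {unit:#x} != reg offset {off:#x}")
        if off % SUBREGION or size % SUBREGION:
            findings.append(f"{label}: offset or size is not a multiple of 128 KB")
        if off != expected:
            findings.append(f"{label}: starts at {off:#x}, previous ends at {expected:#x}")
        expected = off + size
    # Assumption: primary and secondary slots of a pair are the same size, as on the page.
    for a, b in (("slot0_partition", "slot1_partition"),
                 ("slot0_ns_partition", "slot1_ns_partition")):
        if sizes.get(a) != sizes.get(b):
            findings.append(f"{a} and {b} differ in size")
    return findings

def fits(parts, label, image_bytes):
    """True if the image fits the slot; MCUboot header and trailer are not counted."""
    return image_bytes <= {l: s for l, _, _, s in parts}[label]

if __name__ == "__main__":
    print(check(parse(PAGE_TABLE)) or "layout OK")
```

Run it over the merged board and overlay partition table before building, and run the same table through it for the MCUboot build, since both images have to agree on where the slots are.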

_arthur_
Contributor II

Hello Roman,

To be honest, I don't know. Like I said in my first post, I wanted to follow the frdm_rw612 partition distribution because it seems to be the recommended way to do it.

Today I don't use any secure feature because it's still a prototype but soon we will work on the production version and I don't want to make a choice today that will be an issue later.

The FRDM_RW612 has a 640kB secure partition and a 3MB non-secure partition.

My current application size is 2.3MB (no optimization at all).

How can I generate a firmware handling both these partitions?


_arthur_
Contributor II

I read this post: https://community.nxp.com/t5/Wi-Fi-Bluetooth-802-15-4/Zephyr-MCUBoot-TFM-Demo-using-RW612/ta-p/20475...

I also downloaded the "psa_protected_storage" sample to better understand the TF-M structure, but I'm still not sure I understand how you partition the image.

For example, for the psa_protected_storage, which partition is used to store encrypted data? Is it in the "storage_partition"?

In the post I mention above, it mentions a fw_storage partition. I don't have this partition and yet, I'm able to use the Wifi.

Where is the up-to-date documentation? I'm not trying to do something fancy, just use mcuboot to be able to do OTA, but I struggle to find the correct documentation to understand how to do it.

Thanks for your help,

Arthur


RomanVR
NXP Employee

Hello @_arthur_.

If you need to do OTA with MCUboot, I suggest using the "smp_svr" sample, whose main purpose is to perform firmware updates with the MCUmgr protocol and allow updates via Bluetooth, UDP, UART, etc. This sample works along with MCUboot to check for properly signed binaries and update them into your MCU.

To test the sample, you would need to download an MCUmgr client to make the firmware updates, as well as build and flash MCUboot separately first, and then build and flash the smp_svr sample with the required macros added to the prj.conf file of the smp_svr sample (this will depend on the OTA transport you wish to use). Once this is done, your system should be ready to communicate properly with your MCUmgr client to check a list of uploaded images and to be able to load a new image.

To load a new valid image for MCUboot, I suggest adding the following configurations to the prj.conf file of the sample you wish to load:

CONFIG_HEAP_MEM_POOL_SIZE=2048

The following will allow you to generate a valid MCUboot signed image just by building your sample:

CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="<path-to-imported-zephyr-mcuboot-sample>/root-rsa-2048.pem"

CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE=y

CONFIG_BOOTLOADER_MCUBOOT=y

 

Please let me know if this works for you and fits your requirements.

Best Regards!
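
A check for the signing settings in the reply above, as an added example that is not part of the original post and not NXP or Zephyr code. The root-rsa-2048.pem file ships with the MCUboot sources, so its private key is public and it is suitable for bring-up only; a production image needs a privately generated key that matches the one MCUboot itself was built with. The function names are made up for this example.

```python
import re

# Key file names shipped in the MCUboot source tree. root-rsa-2048.pem is the one
# named in the reply above; the other names are listed from the MCUboot repository.
BUNDLED_DEV_KEYS = {"root-rsa-2048.pem", "root-rsa-3072.pem",
                    "root-ec-p256.pem", "root-ed25519.pem"}
# Constructed input: the prj.conf lines suggested in the reply above.
PRJ_CONF = """
CONFIG_HEAP_MEM_POOL_SIZE=2048
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="<path-to-imported-zephyr-mcuboot-sample>/root-rsa-2048.pem"
CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE=y
CONFIG_BOOTLOADER_MCUBOOT=y
"""

def parse_conf(text):
    """Parse Kconfig fragment lines into a dict; later assignments win."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        unset = re.fullmatch(r"#\s*(CONFIG_\w+) is not set", line)
        if unset:
            opts[unset[1]] = "n"
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def audit_signing(text):
    """Return findings about how the application image will be signed."""
    opts = parse_conf(text)
    if opts.get("CONFIG_BOOTLOADER_MCUBOOT") != "y":
        return ["CONFIG_BOOTLOADER_MCUBOOT is not enabled: image is not built for MCUboot"]
    key = opts.get("CONFIG_MCUBOOT_SIGNATURE_KEY_FILE", "")
    if not key:
        return ["no signature key file set: the build will not sign the image"]
    name = re.split(r"[\\/]", key)[-1]  # accept both Windows and POSIX separators
    if name in BUNDLED_DEV_KEYS:
        return [f"{name} is a development key published with MCUboot: "
                "a bootloader built with it accepts images signed by anyone"]
    return []

if __name__ == "__main__":
    print(audit_signing(PRJ_CONF) or "signing settings OK")
```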

_arthur_
Contributor II

Hello Roman,

The issue is the same with your sample, as soon as I exceed the flash size of 640kB (your default secure partition size) I get this error when I compile:

region `FLASH' overflowed by 15872 bytes

Add BT and UDP support to this smp_svr sample and you will see the error.

So all my previous questions still stand to try to understand and solve my issue:

How can I generate an image with a minimal secure partition that will only jump in the non secure area where my main firmware will be?

How can I generate a firmware handling both these partitions?

When using the psa_protected_storage, where is the encrypted data stored? I would like to use this feature.

Moreover, I'll need to have a custom non-volatile partition for files. Is it the current storage_partition from your partition table definition in the common.dtsi?


_arthur_
Contributor II

I made some progress. As a short-term solution I invert slotx_partition with slotx_ns_partition in the frdm_rw612_common.dtsi file and I can compile and use a bigger secure partition.

If I change this in my overlay file, it can compile but mcuboot is not able to jump to the image during runtime. I suppose that when mcuboot is generated, it's not using my overlay file in my current project.

Anyway, I'm not sure I understand the difference between a secure and a non-secure partition. Are there any drawbacks to having my whole firmware in a secure partition?

I'm still wondering how I can add the PSA_protected_storage to this project. Which partition will be used for this feature if I add it?


RomanVR
NXP Employee

Hello @_arthur_, hope you are doing well.

If you want to resize your partitions, you could do it in an overlay file as you did with the partitions; however, you should maintain the structure so MCUboot is able to recognize the images in their destined partitions.

Additionally, please consider that if you wish to use the shared flash partitioning, this is meant to be used with the TF-M stack, which also uses MCUboot as a secure bootloader to validate and load images in a secure environment.

For more information about the protected storage, please see the Zephyr reference documentation Secure Storage.

Best Regards!