-
Good to know that.
If Nordic DFU could provide some "secure boot" function,
then maybe for processing sensitive information I could handle it like
the Bangle app "2fa auth watch" and "pin lock"? Then the situation would just be similar to Android before v4,
in that the OS is ensured to be authentic by the boot lock,
and only the sensitive data is encrypted and handled by the app? Thanks
-
> that the OS is ensured to be authentic by the boot lock,
> and only the sensitive data is encrypted and handled by the app?

Well, I see those two as unrelated, but yes.
Anyway, to have the whole system 'authentic' you'd also need to check the BangleApps layer. Either the app install/upload needs to be restricted too (to some verified source), or every piece of JavaScript needs to be signed (like e.g. in PowerShell) and checked on upload (or execution, but upload should be enough too - that would save storage and execution speed).
No matter how 'authentic' the system is, some apps could support encrypted data; however, I am not sure how practical it is in daily use.
In the use case you described it is not about encryption but about signed firmware updates, or what is called 'secure boot' on PCs - the system will not run an unsigned kernel or drivers.
The Nordic DFU bootloader can do signed firmware updates, but we have it turned off. It can also prevent modification of the bootloader by setting some part of flash memory read-only before the application is started. It can also verify at each reboot that the application was not modified.
If you would enable this, you could sign your builds with your private key, and only such signed builds could be uploaded to the device.
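The "sign every piece of JavaScript and check it on upload" idea from the reply above, as an added example that is not part of the thread and is not Espruino or Nordic code. It runs in Node.js on a host, not on the watch; `signApp`, `checkUpload`, the file name and the choice of ECDSA P-256 with SHA-256 are assumptions made for illustration.

```javascript
// Added example: host-side model of an upload gate for signed app files.
const crypto = require('node:crypto');

// Constructed key pair. In a real setup the private key stays with the
// publisher and only the public key is stored on the device.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Bind the storage file name to the code, length-prefixed so the boundary
// between name and code is unambiguous. Without this, a validly signed file
// could be re-uploaded under another name and overwrite a different app.
function signedBytes(name, code) {
  const n = Buffer.from(name, 'utf8');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(n.length);
  return Buffer.concat([len, n, Buffer.from(code, 'utf8')]);
}

// Publisher side (hypothetical helper): signature shipped next to the file.
function signApp(name, code, key) {
  return crypto.sign('sha256', signedBytes(name, code), key).toString('base64');
}

// Upload side (hypothetical helper): store the file only if this returns ok.
function checkUpload(upload, trustedKey) {
  if (typeof upload.sig !== 'string') return { ok: false, reason: 'unsigned' };
  const sig = Buffer.from(upload.sig, 'base64');
  const data = signedBytes(upload.name, upload.code);
  return crypto.verify('sha256', data, trustedKey, sig)
    ? { ok: true }
    : { ok: false, reason: 'bad signature' };
}

// Constructed sample uploads: genuine, modified code, renamed file, unsigned.
const code = 'g.clear(); g.drawString("hello", 10, 10);';
const sig = signApp('demo.app.js', code, privateKey);
const samples = [
  { name: 'demo.app.js', code, sig },
  { name: 'demo.app.js', code: code + ' // changed', sig },
  { name: 'other.app.js', code, sig },
  { name: 'demo.app.js', code },
];
for (const s of samples) {
  console.log(s.name, JSON.stringify(checkUpload(s, publicKey)));
}
```

Checking once at upload only holds if nothing else can write to storage afterwards, which is why the reply pairs it with a restricted install path.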