AWS Key Management System - DFU Package Signing

Hello,

We have a requirement to ensure all private keys are stored within AWS Key Management System (KMS) and the only way to interact with these is via the KMS APIs that are provided. There is no way to extract the private key and therefore it can't be exposed to any single party. However, this presents a problem when trying to sign a DFU package using nrfutil, as we can't simply pass the private_key.pem file into the command line with `nrfutil pkg generate --key-file private_key.pem`.

I'm intrigued to understand if others have had similar security requirements, and how they have overcome them?

I think it is a legitimate request to keep private keys inside a key vault or key management system, but I'm not sure how nrfutil can be modified or used to then interact with AWS KMS or even Azure Key Vault.

There are some deprecated python based pc_nrfutil tools available on github, and it would be possible to reverse these and find a way to interact with keyvault for the signing process, but this would be unsupported I expect and would require some time to reverse and understand the process.

Is there another way? Any suggestions welcomed!

  • Hi,

    Could you give a short overview here?

    Such as SDK version and use-case

    Regards,
    Sigurd Hellesvik

  • Hey,

    Here is an example of the CMD line to sign a DFU package we would use:

    nrfutil pkg generate --bootloader My_Boot_Loader_s140_pca10056.hex --bootloader-version 1 --softdevice s140_nrf52_7.2.0_softdevice.hex --application My_App.hex --application-version 1 --hw-version 52 --sd-id 0x100 --sd-req 0x100 --key-file My_Private_Key.pem DFU_Package.zip
    Here we have to have a copy of "My_Private_Key.pem". If we create our private keys in a key vault or key management system such as Azure Key Vault or AWS KMS, there is no way to extract the private key to use it in the command line.
    You have to use an API to interact with the private key, see amazon documentation below:
    So to sign the data for DFU, I think we would somehow need to calculate a SHA_256 hash of the firmware bin (InitPacketPB data), sign this using the AWS KMS API mentioned above and then use the R&S values in the DFU package to create a signed package somehow? Lot of assumptions here, but guessing at the process using the github python source for pc_nrfutil!
    This would be for SDK5, rather than ConnectSDK, but if moving to ConnectSDK at some point I'd be interested to know if this type of approach has been considered in ConnectSDK.
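One way to carry out the process sketched in the reply above, as an added example (not code from this thread, from nrfutil or from Nordic): hash the init packet, have KMS sign the digest, and convert the DER signature KMS returns into the raw r||s bytes the package needs. It assumes an ECC_NIST_P256 signing key in KMS (kms:Sign returns DER for ECDSA keys), and that pc-nrfutil stores each 32-byte half little-endian, which is my recollection of its signing.py and should be checked against the source for your SDK version; `sign_init_packet`, `kms_signer` and `der_to_raw_rs` are names chosen here.

```python
"""Sign a DFU init packet with an ECDSA P-256 key held in AWS KMS.

Added example, not nrfutil or Nordic code. Assumptions: the KMS key spec
is ECC_NIST_P256 and kms:Sign returns a DER SEQUENCE of two INTEGERs;
pc-nrfutil emits r||s with each 32-byte half reversed to little-endian
(author's recollection of signing.py; verify against the real source).
"""
import hashlib


def der_to_raw_rs(der, size=32):
    """Parse DER SEQUENCE { INTEGER r, INTEGER s } into fixed-width r||s."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    idx, parts = 2, []
    for _ in range(2):
        if der[idx] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = der[idx + 1]
        # lstrip removes the 0x00 DER adds when the high bit is set
        value = der[idx + 2: idx + 2 + length].lstrip(b"\x00")
        if len(value) > size:
            raise ValueError("integer wider than the curve order")
        parts.append(value.rjust(size, b"\x00"))
        idx += 2 + length
    if idx != len(der):
        raise ValueError("DER length mismatch")
    return b"".join(parts)


def raw_rs_to_nrf(raw):
    """Little-endian halves, as pc-nrfutil writes them (assumption, see above)."""
    half = len(raw) // 2
    return raw[:half][::-1] + raw[half:][::-1]


def sign_init_packet(init_packet, sign_digest):
    """sign_digest(sha256_digest) -> DER signature; for KMS use kms_signer()."""
    digest = hashlib.sha256(init_packet).digest()
    return raw_rs_to_nrf(der_to_raw_rs(sign_digest(digest)))


def kms_signer(key_id):
    """Build sign_digest on boto3; imported lazily so the helpers above
    run without AWS credentials."""
    import boto3
    kms = boto3.client("kms")

    def sign_digest(digest):
        resp = kms.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                        SigningAlgorithm="ECDSA_SHA_256")
        return resp["Signature"]
    return sign_digest
```

Placing the result into the init packet's signature field still means reproducing nrfutil's packaging step, which the thread leaves open; the KMS key policy should then grant kms:Sign only to the build role and keep kms:GetPublicKey for the bootloader key extraction.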