Custom Signing Function

RE: Custom Signing Function

Roedy — Thu, 05 Sep 2024 13:56:36 GMT

Thanks Sigurd, I appreciate all of the insight.

RE: Custom Signing Function

Sigurd Hellesvik — Thu, 05 Sep 2024 13:49:26 GMT

Mentioning this to the devs, they agree that modifying imgtool is the best way. But to give you a possible alternative, they say:

for mcuboot they can use a custom signing script, they'd want to base it off whichever one they are using (which depends on the mode of their application) https://github.com/nrfconnect/sdk-nrf/tree/main/cmake/sysbuild one of the image_signing files, they would need to set this from sysbuild, doing so is a bit convoluted... Modifying imgtool is probably what they would want anyway

RE: Custom Signing Function

Sigurd Hellesvik — Thu, 05 Sep 2024 13:44:11 GMT

[quote user="Roedy"]I can get the public key out of the system and store it as a file. The issue is that when I actually need to do the signature from an HSM it isn't just a file that I can load. We're using a cloud based HSM, so I need to make an API call to my cloud service to generate the signature.

If we were using a local HSM (like a yubi key, for instance) we'd still need to use some sort of library to load the key reference, for example https://python-pkcs11.readthedocs.io/en/latest/index.html[/quote]

Right, that makes it harder then.

[quote user="Roedy"]The way that you guys included the SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND option for the nordic bootloader is wonderful, and is exactly what I was looking for, but I think I'm stuck with mcuboot at the moment so I'll probably just modify the imgtool to do what I need it to do.[/quote]

I agree that this seems like the way.
Thanks for the feedback on this though; I will forward it to our bootloader team.

RE: Custom Signing Function

Roedy — Wed, 04 Sep 2024 14:00:48 GMT

I can get the public key out of the system and store it as a file. The issue is that when I actually need to do the signature from an HSM it isn't just a file that I can load. We're using a cloud based HSM, so I need to make an API call to my cloud service to generate the signature.

If we were using a local HSM (like a yubi key, for instance) we'd still need to use some sort of library to load the key reference, for example https://python-pkcs11.readthedocs.io/en/latest/index.html

The way that you guys included the SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND option for the nordic bootloader is wonderful, and is exactly what I was looking for, but I think I'm stuck with mcuboot at the moment so I'll probably just modify the imgtool to do what I need it to do.

Thank you!

RE: Custom Signing Function

Sigurd Hellesvik — Wed, 04 Sep 2024 08:30:32 GMT

The post you found is for the old SDK, so it is not as relevant.
But yes, this is something other users have asked about earlier as well.

That being said, I find it a bit strange that you are unable to get the public key out of your system. It is after all public.

But oh well, you work with what you got.
To make your own signing functionality, imgtool is open source, so you can have a look at its source code.

To understand the MCUboot image layout which you need to achieve, see https://www.youtube.com/watch?v=qMMD0WcKShc.

RE: Custom Signing Function

Roedy — Tue, 03 Sep 2024 15:01:56 GMT

I think I will need to write my own image signing script, because the pub/priv keys are stored in a cloud HSM. This just popped up the related section, so it seems like others are trying to do this as well.
AWS Key Management System - DFU Package Signing

It would be nice to include a feature to imgtool where a user can implement custom `get_pub_key` and `sign` functions

RE: Custom Signing Function

Sigurd Hellesvik — Tue, 03 Sep 2024 14:55:26 GMT

I recommend using only MCUboot if you want just one bootloader.

MCUboot does not have a feature to input the public key, so this must be done manually. It is not an issue, just a bit finicky.

I did a sample for it here:

MCUBoot sample using SMP Server and manually signed images.

Is this what you need?

PS: The sample uses the old multi-image build system, and thus the configuration method will be some changes with sysbuild.
I beleive that for the most part, you can just rename the child_image/ folder to sysbuild/, and then move some stuff from prj.conf to sysbuild.conf. See Sysbuild migration guide for more in depth info, and this other sample where I have converted one of my samples to sysbuild so far.

RE: Custom Signing Function

Roedy — Tue, 03 Sep 2024 14:34:27 GMT

Ahh, okay I see where the confusion is. I was under the impression that I was using MCUboot, but I see that enabling CONFIG_SECURE_BOOT is enabling the NSIB. I think I just saw the custom signing script and jumped to implementation.

I don't need two bootloader necessarily, but my current implementation is relying on mcuboot style image headers for updates and I'm running code in direct XIP mode with a primary and secondary slot from internal flash only.

I do require a custom signing command, as my code is signed by a HSM and I don't have access to the private key.

I'm pretty flexible at the moment, so with those requirements in mind, can you suggest a path forward?

RE: Custom Signing Function

Sigurd Hellesvik — Mon, 02 Sep 2024 09:04:33 GMT

Hi,

We got two different bootloaders:
MCUboot and Nordic Secure Immutable Bootloader (NSIB).
Which one of these do you refer to?

How many bootloaders do you plan to use?

For general info, see our bootloader docs.

Regards,
Sigurd Hellesvik