Unsecure bootloader

Hi Jordan,

we have two different bootloader architectures; the Legacy bootloader (SDK v11.0.0 and older), and the Secure bootloader (SDK v12.x.0). The Legacy bootloader will accept any firmware image, while the the secure bootloader uses a private-public key pair to sign and verify that the firmware image is from a trusted source. The private key is used to sign the firmware image and the public key is stored in the bootloader and used to verify that the firmware image was signed by the corresponding private key.

Both bootloaders uses dual bank updates, i.e. the old application is not erased until the new application firmware image has been received and its integrity checked. However, if for some reason you end up in bootloader mode without a valid application, then you have to perform another DFU. At this point the only difference between the Legacy and the Secure bootloader is that the Secure bootloader requires a signed image and the legacy does not.

From a security perspective I would say that anything is not better than nothing, since anyone, e.g. an attacker may upload malicious firmware to your device.

Note: No further development will be done on the Legacy bootloader.

Best regards

Bjørn

Hi Jordan,

we have two different bootloader architectures; the Legacy bootloader (SDK v11.0.0 and older), and the Secure bootloader (SDK v12.x.0). The Legacy bootloader will accept any firmware image, while the the secure bootloader uses a private-public key pair to sign and verify that the firmware image is from a trusted source. The private key is used to sign the firmware image and the public key is stored in the bootloader and used to verify that the firmware image was signed by the corresponding private key.

Both bootloaders uses dual bank updates, i.e. the old application is not erased until the new application firmware image has been received and its integrity checked. However, if for some reason you end up in bootloader mode without a valid application, then you have to perform another DFU. At this point the only difference between the Legacy and the Secure bootloader is that the Secure bootloader requires a signed image and the legacy does not.

From a security perspective I would say that anything is not better than nothing, since anyone, e.g. an attacker may upload malicious firmware to your device.

Note: No further development will be done on the Legacy bootloader.

Best regards

Bjørn

I would disagree. If you're in the bootloader, you've probably already failed. Especially during development.

But, I appreciate the answer. It was helpful.

Jordan

I agree that the device should "never" end up in bootloader mode, but if you do then I argue it's better to have a bootloader that only accepts firmware images issued from a trusted source, than a bootloader that will accept any image.