| Christopher Collins | 92ea77f | 2016-12-12 15:59:26 -0800 | [diff] [blame] | 1 | <!-- |
| 2 | # |
| 3 | # Licensed to the Apache Software Foundation (ASF) under one |
| 4 | # or more contributor license agreements. See the NOTICE file |
| 5 | # distributed with this work for additional information |
| 6 | # regarding copyright ownership. The ASF licenses this file |
| 7 | # to you under the Apache License, Version 2.0 (the |
| 8 | # "License"); you may not use this file except in compliance |
| 9 | # with the License. You may obtain a copy of the License at |
| 10 | # |
| 11 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | # |
| 13 | # Unless required by applicable law or agreed to in writing, |
| 14 | # software distributed under the License is distributed on an |
| 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| 16 | # KIND, either express or implied. See the License for the |
| 17 | # specific language governing permissions and limitations |
| 18 | # under the License. |
| 19 | # |
| 20 | --> |
| 21 | |
| 22 | ## Image signing |
| 23 | |
| 24 | This signs the image by computing hash over the image, and then |
| 25 | signing that hash. Signature is computed by newt tool when it's |
| 26 | creating the image. This signature is placed in the image trailer. |
| 27 | |
| 28 | The public key of this keypair must be included in the bootloader, |
| 29 | as it verifies it before allowing the image to run. |
| 30 | |
| 31 | This facility allows you to use multiple signing keys. This would |
| 32 | be useful when you want to prevent production units from booting |
| 33 | development images, but want development units to be able to boot |
| 34 | both production images and development images. |
| 35 | |
| 36 | ## Creating signing keys |
| 37 | First you need a keypair to use for signing. You can create |
| 38 | one with openssl command line tool. |
| 39 | |
| 40 | openssl genrsa -out image_sign.pem 2048 |
| 41 | |
| 42 | This created a file which contains both the private and public key, |
| 43 | and will be used when signing images. |
| 44 | |
| 45 | Then you need to extract the public key from this to include it |
| 46 | in the bootloader. Bootloader need to keep key parsing minimal, |
| 47 | so it expects simple key format. |
| 48 | |
| 49 | openssl rsa -in image_sign.pem -pubout -out image_sign_pub.der -outform DER -RSAPublicKey_out |
| 50 | |
| 51 | Now the public key is in file called image_sign_pub.der. |
| 52 | |
| 53 | ## Creating a key package |
| 54 | |
| 55 | xxd -i image_sign_pub.der image_sign_pub.c.import |
| 56 | |
| 57 | Then you need to create a package containing this key, or keys. |
| 58 | In the pkg.yml for this package, you advertise feature IMAGE_KEYS_RSA or |
| 59 | IMAGE_KEYS_EC. |
| 60 | Once this is done, bootloader will expect keys to be filled in |
| 61 | 'bootutil_keys', and the number of keys to be in 'bootutil_key_cnt'. |
| 62 | |
| 63 | ## Sample pkg.yml |
| 64 | This gets bootutil to turn on image signature validation. |
| 65 | |
| 66 | pkg.name: libs/mykeys |
| 67 | pkg.deps: |
| Marko Kiiskila | bf986da | 2016-12-13 17:15:24 -0800 | [diff] [blame^] | 68 | - "@apache-mynewt-core/boot/bootutil" |
| Christopher Collins | 92ea77f | 2016-12-12 15:59:26 -0800 | [diff] [blame] | 69 | |
| 70 | ## Sample source file |
| 71 | This exports the keys. |
| 72 | |
| 73 | #include <bootutil/sign_key.h> |
| 74 | |
| 75 | #include "image_sign_pub.c.import" |
| 76 | |
| 77 | const struct bootutil_key bootutil_keys[] = { |
| 78 | [0] = { |
| 79 | .key = image_sign_pub_der, |
| 80 | .len = &image_sign_pub_der_len, |
| 81 | } |
| 82 | }; |
| 83 | |
| 84 | const int bootutil_key_cnt = sizeof(bootutil_keys) / sizeof(bootutil_keys[0]); |
| 85 | |
| 86 | ## Building bootloader |
| 87 | |
| 88 | Enable the BOOTUTIL_SIGN_RSA syscfg setting in your app or target syscfg.yml |
| 89 | file |
| 90 | |
| 91 | syscfg.vals: |
| 92 | BOOTUTIL_SIGN_RSA: 1 |
| 93 | |
| 94 | After you've created the key package, you must include it in the build |
| 95 | for bootloader. So modify the pkg.yml for apps/boot to include it. |