feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

secure boot: Derive secure bootloader key from private key

Browse Source 
Means only one key needs to be managed.
This commit is contained in:
Angus Gratton
2016-11-04 16:05:00 +11:00
parent b5de581399
commit 64f3893cb9
7 changed files with 25 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
components/bootloader/Kconfig.projbuild
View File

@@ -54,29 +54,14 @@ config SECURE_BOOTLOADER_ONE_TIME_FLASH
config SECURE_BOOTLOADER_REFLASHABLE config SECURE_BOOTLOADER_REFLASHABLE
bool "Reflashable" bool "Reflashable"
help help
Generate the bootloader digest key on the computer instead of inside Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.
the chip. Allows the secure bootloader to be re-flashed by using the
same key.
This option is less secure than one-time flash, because a leak of the digest key allows reflashing of any device that uses it. This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.
This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.
endchoice endchoice
config SECURE_BOOTLOADER_KEY_FILE
string "Secure bootloader key file"
depends on SECURE_BOOTLOADER_REFLASHABLE
default secure_boot_key.bin
help
Path to the key file for a reflashable secure bootloader digest.
File must contain 32 randomly generated bytes.
Path is evaluated relative to the project directory.
You can generate a new key by running the following command:
espsecure.py generate_key secure_boot_key.bin
See docs/security/secure-boot.rst for details.
config SECURE_BOOT_SIGNING_KEY config SECURE_BOOT_SIGNING_KEY
string "Secure boot signing key" string "Secure boot signing key"
depends on SECURE_BOOTLOADER_ENABLED depends on SECURE_BOOTLOADER_ENABLED

25
components/bootloader/Makefile.projbuild
View File

@@ -15,8 +15,7 @@ BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader)
BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin
BOOTLOADER_SDKCONFIG=$(BOOTLOADER_BUILD_DIR)/sdkconfig BOOTLOADER_SDKCONFIG=$(BOOTLOADER_BUILD_DIR)/sdkconfig
# both signing key paths are resolved relative to the project directory # signing key path is resolved relative to the project directory
SECURE_BOOTLOADER_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOTLOADER_KEY_FILE)))
SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY))) SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY)))
export SECURE_BOOT_SIGNING_KEY # used by bootloader_support component export SECURE_BOOT_SIGNING_KEY # used by bootloader_support component
@@ -31,10 +30,6 @@ BOOTLOADER_MAKE=+$(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/src \
$(BOOTLOADER_BIN): | $(BOOTLOADER_BUILD_DIR)/sdkconfig $(BOOTLOADER_BIN): | $(BOOTLOADER_BUILD_DIR)/sdkconfig
$(Q) $(BOOTLOADER_MAKE) $@ $(Q) $(BOOTLOADER_MAKE) $@
bootloader-clean:
$(Q) $(BOOTLOADER_MAKE) app-clean config-clean
$(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old
clean: bootloader-clean clean: bootloader-clean
ifdef CONFIG_SECURE_BOOTLOADER_DISABLED ifdef CONFIG_SECURE_BOOTLOADER_DISABLED
@@ -66,7 +61,11 @@ else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
# Reflashable secure bootloader # Reflashable secure bootloader
# generates a digest binary (bootloader + digest) # generates a digest binary (bootloader + digest)
BOOTLOADER_DIGEST_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key.bin
$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY)
$(Q) $(ESPSECUREPY) digest_private_key -k $< $@
bootloader: $(BOOTLOADER_DIGEST_BIN) bootloader: $(BOOTLOADER_DIGEST_BIN)
@echo $(SEPARATOR) @echo $(SEPARATOR)
@@ -84,20 +83,16 @@ $(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY)
@echo "DIGEST $(notdir $@)" @echo "DIGEST $(notdir $@)"
$(Q) $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $< $(Q) $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $<
$(SECURE_BOOTLOADER_KEY):
@echo $(SEPARATOR)
@echo "Need to generate secure boot signing key. Run following command:"
@echo "$(ESPSECUREPY) generate_key $@"
@echo "Keep key file safe after generating."
@echo "(See secure boot documentation for caveats & alternatives.)")
@exit 1
else else
bootloader: bootloader:
@echo "Invalid bootloader target: bad sdkconfig?" @echo "Invalid bootloader target: bad sdkconfig?"
@exit 1 @exit 1
endif endif
bootloader-clean:
$(Q) $(BOOTLOADER_MAKE) app-clean config-clean
$(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN)
all_binaries: $(BOOTLOADER_BIN) all_binaries: $(BOOTLOADER_BIN)
# synchronise the project level config to the bootloader's # synchronise the project level config to the bootloader's

3
components/bootloader_support/Makefile.projbuild
View File

@@ -1,3 +0,0 @@
# projbuild file for bootloader support
# (included in bootloader & main app)

8
components/bootloader_support/component.mk
View File

@@ -17,10 +17,9 @@ COMPONENT_SRCDIRS := src
# #
ifdef CONFIG_SECURE_BOOTLOADER_ENABLED ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
# this path is created relative to the component build directory
SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin) SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
$(SECURE_BOOT_SIGNING_KEY): $(SECURE_BOOT_SIGNING_KEY):
@echo "Need to generate secure boot signing key." @echo "Need to generate secure boot signing key."
@echo "One way is to run this command:" @echo "One way is to run this command:"
@@ -31,6 +30,11 @@ $(SECURE_BOOT_SIGNING_KEY):
$(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY) $(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
$(ESPSECUREPY) extract_public_key --keyfile $< $@ $(ESPSECUREPY) extract_public_key --keyfile $< $@
COMPONENT_EXTRA_CLEAN += $(SECURE_BOOT_VERIFICATION_KEY)
COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
endif endif
include $(IDF_PATH)/make/component_common.mk include $(IDF_PATH)/make/component_common.mk

2
components/esptool_py/esptool

Submodule components/esptool_py/esptool updated: 68ed7c7a4e...98e5dbfa78

5
make/project.mk
View File

@@ -306,6 +306,9 @@ app-clean: $(addsuffix -clean,$(notdir $(COMPONENT_PATHS_BUILDABLE)))
$(summary) RM $(APP_ELF) $(summary) RM $(APP_ELF)
$(Q) rm -f $(APP_ELF) $(APP_BIN) $(APP_MAP) $(Q) rm -f $(APP_ELF) $(APP_BIN) $(APP_MAP)
clean: app-clean # NB: this ordering is deliberate (app-clean before config-clean),
# so config remains valid during all component clean targets
config-clean: app-clean
clean: config-clean

1
make/project_config.mk
View File

@@ -59,7 +59,6 @@ $(AUTO_CONF_REGEN_TARGET) $(BUILD_DIR_BASE)/include/sdkconfig.h: $(SDKCONFIG) $(
# sometimes you can get an infinite make loop on Windows where sdkconfig always gets regenerated newer # sometimes you can get an infinite make loop on Windows where sdkconfig always gets regenerated newer
# than the target(!) # than the target(!)
clean: config-clean
.PHONY: config-clean .PHONY: config-clean
config-clean: config-clean:
$(summary RM CONFIG) $(summary RM CONFIG)