Is there an API to check a firmware bin file for a valid signature without writing it to the flash using the OTA system?
My scenario is I want to drop a fw file on an sd card connected to the esp32. When I boot I will check the file is there, if it is I'll read its version. If the version is newer than the running firmware, I'll check its digital signature to make sure it is firmware I have released and not a hacking attempt. If that checks out I'll write it to the flash using the ota_* API.
Thanks,
Felix
How to check firmware bin file for valid signature before writing to flash?
Re: How to check firmware bin file for valid signature before writing to flash?
Really? No one knows? Please can an ESP person guide me on this one?
Re: How to check firmware bin file for valid signature before writing to flash?
Hi Felix,
Image signature verification already happens inside the esp_ota_end function. This means that if signature verification fails, you can reject the update and not call esp_ota_set_boot_partition.
This does mean that if you actually get an invalid OTA image, you spend additional time copying it into flash before rejecting it. However an invalid OTA image seems to be a rather unlikely case in normal usage, so perhaps optimizing for its performance is not really necessary?
For reference, here is the code which performs image and signature verification. It is fairly tightly coupled to Flash and memory-mapping, so it's not quite trivial to make it work with an SD card directly, I'm afraid. So my suggestion is to always call esp_ota_begin, esp_ota_write, and finally check the return value from esp_ota_end.
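The sequence suggested in the reply above, as an added example that is not part of the original post or of ESP-IDF's own code. It assumes signed app images are enabled in the project configuration and that the SD card is already mounted; `update_from_file`, the `sim_*` names and the host stand-ins in the `#else` branch are hypothetical, there only so the control flow can be compiled off-target.

```c
#include <stdio.h>
#ifdef ESP_PLATFORM  /* ESP-IDF build: the real OTA API */
#include "esp_ota_ops.h"
#else  /* host build: constructed stand-ins, only so the control flow can be exercised */
typedef int esp_err_t;
typedef unsigned esp_ota_handle_t;
typedef struct { int unused; } esp_partition_t;
#define ESP_OK 0
#define ESP_FAIL (-1)
#define OTA_SIZE_UNKNOWN 0xffffffff
static int sim_bad_image, sim_boot_set;  /* hypothetical test knobs, not ESP-IDF names */
static esp_partition_t sim_slot;
static const esp_partition_t *esp_ota_get_next_update_partition(const esp_partition_t *p) { (void)p; return &sim_slot; }
static esp_err_t esp_ota_begin(const esp_partition_t *p, size_t n, esp_ota_handle_t *h) { (void)p; (void)n; *h = 1; return ESP_OK; }
static esp_err_t esp_ota_write(esp_ota_handle_t h, const void *d, size_t n) { (void)h; (void)d; (void)n; return ESP_OK; }
static esp_err_t esp_ota_end(esp_ota_handle_t h) { (void)h; return sim_bad_image ? ESP_FAIL : ESP_OK; }
static esp_err_t esp_ota_set_boot_partition(const esp_partition_t *p) { (void)p; sim_boot_set = 1; return ESP_OK; }
#endif

/* Copy a firmware file (for example one on a mounted SD card) into the next
 * OTA slot. The boot partition is switched only when esp_ota_end() accepted
 * the image, so a rejected file never becomes the boot target. */
esp_err_t update_from_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return ESP_FAIL;

    const esp_partition_t *slot = esp_ota_get_next_update_partition(NULL);
    esp_ota_handle_t handle;
    esp_err_t err = slot ? esp_ota_begin(slot, OTA_SIZE_UNKNOWN, &handle) : ESP_FAIL;
    if (err != ESP_OK) { fclose(f); return err; }

    unsigned char buf[1024];
    size_t n;
    while (err == ESP_OK && (n = fread(buf, 1, sizeof buf, f)) > 0)
        err = esp_ota_write(handle, buf, n);
    int read_failed = ferror(f);
    fclose(f);

    /* Always call esp_ota_end(): it releases the handle and validates the image. */
    esp_err_t end_err = esp_ota_end(handle);
    if (err != ESP_OK) return err;          /* flash write failed */
    if (read_failed) return ESP_FAIL;       /* file could not be read completely */
    if (end_err != ESP_OK) return end_err;  /* image or signature rejected */
    return esp_ota_set_boot_partition(slot);
}
```

The version comparison from the question would run before this function is called; on any non-`ESP_OK` return the device keeps booting the running firmware.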