How to check firmware bin file for valid signature before writing to flash?

felixcollins
Posts: 125
Joined: Fri May 24, 2019 2:02 am

How to check firmware bin file for valid signature before writing to flash?

Postby felixcollins » Mon Jun 12, 2023 4:32 am

Is there an API to check a firmware bin file for a valid signature without writing it to the flash using the OTA system?

My scenario is I want to drop a fw file on an sd card connected to the esp32. When I boot I will check the file is there, if it is I'll read its version. If the version is newer than the running firmware, I'll check its digital signature to make sure it is firmware I have released and not a hacking attempt. If that checks out I'll write it to the flash using the ota_* API.

Thanks,
Felix

felixcollins
Posts: 125
Joined: Fri May 24, 2019 2:02 am

Re: How to check firmware bin file for valid signature before writing to flash?

Postby felixcollins » Thu Jul 27, 2023 12:13 am

Really? No one knows? Please can an ESP person guide my on this one?

ESP_igrr
Posts: 2071
Joined: Tue Dec 01, 2015 8:37 am

Re: How to check firmware bin file for valid signature before writing to flash?

Postby ESP_igrr » Thu Jul 27, 2023 12:59 am

Hi Felix,

Image signature verification already happens inside esp_ota_end function. This means that if signature verification fails, you can reject the update and not call esp_ota_set_boot_partition.

This does mean that if you actually get an invalid OTA image, you spend additional time copying it into flash before rejecting it. However an invalid OTA image seems to be a rather unlikely case in normal usage, so perhaps optimizing for its performance is not really necessary?

For reference, here is the code which performs image and signature verification. It is fairly tightly coupled to Flash and memory-mapping, so it's not quite trivial to make it work with an SD card directly, I'm afraid. So my suggestion is to always call esp_ota_begin, esp_ota_write, and finally check the return value from esp_ota_end.

Who is online

Users browsing this forum: Bing [Bot] and 77 guests