ESP32 Forum

To keep the code signing private key secure I would like to configure and use a yubikey to sign the images (2nd stage boot loader / OTA apps). The instructions for signing images and creating the required signature blocks assume the private key is accessible on the signing server. By using an HSM (yubikey) the private key would but be accessible and therefore not be compromised.

Can espsecure be used as is to support this? If not can it be extended? Is this a good idea?

Thanks you!!

This sounds like a good idea! We had a discussion about adding PKCS11 support to espsecure, but seems like this hasn't been implemented yet.

Hey @ESP_igrr,

Is there any update on this, or at least some insights into if it is even possible? I am also curious if there are other HSM's to keep the sign process really secure in our CI/CD.

Secure boot version 2 uses an RSA-3072-based app signing scheme. YubiKey only supports RSA-2048 and hence, it cannot be used for app signing. Although, in the case of ESP32-C2, secure boot version 2 uses ECDSA-192/256-based signing scheme, which is supported by YubiKey.

We have been working on adding a PKCS11 interface to get the binaries signed using an HSM, please check this out https://github.com/Harshal5/esptool/tre ... _interface.
Before using this feature, you will need to install PyKCS (https://github.com/LudovicRousseau/PyKCS11) on your host, populate fields in the HSM espsecure/ext_hsm.ini config file, and generate the public key for the HSM private key to be used for signing.
(This workflow has been tested with ECDSA-256 signing using YubiKey5.)

Thank you! I will take a look!

This awesome post can also help others: https://blog.espressif.com/secure-signi ... e855a2f2ef