Secure Boot - change public key?
-
- Posts: 28
- Joined: Thu Nov 03, 2022 1:57 pm
Secure Boot - change public key?
I believe I understand the process for signing images and enabling secure boot but if the worse (inevitable!) happens and I need to change the public key on shipped devices, is there any way to do this? Many systems will permit TWO keys so that they keys can be rotated (you retire one, replace it with a new key whilst the second one keeps the system running then you replace the second key later) but I don't see ESP32 doing this so is secure boot stuck with just one key that, if compromised, means all devices become vulnerable forever?
-
- Posts: 1724
- Joined: Mon Oct 17, 2022 7:38 pm
- Location: Europe, Germany
Re: Secure Boot - change public key?
Nope.and I need to change the public key on shipped devices, is there any way to do this?
https://docs.espressif.com/projects/esp ... v2-process :
And the eFuses can only be written once.A digest of the RSA-3072 public key is stored in the eFuse.
-
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
Re: Secure Boot - change public key?
Just to add that, some of our recent chips like ESP32-C3, ESP32-S3 do support multiple signing keys in secure boot v2 scheme. Key revocation guide for ESP32-C3 can be found here: https://docs.espressif.com/projects/esp ... revocation
Unfortunately, ESP32 and ESP32-C2 supports only single key digest block and hence revocation is not possible there.
Unfortunately, ESP32 and ESP32-C2 supports only single key digest block and hence revocation is not possible there.
Mahavir
https://github.com/mahavirj/
https://github.com/mahavirj/
-
- Posts: 28
- Joined: Thu Nov 03, 2022 1:57 pm
Re: Secure Boot - change public key?
Thanks for that info - very hepful.
-
- Posts: 1
- Joined: Sun Sep 08, 2024 5:01 pm
Re: Secure Boot - change public key?
Thanks for that link.ESP_Mahavir wrote: ↑Thu Dec 07, 2023 5:21 amsome of our recent chips like ESP32-C3, ESP32-S3 do support multiple signing keys in secure boot v2 scheme.
I'm still reading this as it's not possible to (for example) cycle keys on a regular basis via OTA updates. The three keys have to be pre-programmed at physical/JTAG programming time and the bootloader can't be updated in field. I'm reading this as it should be a "very rare" event to invalidate / cycle a key, and not something that could be done (for example) yearly. Is there any workaround or anything I'm missing?
-
- Posts: 2
- Joined: Thu Feb 29, 2024 11:27 am
Re: Secure Boot - change public key?
I have a related question : I want to sign a firmware for an esp32-s3.
I follow the security features enablement workflow tutorial (or must)https://docs.espressif.com/projects/esp ... externally.
In the "7. Build, Sign and Flash the binaries" section in the case when there are multiple signing keys and digest flashed l it is mentioned that we can sign a firmware with multiple keys:
But would we want to do this ?
From my understanding it would make more sense to keep the backup keys somewhere and to never use them unless we really have to.
If we flash multiple digest in the eFuses is a firmware gonna be validated if we only sign it with one key ?
I follow the security features enablement workflow tutorial (or must)https://docs.espressif.com/projects/esp ... externally.
In the "7. Build, Sign and Flash the binaries" section in the case when there are multiple signing keys and digest flashed l it is mentioned that we can sign a firmware with multiple keys:
Code: Select all
espsecure.py sign_data --keyfile secure_boot_signing_key2.pem --version 2 --append_signatures -o bootloader-signed2.bin bootloader-signed.bin
espsecure.py sign_data --keyfile secure_boot_signing_key2.pem --version 2 --append_signatures -o my-app-signed2.bin my-app-signed.bin
From my understanding it would make more sense to keep the backup keys somewhere and to never use them unless we really have to.
If we flash multiple digest in the eFuses is a firmware gonna be validated if we only sign it with one key ?
Who is online
Users browsing this forum: No registered users and 82 guests