8000 README: Substitute default keys for sketch generation by pennam · Pull Request #29 · arduino/mcuboot-arduino-stm32h7 · GitHub
Merged (1 commit), May 4, 2023
36 changes: 30 additions & 6 deletions README.md
Expand Up @@ -45,8 +45,8 @@ To write the default keys in flash you can use this [Sketch](https://github.com/
### Customize signing and encryption keys
You can use your preferred tool the generate your `ecdsa-p256` keys. With imgtool:
```
imgtool keygen -k ecdsa-p256-signing-key.pem -t ecdsa-p256
imgtool keygen -k ecdsa-p256-encrypt-key.pem -t ecdsa-p256
imgtool keygen -k ecdsa-p256-signing-priv-key.pem -t ecdsa-p256
imgtool keygen -k ecdsa-p256-encrypt-priv-key.pem -t ecdsa-p256
```
The public signing key and the private encryption key have to be written in flash at this addresses:
```
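Review bot: the renamed output files now say what `imgtool keygen` actually produces, a private key in both cases, so the `-priv-key` suffix is correct for the signing key and for the encryption key alike, and it lines up with the `getpub`/`getpriv` split in the next hunk. While this paragraph is being touched, two unchanged context lines still carry wording slips: "You can use your preferred tool the generate your `ecdsa-p256` keys" should read "to generate", and "have to be written in flash at this addresses" should read "at these addresses".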
Expand All @@ -55,15 +55,39 @@ encrypt key @ 0x8000400
```
To get this data from the generated pem files with imgtool:
```
imgtool getpub -k ecdsa-p256-signing-key.pem
imgtool getpriv -k ecdsa-p256-encrypt-key.pem
imgtool getpub -k ecdsa-p256-signing-priv-key.pem > ecdsa-p256-signing-pub-key.h
imgtool getpriv -k ecdsa-p256-encrypt-priv-key.pem > ecdsa-p256-encrypt-priv-key.h
```
Copy and paste the key data in this [Sketch](https://github.com/arduino/ArduinoCore-mbed/blob/master/libraries/STM32H747_System/examples/STM32H747_manageBootloader/STM32H747_manageBootloader.ino) and run it to flash the keys alongside the bootloader.

### Create a signed and encrypted update Sketch
### Substitute default keys for sketch generation
By default the IDE uses the keys located in `{runtime.platform.path}/libraries/MCUboot/default_keys`

To use your custom keys follow this steps:
1. Remove default keys
```
cd {runtime.platform.path}/libraries/MCUboot/default_keys
rm -f *.pem
```
2. Generate encryption public key
```
openssl pkey -in ecdsa-p256-encrypt-priv-key.pem -pubout > ecdsa-p256-encrypt-pub-key.pem
```
or
```
ssh-keygen -e -f ecdsa-p256-encrypt-priv-key.pem -y -m "PEM" > ecdsa-p256-encrypt-pub-key.pem
```
3. Move keys in the MCUboot library folder
```
mv ecsdsa-p256-signing-priv-key.pem `{runtime.platform.path}/libraries/MCUboot/default_keys/ecdsa-p256-signing-priv-key.pem`
mv ecdsa-p256-encrypt-pub-key.pem `{runtime.platform.path}/libraries/MCUboot/default_keys/ecdsa-p256-encrypt-pub-key.pem`
```
Alternatively you can customize your board.txt file following this [guide](https://arduino.github.io/arduino-cli/0.31/guides/secure-boot/)

### Manually create a signed and encrypted update Sketch
To create a signed and encrypted Sketch an additional step is needed after the Sketch binary is generated. This additional step is done passing the binary through `imgtool`. The flags used by the board to create a secure Sketch are defined [here](https://github.com/arduino/ArduinoCore-mbed/blob/fa628e35011a92fb7e54fa6bfd9a69be33173bf8/boards.txt#L79-L86). The resulting command resembles as follows:
```
imgtool sign --key ecdsa-p256-signing-key.pem --encrypt ecdsa-p256-encrypt-key.pem input.bin output.bin --align 32 --max-align 32 --version 1.2.3+4 --header-size 0x20000 --pad-header --slot-size 0x1E0000
imgtool sign --key ecdsa-p256-signing-priv-key.pem --encrypt ecdsa-p256-encrypt-pub-key.pem input.bin output.bin --align 32 --max-align 32 --version 1.2.3+4 --header-size 0x20000 --pad-header --slot-size 0x1E0000
```

### Load an update sketch
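Review bot: step 3 has two defects that will make the commands fail as written. The first `mv` names the source file `ecsdsa-p256-signing-priv-key.pem` (extra "s"), while every other line in the README, including the `imgtool keygen` command above, spells it `ecdsa-p256-signing-priv-key.pem`, so the move will stop with "No such file". In the same block, both destination paths are wrapped in backticks inside a shell code fence; a shell treats backticks as command substitution and will try to execute the path instead of using it as the `mv` target. Suggest plain paths, e.g. `mv ecdsa-p256-signing-priv-key.pem {runtime.platform.path}/libraries/MCUboot/default_keys/ecdsa-p256-signing-priv-key.pem`, plus one sentence saying that `{runtime.platform.path}` is an IDE property the reader has to replace with the real platform directory (step 1's `cd` has the same assumption). Minor wording in the added text: "follow this steps" should be "follow these steps", and "Move keys in the MCUboot library folder" should be "Move the keys into the MCUboot library folder". The `imgtool sign` change to `--encrypt ecdsa-p256-encrypt-pub-key.pem` is consistent with the public key produced in step 2, which is what ties this section together.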