Secure Boot - change public key?

papadeltasierra
Posts: 28
Joined: Thu Nov 03, 2022 1:57 pm

Secure Boot - change public key?

Postby papadeltasierra » Wed Dec 06, 2023 4:08 pm

I believe I understand the process for signing images and enabling secure boot but if the worse (inevitable!) happens and I need to change the public key on shipped devices, is there any way to do this? Many systems will permit TWO keys so that they keys can be rotated (you retire one, replace it with a new key whilst the second one keeps the system running then you replace the second key later) but I don't see ESP32 doing this so is secure boot stuck with just one key that, if compromised, means all devices become vulnerable forever?

MicroController
Posts: 1734
Joined: Mon Oct 17, 2022 7:38 pm
Location: Europe, Germany

Re: Secure Boot - change public key?

Postby MicroController » Wed Dec 06, 2023 8:11 pm

and I need to change the public key on shipped devices, is there any way to do this?
Nope.
https://docs.espressif.com/projects/esp ... v2-process :
A digest of the RSA-3072 public key is stored in the eFuse.
And the eFuses can only be written once.

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: Secure Boot - change public key?

Postby ESP_Mahavir » Thu Dec 07, 2023 5:21 am

Just to add that, some of our recent chips like ESP32-C3, ESP32-S3 do support multiple signing keys in secure boot v2 scheme. Key revocation guide for ESP32-C3 can be found here: https://docs.espressif.com/projects/esp ... revocation

Unfortunately, ESP32 and ESP32-C2 supports only single key digest block and hence revocation is not possible there.

papadeltasierra
Posts: 28
Joined: Thu Nov 03, 2022 1:57 pm

Re: Secure Boot - change public key?

Postby papadeltasierra » Thu Dec 07, 2023 10:32 am

Thanks for that info - very hepful.

CircuitGuy
Posts: 1
Joined: Sun Sep 08, 2024 5:01 pm

Re: Secure Boot - change public key?

Postby CircuitGuy » Sun Sep 08, 2024 5:10 pm

ESP_Mahavir wrote:
Thu Dec 07, 2023 5:21 am
some of our recent chips like ESP32-C3, ESP32-S3 do support multiple signing keys in secure boot v2 scheme.
Thanks for that link.

I'm still reading this as it's not possible to (for example) cycle keys on a regular basis via OTA updates. The three keys have to be pre-programmed at physical/JTAG programming time and the bootloader can't be updated in field. I'm reading this as it should be a "very rare" event to invalidate / cycle a key, and not something that could be done (for example) yearly. Is there any workaround or anything I'm missing?

jgrossholtz
Posts: 2
Joined: Thu Feb 29, 2024 11:27 am

Re: Secure Boot - change public key?

Postby jgrossholtz » Wed Nov 20, 2024 1:50 pm

I have a related question : I want to sign a firmware for an esp32-s3.

I follow the security features enablement workflow tutorial (or must)https://docs.espressif.com/projects/esp ... externally.

In the "7. Build, Sign and Flash the binaries" section in the case when there are multiple signing keys and digest flashed l it is mentioned that we can sign a firmware with multiple keys:

Code: Select all

espsecure.py sign_data --keyfile secure_boot_signing_key2.pem --version 2 --append_signatures -o bootloader-signed2.bin bootloader-signed.bin

espsecure.py sign_data --keyfile secure_boot_signing_key2.pem --version 2 --append_signatures -o my-app-signed2.bin my-app-signed.bin
But would we want to do this ?

From my understanding it would make more sense to keep the backup keys somewhere and to never use them unless we really have to.

If we flash multiple digest in the eFuses is a firmware gonna be validated if we only sign it with one key ?

Who is online

Users browsing this forum: No registered users and 157 guests