I have a bunch of development kits from project 1 for company 1. I built signed firmware on these.
I now have project 2 for company 2 and have generated a new signing certificate. I've built signed firmware, and I can flash it using idy.py, but my company 2 OTA's fail the signature validation unless I sign them with company 1's key.
I believe that these dev kits have been set up for company 1's signing key.
I've been confused by the Secure Boot V2 documentation, since I have only used the App Signing feature.
* Is there a way to load a second App Image Signing Public key onto these boards, so that I can load firmware built for company 1 and 2 on the same development kits?
* Is there a faster way to validate what signing key is on a board, other than performing an OTA and getting a failed result?
Thank you,
-scott.e
Multiple code signing keys possible?
-
- Posts: 200
- Joined: Sun Jun 23, 2024 6:18 pm
Re: Multiple code signing keys possible?
Check if the CONFIG_SECURE_BOOT_KEY_DIGEST or CONFIG_SECURE_BOOT_ALLOW_KEY_ROTATION options are enabled in your bootloader.
Re: Multiple code signing keys possible?
Thanks for your help. I see neither of these set:
CONFIG_SECURE_BOOT_KEY_DIGEST
CONFIG_SECURE_BOOT_ALLOW_KEY_ROTATION
But I do have these security settings:
CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y
CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK=y
CONFIG_BOOTLOADER_APP_SECURE_VERSION=0
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
# CONFIG_SECURE_BOOT is not set
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY=<path to PEM>
# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
CONFIG_SOC_SECURE_BOOT_V2_RSA=y
CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS=3
CONFIG_SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS=y
CONFIG_SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY=y
CONFIG_SECURE_BOOT_KEY_DIGEST
CONFIG_SECURE_BOOT_ALLOW_KEY_ROTATION
But I do have these security settings:
CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y
CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK=y
CONFIG_BOOTLOADER_APP_SECURE_VERSION=0
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
# CONFIG_SECURE_BOOT is not set
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY=<path to PEM>
# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
CONFIG_SOC_SECURE_BOOT_V2_RSA=y
CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS=3
CONFIG_SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS=y
CONFIG_SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY=y
Who is online
Users browsing this forum: Baidu [Spider], Bing [Bot], Majestic-12 [Bot] and 68 guests