How to authenticate data signed with secure boot signing key

jhnlmn
Posts: 15
Joined: Wed Mar 03, 2021 4:22 am

How to authenticate data signed with secure boot signing key

Postby jhnlmn » Fri Feb 11, 2022 4:25 am

I want to send some configuration data to my ESP32 device (without Digital Signature Peripheral) and I want to authenticate it.
I can, of course, create my own public/private key pair and embed public key in FW, but I wonder whether I can sign the data using the same private key as used for Secure Boot V2 and validate message using public key, which is already embedded in signature block at the end of my FW image.
First question: are there security issues with this approach?
Second question is how to do that.
I came up with some code, but it is surprisingly complex.
First problem is to find the signature block. The only way I found is to call esp_ota_get_running_partition, esp_image_get_metadata, esp_flash_read_encrypted,
but esp_image_get_metadata is very slow because it validates hash of the FW image, which I do not need. I wonder whether there is an better way.
Then call mbedtls_sha256_starts_ret, mbedtls_sha256_update_ret, mbedtls_sha256_finish_ret
Then call mbedtls_rsa_init, mbedtls_rsa_import_raw, mbedtls_rsa_check_pubkey, mbedtls_rsa_rsassa_pss_verify_ext or use undocumented ets_rsa_pss_verify.
All of that is kind of too complex, undocumented, no code samples
Message authentication is such a common operation, there must be a simpler way.
Thank you

Who is online

Users browsing this forum: Bing [Bot], TRUEcabbage and 92 guests