How do I include CA attributes in public key for "Signed App Images"?

flouflou
Posts: 2
Joined: Thu May 06, 2021 8:24 pm

How do I include CA attributes in public key for "Signed App Images"?

Postby flouflou » Thu May 06, 2021 8:55 pm

Hello everyone,

I'm currently working on my bachelor thesis and I want to design a secure ESP infrastructure with signed app images, flash-encryption, etc.

My specification requires signed app images which can be revoked through a certificate revocation list. Because of that I created a private prime256v1 key. Following up, I created a public key with my root CA key and the private prime256v1 key.

The ESP bootloader needs a binary file of the public key, which wouldn't be a problem if I used espsecure.py extract_public_key as the default, documented in the Espressif docs: Remote Signing of Images - https://docs.espressif.com/projects/esp ... ot-v1.html

So how would I include CA attributes in the public key if I can only use extract_public_key on the private key? Is there any option to directly convert the public key (certificate) with the CA attributes to a binary file? :|

Thanks to all

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: How do I include CA attributes in public key for "Signed App Images"?

Postby ESP_Angus » Fri May 07, 2021 12:38 am

Hi flouflou,

Sounds like an interesting thesis project!

Unfortunately the binary format compiled into the bootloader for Secure Boot V1 is very simple - it's just the EC public key point value stored directly as two fixed length binary numbers. There isn't any additional metadata or support for variable-length fields, etc. like you would find in DER or PEM format certificate files. The reason for this is to keep the bootloader small and simple, and to avoid the security risks associated with parsing X.509 formats in C.

You probably have noticed this already, but the existing Secure Boot schemes don't support chained certificate trust. i.e. currently the certificate(s) trusted by the bootloader (one in the case of ESP32, up to three in the case of ESP32-S2 and ESP32-C3 with Secure Boot V2) have to directly match the private key used to sign the binary. There's no facility at the moment to verify a signing certificate that's been signed by a trusted root CA (I'm guessing this is the part that you plan to add in your thesis work).

If you're happy making the bootloader binary larger, then you could embed the certificate(s) in PEM or DER format directly and call a parsing function. You'll also need to switch from micro-ecc to a different cryptography library that supports parsing these formats (or build a parser).

Alternatively you could modify the binary format generated by espsecure.py to add some more fields as needed; at the moment it's literally just asking the ecdsa library for the binary representation of the key and writing it out:
https://github.com/espressif/esptool/bl ... re.py#L469

I'm looking forward to seeing what you implement. :)
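
As an added example (not code from the thread, from Espressif's esptool or from the ESP-IDF bootloader), the following pure-standard-library Python script does what the question asks for in the only way the format allows: it takes a prime256v1 public key, either as a bare SubjectPublicKeyInfo or embedded in an X.509 certificate (PEM or DER), pulls out the EC point, and writes it as the 64-byte X||Y blob described above. It assumes the Secure Boot V1 layout is exactly two fixed-length big-endian 32-byte coordinates in that order with nothing else, which is what the reply says espsecure.py produces via the ecdsa library; the output filename, the constructed sample key (the P-256 base point) and the on-curve sanity check are this example's own additions.

```python
"""
Added example: convert a prime256v1 public key (bare SPKI or inside an X.509
certificate, PEM or DER) into the raw 64-byte X||Y blob the thread describes
as the Secure Boot V1 public-key format.  Standard library only.
"""
import base64
import re

# DER prefix shared by every uncompressed prime256v1 SubjectPublicKeyInfo:
#   SEQUENCE(89) { SEQUENCE(19) { OID id-ecPublicKey, OID prime256v1 },
#                  BIT STRING(66) { 00 unused bits, 04 uncompressed, X, Y } }
# The SPKI appears verbatim inside a certificate's tbsCertificate, so the same
# search works on a certificate and on a bare public key file.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "034200" "04"
)

# NIST P-256 domain parameters (FIPS 186-4), used only to sanity-check the point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

_PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Base64-decode the first PEM block if there is one, else treat input as DER."""
    m = _PEM_RE.search(data)
    if m is None:
        return data
    return base64.b64decode(b"".join(m.group(1).split()))


def extract_p256_point(der: bytes) -> bytes:
    """Find the prime256v1 SPKI in a key or certificate and return X||Y (64 bytes)."""
    idx = der.find(P256_SPKI_PREFIX)
    if idx < 0:
        raise ValueError("no uncompressed prime256v1 SubjectPublicKeyInfo found")
    start = idx + len(P256_SPKI_PREFIX)
    point = der[start:start + 64]
    if len(point) != 64:
        raise ValueError("truncated EC point")
    return point


def is_on_p256(point: bytes) -> bool:
    """Check y^2 == x^3 - 3x + b (mod p); catches corrupted or mis-sliced blobs."""
    x = int.from_bytes(point[:32], "big")
    y = int.from_bytes(point[32:], "big")
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def to_secure_boot_v1_key(data: bytes) -> bytes:
    """PEM/DER key or certificate -> 64-byte X||Y blob (assumed bootloader layout).
    Issuer, validity, CA flags and the CA signature are necessarily dropped."""
    point = extract_p256_point(pem_to_der(data))
    if not is_on_p256(point):
        raise ValueError("point is not on P-256")
    return point


def parse_secure_boot_v1_key(blob: bytes):
    """Inverse: split a 64-byte blob back into (x, y) integers."""
    if len(blob) != 64:
        raise ValueError("expected exactly 64 bytes")
    return int.from_bytes(blob[:32], "big"), int.from_bytes(blob[32:], "big")


# Constructed sample input: an SPKI whose point is the P-256 base point G.
# A real key or certificate produced by OpenSSL is handled the same way.
SAMPLE_SPKI_DER = (
    P256_SPKI_PREFIX + P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")
)
SAMPLE_SPKI_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_SPKI_DER)
    + b"-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPKI_PEM
    blob = to_secure_boot_v1_key(src)
    # Hypothetical output name; point the bootloader build at whatever it expects.
    with open("secure_boot_signing_key_pub.bin", "wb") as f:
        f.write(blob)
    print(blob.hex())
```

Two caveats follow directly from the format: only the certificate's own subject key is recoverable (the issuer's key is not in the certificate, only its signature over it), so nothing about the CA chain survives the conversion, and the prefix match covers uncompressed P-256 points only, which is the form OpenSSL emits by default.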

flouflou
Posts: 2
Joined: Thu May 06, 2021 8:24 pm

Re: How do I include CA attributes in public key for "Signed App Images"?

Postby flouflou » Mon May 10, 2021 8:35 pm

Hi ESP_Angus,

Thank you very much for your fast reply!

As I thought, there is no default way to verify the signature of the public key. Your argument about the bootloader size makes sense, but I would be happy to make the bootloader binary larger.

Today I had a call with my supervisor and we discussed whether the design is still secure when the ESP doesn't verify the signature against the CRL. We came to the point of view that we just use the default way to store the public key on the ESP, because a manufacturer would trust his own stored public key.

I also didn't mention in my last post that I need to store two keys in the bootloader: a first key which can be revoked and a second key which can be used if the first key was revoked. This wouldn't be possible by default either.

For the moment I will start writing the thesis, and I will inspect the bootloader code in the next weeks.

I will keep you on track ;)
