Skip to content

makefiles/suit: store public keys, make it easier to work with multiple keys#20858

Merged
benpicco merged 3 commits intoRIOT-OS:masterfrom
benpicco:suit_multi_key-2
Sep 13, 2024
Merged

makefiles/suit: store public keys, make it easier to work with multiple keys#20858
benpicco merged 3 commits intoRIOT-OS:masterfrom
benpicco:suit_multi_key-2

Conversation

@benpicco
Copy link
Copy Markdown
Contributor

@benpicco benpicco commented Sep 9, 2024

Contribution description

This makes it easier to work with encrypted keys and multiple keys. The firmware binary can contain multiple public keys that are used to verify the manifest.
The use case is that we want to include the production public key in the debug build, so we can seamlessly update to the production version without re-flashing the device.

If the public keys is always generated on the fly, this would still require the production key password even for the debug build.

Instead if we store the (unencrypted) public key, we can always include it in the debug build.

Testing procedure

  • create a 2nd, encrypted signature key, call it prod.pem
  • build examples/suit_update with make SUIT_KEY="default prod"

OpenSSL only asks for the passwort to create the public key once, then the firmware can be build without needing to decrypt the production key.

contents of generated riotbuild/public_key.h

const uint8_t public_key[][32] = {
 {
  0x91, 0x6e, 0xc8, 0xf1, 0x5b, 0x8a, 0x30, 0x84, 0x31, 0x1c, 0xd3, 0xf8,
  0xe4, 0xdf, 0xc3, 0x50, 0x11, 0xd6, 0x67, 0xc5, 0x1c, 0x2c, 0x6a, 0x30,
  0x03, 0x58, 0x96, 0x75, 0x8c, 0x33, 0x49, 0x8c
 },
 {
  0xba, 0x0c, 0x4f, 0x89, 0x7d, 0x5f, 0x3f, 0x5c, 0x41, 0x9c, 0xde, 0xd0,
  0x57, 0xa6, 0xbc, 0x56, 0xeb, 0xcc, 0xe3, 0x6f, 0x70, 0x50, 0x70, 0x6d,
  0x46, 0x00, 0x33, 0xeb, 0x76, 0xa9, 0x6a, 0xfd
 },
};

Only when the firmware is published (signed) the password for the production key needs to be entered.

Issues/PRs references

@github-actions github-actions bot added the Area: build system Area: Build system label Sep 9, 2024
@benpicco benpicco force-pushed the suit_multi_key-2 branch 2 times, most recently from 3f839d4 to db70fa0 Compare September 9, 2024 22:02
@benpicco benpicco added Type: enhancement The issue suggests enhanceable parts / The PR enhances parts of the codebase / documentation CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR labels Sep 9, 2024
@benpicco benpicco requested a review from fabian18 September 9, 2024 22:03
@riot-ci
Copy link
Copy Markdown

riot-ci commented Sep 9, 2024
edited
Loading

Murdock results

✔️ PASSED

765dd68 makefiles/suit: use OpenSSL to generate key

Success Failures Total Runtime
10197 0 10197 17m:19s

Artifacts

@benpicco benpicco requested a review from bergzand September 10, 2024 08:22
@fabian18
Copy link
Copy Markdown
Contributor

fabian18 commented Sep 10, 2024

Cool feature.
I think the testing procedure assumes that default.pem already exists.
If I delete it and do SUIT_KEY="default prod" make -C examples/suit_update, I think what happens on key generation
is that the second key is taken as the password of the first key.

Maybe this is simply a case of bad usage but was still kind of unexpected to me.

@benpicco
Copy link
Copy Markdown
Contributor Author

benpicco commented Sep 10, 2024

heh, good catch!
that's because suit/gen_key.py takes the 2nd argument as key. When using the make target instead of $(SUIT_SEC) (which is wrong with multiple keys anyway) things work as expected.

We might also just replace that call to the 'custom' Python script with another OpenSSL invocation.

@benpicco
makefiles/suit: store public keys
fbf1cd1 
This makes it easier to work with encrypted keys and multiple keys.
The firmware binary can contain multiple public keys that are used
to verify the manifest.
The use case is that we want to include the production public key
in the debug build, so we can seamlessly update to the production
version without re-flashing the device.

If the public keys is always generated on the fly, this would still
require the production key password even for the debug build.

Instead if we store the (unencrypted) public key, we can always
include it in the debug build.
fabian18
fabian18 reviewed Sep 11, 2024
View reviewed changes
fabian18
fabian18 reviewed Sep 12, 2024
View reviewed changes
fabian18
fabian18 approved these changes Sep 12, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@fabian18 fabian18 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make -C examples/suit_update clean suit/publish SUIT_KEY="default prod" SUIT_KEY_SIGN=prod SUIT_SEC_PASSWORD=123456789

make: Entering directory '/home/[email protected]/RIOT/examples/suit_update'
rm -rf /home/[email protected]/RIOT/bootloaders/riotboot/bin/samr21-xpro/pkg-build/cmsis
# Reset package to checkout state.
rm -rf /home/[email protected]/RIOT/build/pkg/c25519
rm -rf /home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/pkg-build/cmsis
rm -rf /home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/pkg-build/libcose
rm -rf /home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/pkg-build/nanocbor
compiling /home/[email protected]/RIOT/dist/tools/riotboot_gen_hdr/bin/genhdr...
make: Nothing to be done for 'all'.
suit: generating key in /home/[email protected]/.local/share/RIOT/keys
0) none
1) aes-256-cbc
Choose encryption for key file /home/[email protected]/.local/share/RIOT/keys/prod.pem: 1
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
read EC key
Enter pass phrase for /home/[email protected]/.local/share/RIOT/keys/prod.pem:
writing EC key
read EC key
writing EC key
read EC key
writing EC key
test "dbfb4285837ab2ea3d99c448b22877cc7a139ccbaebb1de367e2bec1fd562fe629b389d86603915448078b8fd7e631c8fc9a7d126eb889a1ba0c17611369b190  /home/[email protected]/RIOT/build/pkg/c25519-2017-10-05.zip" =  "$(sha512sum "/home/[email protected]/RIOT/build/pkg/c25519-2017-10-05.zip")"
"make" -C /home/[email protected]/RIOT/pkg/c25519/ 
"make" -C /home/[email protected]/RIOT/build/pkg/c25519/src -f /home/[email protected]/RIOT/Makefile.base MODULE=c25519
"make" -C /home/[email protected]/RIOT/pkg/cmsis/ 
"make" -C /home/[email protected]/RIOT/pkg/libcose/ 
"make" -C /home/[email protected]/RIOT/build/pkg/libcose/src -f /home/[email protected]/RIOT/Makefile.base MODULE=libcose
"make" -C /home/[email protected]/RIOT/build/pkg/libcose/src/crypt -f /home/[email protected]/RIOT/pkg/libcose/Makefile.libcose_crypt
"make" -C /home/[email protected]/RIOT/pkg/nanocbor/ 
"make" -C /home/[email protected]/RIOT/build/pkg/nanocbor/src -f /home/[email protected]/RIOT/Makefile.base MODULE=nanocbor
"make" -C /home/[email protected]/RIOT/boards/common/init
"make" -C /home/[email protected]/RIOT/boards/samr21-xpro
"make" -C /home/[email protected]/RIOT/core
"make" -C /home/[email protected]/RIOT/core/lib
"make" -C /home/[email protected]/RIOT/cpu/samd21
"make" -C /home/[email protected]/RIOT/cpu/cortexm_common
"make" -C /home/[email protected]/RIOT/cpu/cortexm_common/periph
"make" -C /home/[email protected]/RIOT/cpu/sam0_common
"make" -C /home/[email protected]/RIOT/cpu/sam0_common/periph
"make" -C /home/[email protected]/RIOT/cpu/samd21/periph
"make" -C /home/[email protected]/RIOT/cpu/samd21/vectors
"make" -C /home/[email protected]/RIOT/drivers
"make" -C /home/[email protected]/RIOT/drivers/edbg_eui
"make" -C /home/[email protected]/RIOT/drivers/ethos
"make" -C /home/[email protected]/RIOT/drivers/netdev
"make" -C /home/[email protected]/RIOT/drivers/periph_common
"make" -C /home/[email protected]/RIOT/pkg/libcose/init
"make" -C /home/[email protected]/RIOT/sys
"make" -C /home/[email protected]/RIOT/sys/auto_init
"make" -C /home/[email protected]/RIOT/sys/checksum
"make" -C /home/[email protected]/RIOT/sys/crypto
"make" -C /home/[email protected]/RIOT/sys/div
"make" -C /home/[email protected]/RIOT/sys/event
"make" -C /home/[email protected]/RIOT/sys/evtimer
"make" -C /home/[email protected]/RIOT/sys/fmt
"make" -C /home/[email protected]/RIOT/sys/frac
"make" -C /home/[email protected]/RIOT/sys/hashes
"make" -C /home/[email protected]/RIOT/sys/iolist
"make" -C /home/[email protected]/RIOT/sys/isrpipe
"make" -C /home/[email protected]/RIOT/sys/libc
"make" -C /home/[email protected]/RIOT/sys/luid
"make" -C /home/[email protected]/RIOT/sys/malloc_thread_safe
"make" -C /home/[email protected]/RIOT/sys/net/application_layer/nanocoap
"make" -C /home/[email protected]/RIOT/sys/net/application_layer/uhcp
"make" -C /home/[email protected]/RIOT/sys/net/crosslayer/inet_csum
"make" -C /home/[email protected]/RIOT/sys/net/gnrc
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netapi
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netif
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netif/ethernet
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netif/hdr
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netif/init_devs
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/netreg
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/icmpv6
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/icmpv6/echo
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/ipv6
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/ipv6/hdr
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/ipv6/nib
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/network_layer/ndp
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/pkt
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/pktbuf
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/pktbuf_static
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/sock
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/sock/udp
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/transport_layer/udp
"make" -C /home/[email protected]/RIOT/sys/net/gnrc/application_layer/uhcpc
"make" -C /home/[email protected]/RIOT/sys/net/link_layer/eui_provider
"make" -C /home/[email protected]/RIOT/sys/net/link_layer/l2util
"make" -C /home/[email protected]/RIOT/sys/net/netif
"make" -C /home/[email protected]/RIOT/sys/net/netutils
"make" -C /home/[email protected]/RIOT/sys/net/network_layer/icmpv6
"make" -C /home/[email protected]/RIOT/sys/net/network_layer/ipv6/addr
"make" -C /home/[email protected]/RIOT/sys/net/network_layer/ipv6/hdr
"make" -C /home/[email protected]/RIOT/sys/net/sock
"make" -C /home/[email protected]/RIOT/sys/net/transport_layer/udp
"make" -C /home/[email protected]/RIOT/sys/newlib_syscalls_default
"make" -C /home/[email protected]/RIOT/sys/pm_layered
"make" -C /home/[email protected]/RIOT/sys/posix/inet
"make" -C /home/[email protected]/RIOT/sys/preprocessor
"make" -C /home/[email protected]/RIOT/sys/progress_bar
"make" -C /home/[email protected]/RIOT/sys/random
"make" -C /home/[email protected]/RIOT/sys/riotboot
"make" -C /home/[email protected]/RIOT/sys/shell
"make" -C /home/[email protected]/RIOT/sys/shell/cmds
"make" -C /home/[email protected]/RIOT/sys/suit
"make" -C /home/[email protected]/RIOT/sys/suit/storage
"make" -C /home/[email protected]/RIOT/sys/suit/transport
"make" -C /home/[email protected]/RIOT/sys/test_utils/interactive_sync
"make" -C /home/[email protected]/RIOT/sys/tiny_strerror
"make" -C /home/[email protected]/RIOT/sys/tsrb
"make" -C /home/[email protected]/RIOT/sys/uuid
"make" -C /home/[email protected]/RIOT/sys/vfs
"make" -C /home/[email protected]/RIOT/sys/vfs_util
"make" -C /home/[email protected]/RIOT/sys/ztimer
creating /home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/riotboot_files/slot0.1726166621.bin...
creating /home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/riotboot_files/slot1.1726166621.bin...
published "/home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/suit_files/riot.suit.1726166621.bin"
       as "coap://localhost/fw/suit_update/samr21-xpro/riot.suit.1726166621.bin"
published "/home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/suit_files/riot.suit.latest.bin"
       as "coap://localhost/fw/suit_update/samr21-xpro/riot.suit.latest.bin"
published "/home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/riotboot_files/slot0.1726166621.bin"
       as "coap://localhost/fw/suit_update/samr21-xpro/slot0.1726166621.bin"
published "/home/[email protected]/RIOT/examples/suit_update/bin/samr21-xpro/riotboot_files/slot1.1726166621.bin"
       as "coap://localhost/fw/suit_update/samr21-xpro/slot1.1726166621.bin"
make: Leaving directory '/home/[email protected]/RIOT/examples/suit_update'

const uint8_t public_key[][32] = {
 {
  0xad, 0x7f, 0x4e, 0xc2, 0xd5, 0x0b, 0xa3, 0xb3, 0xef, 0x8f, 0x7a, 0xc5,
  0xa6, 0x73, 0xcc, 0x4a, 0xf5, 0x01, 0x30, 0xae, 0x6a, 0x58, 0xf8, 0xce,
  0xd4, 0xcf, 0x8e, 0xf9, 0x3f, 0xc6, 0xc8, 0x92
 },
 {
  0x18, 0xcb, 0x23, 0x9f, 0x6c, 0xd6, 0x82, 0xae, 0x7f, 0xbd, 0x77, 0xc1,
  0x4a, 0x9b, 0x04, 0x33, 0xa4, 0xce, 0x99, 0xb6, 0x12, 0x92, 0x38, 0x5b,
  0x1d, 0xdf, 0xd4, 0x87, 0x67, 0x2c, 0x4d, 0xed
 },
};

@benpicco benpicco added this pull request to the merge queue Sep 12, 2024
@benpicco
Copy link
Copy Markdown
Contributor Author

benpicco commented Sep 12, 2024

Thank you for the review!

Merged via the queue into RIOT-OS:master with commit 870fe04 Sep 13, 2024
@benpicco benpicco deleted the suit_multi_key-2 branch September 13, 2024 06:52
@chrysn chrysn mentioned this pull request Sep 16, 2024
Merged
@benpicco benpicco added this to the Release 2024.10 milestone Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabian18 fabian18 fabian18 approved these changes

@bergzand bergzand Awaiting requested review from bergzand

Assignees

No one assigned

Labels

Area: build system Area: Build system CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Type: enhancement The issue suggests enhanceable parts / The PR enhances parts of the codebase / documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benpicco @riot-ci @fabian18