Secure Boot¶
A "secure boot" capability may be offered by Arduino boards platforms.
The compiled sketch is signed and encrypted by a tool before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled sketch only if the matching keys are used.
To be able to correctly carry out all the operations at the end of the build we can leverage the
post build hooks to sign and encrypt a
binary by using recipe.hooks.objcopy.postobjcopy.NUMBER.pattern key in
platform.txt. The security keys used are defined in the
boards.txt file, this way there could be different keys for different
boards.
[...]
## Create secure image (bin file)
recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}
#
# IMGTOOL
#
tools.imgtool.cmd=imgtool
tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}
[...]
By having only tools.TOOL_NAME.cmd and tools.TOOL_NAME.flags, we can customize the behavior with a
custom board option. Then in the
boards.txt we can define the new option to use a different
build.postbuild.cmd:
[...]
menu.security=Security setting
envie_m7.menu.security.none=None
envie_m7.menu.security.sien=Signature + Encryption
envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" {tools.imgtool.flags}
envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" exit
envie_m7.menu.security.sien.build.keys.keychain={runtime.platform.path}/libraries/MCUboot/default_keys
envie_m7.menu.security.sien.build.keys.sign_key=default-signing-priv-key.pem
envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-pub-key.pem
[...]
The security keys can be added with:
- build.keys.keychainindicates the path of the dir where to search for the custom keys to sign and encrypt a binary.
- build.keys.sign_keyindicates the name of the custom signing key to use to sign a binary during the compile process.
- build.keys.encrypt_keyindicates the name of the custom encryption key to use to encrypt a binary during the compile process.
It's suggested to use the property names mentioned before, because they can be overridden respectively with
--keys-keychain, --sign-key and --encrypt-key Arduino CLI compile flags.
For example, by using the following command, the sketch is compiled and the resulting binary is signed and encrypted
with the specified keys located in /home/user/Arduino/keys directory:
arduino-cli compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecdsa-p256-signing-priv-key.pem --encrypt-key ecdsa-p256-encrypt-pub-key.pem /home/user/Arduino/MySketch