From 5e2a061d126041d81ca4881e8690661be5b74088 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Thu, 12 May 2022 11:14:23 +0200 Subject: [PATCH 1/2] followup of https://github.com/arduino/ArduinoCore-mbed/pull/475 --- .../boards/portenta-h7/tutorials/secure-boot/secure-boot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md b/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md index adf3b0529d..ca134bd120 100644 --- a/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md +++ b/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md 
@@ -34,7 +34,7 @@ In order to have secure boot enabled you must update the bootloader on your Port Once The bootloader has been updated to MCUboot, it's possible to use [secure boot](https://www.keyfactor.com/blog/what-is-secure-boot-its-where-iot-security-starts/) to have an additional layer of security. From that point on it is required to upload a compiled sketch with the Custom Board Option **"Security settings"** set to **"Signature + Encryption"** (the option can be found under **Tools > Security settings** in the IDE when selecting Portenta H7 as board, or you can use `--board-options security=sien` if using the Arduino CLI). Failing to provide such option will cause the bootloader not to run the compiled sketch because it is not trusted. If the security keys are not overridden, the default ones are used. -Two keys are embedded in the example sketch `STM32H747_updateBootloader` which can be found in **Files > Examples > STM32H747_System > STM32H747_updateBootloader** and used by the bootloader. +Two keys are embedded in the example sketch `STM32H747_manageBootloader` which can be found in **Files > Examples > STM32H747_System > STM32H747_manageBootloader** and used by the bootloader. A private 256bit [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) key is used to extract the encryption key and decrypt the binary update (`ecdsa-p256-encrypt-priv-key.h`), while a public key is used for image verification (`ecdsa-p256-signing-pub-key.h`). As counterpart, when building the image update, imgtool uses this private [key](https://github.com/arduino/ArduinoCore-mbed/pull/447/files#diff-f43e4850d60c61854678f6f80c6ddc4b59e3e68ca7e71b02e5ed15288c9aadb4) to sign the image and this public [key](https://github.com/arduino/ArduinoCore-mbed/pull/447/files#diff-95bb7b27de14276896a2bec099dc5a498d5332616458c04263efc8d24810e6a6) for image encryption with elliptic curve integrated encryption scheme. 
@@ -61,7 +61,7 @@ imgtool getpriv -k my-encrypt-keyfile.pem > ecsda-p256-encrypt-priv-key.h imgtool getpub -k my-sign-keyfile.pem > ecsda-p256-signing-pub-key.h ``` -Now you have to replace the keys inside the Sketch to update the bootloader(**STM32H747_updateBootloader**). +Now you have to replace the keys inside the Sketch to update the bootloader(**STM32H747_manageBootloader**). To do so just save the sketch to another location and replace the `ecsda-p256-encrypt-priv-key.h` and `ecsda-p256-signing-pub-key.h` files with the newly generated ones and then [update the bootloader](https://docs.arduino.cc/tutorials/portenta-h7/updating-the-bootloader) again. ***NOTE: In case the keys are compromised, this process can be performed again with a new set of keys, but any firmware signed with the previous pair will no longer work.*** From c5c06b2974be5c2a1b3278a8c8b02e49af790ed5 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Thu, 12 May 2022 17:19:12 +0200 Subject: [PATCH 2/2] update mbed core version --- .../boards/portenta-h7/tutorials/secure-boot/secure-boot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md b/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md index ca134bd120..80a5cdd1a0 100644 --- a/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md +++ b/content/hardware/04.pro/boards/portenta-h7/tutorials/secure-boot/secure-boot.md 
@@ -22,7 +22,7 @@ In other words, secure boot ensures that the boot technology and operating syste ## Hardware & Software Required - [Portenta H7](https://store.arduino.cc/portenta-h7) - Arduino IDE 1.8.19+ or Arduino IDE 2.0.0-rc5+ (https://www.arduino.cc/en/software) -- [Arduino Core for mbed enabled devices](https://github.com/arduino/ArduinoCore-mbed) version 3.0.0+ +- [Arduino Core for mbed enabled devices](https://github.com/arduino/ArduinoCore-mbed) version 3.1.0+ - [imgtool](https://github.com/arduino/imgtool-packing/releases/latest) (optional) ## Instructions
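Review bot: in the first hunk of patch 1/2 (`@@ -34,7 +34,7`), the context around the renamed sketch says "If the security keys are not overridden, the default ones are used", and the following paragraph links the default private signing key in a public pull request, yet nothing tells the reader that those defaults therefore provide no trust. Since this paragraph is being touched, add a sentence next to the `STM32H747_manageBootloader` reference stating that the embedded default keys are published and suitable for evaluation only, and that production devices need their own key pair. Minor, on the changed line itself: the menu path reads **Files > Examples**, while the IDE menu is **File**.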
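Review bot: in the second hunk of patch 1/2 (`@@ -61,7 +61,7`), the header names are spelled `ecsda-p256-encrypt-priv-key.h` and `ecsda-p256-signing-pub-key.h` in both the `imgtool` commands and the sentence after the changed line, while the first hunk's context spells them `ecdsa-p256-...`. One of the two is a typo, and a reader who copies the commands will produce files whose names may not match what the sketch includes, so check the names against the files shipped with `STM32H747_manageBootloader` and make both places agree. On the changed line, `bootloader(**STM32H747_manageBootloader**)` is also missing a space before the parenthesis, and "the Sketch to update the bootloader" still describes the sketch by its old name.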
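Review bot: in patch 2/2 (`@@ -22,7 +22,7`), the bump of the minimum core version from `3.0.0+` to `3.1.0+` has no stated reason, and the commit message "update mbed core version" does not give one either. If the bump exists because the sketch is only named `STM32H747_manageBootloader` from 3.1.0 onwards, say so in the commit message or squash this into patch 1/2, and consider mentioning the old name `STM32H747_updateBootloader` once in the tutorial so readers on an older core can tell why the example is missing. Style point in the same list: the Arduino IDE entry carries a bare URL in parentheses, whereas the other entries use inline links.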