Secure boot
A "secure boot" capability may be offered by Arduino board platforms.
The compiled sketch is signed and encrypted by a tool before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled sketch only if the matching keys were used: it verifies the image's signature against the key it trusts and decrypts the image with the board's own key, and an image signed or encrypted with any other keys is not started.
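As an added example (not code from the Arduino platform or from MCUboot), the following script inspects a built image the way the bootloader will, so you can confirm that the binary you are about to flash actually carries a signature and the encryption flag rather than being a raw `.bin`. It assumes the MCUboot image layout that imgtool writes (header magic, flags and TLV trailer from `bootutil/image.h`), which this page does not describe; the sample images it builds are constructed stand-ins with fake firmware and fake signature bytes, and its XOR "encryption" is only a placeholder for the real cipher.

```python
"""Inspect the image a secure-boot build produces (added example; not Arduino or MCUboot code).

Assumes the MCUboot image format written by imgtool (bootutil/image.h); the page
itself does not describe that layout.
"""
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D
IMAGE_F_ENCRYPTED_AES128 = 0x04
IMAGE_F_ENCRYPTED_AES256 = 0x08
# struct image_header: magic, load_addr, hdr_size, protect_tlv_size, img_size, flags,
# version (major, minor, revision, build_num), pad  -> 32 bytes, little-endian
HEADER = struct.Struct("<IIHHIIBBHII")
TLV_INFO = struct.Struct("<HH")   # magic, total length of the TLV area (info struct included)
TLV = struct.Struct("<BBH")       # type, pad, value length
TLV_INFO_MAGIC, TLV_PROT_INFO_MAGIC = 0x6907, 0x6908
TLV_KEYHASH, TLV_SHA256, TLV_ECDSA_SIG, TLV_ENC_EC256 = 0x01, 0x10, 0x22, 0x32
TLV_NAMES = {TLV_KEYHASH: "KEYHASH", TLV_SHA256: "SHA256",
             TLV_ECDSA_SIG: "ECDSA_SIG", TLV_ENC_EC256: "ENC_EC256"}


def inspect_image(blob: bytes) -> dict:
    """Report what the bootloader will find: header present, version, encryption flag, TLVs, hash."""
    if len(blob) < HEADER.size:
        return {"mcuboot": False}
    (magic, _load, hdr_size, prot_tlv_size, img_size, flags,
     maj, mnr, rev, build, _pad) = HEADER.unpack_from(blob)
    if magic != IMAGE_MAGIC:
        # a raw .bin, e.g. a build left on the security=none board option
        return {"mcuboot": False}
    encrypted = bool(flags & (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256))
    tlvs = {}
    off = hdr_size + img_size
    # Protected TLVs (magic 0x6908) precede the unprotected area (0x6907) holding hash and signature.
    while off + TLV_INFO.size <= len(blob):
        tmagic, ttot = TLV_INFO.unpack_from(blob, off)
        if tmagic not in (TLV_INFO_MAGIC, TLV_PROT_INFO_MAGIC):
            break
        area_end, off = off + ttot, off + TLV_INFO.size
        while off + TLV.size <= area_end:
            ttype, _, tlen = TLV.unpack_from(blob, off)
            off += TLV.size
            tlvs[TLV_NAMES.get(ttype, f"0x{ttype:02x}")] = blob[off:off + tlen]
            off += tlen
        off = area_end
    # The SHA256 TLV covers header + image + protected TLVs of the *plaintext* image,
    # so it can only be checked here when the image is not encrypted.
    hash_ok = None
    if not encrypted and "SHA256" in tlvs:
        covered = blob[:hdr_size + img_size + prot_tlv_size]
        hash_ok = hashlib.sha256(covered).digest() == tlvs["SHA256"]
    return {"mcuboot": True, "version": f"{maj}.{mnr}.{rev}+{build}",
            "encrypted": encrypted, "tlvs": list(tlvs), "hash_ok": hash_ok}


def build_sample(encrypted: bool) -> bytes:
    """Constructed stand-in for imgtool output: real layout, fake firmware bytes, fake signature."""
    payload = bytes(range(256)) * 4                        # 1 KiB of made-up 'firmware'
    flags = IMAGE_F_ENCRYPTED_AES128 if encrypted else 0
    header = HEADER.pack(IMAGE_MAGIC, 0, HEADER.size, 0, len(payload), flags, 1, 2, 3, 0, 0)
    digest = hashlib.sha256(header + payload).digest()     # imgtool hashes before encrypting
    if encrypted:
        payload = bytes(b ^ 0xA5 for b in payload)         # placeholder for AES-CTR, NOT real encryption
    tlvs = TLV.pack(TLV_SHA256, 0, 32) + digest
    tlvs += TLV.pack(TLV_KEYHASH, 0, 32) + b"\x11" * 32    # hash of the signing public key (fake)
    tlvs += TLV.pack(TLV_ECDSA_SIG, 0, 70) + b"\x22" * 70  # DER-encoded ECDSA signature (fake)
    if encrypted:
        tlvs += TLV.pack(TLV_ENC_EC256, 0, 113) + b"\x33" * 113  # wrapped image key (fake)
    return header + payload + TLV_INFO.pack(TLV_INFO_MAGIC, TLV_INFO.size + len(tlvs)) + tlvs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    print(inspect_image(data))
```

Run it on the `.bin` left in the build directory after compiling: a result of `{"mcuboot": False}` means the file was never passed through imgtool, and `"encrypted": False` on a board that expects encrypted images means the `sien` option was not selected. The hash check is deliberately skipped for encrypted images, because the digest covers the plaintext that only the bootloader can reconstruct.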
To carry out these operations at the end of the build, the platform uses a post-build hook: the `recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in `platform.txt` runs the tool that signs and encrypts the binary. The keys used are defined in `boards.txt`, so different boards can use different keys.

```
[...]
## Create secure image (bin file)
recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}

#
# IMGTOOL
#
tools.imgtool.cmd=imgtool
tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}
[...]
```

Note that `--key` takes the signing private key and `--encrypt` the encryption public key, and that the input and output paths are the same file: the unsigned `{build.project_name}.bin` is overwritten in place by the signed and encrypted image.
Because the hook is expressed only through `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.flags`, its behavior can be customized with a custom board option. In `boards.txt` we then define the new option, which selects a different `build.postbuild.cmd`:

```
[...]
menu.security=Security setting

envie_m7.menu.security.none=None
envie_m7.menu.security.sien=Signature + Encryption

envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" {tools.imgtool.flags}
envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" exit

envie_m7.menu.security.sien.build.keys.keychain={runtime.platform.path}/libraries/MCUboot/default_keys
envie_m7.menu.security.sien.build.keys.sign_key=default-signing-priv-key.pem
envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-pub-key.pem
[...]
```

With the `none` option the hook still runs imgtool, but with the `exit` argument, so the binary is left untouched. The `sien` option points at the default keys shipped with the platform under `libraries/MCUboot/default_keys`; since anyone who installs the platform has those keys, they are suitable only for development, and a production board must use its own keys.
The keys are selected with the following properties:

- `build.keys.keychain` indicates the path of the directory where to search for the custom keys used to sign and encrypt a binary.
- `build.keys.sign_key` indicates the name of the custom signing key used to sign a binary during the compile process.
- `build.keys.encrypt_key` indicates the name of the custom encryption key used to encrypt a binary during the compile process.
It is suggested to use the property names mentioned above, because they can be overridden respectively with the `--keys-keychain`, `--sign-key` and `--encrypt-key` flags of `arduino-cli compile`.

For example, with the following command the sketch is compiled and the resulting binary is signed and encrypted with the specified keys located in the `/home/user/Arduino/keys` directory:

```
arduino-cli compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecdsa-p256-signing-priv-key.pem --encrypt-key ecdsa-p256-encrypt-pub-key.pem /home/user/Arduino/MySketch
```

Note that the key flags only set the `build.keys.*` properties; the board option (`security=sien` in the FQBN) is what selects the signing command, so passing the key flags while the `none` option is in effect still produces an unsigned binary.
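How a board option and the CLI key flags combine into the final imgtool command can be traced by expanding the properties from the two files above. The following script, an added example rather than Arduino CLI code, does that for the `platform.txt` and `boards.txt` excerpts on this page. The runtime values it fills in (tool path, platform path, build directory, alignment, version, sizes) are constructed placeholders for values the page elides, and the resolution rules it applies (first listed menu value is the default, selected menu properties override the board's base properties, CLI key flags override both) are assumptions stated as such in the comments.

```python
"""Resolve the post-build hook the way the build does (added example; not Arduino CLI code).

The platform.txt / boards.txt excerpts are the lines shown on this page; the runtime
values (tool path, build path, alignment, ...) are constructed placeholders, since the
page elides them.
"""
import re

PLATFORM_TXT = """
## Create secure image (bin file)
recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}
tools.imgtool.cmd=imgtool
tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}
"""

BOARDS_TXT = """
menu.security=Security setting
envie_m7.menu.security.none=None
envie_m7.menu.security.sien=Signature + Encryption
envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" {tools.imgtool.flags}
envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" exit
envie_m7.menu.security.sien.build.keys.keychain={runtime.platform.path}/libraries/MCUboot/default_keys
envie_m7.menu.security.sien.build.keys.sign_key=default-signing-priv-key.pem
envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-pub-key.pem
"""

# Constructed placeholders for values the CLI and platform supply at build time.
RUNTIME = {
    "runtime.platform.path": "/opt/arduino/hardware/mbed_portenta",
    "tools.imgtool.path": "/opt/arduino/tools/imgtool",
    "build.path": "/tmp/arduino-build",
    "build.project_name": "MySketch.ino",
    "build.alignment": "32",
    "build.version": "1.0.0",
    "build.header_size": "0x20000",
    "build.slot_size": "0x1E0000",
}

# arduino-cli compile flags that set the key properties (the override the page describes).
CLI_KEY_FLAGS = {
    "--keys-keychain": "build.keys.keychain",
    "--sign-key": "build.keys.sign_key",
    "--encrypt-key": "build.keys.encrypt_key",
}
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def board_properties(boards: dict, board_id: str, options: dict) -> dict:
    """Flatten boards.txt for one board: base keys, then the selected value of each menu."""
    prefix = board_id + "."
    props = {k[len(prefix):]: v for k, v in boards.items()
             if k.startswith(prefix) and not k.startswith(prefix + "menu.")}
    for menu in (k.split(".", 1)[1] for k in boards if k.startswith("menu.")):
        values = [k.split(".")[3] for k in boards
                  if k.startswith(f"{board_id}.menu.{menu}.") and k.count(".") == 3]
        if not values:
            continue                                  # this board does not offer the menu
        chosen = options.get(menu, values[0])         # assumption: first listed value is the default
        if chosen not in values:
            raise ValueError(f"unknown {menu}={chosen} for {board_id}")
        sel = f"{board_id}.menu.{menu}.{chosen}."
        props.update({k[len(sel):]: v for k, v in boards.items() if k.startswith(sel)})
    return props


def expand(value: str, props: dict, max_depth: int = 10) -> str:
    """Substitute {key} references until stable; unknown keys are left verbatim."""
    for _ in range(max_depth):
        new = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def resolve_postbuild(fqbn: str, cli_flags: dict, runtime: dict = RUNTIME) -> tuple:
    """Return (command line, unresolved placeholders) for the postobjcopy hook of this FQBN."""
    _vendor, _arch, board_id, *rest = fqbn.split(":")
    options = dict(opt.split("=", 1) for opt in rest[0].split(",")) if rest else {}
    props = dict(runtime)
    props.update(parse_properties(PLATFORM_TXT))
    props.update(board_properties(parse_properties(BOARDS_TXT), board_id, options))
    for flag, value in cli_flags.items():
        props[CLI_KEY_FLAGS[flag]] = value            # CLI key flags win over boards.txt
    cmd = expand(props["recipe.hooks.objcopy.postobjcopy.1.pattern"], props)
    return cmd, PLACEHOLDER.findall(cmd)


if __name__ == "__main__":
    cmd, missing = resolve_postbuild(
        "arduino:mbed_portenta:envie_m7:security=sien",
        {"--keys-keychain": "/home/user/Arduino/keys",
         "--sign-key": "ecdsa-p256-signing-priv-key.pem",
         "--encrypt-key": "ecdsa-p256-encrypt-pub-key.pem"})
    print(cmd, "\nunresolved:", missing)
```

The second element of the result lists placeholders that survived expansion; an entry such as `build.keys.sign_key` there means the command would be run with a literal `{build.keys.sign_key}` in the key path, which is worth failing the build on rather than discovering at flash time.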