2023-04-19
Developers of embedded and IoT devices have questions about firmware signing, which is crucial for secure booting and firmware updates. The following answers some of the most common questions we receive.
Firmware signing is the process of adding a digital signature to the firmware code to verify its authenticity and integrity. The digital signature is a cryptographic mechanism that ensures that the firmware has not been tampered with, corrupted, or modified in any way.
As an IoT device or embedded developer, firmware signing is important because it provides a way to protect the firmware code from unauthorized modification and ensure that only the authorized firmware can be installed and executed on the device. This is particularly important for devices connected to a network, such as IoT devices.
Firmware signing is also important for compliance and regulatory reasons. Industries are starting to have strict regulations that require firmware to be signed and verified before it can be deployed.
Firmware signing is a critical aspect of firmware development and software lifecycle management, and it should be implemented as a standard practice to ensure the security and integrity of embedded devices.
Firmware signing can be a complex and critical aspect of embedded development, and embedded developers need to have a solid understanding of the principles and best practices involved to ensure the security and integrity of their firmware.
To create a firmware signing certificate, you can follow these general steps:
Here are some best practices for managing firmware signing certificates:
Creating and managing firmware signing certificates requires careful attention to security and best practices to ensure that firmware is signed only by trusted sources and is protected against unauthorized modifications.
It is important to carefully assess the CA/PKI and signing software that best suits your use case. While OpenSSL or other utilities may seem convenient, they are often designed for individual developers and may include manual steps that can hinder scalability and security.
A firmware signing certificate is not the same as a TLS certificate, although they are both types of digital certificates, so-called X.509 certificates.
A firmware signing certificate is used specifically to sign firmware images for embedded systems. The certificate includes a public key, and the private key is used to generate digital signatures that can be used to verify the authenticity of firmware images. The certificate is issued by a Certificate Authority (CA) and the private key is generally stored securely within a hardware security module (HSM) that is connected to the actual signing software.
A TLS (Transport Layer Security) certificate is used to establish secure communication over a network, such as the Internet. TLS certificates are used to encrypt data in transit between a client (a web browser) and a server (a website). The certificate includes a public key and is issued by a trusted public CA or by a private CA depending on the use case.
While both types of certificates use public key cryptography to ensure security, they serve different purposes and are used in different contexts. It’s important to ensure that you are using the correct type of certificate for your specific security needs.
You should consider several factors when deciding whether to obtain a code signing certificate from a public Certificate Authority (CA) or use your own private CA:
The decision of whether to use a code signing certificate from a public CA or your own private CA will depend on your specific needs and circumstances. You can use SignServer for firmware signing with either public or private trusted code signing certificates.
Code and firmware signing should use an already defined and standard format. However, you will encounter different code signing formats for signing software code. The specific format you use will depend on the platform and operating system you are developing for, as well as any specific requirements or standards you need to comply with. Semiconductor companies like ARM, Intel, and Qualcomm specify their own secure boot and secure firmware development environments.
It’s important to note that organizations may need to use multiple code signing formats depending on their products and use cases. Furthermore, many code-signing formats require the use of timestamps to ensure that the certificate used to sign the code was not revoked at the time of the signature. You can find a comprehensive list of the code signing formats supported by SignServer, including those with time-stamping, in our documentation.
A Hardware Security Module (HSM) is a physical device that provides a secure environment for storing and managing cryptographic keys. HSMs are designed to protect against attacks that attempt to steal or tamper with sensitive information and in this case the code signing keys.
By using HSMs, attackers cannot steal keys and developers do not lose keys by accident when they store them on their laptops. In addition, HSM usage can be mandated by regulatory security standards and regulations.
The specific steps for integrating trusted firmware signing into your build process will depend on the toolchain and platform you are using. Some platforms may have built-in support for firmware signing, while others may require you to use third-party tools. It is important to consult the documentation for your platform and toolchain to determine the best approach for your specific use case.
Our tutorial demonstrates how to set up a trusted signing process for the Espressif ESP32.
Take a look and let us know what you think! Are there any other devices you think we should try out with EJBCA and SignServer?