alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'docs/support_for_pre_calculated_signatures' into 'master'

Browse Source 
docs: Added documetation for using pre-calculated signatures

See merge request espressif/esp-idf!21377
This commit is contained in:
Mahavir Jain 2022-12-20 14:03:04 +08:00
commit 371a6abdca
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/en/security/secure-boot-v2.rst
View File

@ -368,9 +368,12 @@ Remember that the strength of the Secure Boot system depends on keeping the sign
Remote Signing of Images
------------------------
Signing using espsecure.py
~~~~~~~~~~~~~~~~~~~~~~~~~~
For production builds, it can be good practice to use a remote signing server rather than have the signing key on the build machine (which is the default esp-idf Secure Boot configuration). The espsecure.py command line program can be used to sign app images & partition table data for Secure Boot, on a remote system.
To use remote signing, disable the option "Sign binaries during build". The private signing key does not need to be present on the build system.
To use remote signing, disable the option :ref:`CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES` and build the firmware. The private signing key does not need to be present on the build system.
After the app image and partition table are built, the build system will print signing steps using espsecure.py::
@ -380,6 +383,17 @@ The above command appends the image signature to the existing binary. You can us
espsecure.py sign_data --version 2 --keyfile PRIVATE_SIGNING_KEY --output SIGNED_BINARY_FILE BINARY_FILE
Signing using an external HSM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For security reasons, you might also use an external Hardware Security Module (HSM) to store your private signing key, which cannot be accessed directly but has an interface to generate the signature of a binary file and its corresponding public key.
In such cases, disable the option :ref:`CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES` and build the firmware. The public key and the binary file signature generated using external HSM can be provided as inputs to the following command to generate a signed binary. ::
espsecure.py sign_data --version 2 --pub-key PUBLIC_SIGNING_KEY --signature SIGNATURE_FILE --output SIGNED_BINARY_FILE BINARY_FILE
The above command verifies the signature, generates a signature block (refer to :ref:`signature-block-format`) and appends it to the binary file. The signed binary is written to the filename provided to the `--output` argument.
Secure Boot Best Practices
--------------------------