
Strategies for storing SBSFU private key

sute
Associate III

Hello,

We have an STM32 project with SBSFU bootloader used for firmware updates. We have a pipeline that is triggered from GitLab that will compile and sign the firmware and update package. Before taking production private keys into use, we are considering strategies for secure storage of the keys while still trying to keep things as simple and automated as possible.

One option would be to add a manual step to the pipeline where update packages are signed and encrypted on an offline computer. The other option would be to store private keys only in the RAM of the machine running the pipeline, which would minimize the risk of leaking the keys. This would have the benefit of keeping everything automated. The problem is that I haven't figured out a way of supplying the key to the prepareimage.py script from a variable stored in RAM; it seems to require a file. Is there any way of achieving this?

Is there a way of integrating an HSM (hardware security model) into the SBSFU process?

Thanks!

Accepted Solutions
BBouw.2
Associate

"The problem is that I haven't figured out a way of supplying the key to the prepareimage.py"

The key could be stored in a secure area on the machine running the pipeline using something like HashiCorp Vault. You pull the production key out of the vault and use a script to replace the key in ECCKEY1.txt with your production key. After the build is finished you can delete the ECCKEY1.txt file, or if the pipeline is run in a Docker container, then the key will be destroyed when the container is torn down.

Brent

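Turning the accepted answer into a concrete pipeline step, as an added example that is not from this thread or from ST's SBSFU package: the key is pulled from Vault on stdin, exists only as a 0600 file on RAM-backed tmpfs for the duration of the signing call, and is overwritten and unlinked afterwards even if the call fails or is interrupted. The `sbsfu_key_dir`, `with_ephemeral_key` and `key_dir_is_clean` names, the `SBSFU_KEY_DIR` variable, the Vault secret path and the prepareimage.py argument form are assumptions; /dev/shm is assumed to be a tmpfs mount.

```shell
#!/bin/sh
# Added example; helper names, the Vault path and the prepareimage.py arguments are assumed.

# Directory for the short-lived key file: RAM-backed tmpfs if available (assumed to be
# mounted at /dev/shm), otherwise the ordinary temp dir so the step still runs anywhere.
sbsfu_key_dir() {
    if [ -n "$SBSFU_KEY_DIR" ]; then printf '%s\n' "$SBSFU_KEY_DIR"
    elif [ -d /dev/shm ] && [ -w /dev/shm ]; then printf '%s\n' /dev/shm
    else printf '%s\n' "${TMPDIR:-/tmp}"
    fi
}

# with_ephemeral_key CMD [ARGS...]: read the key from stdin into a 0600 file, run CMD with
# the file path appended as its last argument, then overwrite and unlink the file whether
# CMD succeeded, failed or was interrupted. Runs in a subshell so umask and traps stay local.
with_ephemeral_key() (
    dir=$(sbsfu_key_dir)
    umask 077                                 # file is created 0600: runner user only
    keyfile=$(mktemp "$dir/ECCKEY1.XXXXXX") || exit 1
    # Overwrite before unlink: harmless on tmpfs, and it matters if we fell back to disk.
    trap 'n=$(wc -c < "$keyfile" | tr -d " "); dd if=/dev/zero of="$keyfile" bs=1 count="$n" conv=notrunc 2>/dev/null; rm -f "$keyfile"' EXIT
    trap 'exit 130' INT TERM                  # a signal turns into exit, so the EXIT trap runs
    cat > "$keyfile"                          # key material never appears in argv or the environment
    "$@" "$keyfile"
    rc=$?
    exit "$rc"                                # propagate the signing tool's status to the pipeline
)

# Post-run check for the pipeline: succeeds only if no ECCKEY1.* file is left in the key dir.
key_dir_is_clean() {
    [ -z "$(ls "$(sbsfu_key_dir)"/ECCKEY1.* 2>/dev/null)" ]
}

# Pipeline usage (secret path and the `sign -k <keyfile>` form are assumptions; check the
# prepareimage.py of your SBSFU version for the exact arguments):
#   vault kv get -field=ecckey secret/sbsfu/prod \
#     | with_ephemeral_key python3 prepareimage.py sign -k
#   key_dir_is_clean || { echo "key file left behind" >&2; exit 1; }
```

Because the subshell's EXIT trap does the wiping, the key file is also removed when the runner sends SIGTERM to a cancelled job, which a plain "delete after the build" step would miss.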

2 REPLIES

Fred
ST Employee

The "prepareimage.py" is a "basic tool" we provide with our package but there is no guarantee that it is production level quality software.

The signing pipeline must be studied carefully.

You can find an example of HSM integration in the process with the Secure Firmware Installation offer:

STM32Trust - STMicroelectronics

But this is not SBSFU and this is not integrated with GitLab.