Skip to content

Add secure boot support for compile command. #1686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Mar 24, 2022
Merged

Add secure boot support for compile command. #1686

merged 20 commits into from
Mar 24, 2022

Conversation

umbynos
Copy link
Contributor

@umbynos umbynos commented Mar 7, 2022
edited
Loading

Please check if the PR fulfills these requirements

  • The PR has no duplicates (please search among the Pull Requests
    before creating one)
  • The PR follows
    our contributing guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • UPGRADING.md has been updated with a migration guide (for breaking changes)
  • What kind of change does this PR introduce?

feature

  • What is the current behavior?
  • What is the new behavior?

The secure boot is now supported in the compile command

I've added three flags to support the override of the default security keys used to sign and encrypt a binary:

  • --keys-keychain allows specifying the directory used to search for the security keys
  • --sign-key indicates the name+extension of the sign key to use
  • --encrypt-key indicates the name+extension of the encryption key to use

The keys are red from the properties.Map representing the platform.txt file and are overwritten, even if security=sien board option is not used. Because we don't know if it will be the standard for secure boot.

  • Other information:

See how to contribute

@umbynos umbynos added type: enhancement Proposed improvement topic: code Related to content of the project itself topic: CLI Related to the command line interface topic: gRPC Related to the gRPC interface labels Mar 7, 2022
@umbynos umbynos requested a review from a team March 7, 2022 16:10
@umbynos umbynos self-assigned this Mar 7, 2022
@matthijskooijman
Copy link
Collaborator

I have not been involved with any development leading up to this, but at first glance it seems these extra options added are a bit arbitrary. Various platforms support all kinds of options in their platform.txt, and I wonder if it makes sense to make these particular options special and understood by arduino-cli. Going onto this train of development might eventually lead to a ton of different options, each supported by different platforms, each with their own compatibility needs...

IOW, I wonder:

  • Are these options really needed? Can the existing --build-property option not be used instead?
  • If these are needed, are they generic enough? I.e. will they work for a broad range of platforms and usecases, or will more (similar but not quite the same) options be needed in the future for other platforms?
  • Should this PR not include an update for the platform.txt documentation, to clearly document the particular keys updated by this option, with a clear contract about how they are intended to be used and set?

per1234
per1234 requested changes Mar 7, 2022
View reviewed changes
@umbynos
Copy link
Contributor Author

umbynos commented Mar 8, 2022

Hi @matthijskooijman, first off, thanks for the points you brought up.

Are these options really needed? Can the existing --build-property option not be used instead?

  • If you are referring to --board-options flag, unfortunately no, because this kind of properties are set along with the fqbn and not by the legacy builder.
    Using arduino-cli compile -b <fqbn> --build-property security=sien just won't work. Instead, adding the option along with the fqbn will work just fine (like before): arduino-cli compile -b <fqbn>:security=sien.
    As @per1234 pointed out I should move this change to another PR though.
  • If you are referring to the flags used to override the security keys used, yes, can be overridden with just --build-property but it requires knowledge on the platform:
    In the first platform that we will release shortly, it was decided to use these key names and combinations to specify the security keys used to sign and encrypt the binary.
    As you can see, they depend on the tool-name. It could happen in the future that a new platform comes out and uses a different tool to sign and encrypt. Using these newly introduced flags, we take away responsibility from the user to know exactly what properties to manually override with --build-properties.

If these are needed, are they generic enough? I.e. will they work for a broad range of platforms and usecases, or will more (similar but not quite the same) options be needed in the future for other platforms?

The flags introduced to override the default security keys IMHO are generic enough secureboot-wise. As long as a platform uses this approach of signing and/or encrypting a binary, they should work just fine.

Should this PR not include an update for the platform.txt documentation, to clearly document the particular keys updated by this option, with a clear contract about how they are intended to be used and set?

Yes, an update to the docs is definitely needed. And I'm doing it right now.

If you have further questions/observations/feedback I will be pleased to answer

@umbynos umbynos force-pushed the umbynos/add_board_option_flag branch from 1b1767c to 69a309f Compare March 9, 2022 11:38
@umbynos
Copy link
Contributor Author

umbynos commented Mar 9, 2022

--board-options PR created #1688

@umbynos umbynos force-pushed the umbynos/add_board_option_flag branch 4 times, most recently from b924cae to acdc565 Compare March 10, 2022 18:05
@umbynos umbynos requested review from cmaglie and per1234 March 14, 2022 17:04
@umbynos umbynos changed the title Add secureboot support for compile command. Add secure boot support for compile command. Mar 14, 2022
@umbynos umbynos force-pushed the umbynos/add_board_option_flag branch from ab57e78 to e325b16 Compare March 14, 2022 17:11
@umbynos
Copy link
Contributor Author

umbynos commented Mar 14, 2022

Docs updated

per1234
per1234 requested changes Mar 15, 2022
View reviewed changes
Copy link
Contributor

@per1234 per1234 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My opinion is that we should postpone the merge of this.

Start out by using the existing mechanism, as suggested by @matthijskooijman:

arduino-cli compile --build-property build.keys.sign_key=<some path>  --build-property build.keys.encrypt_key=<some path>

I really don't think it is so much more difficult for the advanced users who will use Arduino CLI and secure boot.

Once the first platform providing "secure boot" capability has been released and in use by the users, any requirements for facilitating its use may become more clear.

@ubidefeo
Copy link

In my opinion, as we offer facilities to burn a bootloader, we should enhance arduino-cli with the functionalities we need for secure-boot platforms.
Starting with our choice of MCUboot, which we might use in more upcoming boards, our CLI needs to be able to handle operations such as key generation, binary encryption and upload of such binaries.

Although the use of --build-property is a valid option, semantically I'd like to keep such operations into their respective realms.
Nothing prevents a user to work their way through a convoluted breakdown of properties and use them in the canonical way, but I'd prefer to keep the operations easily documented also through the command line itself (-h).

Once we provide support for our preferred way of doing key generation to support MCUboot, developers of other platforms and boards flavours might decide to implement other secure bootloaders and use the same commands which will leverage their own scripts and tools.

The idea of providing a local keychain is in my opinion valuable as more advanced use cases present themselves, hence we might end up implementing some form of keychain management through the CLI.
As we discussed yesterday in an internal meeting with @facchinm and @umbynos , generation of .pem files using ecdsa-p256 would not be done through imgtool but directly in Go to simplify things and reduce clutter, but we still want to offer platform developers a gateway into writing their own implementation of secure bootloaders or other means of generating keys to be used in yet unspecified contexts

@umbynos umbynos requested a review from per1234 March 16, 2022 15:10
per1234
per1234 requested changes Mar 16, 2022
View reviewed changes
@umbynos umbynos force-pushed the umbynos/add_board_option_flag branch 2 times, most recently from 0dba986 to 4912d48 Compare March 17, 2022 16:34
@umbynos umbynos requested a review from per1234 March 17, 2022 16:35
per1234
per1234 requested changes Mar 17, 2022
View reviewed changes
@umbynos umbynos requested a review from per1234 March 18, 2022 10:02
per1234
per1234 requested changes Mar 24, 2022
View reviewed changes
umbynos and others added 20 commits March 24, 2022 10:12
@umbynos
add flags to allow the override of the keys used to sign and encrypt …
04b8d5c 
…a binary for the boards that support the secure boot
@umbynos
add integration test for ReplaceSecurityKeys() function
3a8972f
@umbynos
fix regression introduced: target platform could be nil so using befo…
35294ce 
…re checking is not a good idea
@umbynos
apply suggestions from code review
50cc358
@umbynos
rename of some flags (done to accommodate the proposed changes in pla…
04a41e7 
…tform.txt)
@umbynos
change approach: override keys using builderCtx.CustomBuildProperties
e96fc18
@umbynos
add check in the builder regarding the usage of "build.keys.type" pro…
900c0e1 
…perties
@umbynos
add secure boot to the platform specifications
87a19ea
@umbynos @per1234
Apply suggestions from code review
dd05e7d 
Co-authored-by: per1234 <[email protected]>
@umbynos
modify the check on in the builder regarding the usage of "build.keys…
583dd9c 
…" properties:

The "build.keys.type" is no longer mandatory, and the default is "public_keys"
We also check if the secureboot keys are all defined or none of them is.
@umbynos
remove check on the flags specifying the keys, it's the tool responsi…
33e4c0d 
…bility to check if they are valid
@umbynos
move content to a guides section
6262cfa
@umbynos
add specifications regarding build.keys properties
2ed7002
@umbynos @per1234
Apply suggestions from code review
06f4beb 
Co-authored-by: per1234 <[email protected]>
@umbynos
add link to external resource to provide a quick explanation of the r…
c18bbca 
…eason for an Arduino boards platform developer to add a "secure boot" capability
@umbynos
change tools.imgtool.build.pattern to tools.imgtool.flags
3510509 
The property had the same form as the special `tools.TOOL_NAME.ACTION.pattern` properties
However, there is not a `build` action, the form of the property gives the impression that it is one that has special treatment by the build system.

It looks like the convention is `*.flags`
@umbynos
add small section explaining why is recommended to use these prop names
1d2e03e
@umbynos @per1234
Apply suggestions from code review
47c3917 
Co-authored-by: per1234 <[email protected]>
@umbynos
Correct error message
d480ae5
@umbynos @per1234
Apply suggestions from code review
c40e6cb 
Co-authored-by: per1234 <[email protected]>
@umbynos umbynos force-pushed the umbynos/add_board_option_flag branch from 162e73c to c40e6cb Compare March 24, 2022 09:15
@umbynos
Copy link
Contributor Author

umbynos commented Mar 24, 2022

image

@umbynos umbynos merged commit b86e5cf into master Mar 24, 2022
@umbynos umbynos deleted the umbynos/add_board_option_flag branch March 24, 2022 15:59
umbynos added a commit that referenced this pull request Apr 13, 2022
@umbynos
fix nav being left out form #1686
17b7889
@umbynos umbynos mentioned this pull request Apr 13, 2022
Merged
5 tasks
umbynos added a commit that referenced this pull request Apr 14, 2022
@umbynos
fix nav being left out form #1686
990167d
umbynos added a commit that referenced this pull request Apr 14, 2022
@umbynos
[skip-changelog] fix nav being left out form #1686 (#1710)
67924a3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cmaglie cmaglie cmaglie approved these changes

@per1234 per1234 per1234 approved these changes

Assignees

@umbynos umbynos

Labels
topic: CLI Related to the command line interface topic: code Related to content of the project itself topic: gRPC Related to the gRPC interface type: enhancement Proposed improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@umbynos @matthijskooijman @ubidefeo @cmaglie @per1234