WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfBoot/docs/Signing.md

87 lines
2.7 KiB
Markdown
Raw Blame History

# wolfBoot Signing
Instructions for setting up Python, wolfCrypt-py module and wolfBoot for firmware signing.
Note: There is a pure C signing tool available as well. See [C Signing Tool](#c-signing-tool) below.
## Install Python3
1. Download latest Python 3.x and run installer: https://www.python.org/downloads
2. Check the box that says Add Python 3.x to PATH
## Install wolfCrypt
```sh
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./configure --enable-keygen --enable-rsa --enable-ecc --enable-ed25519 --enable-des3 CFLAGS="-DWOLFSSL_PUBLIC_MP"
make
sudo make install
```
## Install wolfcrypt-py
```sh
git clone https://github.com/wolfSSL/wolfcrypt-py.git
cd wolfcrypt-py
sudo USE_LOCAL_WOLFSSL=/usr/local pip3 install .
```
## Install wolfBoot
```sh
git clone https://github.com/wolfSSL/wolfBoot.git
cd wolfBoot
git submodule update --init
# Setup configuration (or copy template from ./config/examples)
make config
# Build the wolfBoot binary and sign an example test application
make
```
## Signing Firmware
1. Load the private key to use for signing into “./rsa4096.der”
2. `python3 ./tools/keytools/sign.py --rsa4096 --sha3 test-app/image.bin rsa4096.der 1`
Note: The last argument is the “version” number.
## Signing Firmware with External Private Key (HSM)
I've tested this with separate signature and the correct public key, the two files are identical either if I do one step signing:
```sh
# Create file with Public Key
openssl rsa -inform DER -outform DER -in rsa4096.der -out rsa4096_pub.der -pubout
# Generate Hash to Sign
python3 ./tools/keytools/sign.py --rsa4096 --sha-only --sha3 test-app/image.bin rsa4096_pub.der 1
# Example for signing
openssl rsautl -sign -keyform der -inkey rsa4096.der -in test-app/image_v1_digest.bin > test-app/image_v1.sig
# Generate final signed binary
python3 ./tools/keytools/sign.py --rsa4096 --sha3 --manual-sign test-app/image.bin rsa4096_pub.der 1 test-app/image_v1.sig
```
## C Signing Tool
A standalone C version of the signing tool is available here: `./tools/keytools/sign.c`. Build using `make keytools`
```sh
./tools/keytools/sign --rsa4096 --sha3 test-app/image.bin rsa4096.der 1
```
### Windows Visual Studio
Use the `wolfBootSignTool.vcxproj` Visual Studio project to build the `sign.exe` tool for use on Windows.
## Command Line Usage
```
./tools/keytools/sign [--ed25519 | --ecc256 | --rsa2048 | --rsa4096 ] [--sha256 | --sha3] [--wolfboot-update] image key.der fw_version
- or - ./tools/keytools/sign [--sha256 | --sha3] [--sha-only] [--wolfboot-update] image pub_key.der fw_version
- or - ./tools/keytools/sign [--ed25519 | --ecc256 | --rsa2048 | --rsa4096 ] [--sha256 | --sha3] [--manual-sign] image pub_key.der fw_version signature.sig
```
Reference in New Issue View Git Blame Copy Permalink