Remote signing of images with espsecure using yubikey

bobbygz
Posts: 2
Joined: Fri May 25, 2018 5:25 pm

Remote signing of images with espsecure using yubikey

Postby bobbygz » Mon Aug 29, 2022 5:32 pm

To keep the code signing private key secure, I would like to configure and use a yubikey to sign the images (2nd stage boot loader / OTA apps). The instructions for signing images and creating the required signature blocks assume the private key is accessible on the signing server. By using an HSM (yubikey), the private key would not be accessible and therefore not be compromised.

Can espsecure be used as is to support this? If not, can it be extended? Is this a good idea?

Thank you!!

ESP_igrr
Posts: 2067
Joined: Tue Dec 01, 2015 8:37 am

Re: Remote signing of images with espsecure using yubikey

Postby ESP_igrr » Tue Aug 30, 2022 7:35 am

This sounds like a good idea! We had a discussion about adding PKCS11 support to espsecure, but it seems like this hasn't been implemented yet.

DCSBL-
Posts: 3
Joined: Mon Dec 05, 2022 9:50 am

Re: Remote signing of images with espsecure using yubikey

Postby DCSBL- » Mon Dec 05, 2022 9:54 am

Hey @ESP_igrr,

Is there any update on this, or at least some insights into if it is even possible? I am also curious if there are other HSMs to keep the sign process really secure in our CI/CD.

ESP_harshal
Posts: 18
Joined: Wed Jul 06, 2022 8:36 am

Re: Remote signing of images with espsecure using yubikey

Postby ESP_harshal » Wed Dec 07, 2022 12:27 pm

Secure boot version 2 uses an RSA-3072-based app signing scheme. YubiKey only supports RSA-2048 and hence it cannot be used for app signing. Although, in the case of ESP32-C2, secure boot version 2 uses an ECDSA-192/256-based signing scheme, which is supported by YubiKey.

We have been working on adding a PKCS11 interface to get the binaries signed using an HSM; please check this out: https://github.com/Harshal5/esptool/tre ... _interface.
Before using this feature, you will need to install PyKCS11 (https://github.com/LudovicRousseau/PyKCS11) on your host, populate the fields in the HSM espsecure/ext_hsm.ini config file, and generate the public key for the HSM private key to be used for signing.
(This workflow has been tested with ECDSA-256 signing using YubiKey5.)

DCSBL-
Posts: 3
Joined: Mon Dec 05, 2022 9:50 am

Re: Remote signing of images with espsecure using yubikey

Postby DCSBL- » Fri Dec 09, 2022 3:36 pm

Thank you! I will take a look!

DCSBL-
Posts: 3
Joined: Mon Dec 05, 2022 9:50 am

Re: Remote signing of images with espsecure using yubikey

Postby DCSBL- » Sun Feb 12, 2023 1:17 pm

This awesome post can also help others: https://blog.espressif.com/secure-signi ... e855a2f2ef
