Apachecon 2017 - mcuboot

Fabio Utzig

May 18, 2017

Transcript

1. History
   § Apache Mynewt Bootloader
   § (/boot/bootutil, /apps/boot)
   § MCUBoot
     § https://github.com/runtimeco/mcuboot
     § Zephyr support
     § More to come…
     § CI running on both Mynewt and Zephyr

2. Lifecycle of a FW upgrade
   § Firmware is sent to the device
     • Mynewt uses the newtmgr protocol
     • The image is sent to the free slot
   § The image is checked after it is written
   § On reset the bootloader checks its config, validates the images, and does the upgrade if one was requested

3. Concepts
   § The bootloader itself can be built on any OS it has a port for
   § Once built, the bootloader should boot any compatible image
   § Any microcontroller OS should be easy to make bootable

4. Flash partitioning
   § Bootloader
     § As small as possible, target 16k or less
   § Slots
     § Each accommodates a mcuboot image (not a raw binary image!)
     § Slot 0 always holds the running image
     § Slot 1 holds the image to swap to
   § Scratch
     § Temporary space used during swapping

5. Boot process
   § The bootloader checks both slots
   § If no upgrade is requested, validate slot 0 and boot it
   § If an upgrade is requested, swap the images
   § An upgrade can be a test or permanent; if it was a test and the new image does not get confirmed, revert on the next boot

6. Slot Format
   [Slot layout: HEADER | Firmware Image | TLVs | … | TRAILER (at the end of the slot)]
   § HEADER: magic, versioning, sizes, flags (which TLVs are present, etc.)
   § TLVs: hash, signature
   § TRAILER: state of the slot, progress of the swap

7. Non-swappable Upgrade (mcuboot only)
   [Diagram: BL | SLOT 0 (Running Image) | SLOT 1 (Image to Run)]
   § Not revertible
   § Impossible to fail? (the copy might be, but what about the firmware itself?)

8. Swappable Upgrade
   [Diagram: BL | SLOT 0 (Running Image) | SLOT 1 (Image to Run) | SCRATCH, with the three copies numbered 1, 2, 3]
   § Revertible
   § Can test images

9. Swappable Upgrade
   First copy:
   1. Erase Scratch
   2. Copy Slot 1 -> Scratch
   3. Update status
   Second copy:
   1. Erase Slot 1
   2. Copy Slot 0 -> Slot 1
   3. Update status
   Third copy:
   1. Erase Slot 0
   2. Copy Scratch -> Slot 0
   3. Update status
   § Erases/copies are scratch sized: the three copies are repeated for each scratch-sized chunk of the slots, with the status updated after every step

10. Fallback to previous image
   • On every boot the status of the slots is checked
   • If a swap was underway, finish it
   • Validate slot 0 (optional)
   • If the slot 0 image is not marked as permanent, swap back to the image in slot 1

11. Security (Crypto)
   • Images are always hashed (sha256)
   • Images can and should be signed!
   • What is actually signed is the hash of the image

12. Creating images
   $ newt create-image k64f_slinky 1.0.1000
   ...
   App image successfully generated: bin/targets/k64f_slinky/app/apps/slinky/slinky.img
   $ hexdump bin/targets/k64f_slinky/app/apps/slinky/slinky.img
   ...
   *
   000e870 00 00 00 00 00 00 00 00 00 00 00 00 01 00 20 00
   000e880 2a 08 e1 43 1b bc 0c f6 13 b6 21 4d 17 05 9a 70
   000e890 14 9a 21 df d7 3e 37 f2 77 e2 fd a0 85 47 84 9e
   000e8a0
   (The "01 00 20 00" at offset 0xe87c is the TLV record header for the hash: type 1, a pad byte, then the little-endian length 0x0020. The 32 bytes that follow are the SHA-256 of the image, the same value newtmgr reports on the next slide. An unsigned image ends right after the hash.)

13. Upload / Check image
   $ newt load k64f_slinky
   Loading app image into slot 1
   $ newtmgr --conn k64f image list
   Images:
    slot=0
       version: 1.0.1000
       bootable: true
       flags: active confirmed
       hash: 2a08e1431bbc0cf613b6214d17059a70149a21dfd73e37f277e2fda08547849e
   Split status: N/A

14. Signing images
   $ newt create-image k64f_slinky 1.0.1000 key_sec.pem
   ...
   App image successfully generated: bin/targets/k64f_slinky/app/apps/slinky/slinky.img
   $ hexdump bin/targets/k64f_slinky/app/apps/slinky/slinky.img
   ...
   *
   000e870 00 00 00 00 00 00 00 00 00 00 00 00 01 00 20 00
   000e880 a2 a7 36 f1 4c 77 ea e7 41 03 00 b8 73 f9 b5 e6
   000e890 1f 7c 21 15 d5 3c 52 56 c6 03 82 63 9b 70 5b 3f
   000e8a0 02 00 00 01 01 a5 20 c6 24 04 bf b8 f3 d8 4e d0
   ...
   (The hash TLV is still first, but after it "02 00 00 01" opens a second TLV: type 2, a pad byte, length 0x0100, i.e. the 256-byte RSA-2048 signature over the hash. The hash itself differs from the unsigned build because the header, which the hash covers, now records the signing.)

15. Signing images
   § The bootloader must have the public key
   § Key generation process described in boot/bootutil/signed_images.md (or maybe doc/signed_images.md)
   § Somewhat involved process, but it only has to be done once
   § Use OpenSSL to create the private key, extract the public key, dump it as C, add a new file with the required key vars, rebuild!

16. Porting requirements
   § Flash interfacing primitives (read/write/erase)
   § Flash layout (flash_map)
   § Crypto primitives: sha256, rsa2048, ecdsa224/256 (NIST curves)

17. Simulator (mcuboot)
   § Under /sim (written in Rust!)
   § Emulates flash in memory, traps flash operations
   § Can request a failure at any step of a swap
   § Can test reverts, random failures

18. Roadmap
   § More OS support (RIOT soon!)
   § “Safe” curves (aka DJB curves)
   § newtmgr encrypted transport? (mynewt only)
   § Loading images to RAM
   § Leverage crypto peripherals in MCUs
   § Key revocation?