## Secure Boot
A "secure boot" capability may be offered by Arduino boards platforms.

The compiled sketch is signed and encrypted by a tool before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled sketch only if the matching keys are used.
To be able to correctly carry out all the operations at the end of the build we can leverage the post build hooks to sign and encrypt a binary by using the `recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in `platform.txt`. The security keys used are defined in the `boards.txt` file; this way there can be different keys for different boards.
```
[...]
## Create secure image (bin file)
recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}

## IMGTOOL
#
tools.imgtool.cmd=imgtool
tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}
[...]
```
By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.flags`, we can customize the behavior with a custom board option. Then in the `boards.txt` we can define the new option to use a different `build.postbuild.cmd`:

```
[...]
menu.security=Security setting
envie_m7.menu.security.none=None
envie_m7.menu.security.sien=Signature + Encryption
envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" {tools.imgtool.flags}
envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" exit
envie_m7.menu.security.sien.build.keys.keychain={runtime.platform.path}/libraries/MCUboot/default_keys
envie_m7.menu.security.sien.build.keys.sign_key=default-signing-priv-key.pem
envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-pub-key.pem
[...]
```
The security keys can be added with:

- `build.keys.keychain` indicates the path of the directory where to search for the custom keys to sign and encrypt a binary.
- `build.keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process.
- `build.keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile process.
It's suggested to use the property names mentioned before, because they can be overridden respectively with the `--keys-keychain`, `--sign-key` and `--encrypt-key` Arduino CLI compile flags.
For example, by using the following command, the sketch is compiled and the resulting binary is signed and encrypted with the specified keys located in the `/home/user/Arduino/keys` directory:

```
arduino-cli compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecdsa-p256-signing-priv-key.pem --encrypt-key ecdsa-p256-encrypt-pub-key.pem /home/user/Arduino/MySketch
```
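To make the property resolution concrete, the following Python script is an added example (not part of Arduino CLI or of any platform) that models how the `{...}` references in the post-objcopy hook are expanded for the `security=sien` and `security=none` menu choices, and how `--keys-keychain`, `--sign-key` and `--encrypt-key` override the `build.keys.*` properties from `boards.txt`. The `platform.txt`/`boards.txt` fragments and the paths in `RUNTIME` are constructed, and the override precedence is a simplified model of the real resolver.

```python
import re
# Constructed platform.txt / boards.txt fragments modelled on this section's
# snippets (not a real platform's files); RUNTIME holds made-up placeholder paths.
PLATFORM_TXT = """
recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}
tools.imgtool.cmd=imgtool
tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --version {build.version}
"""
BOARDS_TXT = """
menu.security=Security setting
envie_m7.menu.security.none=None
envie_m7.menu.security.sien=Signature + Encryption
envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" {tools.imgtool.flags}
envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.path}/{tools.imgtool.cmd}" exit
envie_m7.menu.security.sien.build.keys.keychain={runtime.platform.path}/libraries/MCUboot/default_keys
envie_m7.menu.security.sien.build.keys.sign_key=default-signing-priv-key.pem
envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-pub-key.pem
"""
RUNTIME = {"runtime.platform.path": "/opt/platform", "tools.imgtool.path": "/opt/imgtool",
           "build.path": "/tmp/build", "build.project_name": "MySketch.ino", "build.version": "1.2.3"}
REF = re.compile(r"\{([A-Za-z0-9_.\-]+)\}")  # a {property.name} reference

def parse(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def expand(value, props, depth=0):
    """Recursively substitute {name} references; unknown names are left literal."""
    if depth > 10:  # guard against a property that (indirectly) references itself
        raise ValueError("property reference cycle")
    return REF.sub(lambda m: expand(props[m.group(1)], props, depth + 1)
                   if m.group(1) in props else m.group(0), value)

def resolve_postbuild(board, security, cli_overrides=None, runtime=RUNTIME):
    """Expanded hook command; precedence modelled: platform.txt < menu option < CLI flags."""
    props = parse(PLATFORM_TXT)
    props.update(runtime)
    prefix = f"{board}.menu.security.{security}."
    for key, value in parse(BOARDS_TXT).items():
        if key.startswith(prefix):  # ...sien.build.keys.sign_key -> build.keys.sign_key
            props[key[len(prefix):]] = value
    props.update(cli_overrides or {})  # --keys-keychain / --sign-key / --encrypt-key
    return expand(props["recipe.hooks.objcopy.postobjcopy.1.pattern"], props)
```

Calling `resolve_postbuild("envie_m7", "sien")` yields the full `imgtool sign` command with the platform's default keys, `"none"` yields the no-op `imgtool exit` call, and passing the three `build.keys.*` entries as `cli_overrides` swaps in the keys from `/home/user/Arduino/keys`.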