Crypto-signing custom firmware or similar?

General discussions and questions abound development of code with MicroPython that is not hardware specific.
Target audience: MicroPython Users.
Post Reply
Posts: 1
Joined: Fri Jan 08, 2021 5:14 pm

Crypto-signing custom firmware or similar?

Post by aseelye » Fri Jan 08, 2021 5:54 pm

I have a commercial hardware/software project I'm working on that we're considering making open source. One of our concerns is that if the software is done wrong, hardware damage can result. If someone decided to download the firmware, "optimize" it improperly, and break the hardware (against our objections and warranty), then we'd like to have some mechanism by which they couldn't pave over their tracks, load the original firmware back on, and then do a warranty claim.

To put it in vague but close-enough terms, it's a heating-cooling system on a PID controller. When you flip modes between heat and cool, there needs to be a ~60 second delay in firing it up in the new mode.

I've seen that in the ESP-IOT dev kit for the ESP32, you can make it so you need a crypto key to read the firmware off the esp32 (though I've not fully flushed this out). Either way, is there some mechanism by which we could see if the firmware had been messed with?

User avatar
Posts: 4804
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: Crypto-signing custom firmware or similar?

Post by pythoncoder » Fri Jan 08, 2021 6:16 pm

I don't know a bomb-proof solution, but there are a few ideas you might consider. One approach might be to include an undocumented and unpublished module as frozen bytecode. If a user built firmware from your published source this module wouldn't be included: the firmware would work, but you could easily detect that it was not the supplied build.

If you don't really want users changing the firmware there are obvious hardware steps that would make it difficult such as using a nonstandard connector or requiring an undocumented link to be made.

Perhaps others will come up with alternatives.
Peter Hinch

User avatar
Posts: 2072
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: Crypto-signing custom firmware or similar?

Post by jimmo » Mon Jan 11, 2021 12:53 am

I'm a little bit unsure what your goal is... if I understand correctly, I think you're asking for a way to make it such that only you (the manufacturer) can flash "official" builds, which you can tell apart from a user-generated build. (i.e. you need to prevent a user putting an official build back onto their board after damaging it).

@pythoncoder's suggestion of making your official builds different in some way from user builds would I think prevents you from publishing "official" firmware updates.

You would also need a way to prevent readout of the official build from the device -- unfortunately this is basically impossible because even if you disable flash readout, MicroPython provides machine.mem8 (/16/32) which someone could use to read this from the MicroPython REPL.

This does seem like a very difficult problem... (i.e. it's harder than the already-difficult problem of just preventing code read-out etc).

Post Reply