I have a commercial hardware/software project I'm working on that we're considering making open source. One of our concerns is that if the software is done wrong, hardware damage can result. If someone decided to download the firmware, "optimize" it improperly, and break the hardware (against our objections and warranty), then we'd like to have some mechanism by which they couldn't pave over their tracks, load the original firmware back on, and then do a warranty claim.
To put it in vague but close-enough terms, it's a heating-cooling system on a PID controller. When you flip modes between heat and cool, there needs to be a ~60 second delay in firing it up in the new mode.
I've seen that in the ESP-IOT dev kit for the ESP32, you can make it so you need a crypto key to read the firmware off the esp32 (though I've not fully flushed this out). Either way, is there some mechanism by which we could see if the firmware had been messed with?
Crypto-signing custom firmware or similar?
- pythoncoder
- Posts: 5956
- Joined: Fri Jul 18, 2014 8:01 am
- Location: UK
- Contact:
Re: Crypto-signing custom firmware or similar?
I don't know a bomb-proof solution, but there are a few ideas you might consider. One approach might be to include an undocumented and unpublished module as frozen bytecode. If a user built firmware from your published source this module wouldn't be included: the firmware would work, but you could easily detect that it was not the supplied build.
If you don't really want users changing the firmware there are obvious hardware steps that would make it difficult such as using a nonstandard connector or requiring an undocumented link to be made.
Perhaps others will come up with alternatives.
If you don't really want users changing the firmware there are obvious hardware steps that would make it difficult such as using a nonstandard connector or requiring an undocumented link to be made.
Perhaps others will come up with alternatives.
Peter Hinch
Index to my micropython libraries.
Index to my micropython libraries.
Re: Crypto-signing custom firmware or similar?
I'm a little bit unsure what your goal is... if I understand correctly, I think you're asking for a way to make it such that only you (the manufacturer) can flash "official" builds, which you can tell apart from a user-generated build. (i.e. you need to prevent a user putting an official build back onto their board after damaging it).
@pythoncoder's suggestion of making your official builds different in some way from user builds would I think prevents you from publishing "official" firmware updates.
You would also need a way to prevent readout of the official build from the device -- unfortunately this is basically impossible because even if you disable flash readout, MicroPython provides machine.mem8 (/16/32) which someone could use to read this from the MicroPython REPL.
This does seem like a very difficult problem... (i.e. it's harder than the already-difficult problem of just preventing code read-out etc).
@pythoncoder's suggestion of making your official builds different in some way from user builds would I think prevents you from publishing "official" firmware updates.
You would also need a way to prevent readout of the official build from the device -- unfortunately this is basically impossible because even if you disable flash readout, MicroPython provides machine.mem8 (/16/32) which someone could use to read this from the MicroPython REPL.
This does seem like a very difficult problem... (i.e. it's harder than the already-difficult problem of just preventing code read-out etc).