[LEDE-DEV] automated signed firmware upgrades / hide a secret in image

Michael Richardson mcr at sandelman.ca
Wed Feb 22 10:16:47 PST 2017

Bastian Bittorf <bb at npl.de> wrote:
    > There are "automated" signatures (e.g. from buildbot) and manual ones,
    > from humans. For protecting ourselves from bad admins, there should be
    > a "secret thing" which is baked into the firmware and only visible
    > during runtime: this way we can prevent a lazy admin from "signing" a
    > sha256 sum without really having flashed the image, and can make sure
    > that it really runs.

Please don't use a symmetric key in the firmware.  Especially one that
anyone can download and examine.  This is what Philips did for the HUE bulb,
and it was a disaster.

    > Now the question: a secret can be e.g.  # ls -la /etc | md5sum
    >
    > This is naive, and a dumb admin can e.g. unsquashfs the image for
    > getting the data. Are there better methods? Any ideas?

Yes, use an asymmetric key, and distribute the public part only.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
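The asymmetric scheme recommended in the reply, worked through as an added example (not code from this thread or from the LEDE project): each signer keeps an Ed25519 private key on their own host, the device ships only the public keys, and a release is accepted only when both the buildbot and a human signer have signed the image digest. The two-signer policy and the key names are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one party allowed to sign a release (buildbot or a human).
// Only Pub is baked into the firmware; extracting it gives nothing to forge with.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// ImageDigest is what gets signed: a SHA-256 over the whole image.
func ImageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// Sign runs on the signer's own machine; priv never leaves it.
func Sign(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, ImageDigest(image))
}

// VerifyRelease runs on the device with public keys only. It accepts the
// image only if every required signer produced a valid signature over it.
func VerifyRelease(image []byte, sigs map[string][]byte, required []Signer) bool {
	digest := ImageDigest(image)
	for _, s := range required {
		sig, ok := sigs[s.Name]
		if !ok || !ed25519.Verify(s.Pub, digest, sig) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed keys and image for the demo; real keys live on the signers' hosts.
	botPub, botPriv, _ := ed25519.GenerateKey(rand.Reader)
	humPub, humPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image contents")
	required := []Signer{{"buildbot", botPub}, {"release-manager", humPub}}
	sigs := map[string][]byte{"buildbot": Sign(botPriv, image)}
	fmt.Println("bot only:", VerifyRelease(image, sigs, required)) // false
	sigs["release-manager"] = Sign(humPriv, image)
	fmt.Println("bot + human:", VerifyRelease(image, sigs, required)) // true
	image[0] ^= 1
	fmt.Println("tampered:", VerifyRelease(image, sigs, required)) // false
}
```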
