Skip to main content
sute
sute
Associate III
May 15, 2023
Solved

Strategies for storing SBSFU private key

  • May 15, 2023
  • 2 replies
  • 1514 views

Hello,

We have an STM32 project with SBSFU bootloader used for firmware updates. We have a pipeline that is triggered from GitLab that will compile and sign the firmware and update pakcage. Before taking production private keys into use, we are considering strategies for secure storage of the keys while still trying to keep things as simple and automated as possible.

One option would be to add a manual step to the pipeline where update packages are signed and encrypted in an offline computer. Other option would be to store private keys only in RAM of the machine running the pipeline which would minimize risk of leaking the keys. This would have the benefit of keeping everything automated. The problem is that I haven't figured out a way of supplying the key to the prepareimage.py script from a variable stored in RAM, it seems to require a file. Is there any way of achieving this?

Is there a way of integrating a HSM (hardware security model) to the SBSFU process?

Thanks!

This topic has been closed for replies.
Best answer by BBouw.2

" The problem is that I haven't figured out a way of supplying the key to the prepareimage.py"

The key could be stored in a secure area on the machine running the pipeline using something like HashiCorp Vault. You pull the production key out of the vault, and use a script to replace the key in ECCKEY1.txt with your production key. After the build is finished you can delete the ECCKEY1.txt file, or if the pipeline is run in a docker, then the key will be destroyed when the docker is torn down.

Brent

2 replies

BBouw.2
BBouw.2Best answer
Visitor II
May 22, 2023

" The problem is that I haven't figured out a way of supplying the key to the prepareimage.py"

The key could be stored in a secure area on the machine running the pipeline using something like HashiCorp Vault. You pull the production key out of the vault, and use a script to replace the key in ECCKEY1.txt with your production key. After the build is finished you can delete the ECCKEY1.txt file, or if the pipeline is run in a docker, then the key will be destroyed when the docker is torn down.

Brent

Fred
Fred
ST Employee
May 23, 2023

The "prepareimage.py" is a "basic tool" we provide with our package but there is no guarantee that it is production level quality software.

The signing pipeline must be studied carefully.

You can find an example of HSM integration in the process with the Secure Firmware Installation offer:

STM32Trust - STMicroelectronics

But this is not SBSFU and this is not integrated with GitLab.

Terms & ConditionsAccessibility statement