Zymbit Bootware Signing and Verifying

Bootware applies updates through zymbit images or *.zi files. These files are created by using the zb-imager tool to package up a zymbit image for the user. These images can be signed by either hardware keys stored in the HSM or with software key files generated by the ecdsa library. zb-imager will generate both the hardware keys and the software keys based off of SECP256k1.

Hardware key generation:

Zb-imager leverages the BIP32/BIP39 wallet APIs of the SCM for key generation. The wallet is named “bootware” and will generate the signing key pair with the wallet address of “m/0/n” (where n is a random number between 0-100). The wallet address “m/0/n” info will be stored in the zymbit image: header.txt. After the zb-imager finishes signing the image with the signing key, the tool will say what slot the “m/0/n” key is residing in, as well as prompt the user for saving the bip39 mnemonic to file. The BIP39 mnemonic is a 24 word sentence that can be used to regenerate the master keypair or “m” of the wallet. So this is one way to re-clone the same hardware generated key between different publishing nodes. To verify the image on the node that needs to apply the update, zb-update will ask for an existing key slot number to verify with.

The best way to transport the key over from the publishing node to the receiving node:

On the publishing node:

#Save this public_key to a file
public_key = zymkey.client.get_public_key(signing_key_slot_number)

On the receiving node:

#Store the public key in the HSM to verify updates with
foreign_key_slot = zymkey.client.store_foreign_public_key("secp256k1", public_key)

Using zb-update on receiving node:

sudo zb-update --key-slot=foreign_key_slot

Software key generation:

Zb-imager leverages the python ecdsa library to generate a SECP256K1 key pair as private_key.pem/pub_key.pem. These key files will be saved to the same location as the image that is being created. Both the zb-imager and zb-update tools will take in a filepath to these key files when the user specifies software keys for signing/verifying.

Warning: If using the “LOCAL DEVICE” configuration of zb-update. Do not use a file path that points at a pub_key.pem on the local device. Zb-update will remount the local device on /etc/zymbit/zboot/mnt so the filepath will change.

Using zb-update on receiving node:

sudo zb-update --key-file=/home/zymbit/pub_key.pem

See also: