Bootware Signing and Verifying

Overview of Hardware (SCM and HSM6) and Software sign and verify

Bootware® applies updates through zymbit images or *.zi files. These files are created by using the zbcli imager tool to package up a zymbit image for the user. These images can be signed by either hardware keys stored in the HSM or with software key files generated by the ecdsa library. zbcli imager will generate both the hardware keys and the software keys based off of SECP256k1.

Hardware key generation (SCM-based products and HSM6):

zbcli imager leverages the BIP32/BIP39 wallet APIs of the SCM for key generation. The wallet is named “bootware” and will generate the signing key pair with the wallet address of “m/0/n” (where n is a random number between 0-100). The wallet address “m/0/n” info will be stored in the zymbit image: header.txt. After the zbcli imager finishes signing the image with the signing key, the tool will say what slot the “m/0/n” key is residing in, as well as prompt the user for saving the BIP39 mnemonic to file. The BIP39 mnemonic is a 24 word sentence that can be used to regenerate the master keypair or “m” of the wallet. So this is one way to re-clone the same hardware generated key between different publishing nodes. To verify the image on the node that needs to apply the update, use zbcli update-config to set the key slot number. zbcli update will use the key slot number to verify with.

The best way to transport the key over from the publishing node to the receiving node. Use the Python API:

On the publishing node:

# Save this public_key to a file
public_key = zymkey.client.get_public_key(signing_key_slot_number)

On the receiving node:

# Store the public key in the HSM to verify updates with
foreign_key_slot = zymkey.client.store_foreign_public_key("secp256k1", public_key)

Using zbcli update on receiving node:

sudo zbcli update --key-slot=foreign_key_slot

Software key generation (All products):

zbcli imager leverages the python ecdsa library to generate a SECP256K1 key pair as private_key.pem/pub_key.pem. These key files will be saved to the same location as the image that is being created. Both the zbcli imager and zbcli update tools will take in a filepath to these key files when the user specifies software keys for signing/verifying.

Warning: If using the “LOCAL DEVICE” configuration of zbcli update. Do not use a file path that points at a pub_key.pem on the local device. zbcli update will remount the local device on /etc/zymbit/zboot/mnt so the filepath will change.

Using zbcli update on receiving node:

sudo zbcli update --key-file=/home/zymbit/pub_key.pem

See also:

zbcli imager

zbcli update