Production Key Management System

The Secure Boot scheme prevents the loading of unauthorized firmware by requiring each boot image to carry a valid signature.

  • During the development phase, the developer uses boot loader images signed with a default key to enable rapid prototyping. To this end, Samsung provides a local code-signing tool, available as a download.

  • For the production phase where boot images with authentic keys must be deployed, the developer will need to set up private code signing keys for their company.

The Key Management System (KMS) is used for this production signing process. The following sections first provide an overview of the KMS and then describe the steps needed to sign code with it.

Key Management System Overview

A Secure Boot solution is only effective if the private key is secure and safe. This requires the use of specific business practices to securely store and control access to the private key. Samsung ARTIK provides a secure code signing Web portal as part of its KMS.

KMS signs packages with SHA256withRSA using 2048-bit keys (SHA256wRSA2048). The signing keys are protected on hardened signing servers equipped with FIPS-certified HSMs and operated under administrator controls.

ARTIK makes this signing infrastructure available to customers and partners through the ARTIK CodeSigner Portal, which handles key management and code signing over a secured remote connection via the Internet. The figure illustrates the package signing process.

Using the Samsung ARTIK KMS solution:

  • The developer generates private signing keys, but shares only the public key version with Samsung.
  • The public key gets added to the first bootloader by the Samsung signing process.
  • The developer uses the private key to sign the secondary bootloader binaries.

This way, verification of the secondary bootloader is based on the key pair that is unique to the customer, allowing them to fully own and protect their firmware.

Samsung implements the required practices and infrastructure to support this process so the user doesn’t have to. The Samsung ARTIK KMS service has been customized to operate with the ARTIK development flow to provide a streamlined, seamless experience that enables customers to concentrate on their code development and not on the custom implementation of security services.

ARTIK provides a chain of trust starting from Boot-Loader-0 (ROM) through U-Boot (the bootloader). The developer can optionally enable the "verified boot" feature provided in the ARTIK Board Support Package (BSP) to extend verification to the kernel binaries and subsequent stages.

Account Registration

Portal accounts are managed by the Samsung ARTIK team; OEM partners can request a portal account from the team.

You will need to provide the IP address of the computer you will use to log in and upload images. The ARTIK team adds this address to a "whitelist" on the KMS system when the customer account is approved; you will be able to log in and upload images only from that machine. It is highly recommended that you designate a single individual in the company who will be responsible for loading and signing images.

Upon qualifying the request, the Samsung ARTIK team will provide the following account information, with the e-mail coming from codesigner@artik.io.

  • Username
  • Password, used to log in to the portal
  • Soft-card password, used for key management

For example:

Portal ID: user0000a0
Portal Password: W9CjesU0
Softcard Password: gXOSfNv6

The overall process looks like this; so far, we've only talked about steps 1-3.

Using the KMS Portal

Once you receive your account information and usage instructions, you will be able to log in to the portal and perform tasks related to code signing as shown.

The Web pages are fairly easy to navigate. The following tables show the typical workflow.

Log in

Step | Action | Output displayed
1 | Log in to the system in your browser. |

Request a new key

Step | Action | Output displayed
1 | Request a new key. |
2 | Select the module type. |
3 | Enter the key name and softcard information. |
4 | Download the public key version of the created key. |
5 | Await the signed BL1 image. | Arrives in a secure e-mail, together with the public key, from codesigner@artik.io

Request Action from ARTIK Team

When you request a new key and intend to use it for production, you must send the ARTIK team the public version of your key so that they can provide you a bootloader stage 1 image to match the key.

Here's how the key request enables both of these bootloader stages.

  • Stage 1: When you send the ARTIK team the resulting public key, they generate the bootloader stage 1 (BL1) image and deliver it to you by e-mail.
  • Stage 2: The key is available immediately on the KMS portal; you can upload bootloader stage 2 (BL2) files for signing with that key, and download the signed versions.

The signed bootloader 2 files you download match the signed bootloader 1 file you received by e-mail, so that the boot chain verifies and the device boots.

Note that your e-mail containing the BL stage 1 image signed by the ARTIK Team may take some time to deliver, but this does not impede you from uploading and retrieving BL stage 2 files.

Format of e-mail request. Send the ARTIK team an e-mail in the following form, attaching your public key.


From: Developer.Name@Company.com 
Sent: Wednesday, November 15, 2017 4:28 PM
To: codesigner@artik.io
Subject: [Request]: Updated BL1 for Artik530s with custom key
Attached: a530key1.spk

Hello,

I am going through the process of building and signing an image for Artik530s.
I have created a key (a530key1) on the KMS server for Artik530s. Attached is the public key I downloaded from KMS. Could you please provide the updated BL1 for the same?

Regards,
Developer

Where the files go

For ARTIK 5XXs/7XXs, the BL stage 2 files you upload to KMS, and the signed versions you download, live in the build-artik/output/images/artikXXXs/$version/$date/ subdirectory of your working directory.

ARTIK type | BL Stage 1 (copy this file from the ARTIK Team e-mail) | BL Stage 2 (upload to KMS, then download the signed version)
5XXs | loader-*.img, to the directory boot-firmwares-artik53Xs | bl_mon.img, secureos.img, bootloader.img
7XXs | bl1-*.img, to the directory boot-firmwares-artik710s | fip-nonsecure-*.img, fip-secure.img

For ARTIK 05Xs, both BL1 and BL2 files are found in the build/configs/artik05Xs/bin/ directory.

BL Stage 1 (copy this file from the ARTIK Team e-mail) | BL Stage 2 (upload to KMS, then download the signed version)
bl1.bin | bl2.bin

Upload an image for signing

Step | Action | Output displayed
1 | Request an upload. |
2 | Select the module type. |
3 | Select the code image. |

Sign and retrieve the image

Step | Action | Output displayed
1 | Request signing. |
2 | Select the key and enter the softcard password. |
3 | Retrieve the signed image. |

Re-signing a file. You may submit a previously signed file to KMS for re-signing with a different key. The signature always occupies the same location and has the same size, so the new signature simply overwrites the previous one.
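The following Go program is an added example, not Samsung's code or the KMS implementation; it shows in one place the key split described in the KMS overview (the developer keeps the private key and shares only the public key, the earlier boot stage verifies with the embedded public key) and the re-signing behaviour just described (a fixed-position, fixed-size signature that a second signing simply overwrites). It uses SHA256withRSA with 2048-bit keys, as the page states, via Go's standard library. The image layout (payload followed by a 256-byte signature trailer), the function names, and the sample payload are assumptions constructed for the example; the real ARTIK BL2 container format is not described on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// SigSize is the byte length of an RSA-2048 PKCS#1 v1.5 signature (the
// modulus size). The layout used here, payload followed by one fixed-size
// signature trailer, is a constructed illustration, not the ARTIK format.
const SigSize = 256

// GenerateSigningKey creates an RSA-2048 key pair. The private half stays
// with the developer (on the KMS side, inside the HSM); only the public
// half is ever shared.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ExportPublicKeyPEM serialises only the public half (PKIX, PEM-encoded).
// This is the artefact that is safe to e-mail for embedding in BL1.
func ExportPublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParsePublicKeyPEM loads a shared public key on the verifying side.
func ParsePublicKeyPEM(p []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(p)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// SignImage hashes the payload with SHA-256 and appends an RSA PKCS#1 v1.5
// signature (SHA256withRSA) as a fixed-size trailer.
func SignImage(payload []byte, priv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	if len(sig) != SigSize {
		return nil, fmt.Errorf("unexpected signature length %d", len(sig))
	}
	out := make([]byte, 0, len(payload)+SigSize)
	out = append(out, payload...)
	return append(out, sig...), nil
}

// ResignImage signs an already signed image with a different key: because
// the trailer has a fixed position and size, the old signature is simply
// overwritten and the total length does not change.
func ResignImage(signed []byte, priv *rsa.PrivateKey) ([]byte, error) {
	if len(signed) < SigSize {
		return nil, errors.New("image too short to carry a signature")
	}
	return SignImage(signed[:len(signed)-SigSize], priv)
}

// VerifyImage is what the earlier boot stage does with the public key it
// embeds: split off the trailer, hash the payload, check the signature.
// An image signed with any other key, or modified after signing, fails.
func VerifyImage(signed []byte, pub *rsa.PublicKey) error {
	if len(signed) < SigSize {
		return errors.New("image too short to carry a signature")
	}
	payload, sig := signed[:len(signed)-SigSize], signed[len(signed)-SigSize:]
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	keyA, _ := GenerateSigningKey()
	keyB, _ := GenerateSigningKey()
	payload := []byte("constructed stand-in for a BL2 image") // constructed sample

	signed, _ := SignImage(payload, keyA)
	pemA, _ := ExportPublicKeyPEM(keyA)
	pubA, _ := ParsePublicKeyPEM(pemA)
	fmt.Println("verify with matching key:", VerifyImage(signed, pubA))
	fmt.Println("verify with wrong key:", VerifyImage(signed, &keyB.PublicKey))

	resigned, _ := ResignImage(signed, keyB)
	fmt.Println("same length after re-sign:", len(resigned) == len(signed))
	fmt.Println("re-signed, verify with key B:", VerifyImage(resigned, &keyB.PublicKey))
}
```

The wrong-key check in main models the mismatch the page warns about: a BL2 signed with one key will not verify against a BL1 that embeds a different public key, which is why the public key sent to the ARTIK team must be the one whose private half later signs BL2.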

Building Production Hardware

For production, you will need to use the development kits as a reference to build your own board.

Recommended resources available in Downloads:

  • HW kit schematics, netlist, BOM
  • HW board layout BRD, DSN
  • Module mechanical information
  • PC board design guide
  • Thermal guide

Production Phase Workflow

Following product development, the product moves to the production phase. As the developer, you set up code signing keys so that your company has its own customized root of trust for its software. For ARTIK modules, the company will need to set up separate keys for:

  • signing secure boot images (described in this article)
  • signing OTA update images (described in the Secure Update series).

You and your company will be following a workflow similar to that illustrated below; we went over these steps in the Using the KMS Portal section.

Building production software: Secure boot

During the development phase, the code signer tool signed the boot loader images with a default key. For the production phase, customers will need to set up their own private code signing keys. The following section summarizes the steps needed to achieve this.

Signing the boot loader code

  1. Create Keys. Create your boot loader signing keys. You may create one per product family.

  2. Notify the ARTIK KMS administrator by e-mail of the new keys and request the corresponding Bootloader 1 (BL1) binary.

  3. Download Code. Download the Bootloader 2 (BL2) code, the U-Boot source code, and the security code.

  4. Modify the U-Boot code per your system requirements.

  5. Compiling. Build the modified boot images.

  6. Signing. Sign the images.

    1. Upload the modified boot image to the KMS system.

    2. Sign the boot image with the key for the product family.

    3. Download the signed boot image.

  7. Receive the signed BL1 image in a secure e-mail with the public key from the KMS administrator.

Building the code

Refer to the Advanced Developers articles for your product family for details on setting up the environment and building the code.
