Implement firmware update signing and verification #2103

Closed
@igrr

Description

Currently there is no way to ensure that firmware updates which go through Updater come from a trusted source. The proposal is to add a signature verification feature to Updater.

The plan is, roughly:

  • Choose which signature algorithm to use. RSA is already part of axTLS, and can probably be exposed. ECDSA may be added in the form of micro-ecc library.
  • Choose how to pass the signature along with the firmware. Options include:
    • embed signature inside the binary at a pre-determined offset. We have a lot of space between eboot and the start of firmware which is unused. We can also place it into the beginning of .irom0.text in the same manner as it is done for the core version number.
    • pass signature using a protocol-specific side channel (e.g. HTTP header).
  • Choose how to embed trusted certificate or public key into the firmware.
    • The literal array (xxd -i) approach is possible but not user-friendly.
    • Placing the certificate on the file system is not very robust (FS can get corrupted due to e.g. power failure).
    • Another option is to embed the public key using the same tool which will embed the signature, to some predetermined location in firmware binary (i.e. between eboot and .irom0.text).
  • Write a host-side tool in Python or Go to generate signature (and embed it into firmware binary, if needed).
  • Implement signature verification in Updater.
  • Update documentation and examples.
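The following is an added, self-contained model of the scheme sketched above (sign on the host, embed the signature at a pre-determined offset in the binary, verify on the device before accepting the image). It is example code written for this page, not igrr's tool or anything from the esp8266/Arduino repository. The slot offset (`SIG_OFFSET`), slot size, `FWSG` magic and the 4 KiB stand-in image are all constructed for the example; a real tool would use the actual gap between eboot and `.irom0.text`. Because axTLS is not available from Python, the RSA primitive is a textbook RSASSA-PKCS1-v1_5 over SHA-256 implemented in pure Python so the block runs offline; the framing and the verification order (parse slot, check bounds, recompute digest over the image with the slot masked, compare with a constant-time comparison) are the part worth carrying over to the Updater implementation.

```python
"""Model of firmware signing (host) and verification (device) with an embedded signature slot."""
import hashlib
import hmac
import secrets
import struct

# Layout constants. These are constructed for this example, not the real ESP8266 image offsets.
SIG_OFFSET = 0x100      # pre-determined offset reserved for the signature (gap after eboot)
SIG_SLOT_LEN = 0x200    # reserved slot: magic (4) + length (2) + signature + zero padding
SIG_MAGIC = b"FWSG"
RSA_BITS = 1024
SIG_LEN = RSA_BITS // 8

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for an educational key generator)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=RSA_BITS):
    """Return ((n, e), (n, d)). Textbook RSA key generation standing in for a real tool."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))


def _emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||H, k bytes long."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _image_digest(image):
    """SHA-256 over the image with the signature slot zeroed, so signer and verifier hash the same bytes."""
    masked = bytearray(image)
    masked[SIG_OFFSET:SIG_OFFSET + SIG_SLOT_LEN] = bytes(SIG_SLOT_LEN)
    return hashlib.sha256(masked).digest()


def sign_image(image, private_key):
    """Host side: sign the image and embed magic, length and signature at SIG_OFFSET."""
    n, d = private_key
    if len(image) < SIG_OFFSET + SIG_SLOT_LEN:
        raise ValueError("image too small to hold the signature slot")
    em = int.from_bytes(_emsa_pkcs1_v15(_image_digest(image), SIG_LEN), "big")
    sig = pow(em, d, n).to_bytes(SIG_LEN, "big")
    slot = SIG_MAGIC + struct.pack("<H", SIG_LEN) + sig
    slot += bytes(SIG_SLOT_LEN - len(slot))
    return image[:SIG_OFFSET] + slot + image[SIG_OFFSET + SIG_SLOT_LEN:]


def verify_image(image, public_key):
    """Device side (modelled): True only if the embedded signature verifies against public_key.
    Every structural check fails closed, so a missing or malformed slot is rejected, not skipped."""
    n, e = public_key
    if len(image) < SIG_OFFSET + SIG_SLOT_LEN:
        return False
    slot = image[SIG_OFFSET:SIG_OFFSET + SIG_SLOT_LEN]
    if slot[:4] != SIG_MAGIC:
        return False
    (sig_len,) = struct.unpack("<H", slot[4:6])
    if sig_len != SIG_LEN:
        return False
    s = int.from_bytes(slot[6:6 + sig_len], "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(SIG_LEN, "big")
    expected = _emsa_pkcs1_v15(_image_digest(image), SIG_LEN)
    return hmac.compare_digest(em, expected)  # constant-time compare of the full encoding


def demo():
    """Sign a constructed 4 KiB image, verify it, then show a one-bit change is rejected."""
    pub, priv = generate_keypair()
    image = secrets.token_bytes(4096)  # constructed stand-in for a firmware binary
    signed = sign_image(image, priv)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01
    return verify_image(signed, pub), verify_image(bytes(tampered), pub)


if __name__ == "__main__":
    print(demo())
```

Two design points carried by the code: the digest is computed over the image with the whole slot masked, so the signer does not need a two-pass layout and the verifier cannot be confused by what sits in the slot; and the verifier compares the complete recovered encoding (padding included) rather than only the trailing hash, which is the comparison RFC 8017 prescribes.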
