Is there a process for secure firmware install/upgrade for device made offshore?

If we're talking about a connected device, then a trusted external agent could verify the signature. Preventing or faking this is non-trivial. But let's assume a non-connected device.

Skipping the check could be made non-trivial by obfuscation techniques, I guess.

Replacing the flash signature by your own is of course prohibitively difficult when an adequate cryptographic algorithm is used. Replacing the signature calculation algorithm by a function that just copies the known flash signature is indeed trivial. However, if the signature would be calculated by some peripheral when writing flash and could only be compared, and not read out, then copying would be impossible.

--
(Remove the obvious prefix to reply privately.) 
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/
Reply to
Boudewijn Dijkstra
Loading thread data ...

Such as a TPM chip.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
 Click to see the full signature
Reply to
Phil Hobbs

could verify the signature

I can only imagine the following algo:

  1. If there is a trusted connection (without man in the middle, etc)
  2. You have trusted person on one end of this connection and firmware on an other
  3. Then trusted person can send a random key to the firmware
  4. Firmware encrypts its entire flash and makes a hash and returns hash to the trusted person
  5. Trusted person compares the hash with a hash calculated with a known goo d copy of firmware If they are equal, then you do not know that firmware was not tampered with . But having firmware verify its own signature, as you proposed earlier, is t otally useless.

But if you have a trusted person and a trusted connection, then you can sim ply run regular JTAG and replace entire FW. Again, my question was what to do if you have to install firmware on untrus ted factory without a trusted connection.

guess

May be in a very large software, like Windows itself with gigabytes of code , but most firmwares are too small to hide anything.

Can you explain? I read some texts about TPM chip and cannot understand how they can work wi th my FW. For example:

formatting link
"... protects the device against unauthorized firmware and software modific ation by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes a re sent to a server that verifies that they match expected values." Questions: is TPM a separate chip? How can it read firmware before executio n? How can it work on devices without network access?

Reply to
jhnlmn

I only know about it from the Qubes Anti-Evil-Maid defense, which presents the user with a known output from an unmodified /boot file system--it makes it possible for a human to recognize immediately when the unencrypted volume has changed. _Somebody_ has to know what the signature is supposed to be.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
 Click to see the full signature
Reply to
Phil Hobbs

I read about anti evil maid at

formatting link
and they make it clear that if BIOS is compromised, then all this signature/hash/TPM scheme will not work.

This brings us back to square one: how to prevent bootloader from being compromised? To summarize: so far I heard about secure boot loaders only in 2 chip families: Microsemi FPGA and Maxim Cortex MCU with Secure Boot loader.

Reply to
jhnlmn

One queston to ask is: do you really need to ship the firmware to China ?. The reason might be so that the finished item can be tested, but why not ship e minimal firmware, just enough to show that the hardware works ?. Them do the final programming at this side of the pond.

If you don't send it, they can't copy it...

Chris

Reply to
Chris

Am 17.07.2017 um 20:52 schrieb Chris:

That will only get you back to the issue I described 3 weeks ago: installing the secret yourself is not a solution either, because then you will effectively no longer be manufacturing in China.

If you have to ship all the stuff back to home base, unwrap it, open it up far enough to get at the internal programming interface to install firmware, then put it all back together again, and re-package for final delivery. The overhead in terms of both delay and money will be considerable. You'll effectively be manufacturing at home.

And anyway: how do you know you can actually trust your local employees so much further than your overseas contractors?

And of course a criminal at the Chinese end could still side-track to the black market devices with the testing-only software still on them. Good luck explaining to "your" customers why apparently genuine devices do not work _at_all_.

Reply to
Hans-Bernhard Bröker

iPhones and most other consumer devices these days are made in China and sh ipped straight from China to final customers. Most companies do not have ev en distribution nor manufacturing facilities in US anymore.

er than your overseas contractors?

Well, US based employees and contractors can be sued, arrested, etc, Chines e contractors are completely unpunishable. It is just your brain and skills versus theirs.

o not work _at_all_.

I think if we will solve my original problem - how to securely install some secret code and/or key on our devices, then it will be trivial to determin e which devices are genuine and which are fake.

Reply to
jhnlmn

I know of a company that got its stuff built at two different Chinese manufacturers, in a way that both manufacturers would have had to collude to get the keys out. I guess that's a start.

Reply to
Paul Rubin

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.