How do I code sign an IoT firmware update?


I'm trying to use the OTA function to send a firmware update to a device in IoT services.

I've gotten to the point where I need to sign the file containing the firmware, but I am stuck. I am using a regular certificate (the same kind I would use on a web site) but this doesn't work. The attempt to code sign it results in an error, "Invalid EKU in Certificate. Valid EKU values are CodeSigning or ANY."

I don't understand how to create this kind of a certificate. I went into the certificate manager but don't see any option to do so. What do I need here?

  • I realized that the firmware on the device I'm working with isn't even signed. For testing purposes I obtained a number of esp32 dev boards which don't support signed firmware, so I use unsigned versions of the firmware on them. This might be why I can't deploy the OTA update.

    Looking at the build script that the other developer left, there is a line in it that is supposed to generate a new certificate if one doesn't exist, and I didn't find any existing one. This suggests that whatever certificate they used, I don't have. Is this the one I need?

1 Answer

Hi Frank. (Presuming that you're not using the "custom code signing" feature of the FreeRTOS OTA update), you need to create the certificate using a tool like OpenSSL, and then import it into ACM. You previously mentioned you have an ESP32 device, so here's a good guide: https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html

If you create the OTA update from the console, it will ask for a code signing profile. You can create one from the certificate, like this:

aws signer put-signing-profile --profile-name my-profile --signing-material certificateArn=arn:aws:acm:<region>:<accountId>:certificate/<id> --platform AmazonFreeRTOS-Default --signing-parameters certname="foobar",certificatePathOnDevice="foobar"

More info here: https://docs.aws.amazon.com/freertos/latest/userguide/ota-updates-esp32-ble.html#ota-updates-esp32-ble-step2

The code signing certificate also needs to be present on the device. Please take care to consider the expiry date of the certificate. In some of our reference implementations, the device doesn't check/validate the certificate expiry, but rather, only uses the public key to validate the signature. If your device validates the expiry date, you'll also need the ability to update the code signing certificate.

AWS
EXPERT
Greg_B
answered 3 months ago
  • Thanks, I believe that I was able to create the certificate and sign the file. I also created the OTA update job; however, the job failed with an error that isn't documented: 0x000000e3: 0x00000000. Do you know what this means?

  • I'm worried when you say "The code signing certificate also needs to be present on the device". How could it be, if I just created it? These devices are already built and in the distribution channel. Does this mean there is already some certificate in the device and that's the one I need to find and use?

  • You mentioned on another question that the device firmware is based on the amazon-freertos repo. If so, the code signing certificate is baked in here: https://github.com/aws/amazon-freertos/blob/main/vendors/espressif/boards/ports/ota_pal_for_aws/ota_pal.c#L81

  • If the signing certificate in the firmware hasn't expired, then yes, you can import it into ACM and create OTA updates with it. Until it expires.

    When the signing certificate in the firmware expires, you won't be able to use it in the cloud with an OTA job. I don't think the firmware is checking the certificate expiry. If that's the case, you may not need to update the signing certificate in the firmware even when it does expire. However, you would need the original private key to be able to create a new certificate (with the same public key), for the cloud to use.
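The certificate the answer describes, as an added example that is not part of the original thread or AWS documentation: an ECDSA P-256 key and self-signed certificate whose extended key usage is codeSigning (which is what the "Invalid EKU" error is asking for), a check that the EKU is actually present before the ACM import, and a local signature round trip that uses only the public key, which is all the device-side check in the answer relies on. File names, the common name and the firmware bytes are assumed placeholders.

```shell
#!/bin/sh
# Added example: build a code-signing certificate that satisfies the
# "Valid EKU values are CodeSigning or ANY" requirement. File names are assumed.
set -eu

# OpenSSL config: the my_exts section carries the codeSigning EKU.
write_config() {
  cat > cert_config.txt <<'EOF'
[ req ]
prompt             = no
distinguished_name = my_dn

[ my_dn ]
commonName = signer@example.com

[ my_exts ]
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# Create the P-256 private key and a self-signed certificate with the EKU.
make_cert() {
  write_config
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -pkeyopt ec_param_enc:named_curve -outform PEM -out ecdsasigner.key
  openssl req -new -x509 -config cert_config.txt -extensions my_exts \
    -days 365 -key ecdsasigner.key -out ecdsasigner.crt
}

# Returns 0 if the certificate advertises the Code Signing EKU, 1 otherwise.
# Run this before importing; ACM will accept a web-server cert, Signer will not.
check_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# Local illustration of SHA-256/ECDSA signing and public-key-only verification
# (AWS Signer does the real signing in the cloud; the device only needs the
# public key, so expiry is not part of this check).
sign_and_verify() {
  openssl pkey -in ecdsasigner.key -pubout -out ecdsasigner.pub
  openssl dgst -sha256 -sign ecdsasigner.key -out "$1.sig" "$1"
  openssl dgst -sha256 -verify ecdsasigner.pub -signature "$1.sig" "$1"
}

# Import into ACM so the signing profile can reference its ARN (needs AWS CLI).
import_to_acm() {
  aws acm import-certificate --certificate fileb://ecdsasigner.crt \
    --private-key fileb://ecdsasigner.key
}
```

Keep ecdsasigner.key offline and backed up: as the last comment notes, without the original private key you cannot issue a replacement certificate with the same public key once this one expires.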
