Enabling User Firmware Integrity Protection
Procedure
The programming framework uses RSA-4096 digital signatures to implement firmware integrity protection (currently, only SHA-256 with RSA-4096 is supported). Verifying the signature ensures the integrity of the firmware image.
This function is disabled by default for ease of use. If you have public and private key files, you are advised to enable integrity protection. If this function is not enabled, the user firmware is at risk.
- Before burning the firmware, prepare the following files for enabling user firmware integrity protection. For details, see Preparing Firmware Integrity Protection Files.
  - Customer root certificate public key (1024 bytes: the modulus n followed by the exponent e. n and e are each stored as 512 bytes in big-endian order, zero-padded if shorter.)
  - User firmware signed with the private key
- Enable user firmware integrity protection.
hinicadm3 integrity -i hinic0 -t enable -p pubkey.bin -f Hinic3_flash.bin
The function is enabled successfully if information similar to the following is displayed:
Start to update firmware.
Run gray_npu_ver is empty.
Version check succeed.
The running version can be hot upgraded to the target version.
Please do not remove driver or network device.
Loading....
Firmware update start: 2025-04-27 15:15:31
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>] [100%][\]
Firmware update finish: 2025-04-27 15:16:16
Firmware update time used: 45s
Loading firmware image succeed.
Do not operate the device during the hot upgrade.
Single NPU firmware is activing. Please waiting...
Set update hot active successful!
Fw integrity protection enabled.
Disabling User Firmware Integrity Protection
- By default, the firmware integrity verification function is disabled in the operating environment.
- If you have enabled user firmware integrity protection, prepare the following security credentials. For details, see Preparing Firmware Integrity Protection Files.
  - Customer root certificate public key imported into the device (1024 bytes: the modulus n followed by the exponent e. n and e are each stored as 512 bytes in big-endian order, zero-padded if shorter.)
  - Signature file of the public key, generated with the private key (512 bytes of signature data)
- Disable the user firmware integrity protection function.
hinicadm3 integrity -i hinic0 -t disable -p pubkey.bin -s sig.bin
The function is disabled successfully if information similar to the following is displayed:
Fw integrity protection disabled.
Security risk: System will accept unsigned firmware.
Replacing the Customer Root Certificate
- Prepare the files required by the certificate for user firmware integrity protection. For details, see Preparing Firmware Integrity Protection Files.
  - Currently valid old root public key (1024 bytes: the modulus n followed by the exponent e. n and e are each stored as 512 bytes in big-endian order, zero-padded if shorter.)
  - Signature file of the new public key, generated with the current (old) private key (512 bytes)
  - New root certificate public key (1024 bytes: the modulus n followed by the exponent e. n and e are each stored as 512 bytes in big-endian order, zero-padded if shorter.)
  - User firmware signed with the new private key
- Replace the customer root certificate used for user firmware integrity protection.
hinicadm3 integrity -i hinic0 -t update -p pubkey.bin -s sig.bin -n newpubkey.bin -f Hinic3_flash.bin
The replacement is successful if information similar to the following is displayed:
Start to update firmware.
Version check succeed.
The running version can be hot upgraded to the target version.
Please do not remove driver or network device.
Loading...
Firmware update start: 2025-04-27 15:17:34
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>] [100%][\]
Firmware update finish: 2025-04-27 15:18:15
Firmware update time used: 41s
Loading firmware image succeed.
Do not operate the device during the hot upgrade.
Single NPU firmware is activing. Please waiting...
Set update hot active successful!
Root public key updated.
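The public key files used in all three procedures share one layout (512-byte n followed by 512-byte e, big-endian, zero-padded). The following is an added example, not part of the vendor documentation or tooling, that builds and checks that layout before a file is passed to hinicadm3. The function names, the constructed sample modulus, the exponent 65537 and the reading of zero-padding as leading zero bytes are assumptions.

```python
# Added example: build and validate the 1024-byte public key file (n || e).
FIELD_LEN = 512               # bytes per field (RSA-4096 modulus size)
PUBKEY_LEN = 2 * FIELD_LEN    # modulus n followed by exponent e
SIG_LEN = 512                 # size of sig.bin stated on the page

# Constructed 4096-bit odd integer standing in for a modulus; NOT a real key.
SAMPLE_N = (1 << 4095) | 1
SAMPLE_E = 65537              # assumed exponent; the page does not name one


def check_key(n, e):
    """Raise ValueError unless (n, e) looks like an RSA-4096 public key."""
    if n.bit_length() != 4096 or n % 2 == 0:
        raise ValueError("modulus must be an odd 4096-bit integer")
    if e < 3 or e % 2 == 0 or e >= n:
        raise ValueError("exponent must be odd, >= 3 and smaller than n")


def encode_pubkey(n, e):
    """Return n and e as two 512-byte big-endian fields, zero-padded."""
    check_key(n, e)
    # to_bytes(..., "big") pads with leading zero bytes up to FIELD_LEN.
    return n.to_bytes(FIELD_LEN, "big") + e.to_bytes(FIELD_LEN, "big")


def parse_pubkey(blob):
    """Split a key file into (n, e), rejecting wrong sizes and byte order."""
    if len(blob) != PUBKEY_LEN:
        raise ValueError(f"key file is {len(blob)} bytes, expected {PUBKEY_LEN}")
    n = int.from_bytes(blob[:FIELD_LEN], "big")
    e = int.from_bytes(blob[FIELD_LEN:], "big")
    check_key(n, e)   # a small e stored little-endian decodes to an even number
    return n, e


def signature_len_ok(sig):
    """sig.bin must be exactly one RSA-4096 block (512 bytes)."""
    return len(sig) == SIG_LEN


if __name__ == "__main__":
    blob = encode_pubkey(SAMPLE_N, SAMPLE_E)
    n, e = parse_pubkey(blob)
    print(len(blob), "bytes, e =", e, ", modulus bits =", n.bit_length())
```

Running parse_pubkey on the contents of pubkey.bin or newpubkey.bin catches an unpadded exponent or a byte-order mistake before the file reaches the device.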