Preparing Firmware Integrity Protection Files
Precautions
- Public and private key files serve as the core credentials for identity authentication and data encryption when utilizing user firmware integrity protection features. The private key file is exceptionally sensitive; its leakage will lead to unauthorized access, data breaches, or other security risks.
- You bear the sole responsibility for the safekeeping and protection of your key files. Ensure that the private key file is stored in a secure environment with restricted access permissions. You are solely responsible for the consequences caused by the leakage, loss, or misuse of the key files.
- If the private key file is leaked or misused, the following consequences may occur:
- Unauthorized access to this development kit or related services
- Data leakage or tampering
- Other potential security risks or legal ramifications
- To ensure the security of the public and private key files, you are advised to take the following measures:
- Store the private key file in a secure location and avoid sharing it with others.
- Periodically inspect file permissions to ensure that only authorized personnel have access.
- If you suspect that the private key file has been leaked, stop using it and replace the root certificate immediately.
- Always store the private key file in an encrypted format. It is highly recommended to generate and use an encrypted private key file. An unencrypted private key file is extremely risky. If it is illegally obtained, attackers can use the private key for authentication or decryption without any additional information, exposing the core credentials entirely. Ensure that password encryption is enabled during key generation or conversion, and safeguard the associated password diligently.
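The permission and encryption advice above can be checked mechanically once private_key.pem exists. The following is an added example, not part of the original page or the vendor's tooling; the function name audit_private_key is an assumption, and it recognizes the two PEM layouts OpenSSL writes for passphrase-protected keys.

```python
import os
import stat


def audit_private_key(path):
    """Return a list of findings for a PEM private key file; empty means OK."""
    findings = []

    # Only the owner should be able to read or write the key file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; use 0600")

    with open(path, "r", encoding="ascii", errors="replace") as f:
        lines = [line.strip() for line in f]
    begin = [line for line in lines if line.startswith("-----BEGIN ")]

    if not begin or "PRIVATE KEY" not in begin[0]:
        findings.append("no PEM private key header found")
    elif "ENCRYPTED" in begin[0]:
        pass  # PKCS#8 layout: -----BEGIN ENCRYPTED PRIVATE KEY-----
    elif not any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
        # Traditional layout carries "Proc-Type: 4,ENCRYPTED" when protected.
        findings.append("private key is stored without passphrase encryption")
    return findings


if __name__ == "__main__":
    for finding in audit_private_key("private_key.pem"):
        print("private_key.pem:", finding)
```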
Procedure
- Install the Python library pycryptodome.
pip3 install pycryptodome
The installation is successful if the following information is displayed:
Successfully installed pycryptodome-3.21.0
- If the installation fails due to network issues, use one of the following methods to install pycryptodome.
- Downloading the required pycryptodome version from Huawei Cloud.
- Using pip3
pip3 install {Download path}/{pycryptodome .whl file}
- Select a recommended package version based on the OS architecture.
x86 environment: pycryptodome-3.21.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Arm environment: pycryptodome-3.21.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
- Install the package.
The installation procedure is the same for different OSs. The following uses the Arm environment as an example.
Upload the downloaded file to a custom directory in the compilation environment and run the pip3 install command:
pip3 install {Custom directory}/pycryptodome-3.21.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
- Generate the public and private key files.
- Use OpenSSL to generate an encrypted RSA private key.
openssl genrsa -aes256 -out private_key.pem 4096
Enter the private key password as required.
Enter PEM pass phrase:
The following information is displayed. Enter the private key password again for verification.
Verifying - Enter PEM pass phrase:
After the execution is complete, the private key file private_key.pem is generated in the current directory.
- Use OpenSSL to generate a public key file.
openssl rsa -in private_key.pem -pubout -out public_key.pem
Enter the private key password as required.
Enter pass phrase for private_key.pem:
If the following information is displayed, the public key is generated successfully. The public key file public_key.pem is generated in the current directory.
writing RSA key
- Import the content into the generate_customer_pubkey_ne.py script.
# ----------------------------------------------------------------------------
# Purpose:
# Copyright Huawei Technologies Co., Ltd. 2024-2024. All rights reserved.
# ----------------------------------------------------------------------------
import argparse
import os

from Crypto.PublicKey import RSA


def main():
    # Create a command parameter parser.
    parser = argparse.ArgumentParser(
        description="Specifies the save directory where the public and private key files and hash files are generated.")
    # Add the public key path.
    parser.add_argument(
        '-p', '--public_key_path',
        type=str,
        required=True,
        help='The path of the generated public key file.'
    )
    # Add a command parameter for specifying the output directory.
    parser.add_argument(
        '-o', '--output_dir',
        type=str,
        required=True,
        help='The directory where the generated file is saved.'
    )
    # Parse command line parameters.
    args = parser.parse_args()
    if not os.path.exists(args.public_key_path):
        print("The public key file does not exist.")
        return
    # Obtain the specified output directory.
    output_dir = args.output_dir
    # Check whether the directory exists. If not, create it.
    if not os.path.exists(output_dir):
        os.makedirs(output_dir)
    # Load the RSA public key from the PEM file.
    with open(args.public_key_path, 'rb') as f:
        pub_key = RSA.import_key(f.read())
    # Extract the modulus (n) and exponent (e) from the RSA public key.
    n = pub_key.n
    e = pub_key.e
    # Convert n to the 512-byte format.
    n_bytes = n.to_bytes(512, byteorder='big')
    # Convert e to the 512-byte format with leading zero padding if necessary.
    e_bytes = e.to_bytes(512, byteorder='big')
    # Concatenate n and e into the n||e format.
    ne_bytes = n_bytes + e_bytes
    # Write the concatenated n||e into a binary file.
    file_path = os.path.join(output_dir, "public_key_ne.bin")
    with open(file_path, 'wb') as f:
        f.write(ne_bytes)
    print(f"n||e format public key has been saved to {file_path}.")


if __name__ == '__main__':
    main()
- Generate the public and private key files.
python3 generate_customer_pubkey_ne.py -p {Path to the public key file public_key.pem} -o {Storage directory}
The public and private key files have been generated if the following information is displayed:
n||e format public key has been saved to /public_key_ne.bin.
- Use the OpenSSL tool to sign the file.
openssl dgst -sha256 -sign "$PRIVATE_KEY_PATH" -out "$SIGNATURE_FILE" -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 "$FILE_PATH"
- PRIVATE_KEY_PATH: Path to the private key file private_key.pem
- SIGNATURE_FILE: Signature file sig_disable.bin to be output
- FILE_PATH: Path to the public_key_ne.bin file to be signed
Enter the private key password as required.
Enter pass phrase for private_key.pem:
View the output in the file directory. If the following information is displayed, the signature file is successfully generated.
-rw-r--r-- 1 root root 3242 Apr 27 14:12 private_key.pem
-rw-r--r-- 1 root root 1024 Apr 27 14:12 public_key_ne.bin
-rw-r--r-- 1 root root 512 Apr 27 17:25 sig_disable.bin
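To check the two output files before using them, the code below parses public_key_ne.bin as written by generate_customer_pubkey_ne.py and verifies sig_disable.bin with the parameters of the signing command (RSA-PSS, SHA-256, 32-byte salt, and MGF1 with SHA-256, which OpenSSL uses by default for this digest). It is an added example using only the Python standard library, not part of the original page or the vendor's tooling; the function names are assumptions.

```python
import hashlib

KEY_BYTES = 512          # n and e are each 512 bytes in public_key_ne.bin
H_LEN = SALT_LEN = 32    # SHA-256 digest size; -sigopt rsa_pss_saltlen:32

def parse_ne(blob):
    """Split n||e into integers; reject a wrong size or a zero-padded smaller key."""
    if len(blob) != 2 * KEY_BYTES:
        raise ValueError(f"expected {2 * KEY_BYTES} bytes, got {len(blob)}")
    n = int.from_bytes(blob[:KEY_BYTES], "big")
    e = int.from_bytes(blob[KEY_BYTES:], "big")
    if n.bit_length() != 8 * KEY_BYTES or n % 2 == 0:
        raise ValueError("modulus is not an odd 4096-bit integer")
    if e < 3 or e % 2 == 0 or e >= n:
        raise ValueError("public exponent is not an odd integer in [3, n)")
    return n, e

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017 B.2.1)."""
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def pss_verify(n, e, message, signature):
    """RSASSA-PSS-VERIFY (RFC 8017 8.1.2) with SHA-256 and a 32-byte salt."""
    em_bits = n.bit_length() - 1
    em_len = (em_bits + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != (n.bit_length() + 7) // 8 or s >= n:
        return False
    m = pow(s, e, n)
    if m.bit_length() > em_bits or em_len < H_LEN + SALT_LEN + 2:
        return False
    em = m.to_bytes(em_len, "big")
    masked_db, h = em[:-H_LEN - 1], em[-H_LEN - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused top bits
    pad_len = len(db) - SALT_LEN - 1
    if em[-1] != 0xBC or db[:pad_len] != bytes(pad_len) or db[pad_len] != 0x01:
        return False
    m_hash = hashlib.sha256(message).digest()
    return hashlib.sha256(bytes(8) + m_hash + bytes(db[pad_len + 1:])).digest() == h

def verify_files(ne_path="public_key_ne.bin", sig_path="sig_disable.bin"):
    """The signed message is the n||e blob itself, so the key comes from it too."""
    with open(ne_path, "rb") as f, open(sig_path, "rb") as g:
        blob, signature = f.read(), g.read()
    return pss_verify(*parse_ne(blob), blob, signature)
```

A True result from verify_files() shows that sig_disable.bin was produced with the private key matching the modulus inside public_key_ne.bin. Because the key is taken from the signed file itself, this is a consistency check on your own output, not proof of who holds the key.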