Secure boot and signed image

Hi all!
Newbie question. :slight_smile:

I want to add some security features to my device; in particoular I want to add a feature that enables to update firmware only if it is signed by me ( or my company ).

I read about secure boot or signed image, is there any tutorial from where I can start ?

Thanks

OpenWrt does not support that at the moment (and likely never will), so you'll have to implement it from scratch. General purpose distributions like Debian, Ubuntu, arch and gentoo have documented their approaches, so you can partially follow their lead and port that to OpenWrt.

You would need three elements to implement this:

  • support on pre OS level (like an UEFI)
  • a tpm module/chip (recent AMD CPU's have integrated a chip already)
  • support on OS level

1st and 2nd you could fullfill with choosing x86 platform. For ARM things are existent too. But that is not meant for end-customers which means you have to buy hardware implemented things already. I doubt you will find any end customer router device ready for secure boot.

For 3rd part (if x86 is your way) I would look into:

https://openwrt.org/docs/guide-developer/uefi-bootable-image

as a starting point.

EDIT:
A thought on this: I don't like the idea that manufacturer implement this into their routers because it would mean to have sth. like on android phones "hard locked bootloaders". You could then beg for an unlock code (if it would exist) like in the past (for phones) or you don't get anything to unlock like nowdays.
I would appriciate to see sth. like coreboot on routers. Would be a great benefit for security. But I doubt that manufacturer would choose coreboot. :confused:

1 Like

you might find this useful re: uboot tpm

2 Likes