User Keystore and Keys
As part of the ACU6 security concept, all software must be signed with trusted keys before it is allowed to run on the device. This is implemented using a concept of keystores. A keystore is essentially a set of public keys used to verify the corresponding software. The keystore itself is also signed, so that it can be verified by the preceding step in the boot chain.
The user software (your software) is verified using the user keystore. The user keystore is in turn verified by the ACU6 device. Hence, it needs to be signed by Actia.
For ACU6-Pro, refer to the presentation ACU6-Pro Off Highway Secure Boot Overview for an overview of secure boot and the user keystore. The principles are the same for ACU6-Lite where user keystores are concerned.
The keystore needs to be bundled together with the software and the software needs to be signed with a matching key. This is all done as part of building the example user software, as will be shown below.
Creating Keys for signing software
The public keys stored inside keystores are created using the elliptic curve secp256r1 algorithm. The ACU6 tools accept keys in both PEM (text) and DER (binary) format.
A private/public key pair can be created in several ways, depending on the key handling security requirements, for example using an HSM (Hardware Security Module) device or the OpenSSL software.
Typically, two key pairs are created: Development and Production.
Creating a key pair using OpenSSL
Creating the key pair using OpenSSL is done as follows. The public key is not secret, while the private key should be kept safe.
Create the private key (key pair):
$ openssl ecparam -name prime256v1 -genkey -out mycompany-dev-private.pem
Extract the public key from the key pair:
$ openssl ec -in mycompany-dev-private.pem -pubout -out mycompany-dev-public.pub
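As an added example (not from the ACU6 documentation or tooling), the following script runs the two openssl commands above for a development and a production pair, also exports the public key in DER (the ACU6 tools accept PEM and DER), reads back the curve name to confirm the key is on secp256r1 (prime256v1), and checks that a file signed with one private key verifies only against its own public key. The sign and verify steps use plain openssl dgst to show the key relationship; they are not the ACU6 .bpak signing that sign.sh performs. The file names and the sample image are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the ACU6 documentation or SDK: create secp256r1
# key pairs with OpenSSL, export the public key as PEM and DER, and show that
# a signature verifies only against the matching public key.
set -eu

WORKDIR=$(mktemp -d)

# gen_keypair NAME: writes NAME-private.pem, NAME-public.pub (PEM) and
# NAME-public.der (DER) into $WORKDIR, using the same openssl commands as
# the documentation plus a DER export.
gen_keypair() {
    name=$1
    openssl ecparam -name prime256v1 -genkey \
        -out "$WORKDIR/$name-private.pem" 2>/dev/null
    # The private key is the secret; restrict it to its owner.
    chmod 600 "$WORKDIR/$name-private.pem"
    openssl ec -in "$WORKDIR/$name-private.pem" -pubout \
        -out "$WORKDIR/$name-public.pub" 2>/dev/null
    openssl ec -in "$WORKDIR/$name-private.pem" -pubout -outform DER \
        -out "$WORKDIR/$name-public.der" 2>/dev/null
}

# key_curve PRIVKEY: prints the curve OID name recorded in the key file
# (expected: prime256v1), so a caller can check the key before sending the
# public half to Actia.
key_curve() {
    openssl ec -in "$1" -text -noout 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# sign_file PRIVKEY FILE SIGOUT: ECDSA signature over SHA-256 of FILE.
# (Plain openssl dgst, not the ACU6 .bpak format.)
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIG: prints "ok" or "fail" rather than relying on
# the exit status, so the negative case can be shown under "set -e".
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Constructed sample "software image" to sign.
printf 'constructed sample firmware payload\n' > "$WORKDIR/image.bin"

gen_keypair mycompany-dev
gen_keypair mycompany-prod
sign_file "$WORKDIR/mycompany-dev-private.pem" "$WORKDIR/image.bin" "$WORKDIR/image.sig"

# The dev public key verifies the dev-signed image; the prod key does not,
# which is why the keystore must carry the public key matching the signer.
echo "dev key curve:        $(key_curve "$WORKDIR/mycompany-dev-private.pem")"
echo "verify with dev key:  $(verify_file "$WORKDIR/mycompany-dev-public.pub" "$WORKDIR/image.bin" "$WORKDIR/image.sig")"
echo "verify with prod key: $(verify_file "$WORKDIR/mycompany-prod-public.pub" "$WORKDIR/image.bin" "$WORKDIR/image.sig")"
```

Keep the -private.pem files out of the repository and the build artefacts; only the -public.pub (or .der) files are sent to Actia for inclusion in the keystore.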
Getting a signed Keystore
Determine which keys you want to use to sign your software and send the public keys to Actia.
Make sure to clearly name each key according to its intended life-cycle stage, for example mycompany-dev-public.pub and mycompany-prod-public.pub.
As an organization administrator, you can request a development keystore through the ACU6 Device Manager portal in the ‘Keystores’ section. Actia will then sign the keystore and an email notification will be sent to you once the keystore is ready for download. Please allow up to 5 minutes for this process to be completed.
To request a production keystore, please complete the form titled ‘User Keystore Request for Production’, which can be found in the ‘Files’ section of the ACU6 Device Manager. Afterwards, submit it to the support service desk for processing. Please note that the keystore signing process may take a few days to complete.
Actia will send back a signed keystore, named similar to mycompany_keystore_acu6_key1.bpak.
The suffix indicates which Actia key was used to sign the keystore, which determines in which life-cycle states the keystore is valid.
Note
If you have not received the Maintenance password and Guest password for your device yet, you likely want to request them now as well. They will be needed when flashing the device via USB and accessing the virtual console serial port.
Installing the Keystore
Copy the signed keystore (<organization>_keystore_acu6_<Actia key>.bpak) to the acu6-pro-sdk-vx.y.z directory. The build system included with the example Linux distribution will then pick up the keystore.
Make sure you only have one keystore file in the acu6-pro-sdk-vx.y.z directory, or update the Makefile to use the keystore you want.
Setting up the build to sign the software
The build system is set up to call sign.sh to sign software images. The script contains examples of how to sign the software images using a key file and how to sign using a separate application.
By default sign.sh will find all .pem key files in acu6-pro-sdk-vx.y.z. You can modify the PRIVATE_KEY variable to point to a specific key.
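The following pre-build check is an added example, not part of the ACU6 SDK, its Makefile or sign.sh. It assumes the layout this page describes (one <organization>_keystore_acu6_<Actia key>.bpak keystore in the SDK directory, and a PRIVATE_KEY variable that may name a specific .pem file) and fails early when more than one keystore or private key is present, or when the selected key is not a secp256r1 (prime256v1) key. The SDK directory and its files are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the ACU6 SDK: pre-build checks that catch the
# ambiguities the documentation warns about (more than one keystore file,
# more than one .pem key without PRIVATE_KEY set, wrong key type) before
# the Makefile and sign.sh run.
set -eu

# check_keystore SDKDIR: exactly one *_keystore_acu6_*.bpak must exist.
# Prints its path, or an error and a non-zero status.
check_keystore() {
    dir=$1
    count=0
    found=""
    for f in "$dir"/*_keystore_acu6_*.bpak; do
        [ -e "$f" ] || continue
        count=$((count + 1))
        found=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "error: expected exactly one keystore in $dir, found $count" >&2
        return 1
    fi
    echo "$found"
}

# select_key SDKDIR [PRIVATE_KEY]: uses PRIVATE_KEY when given, otherwise the
# .pem files in SDKDIR (the documented default), but refuses to guess when
# more than one .pem is present. Rejects any file that is not an EC private
# key on prime256v1, which the keystore's public keys require.
select_key() {
    dir=$1
    chosen=${2:-}
    if [ -z "$chosen" ]; then
        count=0
        for f in "$dir"/*.pem; do
            [ -e "$f" ] || continue
            count=$((count + 1))
            chosen=$f
        done
        if [ "$count" -ne 1 ]; then
            echo "error: $count .pem files in $dir; set PRIVATE_KEY explicitly" >&2
            return 1
        fi
    fi
    curve=$(openssl ec -in "$chosen" -text -noout 2>/dev/null | sed -n 's/^ASN1 OID: *//p')
    if [ "$curve" != "prime256v1" ]; then
        echo "error: $chosen is not a prime256v1 (secp256r1) private key" >&2
        return 1
    fi
    echo "$chosen"
}

# report LABEL CMD...: print the outcome without aborting under "set -e".
report() {
    label=$1
    shift
    if out=$("$@" 2>/dev/null); then
        echo "$label: ok ($out)"
    else
        echo "$label: rejected"
    fi
}

# Constructed SDK directory: one placeholder keystore, two real prime256v1
# keys and one key on a different curve.
SDK=$(mktemp -d)/acu6-pro-sdk-vx.y.z
mkdir -p "$SDK"
: > "$SDK/mycompany_keystore_acu6_key1.bpak"
openssl ecparam -name prime256v1 -genkey -out "$SDK/mycompany-dev-private.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -out "$SDK/mycompany-prod-private.pem" 2>/dev/null
openssl ecparam -name secp384r1 -genkey -out "$SDK/wrong-curve.pem" 2>/dev/null

# A second constructed directory with two keystores, which must be rejected.
SDK2=$(mktemp -d)
: > "$SDK2/mycompany_keystore_acu6_key1.bpak"
: > "$SDK2/mycompany_keystore_acu6_key2.bpak"

report "single keystore"      check_keystore "$SDK"
report "two keystores"        check_keystore "$SDK2"
report "default key (3 .pem)" select_key "$SDK"
report "explicit dev key"     select_key "$SDK" "$SDK/mycompany-dev-private.pem"
report "wrong curve key"      select_key "$SDK" "$SDK/wrong-curve.pem"
```

Running check_keystore and select_key from the Makefile before sign.sh turns a silently wrong signing key or keystore into a build failure, which is cheaper to find than an image the device refuses to boot.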