A “Secure firmware update” is the ability of a device to verify digital signatures of new firmware binaries, in order to assure that only officially approved versions can be installed from the host, the network[1] or a Board Management Controller (BMC).

The firmware of devices with “secure firmware up date” functionality (secure FW), restricts access to specific commands and registers that can be used to modify the firmware binary image on the flash, as well as commands that can jeopardize security in general. Most notably, the commands and registers for random flash access are disabled.

Secure FW verifies new binaries before activating them, compared to legacy devices where this task is done by the update tool using direct flash access commands. In addition to signature verification, secure FW also checks that the binary is designated to the same device model, that the new firmware is also secured, and that the new FW version is not included in a forbidden versions blacklist. The firmware rejects binaries that do not match the verification criteria.

Secure FW utilizes the same ‘fail safe’ upgrade procedures, so events like power failure during update should not leave the device in an unstable state. The table below lists the impact of secure FW update on mstflint tools.

Tool Flow Secure FW With CS Token Blocked Commands mstflint Burn FW Working with controlled fw update Working with controlled fw update Query Working with MCC commands Working with MCC commands Set GUIDs Working with controlled fw update Working with controlled fw update Verify Working partially (BOOT image) Working partially (BOOT image) Set DV INFO: SET MFG, SET VSD, VPD Not supported in Secure FW Not supported in Secure FW MFBA ROM OPS: BROM, DROM Not supported, BOOT image modification is not supported (MFBA) Not supported, BOOT image modification is not supported (MFBA) MFBA "-ocr" override cache replacement (Direct flash GW access) Not supported in Secure FW Not supported in Secure FW Flash GW is blocked HW SET (Set flash parameters) Flash GW is blocked Flash GW is blocked Flash GW is blocked "--no_fw_ctrl" (Legacy Flow) Not supported in Secure FW Not supported in Secure FW MFBA mstmcra Read working working working Write Read Only CR- Space working Read Only CR- Space mstregdump Read working working working mstconfig working working working working mstfwreset working working working working

The following sections describe how Secure FW updates are performed.

Signing Binary Image Files

For firmware Secure purposes, you may sign the image file using the sign command. If you do not provide the sign command with a private key and UUID, the command will only compute SHA256 digest and add it to the image signature section. The sign command supports RSA keys with lengths of 2048 and 4096 bits.

If you provide a private key with the length of 2048 bits, the command will compute SHA256 digest and encrypt it with the private key and add the result with the provided UUID to the appropriate image signature section.

If you provide a private key with the length of 4096 bits, the command will compute SHA512 digest and encrypt it with the provided key and add the result with the provided UUID to the appropriate image signature.

You can sign with two keys in the same command by providing keys with lengths of 2048 and 4096 bits. The flags to be used for the first private key and uuid are “--private_key“ and “--key_uuid”, and for the second private and uuid use “--private_key2” and “–key_uuid2”.

The motivation for signing with two keys is to allow a firmware update from both firmwares, the one that supports only 2048bit keys and the one that supports 4096bit keys.

Examples:

Copy Copied! # mstflint -i /tmp/image.bin sign --private_key privatekey.pem --key_uuid "e0129552-13ba-11e7-a990-0cc47a6d39d2"