Signing & Secure Boot
Executive Summary
Secure Boot ensures that only authorized firmware can run on the flight controller. This is critical for preventing tampering, cloning, or malicious code injection.
ArduPilot uses Monocypher (Ed25519) for asymmetric cryptography. You hold the Private Key (used to sign the firmware) and the bootloader holds the Public Key (used to verify the signature).
Theory & Concepts
1. The Signed Firmware Format (.apj)
The standard .apj file is just a JSON file containing the firmware binary (base64 encoded) and metadata.
- Signed: A signed firmware includes a cryptographic signature of the binary data.
- Unsigned: Standard builds have no signature field or a null signature.
2. The Secure Bootloader
The standard bootloader accepts any valid firmware. The Secure Bootloader checks the signature against its embedded Public Key.
- Valid Signature: Boot proceeds.
- Invalid/Missing: Boot halts. The board stays in bootloader mode.
Codebase Investigation
1. Key Generation: generate_keys.py
Located in Tools/scripts/signing/generate_keys.py.
- Generates a private_key.dat (KEEP THIS SECRET) and public_key.dat.
- Also generates a C header file containing the public key for compiling into the bootloader.
2. Signing Script: make_secure_fw.py
Located in Tools/scripts/signing/make_secure_fw.py.
- Takes an unsigned .apj and the private_key.dat.
- Calculates the Ed25519 signature.
- Outputs a new, signed .apj.
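The format and bootloader behaviour described above, as an added example that is not ArduPilot's own code: it models the make_secure_fw.py signing step and the secure bootloader's check over a constructed .apj-style JSON, using Go's standard-library Ed25519 instead of the project's Python and Monocypher. The "signature" field name, the board_id value and the image bytes are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Apj mirrors the parts of an .apj that matter here: the base64 image plus an
// optional signature field (the field name is assumed for this example).
type Apj struct {
	BoardID   int    `json:"board_id"`
	Image     string `json:"image"`
	Signature string `json:"signature,omitempty"`
}

// parseApj decodes the JSON, the base64 image and, if present, the signature.
func parseApj(raw []byte) (a Apj, img, sig []byte, err error) {
	if err = json.Unmarshal(raw, &a); err == nil {
		if img, err = base64.StdEncoding.DecodeString(a.Image); err == nil && a.Signature != "" {
			sig, err = base64.StdEncoding.DecodeString(a.Signature)
		}
	}
	return
}

// SignApj plays the role of make_secure_fw.py: sign the raw image bytes with the private key.
func SignApj(unsigned []byte, priv ed25519.PrivateKey) ([]byte, error) {
	a, img, _, err := parseApj(unsigned)
	if err != nil {
		return nil, err
	}
	a.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, img))
	return json.Marshal(a)
}

// VerifyApj plays the role of the secure bootloader: it holds only the public key.
func VerifyApj(signed []byte, pub ed25519.PublicKey) error {
	_, img, sig, err := parseApj(signed)
	if err == nil && (len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, img, sig)) {
		err = fmt.Errorf("missing or invalid signature: staying in bootloader")
	}
	return err
}

func main() { // the key pair stands in for generate_keys.py; the image is constructed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	unsigned, _ := json.Marshal(Apj{BoardID: 1, Image: base64.StdEncoding.EncodeToString([]byte("constructed image"))})
	signed, _ := SignApj(unsigned, priv)
	fmt.Println("signed:", VerifyApj(signed, pub), "| unsigned:", VerifyApj(unsigned, pub))
}
```

A signature copied onto a modified image, or one made with a different private key, fails the same check, which is the property the bootloader relies on.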
Source Code Reference
- Signing Tools: Tools/scripts/signing/
Practical Guide: Securing Your Fleet
1. Generate Keys
python3 Tools/scripts/signing/generate_keys.py MySecretKeys
2. Build the Secure Bootloader
You must compile a custom bootloader with your Public Key.
./waf configure --board=CubeOrange --bootloader --signed-fw --private-key=MySecretKeys/private_key.dat
./waf bootloader
(Note: The build system embeds the key automatically if configured correctly).
3. Sign Your Firmware
python3 Tools/scripts/signing/make_secure_fw.py --key MySecretKeys/private_key.dat --img build/CubeOrange/bin/arducopter.apj
4. Lock the Board
Flash the signed bootloader. Once installed, it will reject any unsigned firmware. Warning: If you lose your private key, you cannot update the firmware ever again (unless you use a hardware programmer to wipe the chip).