17Ara
cryptography – BitBox02 firmware signed & public key attached to firmware image for verification
Bootloader of the BitBox02 crypto wallet verifies the main application with the public keys that are attached to the firmware update itself. Next to that, there are signatures of the public keys, signed by the company's private key.
- Device holds
3
root ECC public keys (Github permalink), embedded in the bootloader and immutable - Firmware image (header part) contains:
3
signing firmware public keys (Github permalink), that correspond to some (random?) private keys used for firmware signature,3
firmware signatures, that are verified with the signing firmware public keys, attached to the image (Github permalink). These keys are used to verify a hash of a firmware image.3
Signature of the double hashed firmware public keys:signature(sha256(sha256(pubkey)))
. These are verified with the root public key (Github permalink), means are signed by the root private keys, which company holds somewhere.
Process seems to be:
- Device uses ROOT public keys to verify the signature of firmware public keys
- Device uses firmware public keys to verify the signature of the firmware itself.
Does this actually increase the security of the application, compared to directly verifying the firmware with the root public key (considering that the firmware is signed by root private key)? Image below