NetBurner 3.5.6
PDF Version
Signed Application

Signed Application Example

Overview

This is a NetBurner embedded application that demonstrates the signed application update capability. The application creates a web server that can receive and validate signed firmware updates using RSA public/private key cryptography.

Key Features

  • Signed Application Updates: Validates firmware updates using RSA 1024-bit key pairs
  • Web Server: Runs an HTTP server on port 80 with a simple web interface
  • Network Stack: Full TCP/IP networking capabilities
  • Security: Public key verification to ensure only authorized updates can be installed

How It Works

The application initializes the network stack, starts an HTTP web server, and registers a public key for validating signed application updates. After 20 seconds of runtime, it registers the signing public key with the system to enable secure firmware updates.

Main Application Flow

  1. Initialize the network stack
  2. Start HTTP web server on port 80
  3. Wait for active network connection (5 second timeout)
  4. Display system information
  5. After 20 seconds, register the application signing public key
  6. Continue running with 1-second heartbeat messages

Security Model

CRITICAL SECURITY NOTE**: The private key (signkey.pem) must NEVER be stored on the target device. It should be kept in a secure location separate from the device. Loss of the private key means you will never be able to update the device firmware again.

Key Requirements

  • Public Key: Stored in the application binary and used to verify update signatures
  • Private Key: Kept secure and separate from the device, used only for signing updates
  • Key Isolation: Signing keys must be different from any other certificates/keys used on the device (e.g., HTTPS certificates)

Setup Instructions

1. Generate Key Pair

You can use the provided makekey.bat script or run these commands manually:

openssl genrsa -out signkey.pem 1024
openssl rsa -in signkey.pem -pubout -out src/public.key
set NB_SIGN_KEY=%cd%\signkey.pem

2. Command Line Build

For command line compilation and deployment:

make sign # Create signed application
make loadsign # Load signed application to device

3. NBEclipse IDE Setup

If using NetBurner's NBEclipse IDE:

  1. Generate the key pair as described above
  2. In the directory with your public key, run:
    compfile public.key codekey_array codekey_len codekey.cpp
  3. Include the generated codekey.cpp file in your NBEclipse project
  4. Build your project normally

External Tool Configuration for Signing

After building your project in NBEclipse:

  1. Go to Run > External Tools > External Tools Configurations
  2. Create a new configuration with these settings:
    • Name: Sign
    • Location: ${env_var:NNDK_ROOT}\pcbin\nbsign.exe
    • Working Directory: Browse to your project workspace
    • Arguments: -k <full_path_to_private_key.pem> -in Release\${project_name}.bin -o Release\${project_name}.signed.bin
  3. Run the "Sign" external tool to create signed binaries

File Structure

  • main.cpp - Main application source code
  • makekey.bat - Script to generate RSA key pair
  • signkey.pem - RSA private key (1024-bit) - KEEP SECURE
  • public.key - RSA public key for signature verification
  • index.html - Simple web page served by the HTTP server
  • htmlvar.h - Header file for HTML variables
  • ReadMe.txt - Original documentation

Web Interface

The application serves a simple web page at the device's IP address that displays:

  • NetBurner logo
  • Device IP address
  • "Thank you for NetBurning!" message

Runtime Output

The application provides console output showing:

  • Application name and NNDK revision
  • Network status
  • 1-second heartbeat with timestamp
  • Confirmation when signing key is registered

Important Security Considerations

  1. Private Key Security: Never store the private key on the target device
  2. Key Backup: Securely backup your private key - loss means permanent inability to update
  3. Key Uniqueness: Use different keys for signing than for other device functions
  4. Secure Key Storage: Store private keys in a hardware security module or other secure location
  5. Update Validation: All firmware updates must be properly signed with the corresponding private key

Dependencies

  • NetBurner NNDK (NetBurner Network Development Kit)
  • OpenSSL (for key generation)
  • Standard NetBurner libraries: init, nbrtos, system, config_obj, nbupdate, iosys

Compilation Requirements

  • NetBurner toolchain
  • Access to NetBurner system libraries
  • Properly generated public key compiled into the application

This example demonstrates the foundation for a secure firmware update system suitable for production IoT and embedded applications where remote update capability with cryptographic verification is essential.