Secure Boot on ESP32 Platforms (opens in new tab)

(thistle.tech)

67 pointspdubouilh2y ago17 comments

17 comments

Informative, but if you’re building ordinary consumer hardware please don’t enable secure boot on your ESP32 device. There’s a thriving ecosystem of open source software (for example ESPHome) that gives flexibility to how a device is used and long term support long after your project or company has failed. We don’t need more electronic landfill rubbish when motivated individuals could tinker with them instead.

syncomo2y ago

Secure boot is a restriction put on a device, indeed. Whether secure boot should be enabled on a device or not depends on the perspective, and also on the threat model. For example, for an ESP32-based crypto wallet product like Jade (https://github.com/Blockstream/Jade) that's to be used to store Bitcoin, it's very likely a very good idea to enable secure boot, no matter it's an official or DIY device.

xnzakg2y ago

Came here to comment the same thing. I'm also personally not a fan of not being able to own your devices (or just not being able to keep them alive once the manufacturer turns off some server...), though there are two issues: One is people who buy IoT <thing> and then complain when it gets compromised because it was connected to the internet and someone somewhere found a way to turn their device into part of their botnet. The other is pressure from shareholders/management etc to ensure the code stays secret because imagine if a competitor had access to your IoT juicer's firmware and used it in their own product, oh no!

ianlevesque2y ago

Secure boot doesn’t fix the first one because a buffer overflow exploit won’t get verified and prevented by the boot signature verification. As with all DRM schemes it mostly only hurts your legitimate customers.

The second is uninteresting because often they can just get your exact product off the same assembly line after hours.

I’ve heard of a third, which is a concern that having the option to load unapproved software somehow compromises the security of everyone else. I don’t buy it.

fragmede2y ago

Even if you don't agree with it, the two lissues for the third point are that an RCE lets an attacker irreversibly modify the firmware remotely, or that the user will intentionally install an older unsupported version that contains an RCE. Vendor controlled firmware also has this issue, but that's the "compromises the security of everyone" with #3 because the attacker can now use the device as a VPN or as part of a DDOS botnet.

bitwize2y ago

The future of computing is that all code running on a device is one of the two S's: Signed or Sandboxed.

To do otherwise presents unnecessary risk.

ianlevesque2y ago

That perception is what we need collectively to fight. It turns a world of makers into passive consumers and we’re worse off for it. There’s been a couple examples, where indeed that was the perception, and the products ultimately did get discontinued and leave millions of units to rot. Such a waste.

krasin2y ago

>The future of computing is that all code running on a device is one of the two S's: Signed or Sandboxed.

>To do otherwise presents unnecessary risk.

Unnecessary risk to whom? To monopolies that want to control the devices?

I would say the future is requiring open-source flashable firmware to every programmable chip on every piece on industrial or consumer equipment sold.

My vision of the future is farther away than the Signed&Sandboxed, but we should collectively take efforts to minimize damage from the near future of locked down devices controlled by unknown parties.

flangola72y ago

Unnecessary risk to everything and everyone else on the internet eventually.

AI will create perfect Sybil attacks. The reality dictates our need of a signal for humanness. To know an interaction is a real human and not an indistinguishable simulation of one. Picture if the internet was flooded with 100 trillion malign actors and trolls, each tireless, merciless, skilled at both social manipulation and cyber attacks, with no way to tell if they are real people or not. Even a live video call with them cannot be trusted, not even if they look and sound like someone you know.

We're not there yet, but how far out do you feel confidant in saying that will still be the case? Two years? Five?

4 more replies

abelsson2y ago

That’s fine, assuming we pass laws mandating that signing keys can be controlled by end users. Otherwise we end up where no-one really owns their devices any more, every device would be merely temporarily rented.

420official2y ago

How could that work? A consumer would be required to build the firmware and flash it to the product themselves?

1 more reply

syncomo2y ago

This post is a follow-up to the first blog post (https://thistle.tech/blog/esp32-secure-boot-v2-enablement-1) on the topic of secure boot v2 enablement on ESP32 platforms

j / k navigate · click thread line to collapse

17 comments

ianlevesque2y ago

syncomo2y ago

xnzakg2y ago

ianlevesque2y ago

The second is uninteresting because often they can just get your exact product off the same assembly line after hours.

I’ve heard of a third, which is a concern that having the option to load unapproved software somehow compromises the security of everyone else. I don’t buy it.

fragmede2y ago

bitwize2y ago

The future of computing is that all code running on a device is one of the two S's: Signed or Sandboxed.

To do otherwise presents unnecessary risk.

ianlevesque2y ago

krasin2y ago

>The future of computing is that all code running on a device is one of the two S's: Signed or Sandboxed.

>To do otherwise presents unnecessary risk.

Unnecessary risk to whom? To monopolies that want to control the devices?

I would say the future is requiring open-source flashable firmware to every programmable chip on every piece on industrial or consumer equipment sold.

flangola72y ago

Unnecessary risk to everything and everyone else on the internet eventually.

We're not there yet, but how far out do you feel confidant in saying that will still be the case? Two years? Five?

4 more replies

abelsson2y ago

420official2y ago

How could that work? A consumer would be required to build the firmware and flash it to the product themselves?

1 more reply

syncomo2y ago

This post is a follow-up to the first blog post (https://thistle.tech/blog/esp32-secure-boot-v2-enablement-1) on the topic of secure boot v2 enablement on ESP32 platforms

j / k navigate · click thread line to collapse