
rpifwcrypto: Initial revision #139


Merged
merged 1 commit into from
Aug 18, 2025
1 change: 1 addition & 0 deletions CMakeLists.txt
Expand Up @@ -15,3 +15,4 @@ add_subdirectory(raspinfo)
add_subdirectory(vcgencmd)
add_subdirectory(vclog)
add_subdirectory(vcmailbox)
add_subdirectory(rpifwcrypto)
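
Review bot: add_subdirectory(rpifwcrypto) is unconditional, and rpifwcrypto/CMakeLists.txt calls find_package(GnuTLS REQUIRED), so configuring the top-level project now fails on a system without the GnuTLS development package, even for someone who only wants vcgencmd or vclog. Consider guarding the subdirectory behind an option or a non-REQUIRED GnuTLS check so the other utilities still build. Minor: the visible entries are in alphabetical order, so this line would sit after raspinfo rather than after vcmailbox.
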
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -18,13 +18,16 @@ A collection of scripts and simple applications
* [piolib](piolib/) - A library for accessing the Pi 5's PIO hardware.
* [raspinfo](raspinfo/) - A short script to dump information about the Pi. Intended for
the submission of bug reports.
* [rpifwcrypto](rpifwcrypto/) - A command line application and shared library for the
firmware cryptography service. Intended for use with Raspberry Pi Connect and
secure-boot provisioner.
* [vclog](vclog/) - A tool to get VideoCore 'assert' or 'msg' logs
with optional -f to wait for new logs to arrive.


**Build Instructions**

Install the prerequisites with "sudo apt install cmake device-tree-compiler libfdt-dev" - you need at least version 3.10 of cmake. Run the following commands to build and install everything, or see the README files in the subdirectories to just build utilities individually:
Install the prerequisites with "sudo apt install cmake device-tree-compiler libfdt-dev libgnutls28-dev" - you need at least version 3.10 of cmake. Run the following commands to build and install everything, or see the README files in the subdirectories to just build utilities individually:

- *cmake .*
N.B. Use *cmake -DBUILD_SHARED_LIBS=1 .* to build the libraries in the subprojects (libdtovl, gpiolib and piolib) as shared (as opposed to static) libraries.
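
Review bot: The N.B. line at the end of this hunk still names only libdtovl, gpiolib and piolib and describes static as the default, but rpifwcrypto/CMakeLists.txt declares BUILD_SHARED_LIBS as ON, so the new library follows a different default that the top-level README does not mention. Add rpifwcrypto to that sentence and state its default. The new list entry could also carry the caveat from rpifwcrypto/README.md that the service is not a hardware security module, since a reader of this file sees "firmware cryptography service" and "secure-boot provisioner" without it.
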
29 changes: 29 additions & 0 deletions rpifwcrypto/CMakeLists.txt
@@ -0,0 +1,29 @@
cmake_minimum_required(VERSION 3.10...3.27)
include(GNUInstallDirs)

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Werror")

# Set project name
project(rpifwcrypto)

# Find GnuTLS package
find_package(GnuTLS REQUIRED)

option(BUILD_SHARED_LIBS "Build using shared libraries" ON)
Collaborator


If you're changing the default build for rpifwcrypto to shared libraries then you'll need to update the top-level README. And perhaps provide rpifwcrypto/README.md as well.


# Create the shared library
add_library(rpifwcrypto rpifwcrypto.c)
target_sources(rpifwcrypto PUBLIC rpifwcrypto.h)
set_target_properties(rpifwcrypto PROPERTIES PUBLIC_HEADER rpifwcrypto.h)
set_target_properties(rpifwcrypto PROPERTIES SOVERSION 0)

# Create the executable
add_executable(rpi-fw-crypto main.c)
target_link_libraries(rpi-fw-crypto rpifwcrypto ${GNUTLS_LIBRARIES})
target_include_directories(rpi-fw-crypto PRIVATE ${GNUTLS_INCLUDE_DIRS})

# Install rules
install(TARGETS rpi-fw-crypto RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
install(TARGETS rpifwcrypto
ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
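
Review bot: The install(TARGETS rpifwcrypto ...) rule at the end of the file gives only ARCHIVE and PUBLIC_HEADER destinations, although BUILD_SHARED_LIBS defaults to ON and the comment above add_library calls the target a shared library. Add LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}: CMake releases before 3.14 refuse to install a shared library target without one, and this file declares 3.10 as its minimum. Separately, option(BUILD_SHARED_LIBS ...) creates a cache entry, which is not scoped to this directory, so it can change the library type of the other subprojects on a later configure run; a project-specific option name would avoid that. Hard-coding -Werror in CMAKE_C_FLAGS also turns any warning from a newer compiler into a build failure for users.
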
43 changes: 43 additions & 0 deletions rpifwcrypto/README.md
@@ -0,0 +1,43 @@

# rpifwcrypto

The Raspberry Pi Firmware Cryptography service is a mailbox based API
that allows a limited set of cryptographic operations to be performed
by the firmware without exposing private keys to userspace.

The initial implementation is designed to support PiConnect and
provides an ECDSA P-256 SHA256 signature API.

A SHA256 HMAC API is provided to provide basic support for derived keys
instead of using the raw device unique private key
e.g. HMAC(serial-number + EMMC CID) could be used for a LUKS passphrase.

Although this service can be used via raw vcmailbox commands the
recommended API is either the command line rpi-fw-crypto application
or the librpifwcrypto.so shared library.

**Build Instructions**
Install prerequisites with "sudo apt install cmake libgnutls28-dev"" - you need at least version 3.10.

- *mkdir build*
- *cd build*
- *cmake ..*
- *make*
- *sudo make install*

**Usage**

* rpi-fw-crypto -h (Displays usage instructions for all operations)
* rpi-fw-crypto get-num-otp-keys (Returns the number of OTP key slots)
* rpi-fw-crypto sign --in message.bin --key-id 1 --alg ec --out sig.bin (Signs message.bin with the device unique OTP key (id 1))
* rpi-fw-crypto get-key-status 1 (Gets the status of key-id 1)
* rpi-fw-crypto set-key-status 1 LOCKED (Blocks the raw OTP read API on this key until the device is rebooted)
* rpi-fw-crypto hmac --in message.bin --key-id 1 --out hmac.bin (Generates the SHA256 HMAC of message.bin and OTP key id 1)

** Notes **
The device unique private key can be provisioned with the `rpi-otp-private-key` utility.
This MUST be a raw ECDSA P-256 key and not just a random number.

This service is not a hardware security module and the current implementation
does not protect the key and/or OTP from being accessed directly with root level privileges.
It just removes the need to expose the key to userspace (e.g. initramfs) scripts.
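
Review bot: The Notes paragraph says root can still reach the key and/or OTP directly, while the Usage list says set-key-status 1 LOCKED blocks the raw OTP read API until reboot, and the README does not say how these fit together. State whether sign and hmac keep working once a key is LOCKED and at what point in boot a user is expected to lock it, since the LUKS passphrase example depends on that. The sign and hmac examples both use --key-id 1, so the same OTP secret serves as the ECDSA private key and the HMAC key; say whether that is intended, and note that the serial number and EMMC CID in the HMAC example are not secret, so the derived passphrase is only as private as the OTP key. Minor: the Build Instructions line has a doubled closing quote after libgnutls28-dev and "version 3.10" no longer says of what, and "** Notes **" has spaces inside the asterisks, unlike the other bold headings.
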