Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Output OTP decryption key JSON file for encrypted example always uses example key (00010203...) #528

Open
0xTJ opened this issue Aug 23, 2024 · 0 comments
Open

Output OTP decryption key JSON file for encrypted example always uses example key (00010203...) #528

0xTJ opened this issue Aug 23, 2024 · 0 comments
Assignees
@will-v-pi

Comments

@0xTJ
Copy link

0xTJ commented Aug 23, 2024

In the example at bootloaders/encrypted, the README.md file gives instructions on how to generate a new AES key with the command:

dd if=/dev/urandom of=privateaes.bin bs=1 count=32

However, the otp.json file in the CMake build binary directory, which contains the data to be programmed into the decryption key OTP rows , is simply a copy of the otp.json in the example directory.
This can be confusing to the user since, if (the CMake binary directory copy of) otp.json is used to program OTP, the example key will be permanently burned into OTP, when they might expect the new key to be used instead.

This is particularly confusing as the signing key is correctly filed out (by picotool) to hello_serial_enc.otp.json.
I believe that there should either be a note indicating that the key in otp.json will not be updated with a newly-generated key, or some script/instructions for generating a decryption key OTP file (from privateaes.bin) should be added.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@will-v-pi will-v-pi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0xTJ @will-v-pi