Installing Secure Firmware
CAUTION: This can potentially render your hardware unusable, so do this process at your own risk.
This feature is currently only supported on Cubepilot autopilots including and released after CubeOrange. Currently this process is still in pilot mode, i.e. we don't disable the SWD on the hardware, this way if a module gets into unrecoverable state, it can be put back to original state using STLink or similar debug probes.
- Ensure that you have an account at https://discuss.cubepilot.org . If not please create one, as the account will be used to secure your cube, which means, only the users with credentials will be able to load the firmware once secured.
- To load the secure bootloader, you will need Beta Mission Planner installed on your system.
- Setup > Secure > Login
- Once logged in select Enter Bootloader Mode
- You should see Cube Serial Number show up on the window after repowering your Cube, once done, click Enter DFU Mode. This will put the cube in DFU bootloader, from where we can load secure bootloader.
- Next click Get Bootloader, this will flash the secure bootloader, and from henceforth only way to upload firmware is to sign them with your CubePilot login.
- Now every time you want to update firmware, you will need to do it through this page, updating through standard firmware update will not work.
To recover back to stock bootloader, you will need to sign and upload apj downloaded from here https://firmware.ardupilot.org using the above process, repower and then connect using Mission Planner and update bootloader.
The process of securing the firmware involves signing both the bootloader and firmware using ECC Prime256v1 keypair. The private key part of the Keypair is securely generated and stored on CubePilot's cloud server.
Keypairs are generated the first time manufacturers use CubePilot credentials to log into Mission Planner and tied to the credentials. When requested Mission Planner fetches the bootloader which is signed with manufacturer's private key including Cube's serial number. The bootloader is then flashed on to the Cube via DFU. After this step only way to flash firmware is via MissionPlanner with CubePilot credentials. Every firmware update MP uploads the firmware image provided by user signed on the server and downloaded and then flashed on to the Cube.
Every boot bootloader verifies itself and the firmware before running the autopilot.
Locking parameters via Mission Planner is will be implemented in the near future. Until then users can setup firmwares using https://ardupilot.org/dev/docs/apjtools-intro.html . Parameters that need to be locked can be done so using @READONLY flag. The .apj file generated by this tool will be the one to be provided to MP. These parameters will only be modifiable by doing a secure firmware update and hence going through manufacturer's verification.