Add keys generate command #1695
As this is an exported object, this will be a breaking change and so the standard procedure should be followed to communicate that to the users.
I did not think about it, but you are right
Co-authored-by: per1234 <accounts@perglass.com>
e55e6ac to 0ff01b7
In the end, we decided to keep it simple and not add key generation to the arduino-cli. We decided instead to write a guide on how to do it using imgtool (along with download links to it).
This was a difficult decision, but the reasons in favor of the guide were multiple:
- Feature Creep
- The CLI should be a tool able to interact with sketches/libraries/cores. Key generation has little to do with it for now, since the only board to support it is the Portenta H7
- There are already tools able to generate security keys. For example, imgtool is already available: we built it and use it to sign and encrypt binaries, and we could use it even for key generation, extraction...
- It would not make sense to reimplement imgtool in Golang to basically do what it already does: generate PEM keys, extract pub/priv keys, and encode the key in a C header file
- The procedure for uploading the keys to the board’s flash cannot be made fully automatic and still requires some manual steps. Thus, it does not make sense to replace the imgtool procedure.
- Adding such code to the CLI also means maintaining it, and at the moment we do not have the capacity to do that. Even implementing another tool to do that would result in the same issue.
Things could change in the future. If/when there are other boards supporting secure-boot, maybe this topic will be faced again. But we would have users with clear requirements, and we could better develop this.
Guide here: arduino/docs-content#129
Please check if the PR fulfills these requirements
before creating one)
our contributing guidelines
UPGRADING.md has been updated with a migration guide (for breaking changes)
feature
add keys generate command to generate the encryption keys required for secure boot
titled accordingly?