I am exploring possibilities of higher layers above CAN FD for a system. I like Cyphal as it provides a lot that we need. We also need a bootloader with some sort of “partial security”.
It is not possible to fully secure the firmware without complete encryption (or at least authentication) of the entire communication. We just need to prevent random users from modifying the firmware unless they break a fuse and void their warranty. The “partial security” is defined as: it should not be possible to break it with a 10-minute how-to from Stack Overflow.
I have seen the `certificate_of_authenticity` item of the `uavcan.node.GetInfo` service. What is its envisioned purpose? If it were a hash of the firmware, the malicious firmware could just have a hardcoded hash value of the real firmware. The certificate would be useless. Do you have any advice on how this item should be used? I am thinking that the hash would have to be salted with a salt obtained from the `GetInfo` request. I am thinking about copying and modifying this service.
Then the malicious firmware could have a copy of the real firmware in an unused part of flash. The real firmware would have to fill the entire flash with random data. I have not yet found a better way, so ideas for this are also welcome.
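As an added illustration (not code from the original post or from the Cyphal project), the following Python simulates the salted-hash scheme described above: a verifier sends a fresh salt, the device answers with SHA-256 over salt plus its whole flash, and the verifier compares against the full reference image including the random fill. The flash size, image bytes and function names are constructed assumptions.

```python
import hashlib
import secrets

# Constructed stand-in for the device flash: an application image followed by
# random fill, so no unused region remains that could hide a second image.
# The verifier must keep this exact full image (fill included) as its reference.
FLASH_SIZE = 4096
APP_IMAGE = b"\x00\x20\x00\x20" + bytes(range(256)) * 4  # constructed bytes
FLASH_IMAGE = APP_IMAGE + secrets.token_bytes(FLASH_SIZE - len(APP_IMAGE))


def device_response(flash: bytes, salt: bytes) -> bytes:
    """Device side: digest over salt || entire flash (the proposed salted hash)."""
    return hashlib.sha256(salt + flash).digest()


def verifier_check(reference_flash: bytes, salt: bytes, response: bytes) -> bool:
    """Verifier side: recompute the digest over the known full image and compare
    in constant time."""
    expected = hashlib.sha256(salt + reference_flash).digest()
    return secrets.compare_digest(expected, response)


def attest(reference_flash: bytes, device_flash: bytes) -> bool:
    """One full exchange: fresh 32-byte salt per request, never reused."""
    salt = secrets.token_bytes(32)
    return verifier_check(reference_flash, salt, device_response(device_flash, salt))


def attest_salt_ignored(reference_flash: bytes, device_flash: bytes) -> bool:
    """Exchange against a responder that ignores the salt and always answers
    with a digest computed for a fixed salt; a fresh salt makes this fail."""
    fixed_answer = device_response(device_flash, bytes(32))
    return verifier_check(reference_flash, secrets.token_bytes(32), fixed_answer)


if __name__ == "__main__":
    tampered = FLASH_IMAGE[:100] + bytes([FLASH_IMAGE[100] ^ 0x01]) + FLASH_IMAGE[101:]
    print("genuine image:      ", attest(FLASH_IMAGE, FLASH_IMAGE))
    print("one byte changed:   ", attest(FLASH_IMAGE, tampered))
    print("salt ignored:       ", attest_salt_ignored(FLASH_IMAGE, FLASH_IMAGE))
```

The check only binds the response to the bytes the device chooses to hash, which is exactly the limitation the post raises; the random fill is what denies the device spare space for a second image.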