Impact
The MCUboot project uses hard-coded public/private keys as an aid to developers. Although documented that anyone producing a product using MCUboot should create their own keys, the build system does not encourage this, and it is very easy to produce a product using these keys.
Patches
MCUboot version 1.8.0 improves this situation in a few ways:
- The documentation is more prominent about ensuring proper management of keys
The specific development keys have been removed from the project repo, during development, the build system will generate keys, if they are missing. These are still specific keys that will not change, but will at least be different for each development tree.A .gitignore will make us difficult to check these private keys in in the future.- Potential removal of keys to be addressed in the future in #1094.
Workarounds
The documentation for the project contains instructions to generate new keys. Following these instructions will avoid using the exposed private key.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Impact
The MCUboot project uses hard-coded public/private keys as an aid to developers. Although documented that anyone producing a product using MCUboot should create their own keys, the build system does not encourage this, and it is very easy to produce a product using these keys.
Patches
MCUboot version 1.8.0 improves this situation in a few ways:
The specific development keys have been removed from the project repo, during development, the build system will generate keys, if they are missing. These are still specific keys that will not change, but will at least be different for each development tree.A .gitignore will make us difficult to check these private keys in in the future.Workarounds
The documentation for the project contains instructions to generate new keys. Following these instructions will avoid using the exposed private key.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: