ArduPilot firmware tamper-proofing + parameter locking

Hi All,

We have built signed ArduPilot firmware using a custom keypair for the OrangeCube.
We are able to build and upload the firmware to the OrangeCube and secure it against any unauthorised firmware upgrade. Basically it is for tamper-proofing the firmware.

On top of the secure firmware, we would like to lock some of the parameters that shouldn’t be modified at a later stage.
I have gone through the APJ Tools option, but it doesn’t seem to be working as expected.

Steps performed →

  1. Created a file - “param-defaults.parm”
  2. Executed - “python apj_tool.py --set-file param-defaults.parm SecureFirmwareFile.apj”
  3. Found that the parameters are loaded to SecureFirmwareFile.apj by using “python apj_tool.py --show SecureFirmwareFile.apj”
  4. Upgraded the firmware of the OrangeCube using “MissionPlanner” → Load Custom Firmware.

Result observed →

  1. The Cube is unable to boot up; it gets stuck at the bootloader showing “OrangeCube-Secure-BL”.
  2. If we upgrade the secure firmware (without updating the default parameter settings) to the Cube, the Cube boots up fine.

Expected behavior →
We expect the Cube to boot up normally with the secure firmware + parameters as per the set param-defaults.parm. All the @READONLY parameters shouldn’t be allowed to be modified from MissionPlanner.

Could anyone who has done this help me with the details of what we are missing here?

Content of “param-defaults.parm” file -----

Default parameter file for vehicleX

MOT_PWM_MIN 1000
ATC_RAT_RLL_P 0.100 @READONLY

Regards,
GNB
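To catch a malformed defaults file before it is embedded with apj_tool.py, here is an added example validator written for this thread; it is not apj_tool.py or AP_Param code, and nothing here claims to explain the boot failure described above. It assumes the parameter-file format seen in the post: a line starting with `#` is a comment, a parameter line is `NAME VALUE` (comma, tab or `=` also accepted as separators), an optional trailing `@READONLY` marks the parameter as locked, and a name is at most 16 characters of upper-case letters, digits and underscores. The two sample inputs are constructed here: the file content exactly as it appears in the post, whose first line carries no `#`, and the same file with that line turned into a comment. The check is syntactic only; it cannot tell whether a name exists in the firmware or how the bootloader or running firmware reacts to the embedded file.

```python
"""Validate an ArduPilot-style parameter defaults (.parm) file before
embedding it with apj_tool.py.

Added example for this thread; not apj_tool.py or AP_Param code.
Assumed format (see the lead-in):
  '# ...'                     comment line
  'NAME VALUE [@READONLY]'    parameter line; ',', tab or '=' also separate
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a name is 1-16 chars of upper-case letters, digits and '_',
# starting with a letter (ArduPilot's AP_MAX_NAME_SIZE is 16).
_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,15}$")
_SEP_RE = re.compile(r"[\s,=]+")
_READONLY = "@READONLY"


@dataclass(frozen=True)
class ParamDefault:
    name: str
    value: float
    read_only: bool


def parse_line(line: str) -> Optional[ParamDefault]:
    """Parse one line: None for blank/comment lines, ValueError when malformed."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = _SEP_RE.split(stripped)
    read_only = False
    if fields and fields[-1] == _READONLY:
        read_only = True
        fields = fields[:-1]
    if len(fields) != 2:
        raise ValueError(f"expected 'NAME VALUE', got {stripped!r}")
    name, raw_value = fields
    if not _NAME_RE.match(name):
        raise ValueError(f"bad parameter name {name!r}")
    try:
        value = float(raw_value)
    except ValueError:
        raise ValueError(f"bad value {raw_value!r} for {name}") from None
    return ParamDefault(name, value, read_only)


def validate_defaults(text: str) -> Tuple[List[ParamDefault], List[Tuple[int, str]]]:
    """Parse a whole file. Returns (parsed parameters, [(line_no, error), ...]).
    Duplicate names are reported because only one default per name makes sense."""
    params: List[ParamDefault] = []
    errors: List[Tuple[int, str]] = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        try:
            param = parse_line(line)
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        if param is None:
            continue
        if param.name in seen:
            errors.append((line_no, f"duplicate parameter {param.name}"))
            continue
        seen.add(param.name)
        params.append(param)
    return params, errors


# Constructed sample: the file content as it appears in the post above,
# whose first line carries no '#'.
POSTED_FILE = """Default parameter file for vehicleX

MOT_PWM_MIN 1000
ATC_RAT_RLL_P 0.100 @READONLY
"""

# Constructed sample: the same file with the title line turned into a comment.
FIXED_FILE = "# " + POSTED_FILE


if __name__ == "__main__":
    for label, text in (("posted", POSTED_FILE), ("fixed", FIXED_FILE)):
        params, errors = validate_defaults(text)
        print(f"{label}: {len(params)} parameter(s), {len(errors)} error(s)")
        for line_no, msg in errors:
            print(f"  line {line_no}: {msg}")
        for p in params:
            flag = " (read-only)" if p.read_only else ""
            print(f"  {p.name} = {p.value}{flag}")
```

Running the script reports line 1 of the posted content as malformed and accepts the commented version with `ATC_RAT_RLL_P` marked read-only; the validator is meant to be run on the file before `apj_tool.py --set-file`, not as a substitute for checking what the firmware does with it.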

Hey there, I hope you don’t mind me asking a question here. I’m also building my tamper-proof software, and I keep running into this error when building my firmware.

→ task in ‘objs/AP_GPS’ failed (exit status 1):
{task 140331614375824: cxx AP_GPS_NMEA.cpp → AP_GPS_NMEA.cpp.0.o}

Would you happen to know how to resolve it?

Hi,
I remember running into a similar issue.
It was resolved by changing the “strncpy” to “memcpy” in “/libraries/AP_GPS/AP_GPS_NMEA.cpp”.
Let me know if you need any further info.

I would welcome if you have any thoughts/suggestions on my original post as well, since you are also trying to achieve the same outcome.

Regards,
GNB

Hi GNB,
I have not reached that part of the process yet, although I eventually plan on making most of the params read-only. I will make sure to get back to you when I do that. One question though: I have now successfully built the secure firmware and the bootloader. I could not find clear documentation on the next part of the process, though. If I upload through the ‘custom firmware’ option on Mission Planner, is that all I have to do? Once the secure firmware is installed, how do I check it, and if I try uploading other firmware, will it outright reject it or just stay stuck in the boot-up process?

Hello @gbharath and @Aryan_Ghadge, like you, I am also trying to develop a secure firmware and bootloader for my CubeOrange Copter. At present, I am using OpenSSL RSA public/private key (.pem) files to add a layer of security, but I’m unsure how to proceed. Would it be possible for you to provide some assistance or guidance by sharing your experience or instructions? Thank you.


Hi guys, I am having an issue with this command:
Tools/scripts/build_bootloaders.py BOARDNAME --signing-key=NAME_public_key.dat

It’s a build error; try to rebuild it again.

Hi sir,
I have tried many times by rebuilding, but I’m getting an error in this.

@gbharath
Can you share the secure firmware building steps, because I am getting the error below.

libraries/AP_HAL_ChibiOS/Util.cpp:288:10: error: ‘AP_CheckFirmware’ has not been declared
288 | if (!AP_CheckFirmware::check_signed_bootloader(fw, fw_size)) {
| ^~~~~~~~~~~~~~~~
compilation terminated due to -Wfatal-errors.

I tried many times to clean-build but still getting same.

I would like to connect with you in person;
reach me at casca.developer@gmail.com

I believe by this time you might have resolved the issue you were facing.
We are facing an issue with making the parameter read-only. Can you suggest any way to do it?

@Casca_Developer
You can do this by changing the flag of that parameter.

Thank you so much for your reply. Could you please help me understand where to change the flag of the parameter? I mean, how?

Which parameter do you want to make read-only?

We wanted max altitude, max range and max cruising speed to be fixed by the OEM and read-only.

@Casca_Developer
You have to change the code to set parameters read-only: read the code and search for the parameter you want to set read-only, then use the AP_GROUPINFO_FLAGS() group and the AP_PARAM_FLAG_INTERNAL_USE_ONLY flag to set the parameter in read-only mode.
For example:

AP_GROUPINFO_FLAGS("ALT_MAX", 3, AC_Fence, _alt_max, AC_FENCE_ALT_MAX_DEFAULT, AP_PARAM_FLAG_INTERNAL_USE_ONLY)

AP_GROUPINFO_FLAGS("RADIUS", 4, AC_Fence, _circle_radius, AC_FENCE_CIRCLE_RADIUS_DEFAULT, AP_PARAM_FLAG_INTERNAL_USE_ONLY)

Hi @gbharath, How did you solve this problem? Can you please help.

Hi @Manish, can you please help me with the location of the file where I need to change this.

The code is at GitHub - ArduPilot/ardupilot: ArduPlane, ArduCopter, ArduRover, ArduSub source, and once you load it in VS Code, you can use the search function.

Were you able to find a solution? Looks like I am stuck at the same place. After creating a signed firmware, using the APJ tool to embed default params and then signing the same .apj file again, the bootloader does not let this new firmware run on the autopilot.