prokey-io / prokey-optimum-firmware

Prokey Hardware wallet firmware
https://prokey.io
GNU Lesser General Public License v3.0

Show hash of firmware prior to installation #28

Open Giszmo opened 2 years ago

Giszmo commented 2 years ago

I'm reviewing hardware wallets for WalletScrutiny, and watching the firmware update video, I noticed the user has no way of knowing which binary the device is being updated to.

For verifiability, the firmware has to be not only open source but also reproducible by independent security researchers, and the device has to give an indication of which binary it's actually updating to.

hadideveloper commented 2 years ago

We can show the hash of installed firmware to the end user to make them able to verify the installed firmware.

hadideveloper commented 2 years ago

@mimirobo In the bootloader, prior to finalizing the firmware installation and after checking the signature, we can also show the hash of the firmware to the end user.

@Giszmo Thanks for your suggestion. We are going to add this feature to the next bootloader update.

Giszmo commented 2 years ago

> We can show the hash of installed firmware to the end user to make them able to verify the installed firmware.

Wonder which hash I would make my evil firmware show :thinking:

Or did you mean to say "We can show the hash of to be installed firmware to the end user to make them able to verify the firmware prior to installing it."?

hadideveloper commented 2 years ago

> Or did you mean to say "We can show the hash of to be installed firmware to the end user to make them able to verify the firmware prior to installing it."?

Yes, correct.
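
The distinction settled in this thread, as an added Python model that is not part of the discussion and not Prokey's code: a hash computed by the bootloader over the staged image before installation can be checked against an independent build, while a hash reported by already-running firmware cannot. SHA-256, the grouped hex display, the sample images and all names here are assumptions, and the signature check mentioned above is left out because the thread does not name a scheme.

```python
import hashlib
from typing import Optional

# Constructed sample images standing in for real firmware binaries.
OFFICIAL = b"constructed reproducible build"
MODIFIED = b"constructed modified build"

def fingerprint(image: bytes) -> str:
    """SHA-256 as eight groups of eight hex digits, readable on a small screen."""
    digest = hashlib.sha256(image).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 64, 8))

def matches(shown: str, own_build: bytes) -> bool:
    """Compare the string read off the device with the hash of one's own build."""
    normalised = "".join(shown.split()).lower()
    return normalised == hashlib.sha256(own_build).hexdigest()

class Bootloader:
    """Trusted component: hashes the staged bytes itself, before writing them."""
    def __init__(self) -> None:
        self.installed: Optional[bytes] = None
        self._staged: Optional[bytes] = None

    def stage(self, image: bytes) -> str:
        self._staged = image
        return fingerprint(image)  # displayed prior to installation

    def confirm(self, user_accepts: bool) -> bool:
        # Nothing is written unless the user accepted the displayed hash.
        if user_accepts and self._staged is not None:
            self.installed = self._staged
        self._staged = None
        return user_accepts

def installed_firmware_report(running: bytes, hardcoded: Optional[str] = None) -> str:
    """Post-install report: the running firmware chooses this string, so a
    modified build can return any value, including the official hash."""
    return hardcoded if hardcoded is not None else fingerprint(running)

if __name__ == "__main__":
    bl = Bootloader()
    shown = bl.stage(MODIFIED)
    print("pre-install check:", matches(shown, OFFICIAL))
    bl.confirm(matches(shown, OFFICIAL))
    spoofed = installed_firmware_report(MODIFIED, fingerprint(OFFICIAL))
    print("post-install self-report check:", matches(spoofed, OFFICIAL))
```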