Mike Tolkachev
Multi-Party Firmware Signing for Projects with Shared Release Authority
Status: Coming up in April 2026!
In many embedded products, firmware updates are authenticated using a single private key held by one developer or system. If that key is compromised or misused—whether through a tampered build environment, unauthorized HSM access, a stolen laptop, an internal mistake, or a rogue maintainer—the device fleet has no mechanism to enforce additional approval. A single key becomes a single point of failure for every device in the field.
This talk presents a practical quorum-based (M-of-N) signing scheme that distributes trust across multiple maintainers, systems, or roles. Instead of relying on one signature, the bootloader verifies multiple independent signatures before accepting an update. The design targets general-purpose microcontrollers and does not depend on any specialized hardware modules.
To demonstrate feasibility, a reference open-source bootloader implementation is presented, validated on an STM32F4 platform using ECDSA/SHA-256 algorithms and a microSD-based update flow, highlighting the constraints typical of embedded targets such as limited flash and RAM.
Although SUIT and TUF are widely adopted standards, certain environments, such as constrained MCUs or devices updated offline or through removable media, can benefit from a more lightweight approach. This talk presents such a model built around simple, explicit checks and balances. It also covers several operational aspects, including:
- Basics of signing ceremonies and safe key rotation.
- Key hierarchies (e.g., vendor vs. maintainer keys).
- Rollback protection and boot time optimization.
- TOCTOU (Time-of-Check to Time-of-Use) considerations when validating manifests.
Attendees will gain a clear understanding of how quorum-based signing can be integrated into existing bootloaders and update designs, what constraints apply on embedded targets, and which operational practices help keep the firmware update process trustworthy over the device’s lifetime.
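The M-of-N acceptance logic described above, together with the rollback-protection and TOCTOU points from the list, as an added Python example that is not code from the talk or its reference bootloader: the per-maintainer ECDSA/SHA-256 check is replaced by HMAC-SHA256 with constructed keys so the example runs on the standard library alone, and the key ids, `QUORUM_M`, and the manifest layout are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed demo keys. In the real scheme each maintainer holds its own ECDSA
# private key and the bootloader stores the public keys; HMAC-SHA256 stands in
# here only to keep the example dependency-free.
TRUSTED_KEYS = {
    "vendor-1": b"constructed-key-vendor-1",
    "maint-a": b"constructed-key-maint-a",
    "maint-b": b"constructed-key-maint-b",
}
QUORUM_M = 2  # M-of-N: 2 distinct trusted signers out of the 3 keys above

@dataclass
class Manifest:
    version: int         # monotonic anti-rollback counter
    image_sha256: bytes  # SHA-256 of the firmware image this manifest covers
    signatures: list     # (key_id, signature) pairs

    def signing_input(self) -> bytes:
        return self.version.to_bytes(4, "big") + self.image_sha256

def make_signed_manifest(version, image, signer_ids):
    """Release side: build a manifest and sign it with each listed key."""
    m = Manifest(version, hashlib.sha256(image).digest(), [])
    for key_id in signer_ids:
        sig = hmac.new(TRUSTED_KEYS[key_id], m.signing_input(), hashlib.sha256).digest()
        m.signatures.append((key_id, sig))
    return m

def verify_update(manifest, image, installed_version, quorum=QUORUM_M):
    """Bootloader side: True only if the update passes every gate."""
    # Rollback protection: refuse anything not newer than what is installed.
    if manifest.version <= installed_version:
        return False
    # Hash the buffer that will actually be flashed; re-reading the file from
    # the card after verification would reopen the TOCTOU window.
    if not hmac.compare_digest(hashlib.sha256(image).digest(), manifest.image_sha256):
        return False
    # Count valid signatures from distinct trusted keys (unknown ids and duplicates do not count).
    msg = manifest.signing_input()
    valid_signers = set()
    for key_id, sig in manifest.signatures:
        key = TRUSTED_KEYS.get(key_id)
        if key is None:
            continue
        if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig):
            valid_signers.add(key_id)
    return len(valid_signers) >= quorum
```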
