Firmware security through signatures

You can configure the firmware configuration in the Scout Console or on the device to have the device check signatures each time before an update is performed. An update is then only performed if the signature of the image definition file (IDF) and/or the signature of the eLux software packages have been successfully verified. The update cannot be run, however, if the IDF or one of the eLux software packages to be installed does not have a valid or verifiable signature.

A signature check of eLux software packages requires an update partition on the device. On devices without an update partition, signatures can only be checked for image definition files but not for eLux software packages. For further information on update partitions, see eLux partitions.

Activating signature check

  1. In the Scout Console, under Device configuration > Firmware, click Security....
    On the eLux RP 6 device, select Configuration panel > Firmware > Check signatures before update.

  2. Under Signature check before update, select the Image definition file option and/or the eLux software packages option.

  3. Confirm with OK and Apply.

In eLux, both options are provided in the Config panel, under Firmware.

The signature verification results are documented in the update log file on the device. After an update has been performed, the update log file is sent to the Scout Server. To view it for the selected device, in the Properties window, double-click the Update status field.

Certificates

Verifying the IDF signature on the client side requires the root certificate, but also the signature certificate in the local device directory /setup/cacerts. If you use own certificates for signing IDFs or individually composed eLux packages, configure their transfer to the devices. To do so, use the Scout feature Files configured for transfer. For eLux packages provided by Unicon, all required certificates are included in the BaseOS.

When updated code signing certificate are made available on our technical portal, download and import them into ELIAS. Instructions are included.

For further information on how to create image signatures, see Signing an image in the ELIAS 18 guide.