Hi everyone,
I’ve been looking into how software integrity can be handled in practice in relation to CRA.
In many setups machines are not continuously connected, and updates are often handled via USB or similar.
In those cases, it becomes important to have a way to verify what is actually being installed.
Together with @johan.dehn I put together a small toolkit around signing and verification of files, which can be used for Automation Studio installation packages, or SDM Dumps for further SBOM generation (see previous post regarding the CycloneDX SBOM file).
The idea is to establish a simple link of trust, where a transfer package (RUCPackage derivative) can be signed as part of the build process (using a small Rust tool Johan made), and then verified on the target system before installation. This makes the transfer independent of secure channels, and you can add authorization with e.g. ArUser. As the PLC is also capable of generating key pairs via the TppSign library, you can use these keys to prove the PLC's identity, e.g. for SDM dump files.
The toolkit consists of:
- B&R Automation Runtime library for Ed25519 signing and verification, as well as key generation
- A Node.js-based CLI tool for signing and verifying files using the shared TypeScript library
- A Rust-based CLI tool for signing and verifying files, providing a compiled implementation using the same underlying algorithms, e.g. in combination with the Automation Studio build process.
Project is here:
https://github.com/patricthysell/tpp-integrity-toolkit
Best regards, Patric