ARRIS Enterprises, Inc. Confidential Information

Signing with PRiSM

Background

Every boot image running on an ARRIS set-top box (STB) is encrypted and protected by a signature. The set-top box only accepts boot images that are verified to come from the correct source, which protects the STB from being hacked. The protection is based on a key pair: the private key is used for signing the boot image and is kept secret, and the public key is inserted into the STB during production.

In previous versions of KreaTV the private key was provided in the KreaTV SDK, and boot image signing took place automatically when building the boot image. As of KreaTV 5 this process has changed and the private key is stored on a secure ARRIS server called PRiSM (Permission and RIghts Signing Manager).

A development key will still be available in the SDK which can be used in the development phase for signing boot images locally. The difference from previous generations of set-top boxes is that these development images will only be able to run on specific development set-top boxes.

| Development STB | Production STB |
|---|---|
| Lab use and development only. | For use by home users, deployment, field trials. |
| Boot image is signed automatically with a development key included in the SDK. | Boot image is signed on the ARRIS secure PRiSM server. |
| Restricted to a limited number per company. | Unlimited volume. |
| Development options such as booting with an NFS mounted filesystem and the ability to test all licensed features are enabled. | Secured, with restricted possibilities to access information remotely. Requires license to run licensed features. |
| Support not included per default in the KreaTV development license. | Entitles the company to support, bug fixes and software updates through the KreaTV runtime license and KreaTV Service Level Agreement. |

Introduction of the development STBs with a separate part number from production STBs will increase the security. Even though some options are helpful in a development environment for troubleshooting, they increase the risk of exposure to threats in the field. Therefore these options will only be available on development units. It is fully possible to use production set-top boxes in development too, as long as the boot image is signed via the PRiSM server.

When ordering set-top boxes of a specific model it is necessary to state whether it is a development or a production set-top box.

PRiSM Server

ARRIS PKI Center is one of the world's largest producers of keys and certificates for hardware devices. It is responsible for Public Key Infrastructure (PKI) lifecycle management for hundreds of millions of devices.

PRiSM is a generic code signing system designed and operated by ARRIS PKI Center that supports code signing mechanisms on ARRIS devices. It holds the secret keys used to sign boot images for production set-top boxes, so that the STB can verify their authenticity. The keys cannot be extracted from the PRiSM server, or in any other way be used for signing outside of the secure environment.

Signing Via Support

ARRIS technical support is available to assist with signing the boot images. The only prerequisite to use this service is that a valid SLA is in place. You contact support, provide the boot image that should be signed, and you will receive a signed version back. This is only needed to run boot images on production set-top boxes; boot images for development STBs will be signed automatically by the KreaTV SDK when you build them.

Signing Via PRiSM Directly

ARRIS direct customers and Advanced VAR in the channel program have the possibility to get an account on the PRiSM server for handling the signing themselves. If this applies to you, please contact your ARRIS sales representative about getting access to the PRiSM server. Please be aware that the signing accounts are personal, and that each person trusted to sign the boot image needs a unique account. To log into the PRiSM server you need a hardware token for each account. Two tokens are included when signing the agreement.

The step-by-step process is outlined below:

  1. Build your boot image using the KreaTV SDK.
  2. Log into PRiSM at https://prism1.atseceng.com using your User ID and secure ID token.
  3. Select the signing options in the drop-down lists:
    • PLATFORM: ARRIS
    • PROJECT: KreaTV
    • MODEL: <set-top box model>. Customers using custom keys will see their particular STB here.
    • CONFIGURATION: The private key to use. The name always includes AK.
  4. Press "Choose File" and select your boot image (kreatv-bi-*.nosec)
  5. Press "SIGN CODE" and save the returned file (kreatv-bi-*.nosec.protected)
  6. The .protected file contains the encrypted and signed boot image, ready to deploy on production STBs.

Splash screens

The splash screen must also be signed before it is considered valid.

For production STBs, the splash screen is handled in the very same way as the boot image. You create the BMP file, upload it to PRiSM, sign it, and then deploy that signed version in the field.

For development STBs you can use the default ARRIS-signed splash image distributed in the SDK. If you want to test with your own splash image, you will need to manually sign it. The ukreatv_signtool is provided in the SDK for this purpose:

<sdk_root>/dist/bin/ukreatv_signtool sign -i <splash image to sign> -o <the resulting signed splash image> -k <signing key> [ -e aes -c <encryption key>]

Encrypting the splash image is an optional step (the -e and -c parameters can be left out if this is not wanted). The signing and encryption keys depend upon the VIP family. All bcm15-based models (VIP4302, VIP35x0 and VIP55x2) use the following keys, which are available in <sdk_root>/dist/config/keys/:

Signing key: <sdk_root>/dist/config/keys/kreatv_development_bcm15_ak_private.key
Encryption key: <sdk_root>/dist/config/keys/kreatv_development_bcm15_ek.key

Run ukreatv_signtool without any arguments to see a short description of all available options.
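
The wrapper below is an added example, not code from the KreaTV SDK. It runs the signing command above for bcm15 development splash images, checks the input and key files first, and makes sure a failed run cannot leave behind a stale output file. The function name sign_splash, the default SDK_ROOT path and the exit codes are assumptions; the ukreatv_signtool arguments and key file names are the ones given on this page.

```shell
#!/bin/sh
# Added example (not SDK code): sign a development splash image for bcm15 STBs.
# The SDK_ROOT default is an assumed install path; override it in the environment.
SDK_ROOT="${SDK_ROOT:-/opt/kreatv-sdk}"
SIGNTOOL="${SIGNTOOL:-$SDK_ROOT/dist/bin/ukreatv_signtool}"
KEY_DIR="${KEY_DIR:-$SDK_ROOT/dist/config/keys}"

# usage: sign_splash <input.bmp> <output> [encrypt]
# The body runs in a subshell "( )", so variables stay local and exit acts as return.
# Exit codes (assumed convention): 2 bad input, 3 key missing, 4 signtool failed.
sign_splash() (
  src=$1; dst=$2; mode=${3:-}
  ak="$KEY_DIR/kreatv_development_bcm15_ak_private.key"
  ek="$KEY_DIR/kreatv_development_bcm15_ek.key"

  [ -s "$src" ] || { echo "input missing or empty: $src" >&2; exit 2; }
  [ -n "$dst" ] && [ "$src" != "$dst" ] || { echo "output must differ from input" >&2; exit 2; }
  [ -r "$ak" ] || { echo "signing key not readable: $ak" >&2; exit 3; }

  # Arguments follow the ukreatv_signtool synopsis shown above.
  set -- sign -i "$src" -o "$dst" -k "$ak"
  if [ "$mode" = encrypt ]; then
    [ -r "$ek" ] || { echo "encryption key not readable: $ek" >&2; exit 3; }
    set -- "$@" -e aes -c "$ek"
  fi

  # Remove any stale output first so a failed run cannot leave a file
  # that looks like a freshly signed image.
  rm -f -- "$dst"
  "$SIGNTOOL" "$@" || { rm -f -- "$dst"; echo "signtool failed" >&2; exit 4; }
  [ -s "$dst" ] || { echo "signtool produced no output" >&2; exit 4; }
)

# Run only when arguments are given, e.g.: ./sign_splash.sh logo.bmp logo.signed encrypt
[ "$#" -eq 0 ] || sign_splash "$@"
```

Images signed this way use the development key, so they are only accepted by development STBs; production splash images still go through PRiSM.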

5.1.p5

Copyright (c) 2017 ARRIS Enterprises, LLC. All Rights Reserved. ARRIS Enterprises, LLC. Confidential Information.