PX4
diff --git a/‎docs/en/mavlink/message_signing.md‎
Lines changed: 79 additions & 37 deletions b/‎docs/en/mavlink/message_signing.md‎
Lines changed: 79 additions & 37 deletions
diff --git a/‎docs/en/mavlink/security_hardening.md‎
Lines changed: 18 additions & 12 deletions b/‎docs/en/mavlink/security_hardening.md‎
Lines changed: 18 additions & 12 deletions
@@ -12,26 +12,27 @@ When signing is enabled, PX4 appends a 13-byte [signature](https://mavlink.io/en
 
 Incoming messages are checked against the shared secret key, and unsigned or incorrectly signed messages are rejected (with [exceptions for safety-critical messages](#unsigned-message-allowlist)).
 
-The signing implementation is built into the MAVLink module and is always available — no special build flags are required.
-It is enabled and disabled at runtime through the [MAV_SIGN_CFG](../advanced_config/parameter_reference.md#MAV_SIGN_CFG) parameter.
+The signing implementation is built into the MAVLink module and is always available, with no special build flags required.
 
 ## Enable/Disable Signing
 
-The [MAV_SIGN_CFG](../advanced_config/parameter_reference.md#MAV_SIGN_CFG) parameter controls whether signing is active:
+Signing is controlled entirely through the standard MAVLink [SETUP_SIGNING](https://mavlink.io/en/messages/common.html#SETUP_SIGNING) message, following the [MAVLink signing specification](https://mavlink.io/en/guide/message_signing.html).
 
-| Value | Mode               | Description                                                                                            |
-| ----- | ------------------ | ------------------------------------------------------------------------------------------------------ |
-| 0     | Disabled (default) | No signing. All messages are accepted regardless of signature.                                         |
-| 1     | Non-USB            | Signing is enabled on all links **except** USB serial connections. USB links accept unsigned messages. |
-| 2     | Always             | Signing is enforced on all links, including USB.                                                       |
+- **No key on SD card**: Signing is disabled. All messages are sent unsigned and all incoming messages are accepted.
+- **Valid key on SD card**: Signing is active on **all links including USB**. Outgoing messages are signed and incoming messages must be signed (with [exceptions](#unsigned-message-allowlist)).
+
+To **enable** signing, send a `SETUP_SIGNING` message with a valid key on any link when no key is currently provisioned (see [Key Provisioning](#key-provisioning)).
+
+To **disable** signing via MAVLink, send a `SETUP_SIGNING` message with an all-zero key and timestamp. This message **must be signed with the current active key**. An unsigned blank-key message is rejected.
+
+To **disable** signing via physical access, remove the key file from the SD card (`/mavlink/mavlink-signing-key.bin`) and reboot, or remove the SD card entirely.
+
+To **change** the signing key, send a `SETUP_SIGNING` message with the new key on any link. When signing is already active, the message must be signed with the current key.
 
 ::: warning
-Setting `MAV_SIGN_CFG` alone does not enable signing — a secret key must also be present (see [Key Provisioning](#key-provisioning) below).
-If no key has been set (or the key is all zeros with a zero timestamp), all messages are accepted regardless of this parameter.
+Signing key changes (enable, disable, or rotate) are **rejected while the vehicle is armed**. The vehicle must be disarmed before signing configuration can be changed.
 :::
 
-To **disable** signing, set `MAV_SIGN_CFG` to zero.
-
 ## Key Provisioning
 
 The signing key is set by sending the MAVLink [SETUP_SIGNING](https://mavlink.io/en/messages/common.html#SETUP_SIGNING) message (ID 256) to PX4.
@@ -40,10 +41,14 @@ This message contains:
 - A 32-byte secret key
 - A 64-bit initial timestamp
 
+PX4 accepts `SETUP_SIGNING` on **any link** (USB, telemetry radio, network, and so on).
+
+When signing is **not active** (no key provisioned), the first `SETUP_SIGNING` with a valid key enables signing.
+When signing is **already active**, key changes (including disabling) require that the `SETUP_SIGNING` message is signed with the current key.
+
 ::: warning
-For security, PX4 only accepts `SETUP_SIGNING` messages received on a **USB** connection.
-The message is silently ignored on all other link types (telemetry radios, network, and so on).
-This ensures that an attacker cannot remotely change the signing key.
+`SETUP_SIGNING` is rejected while the vehicle is armed. Disarm before provisioning or changing keys.
+`SETUP_SIGNING` is never forwarded to other links (per the MAVLink specification).
 :::
 
 ## Key Storage
@@ -64,7 +69,7 @@ The file is a 40-byte binary file:
 The file is created with mode `0600` (owner read/write only), and the containing `/mavlink/` directory is created with mode `0700` (owner only).
 
 On startup, PX4 reads the key from this file.
-If the file exists and contains a non-zero key or timestamp, signing is initialized automatically.
+If the file exists and contains a non-zero key or timestamp, signing is activated automatically.
 
 ::: info
 The timestamp in the file is set when `SETUP_SIGNING` is received.
@@ -82,45 +87,82 @@ Note that this requires physical access to the vehicle, and therefore provides t
 
 1. The MAVLink module calls `MavlinkSignControl::start()` during startup.
 2. The `/mavlink/` directory is created if it doesn't exist.
-3. The `mavlink-signing-key.bin` file is opened (or created empty).
-4. If a valid key is found (non-zero key or timestamp), signing is marked as initialized.
-5. The `accept_unsigned` callback is registered with the MAVLink library.
+3. The `mavlink-signing-key.bin` file is opened if it exists.
+4. If a valid key is found (non-zero key or timestamp), signing is activated: the signing struct is wired into the MAVLink library and outgoing messages are signed.
+5. If no valid key is found, the signing struct is left disconnected, and the MAVLink library operates with zero signing overhead.
 
 ### Outgoing Messages
 
-When signing is initialized, the `MAVLINK_SIGNING_FLAG_SIGN_OUTGOING` flag is set, which causes the MAVLink library to automatically append a [SHA-256 based signature](https://mavlink.io/en/guide/message_signing.html#signature) to every outgoing MAVLink 2 message.
+When signing is active (valid key present), the `MAVLINK_SIGNING_FLAG_SIGN_OUTGOING` flag is set, which causes the MAVLink library to automatically append a [SHA-256 based signature](https://mavlink.io/en/guide/message_signing.html#signature) to every outgoing MAVLink 2 message.
+
+When no key is present, signing is completely bypassed with no CPU or bandwidth overhead.
 
 ### Incoming Messages
 
 For each incoming message, the MAVLink library checks whether a valid signature is present.
 If the message is unsigned or has an invalid signature, the library calls the `accept_unsigned` callback, which decides whether to accept or reject the message based on:
 
-1. **Signing not initialized** — If no key has been loaded, all messages are accepted.
-2. **Allowlisted message** — Certain [safety-critical messages](#unsigned-message-allowlist) are always accepted.
-3. **Sign mode** — The `MAV_SIGN_CFG` parameter determines behavior:
-   - Mode 0 (disabled): All unsigned messages are accepted.
-   - Mode 1 (non-USB): Unsigned messages are accepted only on USB links.
-   - Mode 2 (always): Unsigned messages are rejected on all links.
+1. **Signing not active**: If no key has been loaded, all messages are accepted.
+2. **Allowlisted message**: Certain [safety-critical messages](#unsigned-message-allowlist) are always accepted.
 
 ## Unsigned Message Allowlist
 
-The following messages are **always** accepted unsigned, regardless of the signing mode.
+The following messages are **always** accepted unsigned, regardless of the signing state.
 These are safety-critical messages that may originate from systems that don't support signing:
 
-| Message                                                                 | ID  | Reason                                                   |
-| ----------------------------------------------------------------------- | --- | -------------------------------------------------------- |
-| [RADIO_STATUS](https://mavlink.io/en/messages/common.html#RADIO_STATUS) | 109 | Radio link status from SiK radios and other radio modems |
-| [ADSB_VEHICLE](https://mavlink.io/en/messages/common.html#ADSB_VEHICLE) | 246 | ADS-B traffic information for collision avoidance        |
-| [COLLISION](https://mavlink.io/en/messages/common.html#COLLISION)       | 247 | Collision threat warnings                                |
+| Message                                                                   | ID  | Reason                                                   |
+| ------------------------------------------------------------------------- | --- | -------------------------------------------------------- |
+| [HEARTBEAT](https://mavlink.io/en/messages/common.html#HEARTBEAT)        | 0   | System discovery and liveness detection                  |
+| [RADIO_STATUS](https://mavlink.io/en/messages/common.html#RADIO_STATUS)  | 109 | Radio link status from SiK radios and other radio modems |
+| [ADSB_VEHICLE](https://mavlink.io/en/messages/common.html#ADSB_VEHICLE)  | 246 | ADS-B traffic information for collision avoidance        |
+| [COLLISION](https://mavlink.io/en/messages/common.html#COLLISION)        | 247 | Collision threat warnings                                |
 
 ## Security Considerations
 
-- **Physical access required for key setup**: The `SETUP_SIGNING` message is only accepted over USB, so an attacker must have physical access to the vehicle to provision or change the key.
+### Signing is enforced on all links
+
+When signing is active, **all links require signed messages**, including USB. This means:
+
+- An attacker cannot send unsigned commands on any link
+- Changing or disabling the key requires sending a `SETUP_SIGNING` message **signed with the current key**
+- Signing can be disabled via MAVLink by sending a signed `SETUP_SIGNING` with an all-zero key
+
+### Armed guard
+
+`SETUP_SIGNING` is rejected while the vehicle is armed. This prevents signing configuration from being changed during flight, whether by accident or by an attacker who has obtained the key.
+
+### Lost key recovery
+
+If the signing key is lost on the GCS side and no device has the current key:
+
+- **Remove the SD card** and delete `/mavlink/mavlink-signing-key.bin`, then reboot
+- **Reflash via SWD/JTAG** if the SD card is not accessible
+
+::: warning
+There is no software-only recovery path for a lost key. This is intentional: any MAVLink-based recovery mechanism would also be available to an attacker.
+Physical access to the SD card or debug port is required.
+:::
+
+### Other considerations
+
+- **Initial key provisioning**: When no key is provisioned, `SETUP_SIGNING` is accepted unsigned on any link. Once a key is active, subsequent changes require a signed message. Provision the initial key over a trusted connection.
 - **Key not exposed via parameters**: The secret key is stored in a separate file on the SD card, not as a MAVLink parameter, so it cannot be read back through the parameter protocol.
-- **SD card access**: Anyone with physical access to the SD card can read or modify the `mavlink-signing-key.bin` file, or just remove the card.
+- **SD card access**: Anyone with physical access to the SD card can read or modify the `mavlink-signing-key.bin` file, or remove the card entirely to disable signing.
   Ensure physical security of the vehicle if signing is used as a security control.
 - **Replay protection**: The MAVLink signing protocol includes a timestamp that prevents replay attacks.
   The on-disk timestamp is updated when a new key is provisioned via `SETUP_SIGNING`.
-  A graceful shutdown also persists the current timestamp, but since most vehicles are powered off by pulling the battery, the timestamp will typically reset to the value from the last key provisioning on reboot.
-- **No encryption**: Message signing provides authentication and integrity, but messages are still sent in plaintext.
-  An eavesdropper can read message contents but cannot forge or modify them without the key.
+  A graceful shutdown also persists the current timestamp, but since most vehicles are powered off by pulling the battery, the on-disk timestamp will typically remain at the value from the last key provisioning on reboot.
+- **No encryption**: Message signing provides **authentication and integrity only**. Messages are still sent in plaintext.
+  An eavesdropper can read all message contents (telemetry, commands, parameters, missions) but cannot forge or modify them without the key.
+- **Allowlisted messages bypass signing**: A small set of [safety-critical messages](#unsigned-message-allowlist) are always accepted unsigned. An attacker can spoof these specific messages (e.g. fake `ADSB_VEHICLE` traffic) even when signing is active.
+
+### What signing does NOT protect against
+
+| Attack | Why |
+|--------|-----|
+| Eavesdropping | Messages are not encrypted |
+| SD card extraction | Key file is readable by anyone with physical access |
+| Spoofed HEARTBEAT/RADIO_STATUS/ADSB/COLLISION | These are allowlisted unsigned |
+| Lost key without SD card access | Requires SWD reflash |
+| Key rotation | No automatic mechanism; manual reprovisioning required |
+| In-flight key changes | `SETUP_SIGNING` rejected while armed |
@@ -37,22 +37,27 @@ See [Message Signing](message_signing.md) for full details.
 
 Steps:
 
-1. Connect the vehicle via **USB** (key provisioning only works over USB).
-2. Provision a 32-byte secret key using the [SETUP_SIGNING](https://mavlink.io/en/messages/common.html#SETUP_SIGNING) message.
-3. Set [MAV_SIGN_CFG](../advanced_config/parameter_reference.md#MAV_SIGN_CFG) to **1** (signing enabled on all links except USB) or **2** (signing on all links including USB).
-4. Provision the same key on all ground control stations and companion computers that need to communicate with the vehicle.
-5. Verify that unsigned messages from unknown sources are rejected.
+1. Connect to the vehicle over a **trusted link** (USB or other secure connection).
+2. Provision a 32-byte secret key using the [SETUP_SIGNING](https://mavlink.io/en/messages/common.html#SETUP_SIGNING) message. This works on any link, but use a trusted one for initial provisioning.
+3. Provision the same key on all ground control stations and companion computers that need to communicate with the vehicle.
+4. Verify that unsigned messages from unknown sources are rejected.
 
 ::: info
-`MAV_SIGN_CFG=1` is recommended for most deployments.
-This enforces signing on telemetry radios and network links while allowing unsigned access over USB for maintenance.
-USB connections require physical access to the vehicle, which provides equivalent security to physical key access.
+Once a key is provisioned, signing is enforced automatically on **all links including USB**.
+Changing or disabling the key requires a signed `SETUP_SIGNING` message. Signing changes are rejected while the vehicle is armed.
+Signing can also be disabled by physically removing the key file from the SD card.
 :::
 
 ### 2. Secure Physical Access
 
-- Protect access to the SD card. The signing key is stored at `/mavlink/mavlink-signing-key.bin` and can be read or removed by anyone with physical access.
-- USB connections bypass signing when `MAV_SIGN_CFG=1`. Ensure USB ports are not exposed in deployed configurations.
+- **SD card**: The signing key is stored at `/mavlink/mavlink-signing-key.bin`. Anyone with physical access to the SD card can read, modify, or remove the key file.
+- **USB ports**: USB follows the same signing rules as all other links. When signing is active, USB requires signed messages.
+- **Debug ports (SWD/JTAG)**: If exposed, these allow full firmware reflash and bypass all software security. Not all vehicles expose debug connectors.
+
+::: warning
+Signing protects all MAVLink links. The primary physical attack surface is the SD card (key file extraction or deletion).
+If your threat model includes physical access, secure the SD card slot and debug ports.
+:::
 
 ### 3. Secure Network Links
 
@@ -64,8 +69,9 @@ USB connections require physical access to the vehicle, which provides equivalen
 ### 4. Understand the Limitations
 
 - **No encryption**: Message signing provides authentication and integrity, but messages are sent in plaintext. An eavesdropper can read telemetry and commands but cannot forge them.
-- **Allowlisted messages**: A small set of [safety-critical messages](message_signing.md#unsigned-message-allowlist) (RADIO_STATUS, ADSB_VEHICLE, COLLISION) are always accepted unsigned.
-- **Key management**: There is no automatic key rotation. Keys must be reprovisioned manually via USB if compromised.
+- **Allowlisted messages**: A small set of [safety-critical messages](message_signing.md#unsigned-message-allowlist) (HEARTBEAT, RADIO_STATUS, ADSB_VEHICLE, COLLISION) are always accepted unsigned on all links. An attacker could spoof these specific messages.
+- **Key management**: There is no automatic key rotation. Keys must be reprovisioned manually via a signed `SETUP_SIGNING` message.
+- **Lost key recovery**: If the signing key is lost on all GCS devices, the only recovery is physical: remove the SD card and delete the key file, or reflash via SWD/JTAG. There is no software-only recovery path. See [Message Signing: Lost Key Recovery](message_signing.md#lost-key-recovery) for details.
 
 ## Integrator Responsibility