What is a secure boot? Definition and overview for embedded systems
Secure boot is a critical security mechanism designed to protect embedded systems against various threats, such as physical memory modification and malicious code injection.
When you power on an embedded device, it initiates a boot process. This process involves the execution of boot code stored on the device’s chip, and in some cases, it simultaneously launches additional code and applications. Once the boot process concludes, the device becomes operational.
However, when Secure Boot is in place, code doesn’t run simply because it resides on the device. Secure Boot’s primary function is to ensure that only code signed by the device’s manufacturer is executed.
Once the secure code begins execution, any additional code and applications will only run if their signature is valid. This creates a hierarchical “chain of trust” where each layer of code and application is executed only if the correct key validates it.
In essence, secure boot serves as a safeguard, guaranteeing that the device exclusively runs the code it was designed to run.
Why is a secure boot mechanism important for embedded systems?
In today’s interconnected world, breaches involving end-users have been on the rise. Hackers are shifting their focus from desktops to mobile users and embedded devices. Ensuring the security of these devices is critical, and secure boot mechanisms play a pivotal role in achieving this.
There are two primary threats that secure boot addresses:
– Physical memory modification: This is the simplest case where an attacker gains physical access to the device, such as an embedded system with a removable SD card. The attacker removes the SD card, makes modifications to files (e.g., changing passwords), and then reinstalls the altered SD card into the device. When the system boots up, it runs with the compromised files, allowing the attacker to compromise the device further.
– Malicious code injection: In this scenario, vulnerabilities in the device’s software, such as poorly protected web pages, can be exploited by an attacker to inject malicious code or modify files remotely.
How does the secure boot process work for MPU-based devices?
Secure boot ensures the integrity of the boot process by requiring each stage of booting to verify the signature of the next stage cryptographically.
Let’s break down the Secure Boot process:
1. Hardware initialization: At the heart of secure boot is the hardware, the microprocessor unit (MPU). To initiate it, the microprocessor must possess a symmetric key or hash of a public key stored in its internal memory, typically in a One-Time Programmable (OTP) memory. This key is unmodifiable (based on microfuse), ensuring its security.
2. Secure mode activation: To enable secure boot, the secure mode must be activated on the MPU. This is a crucial step that marks the device as secure and ready for booting.
3. Step-by-step boot verification: Secure boot requires each boot stage to verify the signature of the next stage before proceeding. Here’s how it works (based on the example of the secure boot integrated in Welma Yocto Linux):
– The ROM code has access to the root key (symmetric key or hash of a public key) in its OTP, which is impossible to modify.
– The ROM code reads the next stage, the Trusted Firmware-A (TFA), for example and verifies it against a public key corresponding to the hash key. If the verification fails, the boot process stops. If the verification succeeds, the boot process continues with the following layers (in our example OP-TEE and U-Boot).
– Each subsequent stage follows a similar pattern, where the code, signature, and key are used for verification. Any failure halts the boot process, ensuring that only trusted code is executed.
– During runtime, if any file is modified, the kernel detects it, resulting in an error. Updates must include the new files and their corresponding signatures to maintain authenticity.
Read our article on secure boot on i.MX93.
Receive technical articles in your inbox monthly
The main challenges of secure boot enablement
1 - Secure boot is vendor-specific
While some platforms (such as Intel x86 and NXP i.MX family – for instance for the i.MX8M Nano) provide complete documentation and examples for enabling secure boot, others (like Texas Instruments and Qualcomm) require non-disclosure agreements to access the necessary information. This creates a risk for OEMs, who often encounter the complexity of secure boot only when they begin implementation. To mitigate this, selecting solutions like The Embedded Kit embedded Linux distribution – which already implemented secure boot across various platforms and architectures, including NXP i.MX, STMicroelectronics STM32MP, Intel x86, and more—can be highly beneficial.
2 - Secure boot involves additional requirements
Secure boot is the process of establishing a signed boot chain from the system’s Power-On Reset to the execution of the application. However, secure boot alone does not ensure complete system security.
It often requires additional mechanisms, such as root file system protection, secure updates with A/B partitions, and operating system hardening. These measures take time and expertise to implement effectively.
3 - Device deployment becomes more complex
Secure boot requires programming firmware signatures into the device and securely storing those signatures, typically in one-time programmable and lockable fuses.
4 - Key management
Secure boot relies on private keys for signing codes. Managing these keys securely, especially for firmware updates, is critical. Hardware Security Modules (HSMs) or TPMs (Trusted Platform Modules) can be used to store and protect these keys.
5 - Key rotation
Key rotation is essential for long-term security. However, it may not be straightforward, and careful planning is required to ensure that compromised keys do not jeopardize the entire system.
Secure boot for microcontrollers
The secure boot process on microcontrollers units (MCUs) shares the same principles as on MPUs. However, there may be variations based on the specific MCU used. One significant difference is that MCUs might not support extensive code and cryptography verification processes, as MPUs do. Additionally, the concept of a root key remains the same, but rotations of keys are more challenging on MCUs.
Secure boot is a fundamental security feature for embedded systems, protecting them from unauthorized access and malicious modifications. By verifying each stage of the boot process cryptographically, the secure boot ensures that only trusted code runs on the device. While implementing a secure boot may pose challenges, it is a vital component of a robust security strategy for embedded systems. As technology evolves, adapting secure boot to different platforms and addressing emerging threats remains a priority for ensuring the integrity and security of embedded devices.
That’s why we integrated secure boot for each hardware we support in Welma Yocto Linux distribution.
