Secure Boot is a security standard for devices used during the boot process to ensure only software that is created and trusted by the manufacture is executed. In the embedded world, this translates to preventing malicious code created by an outside source from running on your embedded project.
Past Experiences with Secure Boot
I have worked on embedded projects where the region of the processor’s internal flash that contained the application code was just assumed to be valid and would begin to be executed as soon as the processor was powered up. This is about as far as you can get from a Secure Boot, any malicious code that is programmed onto the processor’s internal flash at the correct address will be executed.
If you add a bootloader to your embedded project you now have the option of having the bootloader validate the integrity of the application code to verify that it is authentic before starting execution of the application. At first glance, this might seem like you are on the right track for a Secure Boot. This is where Root of Trust (RoT) comes into the equation.
Building a Trust Chain with RoT
The RoT is a fundamental security component which is used as the foundation for the Secure Boot process. Think of the RoT as the first stage that you know you can always trust to be authentic during the boot process. Once you have an RoT, you can start to build a trust chain. The trust chain is a set of downstream stages that have been validated by the RoT or by a stage that was validated by the RoT. In the example above, the bootloader would be the RoT as it is doing the determination on whether the application is authentic. The problem is how do you know that your RoT (bootloader) is authentic and has not been replaced by an attacker’s modified version? In this case, you don’t, and that’s the reason the bootloader example is not a Secure Boot.
One option for moving the RoT upstream in the boot process is to have an initial boot phase verify the authenticity of the bootloader by code stored in Read-Only Memory (ROM) that compares a hash of the bootloader to a hash programmed in the processor’s One Time Programmable (OTP) flash region during manufacturing. This initial boot phase is becoming a significant benefit when using security technologies like Arm Trust Zone, which is integrated into various Arm processor families. With the addition of the initial boot phase, the trust chain would be:
Initial Boot Phase (RoT) → Bootloader → Application
Secure Boot will be critical if you are serious about protecting the integrity of your embedded system. Once a rock-solid RoT is established the embedded system will be able to detect when the trust chain is broken and prevent malicious code from being executed.
If you’d like to make sure your device is secure, reach out! At DojoFive, we have talented engineers on hand ready to help you with all aspects of your devops journey. We are always happy to help with interesting problems that need solving, from security audits to firmware development. You can reach out at any time on LinkedIn or through email!