In our increasingly connected world, the proliferation of IoT devices across industries, including healthcare, agriculture, and smart cities, emphasizes the critical need for robust cyber security measures. The rapid growth of IoT and Industrial IoT has unveiled vulnerabilities in security implementation, with the secure boot process emerging as a pivotal concern. Imagine an IIoT device booting on tampered code—a scenario that renders higher-layer protections ineffective. This blog explores the imperative of secure boot in IIoT.
Executing trusted and authentic code starts with securely booting the device. Secure boot is the process that ensures that only genuine, manufacturer-validated software runs on the device. Without Secure boot, a malicious actor could load its own Operating System or spoofed software into the device or even intercept secrets by interfering between the various stages of boot.
With the choice of an i.MX processor and its High Assurance Boot (HAB) functionality, and thanks to the SE050, the Ewon Cosy+ remote access gateway offers a fully secure boot sequence guaranteeing that only Ewon-signed code is executed.
High Assurance Boot is based on asymmetric cryptography algorithms called signatures in which image data is signed offline using a private key. The resulting signed image is then verified on the i.MX processor using the corresponding public keys.
Public keys on the i.MX are made unalterable thanks to electrically programmable fuses (eFuses) that can’t be modified after programming.
Two prerequisites are necessary:
- The elements to be identified are signed by the private keys of Ewon.
- The hashed version public keys (SHA256 SRK) used to verify this signature are written in the eFuses.
On boot, the (not tamperable) bootROM code checks the eFuses status to choose only the secure boot method. The bootROM fetches the boot loader itself, its signature and the public key used to sign it. It computes the hash of the public key and checks it against its own hash version burnt in the eFuses (SHA256 SRK) to determine it may verify the signature.
Only if public keys match, the signature is checked. If the signature matches, the boot loader is then loaded. The boot loader uses the same approach to load a signed Linux which in turn launch the signed Ewon application.
This previously described sequence of verification is the "chain of trust". Any interruption in this chain, i.e. any lack of signature verification, results in the failure of the boot process.
Again, we can see that the Ewon Cosy+ remote access gateways implements even the most advanced hardware security measures.