Security Starts Right from Square Zero

July 23, 2020 Rich Nass

The first thing that happens in the operation of an embedded system, IoT device, or any other computing platform is the boot process. If security is already compromised at that point, you may as well shut the device down right there, because every action taken from then on is a massive security risk.


A simple definition of a secure boot is that it’s a mechanism for ensuring the integrity of firmware and software running on a computing platform. Hence, the system (or device) must guard against malicious attacks or even unauthorized software updates that could happen prior to the operating system launching.

That definition may seem like an over-simplification, but in reality, it’s not. The secure boot manager acts like a “trust anchor.” It’s the beginning of the root of trust for the device. Hence, it’s essential (put a big emphasis on the word “essential”) that you are running legitimate code right from the get-go.

The real work comes into play when you attempt to implement the secure boot manager. You must ensure that the boot manager runs every time the system boots—no exceptions. You must ensure that the boot manager itself hasn’t been altered in any way, and that it has the ability to detect whether or not the code it is about to launch is legitimate. And if and when any firmware updates do come in, it’s up to the boot manager to ensure that they are legitimate and authentically signed.
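The checks listed above (the boot manager verifies the image before anything runs, the signing key is pinned to a root of trust the boot code carries, and an update is only accepted if it is authentically signed) can be sketched in code. The following is an added example, not code from the article, from IAR Systems or from any real boot ROM: the image format (magic, version, length, embedded public key, trailing signature), the `BootManager` class, the OTP-style key hash and the rollback counter are all assumptions made for illustration, and the Ed25519 routines are a compact pure-Python transcription of the reference algorithm that is fine for a demo but not constant-time and not for production use.

```python
import hashlib
import struct

# --- Ed25519, transcribed from the reference algorithm (demo-grade, not constant-time) ---
q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)

def _xrecover(y):  # recover the even x for a given y on the twisted Edwards curve
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x & 1 else x

_By = 4 * pow(5, q - 2, q) % q
B = (_xrecover(_By), _By)  # base point

def _add(P, Q):  # complete addition law, so (0, 1) works as the neutral element
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)

def _mul(P, e):  # right-to-left double-and-add
    R = (0, 1)
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _enc(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _dec(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    if y >= q:
        raise ValueError("non-canonical y")
    x = _xrecover(y)
    if (x & 1) != (v >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def _scalar(sk):  # clamp the secret scalar; second half of the hash is the nonce prefix
    h = hashlib.sha512(sk).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]

def ed25519_pubkey(sk):
    return _enc(_mul(B, _scalar(sk)[0]))

def ed25519_sign(msg, sk):
    a, prefix = _scalar(sk)
    pk = ed25519_pubkey(sk)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = _enc(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def ed25519_verify(sig, msg, pk):  # checks S*B == R + k*A
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return _mul(B, S) == _add(R, _mul(A, k))

# --- Boot-manager stand-in (constructed example; image format and names are assumptions) ---
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sII")  # magic, firmware version, payload length
PK_LEN, SIG_LEN = 32, 64

def key_hash(pk):
    return hashlib.sha256(pk).digest()

def build_image(payload, version, sk):
    """Build side: header + signer's public key + payload, then one signature over all of it."""
    body = HEADER.pack(MAGIC, version, len(payload)) + ed25519_pubkey(sk) + payload
    return body + ed25519_sign(body, sk)

class BootManager:
    def __init__(self, trusted_key_hash, min_version=0):
        self.trusted_key_hash = trusted_key_hash  # as if burned into OTP fuses: the root of trust
        self.min_version = min_version            # as if kept in a monotonic counter: anti-rollback

    def check_image(self, image):
        """Return (ok, reason). Everything is checked before a single payload byte would run."""
        if len(image) < HEADER.size + PK_LEN + SIG_LEN:
            return False, "image too short"
        magic, version, length = HEADER.unpack_from(image)
        if magic != MAGIC or len(image) != HEADER.size + PK_LEN + length + SIG_LEN:
            return False, "malformed header"
        pk = image[HEADER.size:HEADER.size + PK_LEN]
        if key_hash(pk) != self.trusted_key_hash:  # key ships with the image, so pin it by hash
            return False, "untrusted signing key"
        if not ed25519_verify(image[-SIG_LEN:], image[:-SIG_LEN], pk):  # covers header + key + payload
            return False, "bad signature"
        if version < self.min_version:  # an old but validly signed image is still rejected
            return False, "rollback rejected"
        return True, "ok"

    def boot(self, image):
        ok, reason = self.check_image(image)
        if ok:  # only now would control pass to the payload; also ratchet the version floor
            self.min_version = max(self.min_version, HEADER.unpack_from(image)[1])
        return ok, reason

if __name__ == "__main__":
    seed = bytes(range(32))  # constructed demo seed, not a real key
    bm = BootManager(key_hash(ed25519_pubkey(seed)), min_version=2)
    print(bm.boot(build_image(b"\x00\xbf" * 16, 3, seed)))
```

Two points worth noticing in the layout: the signature covers the header, so the version field cannot be edited to sneak an old payload past the rollback check, and the public key is pinned by a hash held by the boot code rather than trusted because it arrived with the image. Those two decisions are what make the boot manager a trust anchor rather than just a signature checker.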

Securing the Security Mechanism

A key question that must be answered: how do you ensure the security of the secure boot manager? This is a much simpler question to answer if you’re running one of the latest MCUs that has hardware encryption built in. Follow the rules for that encryption, and you should be good to go.

But if you’re still using a legacy device that may not contain all the bells and whistles when it comes to security, take caution. You can still use that secure boot manager on the legacy device, and you certainly should. But to get the maximum protection at the board level, a complete hardware solution is the recommendation.

The latest Arm-based devices all have that security built in, thanks to the company’s popular embedded TrustZone technology. And the upside there is that you have a built-in mechanism, regardless of which semiconductor supplier you’ve teamed up with.

To ensure that your security is completely up to snuff, you might want to check out something like IAR Systems’ C-Trust security tool. It’s easy to use, and makes the process as close to “idiot proof” as possible, as it automates the inclusion of a secure boot manager. In many cases, you simply click a series of check boxes and the tool handles the rest. If you’d like to alter the code and/or make modifications, that’s possible too.

To see the C-Trust tool in action, check out the video of yours truly and Shawn Prestridge, IAR Systems’ US Field Applications Engineering Lead. Shawn actually runs through a quick demo of the tool during the video, using a screen share, so you see exactly what needs to occur to design in the secure boot manager.

Note that IAR Systems is also hosting a series of five webinars, each aimed at helping embedded systems developers secure a different aspect of their IoT devices.

Link to the registration page: https://bit.ly/3iKoQ4m

About the Author

Rich Nass

Richard Nass is the Executive Vice-President of OpenSystems Media. His key responsibilities include setting the direction for all aspects of OpenSystems Media’s Embedded and IoT product portfolios, including web sites, e-newsletters, print and digital magazines, and various other digital and print activities. He was instrumental in developing the company's on-line educational portal, Embedded University. Previously, Nass was the Brand Director for UBM’s award-winning Design News property. Prior to that, he led the content team for UBM Canon’s Medical Devices Group, as well all custom properties and events in the U.S., Europe, and Asia. Nass has been in the engineering OEM industry for more than 25 years. In prior stints, he led the Content Team at EE Times, handling the Embedded and Custom groups and the TechOnline DesignLine network of design engineering web sites. Nass holds a BSEE degree from the New Jersey Institute of Technology.
