
Secure-Boot

This white paper discusses Secure Boot, a critical security process for embedded systems that ensures the authenticity of boot images and code against trusted hardware. It highlights the importance of Secure Boot in protecting against various attacks, outlines its operational mechanisms, and addresses challenges and best practices for implementation. The paper emphasizes that Secure Boot is foundational for establishing a root of trust in IoT devices, which is essential for their secure operation.

Secure Boot

Embedded system root of trust


MTH | Whitepaper

CONTENTS

Abstract
Introduction
What Is Secure Boot?
Why Is Secure Boot Important?
How Does It Work? Secure Boot Details
Secure Boot Challenges
Recommendations and Best Practices
Conclusion
About the Authors


Abstract
Security continues to be an increasingly important concern in the design of modern systems. This
white paper covers secure boot, which provides a foundation for the security architecture of a
device. It introduces the concept and lists the processes involved, the challenges faced, and the
recommended best practices.

Introduction
Connected IoT devices can be found in every aspect of modern digital life, from autonomous
and connected vehicles to medical devices, smart meters, and smartwatches.

While exposing a device to the external world, trust needs to be established in the system.
Hence, security is fundamental to successful adoption of connectivity. Connected devices
operate in an environment where attacks can originate from anywhere. Devices must be capable
of adapting to an evolving threat landscape. With the exponential increase in connected devices
and the value of data stored in them, security has to be multifaceted, “baked-in” from the
lowest levels of system-on-chip (SoC) design through to the applications that run on them and
in communications between devices and services.

The first step to ensure security at the device level is through secure boot in an IoT-embedded
system.


What is Secure Boot?


Secure boot is a process in which your OS boot images and code are authenticated against trusted
hardware before they are allowed to be used in the boot process.

The hardware is set up beforehand such that it only authenticates code generated using security
credentials you trust.

Secure boot is applicable to any single-use device, that is, a device that is not intended to be
a general-purpose computing platform.


Why Is Secure Boot Important?


Secure boot is a key component of protection against physical and remote attacks and
hardware and software failures.

The proliferation of IoT devices embedded into business-critical systems makes the use
of secure boot an important factor in securing these devices and safeguarding their reliable
operation. Any malicious code inserted into the device could make this device part of a
botnet or be used as a launching pad for attacks targeting other, more sensitive systems.

Secure boot ensures a root of trust that is accomplished using a hardware state machine.
The goal of a hardware root of trust is to verify that the software installed in every component
of the hardware is the intended software. This way you can verify and know without a doubt
whether a machine's hardware or software has been hacked or overwritten by an adversary.
Thus, it helps prevent supply chain attacks, physical attacks, cloud provider vulnerabilities in
hardware components, and other attack vectors by ensuring hardware and software integrity.

[Figure: Secure Boot at the center, surrounded by Reliability, Supply Chain, Safety Critical, Key Mgmt, Physical Attack, and Remote Attack.]


How Does It Work?


Verifying the authenticity of a bootloader is crucial for assuring and executing the rest of the
boot process. Verification of the bootloader executable file is done using public/private keys.
During secure development, the bootloader is digitally signed with the manufacturer’s private key.

When the bootloader firmware is installed on the device, it is checked against the embedded public
key on the device to confirm that it is genuine. The same process is repeated whenever the
device boots or installs an update.

Once the bootloader file is checked successfully for authenticity, the secure boot process checks
the validity of the operating system and other functional applications. The signed application
code is verified against the embedded public key to ensure it is genuine. If the operating system
and the applications are assured, they can start running.

The series of steps involved in the secure boot process is depicted below.

[Figure: secure boot sequence. Legend: additional data and steps for secure boot; additional code used in secure boot.]


To summarize, the device start-up process is initiated by a trusted bootloader file and every phase is
run only after the previous phase is verified for authenticity and started successfully.
Secure boot is based on the hardware root of trust offered by OEMs.

Key chip components to accomplish the root of trust:

• Encryption Standard: At minimum, it must perform one or more proven cryptographic functions
such as implementation of Advanced Encryption Standard (AES).
• Execution Environment: Protective hardware that provides a trusted execution environment (TEE)
for the privileged software to run.
• Runtime Protection: A form of tamper protection must be present and available for the entire
runtime.
• Easy Accessibility: A flexible, yet simple user interface that the host can interact with,
through either the host CPU and/or a host controller toggling GPIOs.

Key Programming and Signing Process:

The two major implementation steps in building the secure boot process are outlined below.

Key Programming

• The keys are programmed into the one-time programmable eFuse region of the chip. Care must
be taken to ensure that the right key is programmed as the same key will be used for the
signing process. A single error in key programming will make the chip unusable for any
future task.

Image Signing

• The starting point for a trusted platform is the creation (by the developer) of a bug-free
and malware-free code base.
• Once the developer “trusts” the code, the developer digitally signs the code so that
accidental or deliberate modifications to the code base will be detected during the secure
boot cycle.
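
The verification chain from "How Does It Work?" and the pre-programming key check implied by the key programming step, as an added Go example that is not part of the whitepaper. Ed25519 stands in for whichever RSA or ECC scheme a given SoC supports; the key seed, stage names, image bytes and all function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Stage is one boot image (bootloader, OS or application) with its detached signature.
type Stage struct {
	Name       string
	Image, Sig []byte
}

// DemoKeys derives a key pair from a constructed seed (illustration only).
func DemoKeys(tag byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{tag}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// Sign is the build-side step: the manufacturer's private key signs the image.
func Sign(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{name, image, ed25519.Sign(priv, image)}
}

// VerifyChain is the device-side step: it returns how many leading stages authenticate against the fused key.
func VerifyChain(fused ed25519.PublicKey, chain []Stage) (int, error) {
	for i, s := range chain {
		if !ed25519.Verify(fused, s.Image, s.Sig) {
			return i, fmt.Errorf("stage %q failed authentication, boot halted", s.Name)
		}
	}
	return len(chain), nil
}

// PreflightFuse refuses the one-time eFuse write unless the candidate key verifies a production-signed probe image.
func PreflightFuse(candidate ed25519.PublicKey, probe Stage) error {
	if _, err := VerifyChain(candidate, []Stage{probe}); err != nil {
		return fmt.Errorf("do not program eFuse: %w", err)
	}
	return nil
}

func main() {
	priv, pub := DemoKeys(0x01)
	chain := []Stage{Sign(priv, "bootloader", []byte("BL")), Sign(priv, "os", []byte("OS")), Sign(priv, "app", []byte("APP"))}
	fmt.Println(PreflightFuse(pub, chain[0]))
	chain[1].Image[0] ^= 0xFF // constructed tamper of the OS image
	fmt.Println(VerifyChain(pub, chain))
}
```

The tampered OS image stops the chain after the bootloader, so neither the OS nor the application is allowed to start.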


Secure Boot Challenges


• Every processor has a different mechanism
to achieve root of trust. Understanding this
domain is complex and involves hardware,
software, and cryptography skills.
• The key programming must be performed in a single attempt with zero
mistakes, as this is one-time programmable memory and an error
may ruin the board.
• Maintenance of keys is critical as the image-
signing process needs these keys for any
firmware upgrade process.
• There is a possibility of keys getting
compromised outside the company.

Recommendations and Best Practices

• Secure all associated processes involved in code-signing and device-provisioning
• Use validation authority before releasing the software and signing the code
• Implement the best practical solutions that can be applied for future upgrades using
trustworthy security such as RSA and ECC signature schemes
• Communicate with only those external devices that you have authenticated
• Use a trusted execution environment offered by chip manufacturers
• Implement the key revocation process for situations where keys used in the field are
compromised


Conclusion
When properly configured, secure boot lays the foundation for a root of trust and is a
requisite for system security. We believe security is an integral part of IoT adoption
and connected systems. Secure boot implementation requires specific hardware
capabilities. Therefore, it is critical this be factored into the early-stage design phase.
Cyient offers a comprehensive range of services and solutions for securing embedded
IoT devices across multiple industry verticals.

About the Authors

Sumeet Das is Sr. Solution Architect at Cyient with experience in embedded
design and development of medical devices. He has implemented secure
boot for different semiconductor chips.

Vishwanath Pratap leads solutions for medical devices at Cyient. He has
valuable experience in design and development of medical devices
across the product development cycle.


About Cyient

Cyient (Estd: 1991, NSE: CYIENT) is a leading global engineering and technology solutions
company. We are a Design, Build, and Maintain partner for leading organizations worldwide.
We leverage digital technologies, advanced analytics capabilities, and our domain
knowledge and technical expertise, to solve complex business problems.

We partner with customers to operate as part of their extended team in ways that best suit
their organization’s culture and requirements. Our industry focus includes aerospace and
defense, healthcare, telecommunications, rail transportation, semiconductor, geospatial,
industrial, and energy. We are committed to designing tomorrow together with our
stakeholders and being a culturally inclusive, socially responsible, and environmentally
sustainable organization.

For more information, please visit www.cyient.com

Contact Us

North America Headquarters
Cyient, Inc.
99 East River Drive
5th Floor
East Hartford, CT 06108
USA
T: +1 860 528 5430
F: +1 860 528 5873

Europe, Middle East, and Africa Headquarters
Cyient Europe Limited
Apex, Forbury Road,
Reading
RG1 1AX
UK
T: +44 118 3043720

Asia Pacific Headquarters
Cyient Limited
Level 1, 350 Collins Street
Melbourne, Victoria, 3000
Australia
T: +61 3 8605 4815
F: +61 3 8601 1180

Global Headquarters
Cyient Limited
Plot No. 11
Software Units Layout
Infocity, Madhapur
Hyderabad - 500081
India
T: +91 40 6764 1000
F: +91 40 2311 0352


© 2022 Cyient. Cyient believes the information in this publication is accurate as of its publication date; such information is subject to change
without notice. Cyient acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.
