As everything shifts to digital, security has become a primary concern: attackers target everything from nuclear facilities to bank accounts. Embedded systems deployed across industries therefore need stronger security measures to protect sensitive data. A contemporary system reads its software from images kept on storage media such as eMMC, NAND or an SD card, so an attacker who can alter or replace those images gains full control of the system and/or access to its sensitive data.
One solution to this problem is High Assurance Boot (HAB).
HAB is an optional feature of the i.MX SoC family that ensures only software images signed by you can be executed on the SoC.
It builds on boot ROM level security that cannot be altered once the appropriate one-time electrically programmable fuses (eFuses) have been programmed: the ROM code is fixed in silicon and the fuses cannot be rewritten, so there is nothing in storage for an attacker to replace. The boot ROM is responsible for loading the initial software image from the boot medium (usually a bootloader such as SPL/U-Boot). HAB enables the boot ROM to authenticate that initial image using digital signatures. It also provides a mechanism to establish a chain of trust for the remaining software components (such as the kernel image) and thus to bring the system into a known, secure state.
How does it work?
HAB authentication is based on public key cryptography using the RSA algorithm: images are signed with private keys that never leave your signing environment, and the SoC verifies those signatures with the corresponding public keys.
It consists of the following stages:
1. Offline signing of the software images using private keys.
The image data is signed offline with private keys from a PKI tree generated by NXP's Code Signing Tool (CST); Variscite's scripts wrap CST and make the process straightforward. The private keys are the whole secret of the scheme: keep them offline and backed up, because once a device is closed, only images signed with those keys will ever run on it.
2. Fusing the i.MX SoC with the corresponding public keys.
The keys form a PKI tree whose top-level public keys are the Super Root Keys (SRKs). A table of the public SRKs (up to four) is hashed with SHA-256 and the hash is permanently written to the SoC's eFuses (the SRK_HASH fuses). Only the hash is burned, so the table itself travels with each signed image; provisioning spare SRKs in the table lets you switch keys later without re-fusing the device.
Until you decide to "close" the processor by programming a dedicated bit in another eFuse (SEC_CONFIG), it keeps running unsigned or badly signed images while recording useful HAB events, which you can inspect with U-Boot's hab_status command. This lets you test the sign-authenticate process and verify that it works (a correctly signed image boots with no HAB events) before permanently closing the processor so that it executes only your signed images. Both the SRK_HASH fuses and the close bit are irreversible, so read the fuses back (fuse read) and boot a signed image cleanly before closing.
3. Authentication of the software images on the target during boot time.
The signed image data is verified on the i.MX processor using the corresponding public keys.
HAB first evaluates the SRK table carried in the signature data by hashing it and comparing the result to the SRK_HASH fuse values. If the SRK verification succeeds, this establishes the root of trust, and the remainder of the signature can be processed to authenticate the image using the SRK the signature selects.
Once the initial bootloader is authenticated and executed, the chain of trust continues by authenticating each subsequently loaded image before executing it: the boot ROM authenticates SPL, SPL authenticates U-Boot, and U-Boot authenticates the Linux kernel. On a closed device, a failure at any link of the chain stops the boot; on an open device it is only recorded as a HAB event.
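The three stages above, modelled end to end as an added example (this is not NXP's ROM or CST code, nor Variscite's scripts): a seeded toy RSA key pair stands in for the CST PKI tree, the SRK table layout is a simplification of HAB's tagged binary format, the event strings are descriptive rather than HAB's real reason codes, and the little-endian 32-bit fuse words are an assumption mirroring how the CST fuse file is converted for U-Boot's fuse prog. What it shows is the root-of-trust check (hash of the SRK table against the fuses), signature verification of each stage, and the difference between an open device, which boots and logs, and a closed one, which stops.

```python
"""Model of HAB's boot-time decisions: added example, not NXP ROM or CST code."""
import hashlib
import hmac
import random
import struct

# Toy RSA. Keys are generated in-process (seeded, 1024-bit) purely so the
# example runs stand-alone; real SRKs come from NXP's CST PKI tree.
def _is_probable_prime(n, rng, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(seed, bits=1024):
    """Return ((n, e), (n, d)) for a reproducible demo key."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256

def _pkcs1_v15(data, k):
    t = _DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15(data, k))   # constant-time compare

# SRK table and fuses. The layout is a simplification (assumption); the real
# table uses HAB's tagged format, but the fuses hold SHA-256(table) either way.
def srk_table_bytes(srks):
    out = b""
    for n, e in srks:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack(">II", len(nb), e) + nb
    return out

def srk_fuse_words(table):
    """SRK_HASH as eight 32-bit words, the form `fuse prog` takes (assumed LE)."""
    return list(struct.unpack("<8I", hashlib.sha256(table).digest()))

def hab_authenticate(image, csf, srks, fuses, closed):
    """One HAB authentication. Returns (boot_allowed, events).
    Open device: a failure is recorded as an event but the image still runs.
    Closed device: any failure stops the boot."""
    def fail(msg):
        return (not closed), [msg]
    if csf is None:
        return fail("no CSF attached: image is unsigned")
    if srk_fuse_words(srk_table_bytes(srks)) != fuses:   # root of trust
        return fail("SRK table hash does not match SRK_HASH fuses")
    if not 0 <= csf["srk_index"] < len(srks):
        return fail("SRK index out of range")
    if not rsa_verify(srks[csf["srk_index"]], image, csf["sig"]):
        return fail("image signature invalid")
    return True, []

def boot_chain(stages, srks, fuses, closed):
    """ROM -> SPL -> U-Boot -> kernel: each stage authenticates the next."""
    log = []
    for name, image, csf in stages:
        ok, events = hab_authenticate(image, csf, srks, fuses, closed)
        log += [f"{name}: {ev}" for ev in events]
        if not ok:
            return False, log
    return True, log

def demo(closed, tamper=False, unsigned=False):
    """Constructed images and keys; returns (booted, hab_event_log)."""
    pub1, priv1 = gen_rsa_key(1)
    srks = [pub1, gen_rsa_key(2)[0]]                   # SRK1 in use, SRK2 spare
    fuses = srk_fuse_words(srk_table_bytes(srks))      # values burned at the factory
    stages = []
    for name in ("SPL", "U-Boot", "kernel"):
        img = f"constructed {name} image".encode()
        csf = None if unsigned else {"srk_index": 0, "sig": rsa_sign(priv1, img)}
        if tamper and name == "U-Boot":
            img += b" (modified after signing)"         # flash edited post-signing
        stages.append((name, img, csf))
    return boot_chain(stages, srks, fuses, closed)
```

Running demo(closed=False, tamper=True) is the situation the open-device test phase is for: the chain completes, but the log names the stage whose signature failed, which is exactly what you want to see empty before programming the close bit. demo(closed=True, tamper=True) shows the same tampered U-Boot stopping the boot on a closed device.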
Further reading:
High Assurance Booting (HAB) on i.MX7 and i.MX6 System on Module
Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4
i.MX Applications Processor Trust Architecture