Article by : Mohamed BELOUARGA & Fabien Lahoudere

The world is becoming more and more connected, and millions of devices are developed to be connected either to servers or to each other. This hyper connectivity comes with many threats and  Linux-based embedded systems are not exempt from them.

In this article, we will discuss a technique that adds security to embedded Linux devices, but the reader should be aware that this method does not protect embedded Linux devices from all threats. 

The reader should know that the author is an embedded Linux engineer and not a cybersecurity expert.

What is a secure boot?

Secure boot is all about implementing a trust chain between different software components of an embedded Linux device. This chain of trust is implemented to prevent the devices from running corrupted software, or software that does not originate from the device manufacturer.


This chain of trust is, in fact, a layered verification process that will identify the origin of these software components

Secure boot process of linux embedded systems softwares and devices

First the ROM code verifies that the bootloader comes from the manufacturer, then the bootloader verifies that the Linux kernel also comes from the manufacturer before launching it and finally the kernel verifies that the ROOTFS (the application) comes from the manufacturer.

We will see below how this trust chain works – or what we call secure boot-, and how to implement it.

How to implement secure boot

Securing the bootloader

This part is hardware dependent and realized by hardware and ROM code. The ROM code verifies that the bootloader is from the manufacturer, by checking its signature. The signature of the bootloader is usually its hash encrypted by a private key.

If the signature is corrupted, the ROM code does not launch the bootloader, thereby the device doesn’t boot.

Securing the kernel

After its verification, the ROM code launches the bootloader.

The bootloader initializes just enough hardware (at least SDRAM and serial console) to boot the kernel and to load the kernel as well as the device tree into RAM.

The bootloader checks kernel and the device tree signature’s (and other binaries if necessary), before booting the kernel.

If binaries have to be checked, a FIT image containing all these binaries, can be used to gain some efficiency in this process.

Securing the ROOTFS

To secure the ROOTFS, it is preferable to use a read-only ROOTFS and take advantage of a feature provided by the kernel, called DM-verity.

Dm-verity uses a hash tree to ensure that the ROOTFS is not corrupted. Layer0 of the hash tree contains the ROOTFS hashes -one hash for every 4k.

More detail in the schema below.

Securing the ROOTFS for secure boot in linux systems softwares and devices

  • Layer 0 contains hashes of the ROOTFS, one hash for every 4kB of memory
  • LAYER 1 contains hashes of LAYER 0
  • LAYER 2 hashes of LAYER 1 …
  • Until we finish with one hash called root hash.

In order to use DM-verity on the ROOTFS partition, it is easier to use an InitRamFS that launches DM-verity on the partition of the ROOTFS before switching to the ROOTFS.

The InitRamFS (that contains the root hash) should be added to the FIT image and should also be signed.

If DM-verity detects a corruption in the ROOTFS or if the root hash changed, the feature generates a kernel panic, which blocks the launch.

Example of imx8

To illustrate some hardware dependent aspects of the secure boot, we will take imx8 as an example:

CST tools

Before trying to implement secure boot on imx8, we need to generate some private keys that will be used to sign the binaries. NXP provides CST tools (Code Signing Tool) that generates privates and public keys, and allows us to sign the bootloader and other binaries.

Fuses and CAAM

Imx8 has a module called CAAM (Cryptographic Acceleration and Assurance Module) that will be used to speed up the verification of all signatures. Imx8 also has some registers called One-Time Programmable registers (eFuse).

In order to enable signature verification, SRK_HASH eFuses must be programmed with the generated public keys hashes, and to lock the card, another eFuse should be programmed.

All these elements will be used to implement the HAB (High Assurance Boot): the imx secure boot.

ROM code

At the boot time, The ROM code verifies if the SRK_HASH eFuses are programmed. If it is the case, it will verify the signature of the bootloader (SPL + ATF + OPTEE + U-boot). Depending on the card being locked or not, the rom code will continue the booting process, or will stop it:

ROM secure booting of linux Embedded devides

The Rom code verifies an image, as the picture below shows:

ROM Code verification of FIT Image and hash Certificate

Note: Other eFuses also need to be programmed to properly implement Secure Boot. For example, the eFuse that disables the JTAG.

Imx-boot

After verifying its signature, the ROM code launches the bootloader (SPL then ATF and OPTEE then U-boot).

U-boot should be configured to check the signature of the FIT image if the HAB is activated. The verification of the signature of the FIT image is done by making some calls to the ROM code (through ATF).

U-boot will then behave like the ROM code in the previous step: if the card is locked and the signature is corrupted, it will stop the booting process.

Fit Image and ROOTFS

The Fit Image contains at least three elements: the kernel, the device tree and the InitRamFS.

When U-boot checks the signature of the Image: it extracts these elements and launches the kernel.

When the kernel is launched with the InitRamFS, this last one applies DM-verity on the ROOTFS partition, and it gives the kernel the root hash. Finally, the kernel continues booting on the ROOTFS.

 

These different steps constituted the secure boot for imx8:

Embedded Linux base softwares devices or systems secure booting sequence

The curious reader can find more documentation about HAB implementation on internet, this second part of the article was not meant to explain the whole HAB details, but only to show the relationship between secure boot and the hardware.

Share

Our experts are a phone call away!

Ask your questions and find solutions for your product development

Contact us

Read more news

11/7/24

Why a V.I.E. Contract Can Launch Your Career: Lessons from Cérine and Meiyun

This article explores how a V.I.E. contract can jumpstart your career. Through the stories of Cérine and Meiyun, two V.I.E. employees, you'll discover how the program can help you develop essential skills, build a global network, and gain the confidence to thrive in an international work environment.

READ MORE
6/6/24

T&S Group 2023 Carbon footprint

Technology & Strategy (T&S) is committed to environmental sustainability, transforming environmental objectives into economic development drivers. T&S conducts an annual carbon footprint assessment, embracing a low-carbon approach and positioning itself as a key contributor to the ecological transition. In 2023, T&S’s total carbon footprint was 11,699 tCO2e, with emissions spanning across three scopes. T&S is deploying initiatives to control environmental impact and combat climate change, setting emission reduction targets in accordance with the Science-Based Targets Initiative (SBTi). All branches of T&S have made an environmental commitment, actively participating in assessing the company’s carbon footprint and following a low-carbon path in alignment with SBTi.

READ MORE
7/5/24

Boomerang Employees: A Rising Trend?

The article discusses the growing trend of ‘boomerang employees’ who leave a company only to return later. It explores whether this is a temporary fad or a deep-seated trend, and how companies can leverage it. In France, there’s been a 36% increase in boomerang employees over three years. The phenomenon aligns with changing employee aspirations for meaningful work-life balance. Boomerang employees bring valuable experience, deep company knowledge, and heightened motivation. Companies like Technology&Strategy are embracing this trend by fostering a strong employer brand and a supportive work environment. The article includes insights from T&S employees and HR Manager France, Cheima Hammi, on the benefits and motivations behind the boomerang trend.

READ MORE