Articles

Trusted boot in COTS computing

October 02, 2015 | BY: Mike Slonosky

Download PDF

Military and aerospace system architects and integrators are faced with new challenges as customers implement increasing requirements for safety- and security-critical applications. Military and aerospace embedded computing applications now need to provide both high-assurance computing focused on ensuring overall mission safety along with high availability to safeguard the integrity, confidentiality, and security of the data within and between systems. Moreover, with increased interest in foreign military sales, it is becoming more important to protect critical IP from compromise or alteration.

Another factor driving the need for security assurance is the growth of embedded network-centric computing and the use of open source software in these interconnected systems. Open source software is increasingly treated like a module that can simply be downloaded and plugged into an OEM’s own software. The downside of this approach is that the use of open source code of unknown origin can pose security risks, especially if it has not been analyzed for “back doors.”

One approach to mitigating these risks is to implement secure booting so that the system will boot and execute only authentic code. Secure booting prevents the CPU from running untrusted code instead of authentic, OEM-signed code. To achieve this goal, secure booting detects and rejects modified security configuration values and device secrets.

Some examples of high-performance processors that provide secure boot capabilities for military-focused commercial off-the-shelf (COTS) embedded systems include Freescale’s QorIQ processors, including the P3041, P4080, P5020, T2080, and T4xxx. Freescale has had years of experience supporting the commercial and automotive computing markets; now the company has integrated trust architecture features into its QorIQ processors. For applications that do not require secure boot, the processors come with secure boot and other trust architecture features disabled by default. When secure boot is enabled, instructions are executed from the internal boot ROM to enable the processor to determine if the image to be loaded into ROM is safe to execute. In the secure state, the image cannot be changed maliciously and the processor can be placed into a state where unauthorized debug or JTAG access is prevented to block snooping or changes to the image to be loaded. Secure boot also prevents the extraction of sensitive values from the CPU by any means short of deprocessing. Once the CPU is in the secure state, a device-specific, one-time-programmable master key (OTPMK) can be used to encrypt and decrypt data.

The starting point for a trusted or secure boot is the creation (by the developer) of a bug-free and malware-free code base. Once the developer “trusts” the code, the developer digitally signs the code so that accidental or deliberate modifications to the code base will be detected during the secure boot cycle. To place a digital signature, an OEM first generates an RSA public and private key pair. It is the responsibility of the OEM to tightly control access to the RSA private signature key. If this key is ever exposed, attackers will be able to generate alternate images that will pass the secure-boot process. If this key is ever lost, the OEM will be unable to update the image.

The application is signed using an RSA private signature key. The digital signature and a hash of the public key is appended to the image and written to flash (or other system nonvolatile memory). When the processor boots, the signature is checked using the RSA public key; the CPU uses the hashed RSA public key to check the signed image and compares the signatures. If the values match, the image is considered authentic and is allowed to boot. QorIQ processors also enable portions of the image to be encrypted to prevent attackers from stealing the image from flash memory.

An example of a COTS single-board computer that supports secure boot is Curtiss-Wright’s dual-node VPX6-195 6U OpenVPX board. This single-board computer (SBC) provides antitamper and information security levels by leveraging Freescale’s “Trusted Boot” technologies and capabilities. The board features two fully independent processor nodes, each of which has a Freescale quad-core T2080 processor that is provided with its own power, I/O, FPGA, and XMC expansion site.  

 

Read the article on Military Embedded Systems or Download a PDF

Author’s Biography

Mike Slonosky

Senior Product Manager, Power Architecture and Arm SBCs

Michael Slonosky is the Product Manager for Power Architecture Single Board Computers in the C4 Solutions group at Curtiss-Wright. He has been with Curtiss-Wright for 13 years after spending over 20 years in the telecom industry. Mike is a graduate of the University of Manitoba with a Masters of Science in Electrical Engineering.

Share This Article

  • Share on Linkedin
  • Share on Twitter
  • Share on Facebook
  • Share on Google+
Want to add a comment? Please login
Loading...
Connect With Curtiss-Wright Connect With Curtiss-Wright Connect With Curtiss-Wright
Sales

CONTACT SALES

Contact our sales team today to learn more about our products and services.

YOUR LOCATION

PRODUCT INFORMATION

Support

GET SUPPORT

Our support team can help answer your questions - contact us today.

REQUEST TYPE

SELECT BY

SELECT Topic