Connected IoT devices can be found in every aspect of modern digital life. From autonomous and connected vehicles to medical devices to smart meters and smartwatches. The data generated and the processes controlled by these devices have never been greater.
Because of their importance, the need to prioritize the security of IoT embedded devices is essential for the integrity and reliability of data and services.
The first step to ensuring security in an IoT embedded system is known as Secure Boot. IoT security should be based on creating a root of trust, which provides a secure foundation upon which the rest of the system can be securely built. We need to assure that this root of trust is indeed trustworthy to minimize a potential attack and its consequences.
What is Secure Boot?
Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials.
In other words, Secure Boot ensures that the boot technology and operating system software are the legitimate manufacturer version and have not been altered or tampered with by any malicious actor or process.
Why is Secure Boot important?
Secure Boot is essential to prevent an adversary from compromising an operating system or installing a different bootloader into the IoT device.
The proliferation of IoT devices embedded into business-critical systems makes the use of Secure Boot an important factor in securing these devices and safeguarding their reliable operation. Any malicious code inserted into the device could make this device part of a botnet or it could be used as a launching pad for attacks targeting other, more sensitive systems.
For example, an adversary could penetrate an insecure device and replace a legitimate executable file with one containing malware. If the device is not protected with Secure Boot, the malicious code will be executed in the next reboot and the device will be compromised.
Through the rogue code, now running on the device, the malicious actor could manipulate the data gathered by the device or they could render any function performed by the device as illegitimate or untrustworthy. With a Secure Boot process in place, the security checks during reboot would identify the unauthorized executable file, prevent it from running and initiate remedial actions.
How does it work?
The Secure Boot process goes through a series of steps to ensure the integrity and authenticity of the installation for the device to run correctly and securely. These steps are shown in the image below:
Figure 1: Secure Boot process. Source: Electronic Design.
Verifying that the bootloader is authentic is crucial for assuring and executing the rest of the boot process. The verification of the bootloader executable file is done using public/private keys. During the secure development of the bootloader code, it is digitally signed with the manufacturer’s private key.
When the bootloader firmware is to be installed on the device, it is checked against the embedded public key on the device to confirm that it is genuine. The same process is repeated whenever the device boots or whenever there is a need to install an update.
Once the bootloader file is checked successfully to be authentic, the Secure Boot process checks the validity of the operating system and other functional applications. The signed application code is verified against the embedded public key to ensure it is genuine. If the operating system and the applications are assured, they can start running.
The sum up, the device start-up process is initiated by a trusted bootloader file and every phase is run only after the previous phase is verified for authenticity and has started successfully.
Secure Boot challenges
The foundation of the Secure Boot process are the root keys associated with the device that is used to create a unique device identity certificate. During device provisioning, a keypair should be created within the device using on device key generation (ODKG). Then a certificate signing request (CSR) is sent to the certificate authority (CA) to create a signed certificate which is then installed in the device. . The security of these device keys is the key factor of the Secure Boot process.
Therefore, the most essential challenge is to maintain the security of these keys. The device processor checks the boot image against its stored key. If those two matches, then the boot image is executed. Matches to the root key in the CPU make up the chain of root that ignites the operation of the IoT device. If the keys are compromised, the whole Secure Boot process is compromised.
Unique private keys are created per device and never leave the edge device. These private keys are recreated when the device certificate expires, and the process can be repeated for the lifetime of the IoT device.
One more issue that IoT device users need to be aware is that the Secure Boot process does not lock down the entire system. It secures only the operating system software. This is of a great importance, since if someone inserts a malware that runs on top of the operating system, they are still able to compromise the device.
Best practices for implementing Secure Boot
To secure your Secure Boot process and hence your devices, it is advised to follow these best practices
Secure the process
To secure the Secure Boot process, you will need to secure all associated processes. Key to this is to use an on device key generation capability so the private key always remains in the device as is secured. A compromise of these keys would result in the compromise of the overall process, so protection of the device private key is critical.
Use strong encryption
Encryption is the underlying foundation of Secure Boot. Make sure your encryption algorithms are up-to-date and fit for purpose. Also consider how you can update your encryption algorithms in your edge devices as crypto changes over time.
Secure your code
For Secure Boot to be effective, the code used in the bootloader, operating system, and other functional applications has to be developed securely and thoroughly checked for any security flaws. Code should always be signed with a code signing certificate, and access to that certificate should be controlled and monitored as part of the software development process.
Use strong authentication
To enhance the security of the IoT device, the code loaded must always be authenticated. Secure Boot checks the code signing, and any signed image is considered secure by the processor. In addition, you should ensure that each code component is called into the Secure Boot library in the processor.
Confirm the authentication process
Finally, it is essential to ensure that the authentication process is not disrupted and that each phase of the code boot process is properly authenticated before proceeding to the next one.
The Keyfactor IoT identity platform
Keyfactor Control provides a complete and scalable solution for IoT identity – from a secure root of trust to flexible APIs and integrations. Our platform provides a range of security functions including:
- Identity Provisioning & Lifecycle: Deploy, manage and update digital certificates across your connected devices – from provisioning and in-field commissioning to renewal and revocation.
- Secure Root of Trust: Run your PKI on-prem, in the cloud, or as-a-service with a dedicated, cloud-hosted PKI that’s purpose built for your IoT deployment and operated by our team of experts.
- Secure Firmware Signing: Get a centralized tool to secure code signing operations at scale and enable secure firmware OTA updates and implement Secure Boot.
- IoT SDK: Give developers a flexible, open-source SDK and C-Agent to implement custom functionality in devices such as key generation, key storage and digital signature verification.
You can delve further into securing your IoT devices by reading this whitepaper on why PKI is the ideal solution to secure IoT devices.