Extreme Engineering Solutions (X-ES) has introduced a new turnkey
secure boot software package for use on NXP QorIQ and LayerScape
processor-based hardware from X-ES. This software package aims to address the
issue of system security in the embedded computing industry.
X-ES delivers pre-customised secure boot software for the target
processor board, expediting development by providing a simplified, developer-friendly
implementation package. Once configured, secure boot is the process through
which the processor validates whether the system’s image is trusted and safe
NXP Trust Architecture provides
Secure boot, a subset of the NXP Trust Architecture, is the initial
point for a trusted system’s assurance that it is booting and executing only
authentic code. Secure boot can be utilised alongside the other components of
the Trust Architecture to provide a comprehensive, secure software computing
solution. The Trust Architecture additionally includes memory access
control/strong partitioning, persistent storage, security state monitoring,
master secrets, security violation detection, and secure debug. All of the
Trust Architecture features are supported on each of X-ES’ NXP QorIQ P-Series,
T-Series, and LayerScape processor-based hardware.
Secure boot prevents
inauthentic code from executing
Secure boot provides a hardware check on software validity to
determine if the bootable image can be trusted. Secure boot is able to make
this distinction, allowing it to prevent the CPU from running un-trusted code,
detect and reject modified security configuration values and device secrets, enable
trusted code to use a device-specific, one-time programmable master key (OTPMK)
when the processor is in a secure state, and prevent extraction of sensitive
values from the device.
In order for secure boot to properly verify if the code is authentic
and therefore trustworthy, the developer must first digitally sign the code.
This is achieved by generating an RSA public and private key pair to enable the
secure boot sequence hash check distinction between authentic, trusted code and
unauthentic code. X-ES significantly simplifies this process for the customer
by providing the NXP Code Signing Tool as well as including a revised U-Boot
boot-loader, which adds the ability to validate images that are signed for X-ES
processor boards. Developers are not dependent on NXP or X-ES for code-signing,
and are able to accomplish this themselves with the X-ES provided software
to meet specific security requirements
The secure boot package from X-ES supports the customer’s choice of
either a monolithic image including boot-loader, OS, and applications signed as
a single package, or chain of trust where the internal secure boot code (ISBC)
validates the boot-loader, the boot-loader validates the OS, and the OS
validates the applications all in sequence before permitting the system
software to execute code. While the monolithic image only uses a single digital
signature, the chain of trust is capable of supporting unique RSA public and
private key pairs for each phase of the validation.
System and boot security can be hardened even further by using chain
of trust with confidentiality, which supports booting into an encrypted image.
In this boot process, the ISBC (Internal Secure Boot Code) validates the X -ES
U-Boot code, which is then followed by a boot script that runs to de-capsulate/decrypt
OS images, which in turn allows the boot script to pass control to the OS.
Monolithic can support encrypted data but cannot boot into an encrypted image.
Secure boot supported on
X-ES’ industry-leading embedded hardware
X-ES provides industry-leading, ruggedised embedded computing boards
supporting NXP QorIQ P-Series, T-Series, and LayerScape processors, each
designed with trusted subsystems to provide security assurance in a variety of
Presently available in nine COTS, industry-standard form factors, X-ES
NXP processor-based boards support pairing secure boot with the customer’s
choice of OS, including Linux, Wind River VxWorks, or Green Hills INTEGRITY.
Backed by secure boot, these processor boards are capable of high-performance
computing in trusted environments, providing unparalleled reliability and
affirmation that only trusted OEM code is being executed.
X-ES is represented
in Australia and New Zealand by Metromatics.
information, please visit the Metromatics website www.metromatics.com.au or call (07)