Willkommen in Ewons Blog

Entdecken Sie, wie Ewon-Lösungen Ihre IIoT-Ambitionen in die Realität umsetzen können!

The basics of cybersecurity : Secure boot

by Patrick Siméons | Jun 08, 2021

Compare the number of computers you have at home with the number of IoT devices you will use today.... (think about your smartphone, your connected watch, scale, camera, speaker, home automation system…) and then compare those numbers to three years ago...

It is clear that we interact daily with more and more connected devices. This trend is visible not only in retail but also sectors such as healthcare, agriculture, education, traffic, smart cities and - of course – overall in the industry. 

Every piece of information collected sees his value increased when inter-connected to others. More and more, we let IoT devices collect and process sensitive data, not to say personal ones.

This new Eldorado attracts hackers motivated by the revenues coming from theft, extorsion, espionage, hacktivists and competitors who see potential in disruption, but also governments looking for tactical or political advantages.

Where traditional IT has reached a certain level of maturity (user awareness, well-known reliable actors, automatic patching…), the rapid growth of IoT and Industrial IoT shows more and more examples of improper implementation of security.

Imagine for instance an (I)IoT device booting on code that has been tampered by a hacker. In this case, any protections deployed at higher layers would become obsolete to protect the device.

Securing an IoT device must begin at the very moment the object is powered on.

Executing trusted and authentic code starts with securely booting the device. 
Secure Boot is the process that ensures that only genuine, manufacturer-validated software runs on the device. Without Secure Boot, a malicious actor could load its own Operating System or spoofed software into the device or even intercept secrets by interfering between the various stages of boot.

With the choice of an i.MX processor and its High Assurance Boot (HAB) functionality, and thanks to the SE050 (cfr previous article), the Ewon Cosy+ offers a completely secure boot sequence ensuring that only code signed by Ewon is executed.

High Assurance Boot is based on asymmetric cryptography algorithms called signatures in which image data is signed offline using a private key. The resulting signed image is then verified on the i.MX processor using the corresponding public keys.

Public keys on the i.MX are made unalterable thanks to electrically programmable fuses (eFuses) that can’t be modified after programming.

How the secure boot works? Two prerequisites are necessary:
• The elements to be identified are signed by the private keys of Ewon.
• The hashed version public keys (SHA256 SRK) used to verify this signature are written in the eFuses.

On boot, the (not tamperable) bootROM code checks the eFuses status to choose only the secure boot method.The bootROM fetches the bootloader itself, its signature and the public key used to sign it.
It computes the hash of the public key and checks it against its own hash version burnt in the eFuses (SHA256 SRK) to determine it may verify the signature.

Only if public keys match, the signature is checked. If the signature matches, the bootloader is then loaded.

The bootloader uses the same approach to load a signed Linux which in turn launch the signed Ewon application.

This sequence of verification is the chain of trust. Any interruption in this chain, i.e. any lack of signature verification results in the failure of the boot process.

There is no doubt, the Cosy+ sets up a new security standard in the industry. 

Cybersecurity needs to be taken seriously !

Industrielle Router

Industrie-Router von Ewon für einfache, sichere Verbindungen

Genießen Sie die Vorteile von Remote Access bei Bedarf und erfassen bzw. aggregieren Industrieprozessdaten lokal oder zentral in der Cloud.
Ihr Maschinenportal

Web-Dashboard: M2Web

Das kostenlose White-Label-Webportal von Talk2M, das den sicheren mobilen Zugriff auf Ihre externen HMIs, Webserver, Computer, etc. ermöglicht.
VPN-Client für Fernzugriff

Intelligenter VPN-Client: EWON eCatcher

Die Fernverbindungssoftware Talk2M ermöglicht die Vernetzung aller Ihrer Router in einer hochsicheren Umgebung.
Konnektivität als Service

Industrielle Cloud: Ewon Talk2M

Talk2M ist unsere skalierbare, zuverlässige und komplett redundante industrielle Cloud.