Welcome to the Ewon blog


The basics of cybersecurity: Secure boot

by Patrick Siméons | jun. 08, 2021

Compare the number of computers you have at home with the number of IoT devices you will use today (think of your smartphone, your connected watch, scale, camera, speaker, home automation system...), and then compare those numbers with three years ago.

It is clear that we interact daily with more and more connected devices. This trend is visible not only in retail but also in sectors such as healthcare, agriculture, education, traffic, smart cities and, of course, industry in general.

Every piece of information collected gains value when it is interconnected with other data. More and more, we let IoT devices collect and process sensitive, not to say personal, data.

This new Eldorado attracts hackers motivated by the revenue from theft, extortion and espionage, hacktivists and competitors who see potential in disruption, and also governments looking for tactical or political advantages.

Where traditional IT has reached a certain level of maturity (user awareness, well-known reliable actors, automatic patching...), the rapid growth of IoT and Industrial IoT shows more and more examples of improperly implemented security.

Imagine, for instance, an (I)IoT device booting code that has been tampered with by a hacker. In that case, any protection deployed at higher layers becomes worthless for protecting the device.

Securing an IoT device must begin at the very moment the object is powered on.

Executing trusted and authentic code starts with securely booting the device. Secure Boot is the process that ensures that only genuine, manufacturer-validated software runs on the device. Without Secure Boot, a malicious actor could load their own operating system or spoofed software onto the device, or even intercept secrets by interfering between the various stages of boot.

With the choice of an i.MX processor and its High Assurance Boot (HAB) functionality, and thanks to the SE050 (cf. previous article), the Ewon Cosy+ offers a completely secure boot sequence, ensuring that only code signed by Ewon is executed.

High Assurance Boot is based on asymmetric cryptography in the form of digital signatures: image data is signed offline using a private key, and the resulting signed image is then verified on the i.MX processor using the corresponding public key.

Public keys on the i.MX are made unalterable thanks to electrically programmable fuses (eFuses), which cannot be modified after programming.

How does secure boot work? Two prerequisites are necessary:
• The elements to be verified are signed with Ewon's private keys.
• The SHA-256 hash of the public keys used to verify these signatures (the SHA256 SRK hash, SRK standing for Super Root Key) is written into the eFuses.

On boot, the bootROM code, which cannot be tampered with, checks the eFuse status so that only the secure boot method can be selected. The bootROM fetches the bootloader itself, its signature and the public key used to sign it.
It computes the hash of that public key and checks it against the hash burnt into the eFuses (SHA256 SRK) to determine whether it may use the key to verify the signature.

Only if the public key hashes match is the signature checked. If the signature is valid, the bootloader is then loaded.

The bootloader uses the same approach to load a signed Linux image, which in turn launches the signed Ewon application.

This sequence of verifications is the chain of trust. Any break in this chain, i.e. any signature that is missing or fails to verify, results in the failure of the boot process.
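The following Go program is an added example, not Ewon's or NXP's code, that models the chain of trust described above: each stage carries its image, the public key used to sign it and the signature; the eFuses hold only the hash of the trusted public key plus a "closed" bit; a stage is executed only if its key hashes to the fused value and its signature verifies, and the first failure halts the boot. It substitutes Ed25519 from Go's standard library for HAB's RSA signatures and flattens the SRK table to a single key; the stage names, images and key seeds are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is one link of the chain of trust: the code to run, the public key
// shipped next to it, and the signature made offline with the private key.
type Stage struct {
	Name      string
	Image     []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Fuses models the one-time-programmable eFuses: a "closed" bit that forces the
// secure boot path, and the SHA-256 hash of the trusted public key (the SRK hash).
type Fuses struct {
	Closed  bool
	SRKHash [32]byte
}

var (
	ErrOpenDevice   = errors.New("device not closed: secure boot is not enforced")
	ErrSRKMismatch  = errors.New("public key hash does not match the eFuse SRK hash")
	ErrBadSignature = errors.New("signature does not verify over the image")
)

// KeyFromByteSeed gives a reproducible key for the demo (constructed); a real
// signing key lives in an HSM, never in source.
func KeyFromByteSeed(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// PublicKeyOf extracts the public half of a signing key.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// SignStage is the offline step performed by the manufacturer's signing server.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{Name: name, Image: image, PubKey: PublicKeyOf(priv), Signature: ed25519.Sign(priv, image)}
}

// BurnFuses programs the eFuses from the public key: only its hash is stored.
func BurnFuses(pub ed25519.PublicKey) Fuses {
	return Fuses{Closed: true, SRKHash: sha256.Sum256(pub)}
}

// VerifyStage is the check each stage applies to the next one before jumping to it:
// 1. hash the public key carried by the image and compare it with the fused hash;
// 2. only if they match, verify the signature with that key.
func VerifyStage(fuses Fuses, s Stage) error {
	if !fuses.Closed {
		return ErrOpenDevice
	}
	if sha256.Sum256(s.PubKey) != fuses.SRKHash {
		return ErrSRKMismatch
	}
	if !ed25519.Verify(s.PubKey, s.Image, s.Signature) {
		return ErrBadSignature
	}
	return nil
}

// BootChain walks bootROM -> bootloader -> Linux -> application. The first failed
// verification halts the boot; the returned slice lists the stages that did run,
// so on error stages[len(executed)] is the stage that was rejected.
func BootChain(fuses Fuses, stages []Stage) ([]string, error) {
	var executed []string
	for _, s := range stages {
		if err := VerifyStage(fuses, s); err != nil {
			return executed, err
		}
		executed = append(executed, s.Name)
	}
	return executed, nil
}

// BuildChain signs the three stages with the given key (constructed placeholder images).
func BuildChain(priv ed25519.PrivateKey) []Stage {
	return []Stage{
		SignStage(priv, "bootloader", []byte("bootloader image (constructed)")),
		SignStage(priv, "linux", []byte("linux image (constructed)")),
		SignStage(priv, "application", []byte("ewon application (constructed)")),
	}
}

func main() {
	vendor, attacker := KeyFromByteSeed(1), KeyFromByteSeed(2)
	fuses := BurnFuses(PublicKeyOf(vendor))
	report := func(label string, f Fuses, chain []Stage) {
		ran, err := BootChain(f, chain)
		if err != nil {
			fmt.Printf("%-27s halted at %q: %v\n", label, chain[len(ran)].Name, err)
			return
		}
		fmt.Printf("%-27s booted %v\n", label, ran)
	}
	report("genuine chain:", fuses, BuildChain(vendor))
	tampered := BuildChain(vendor)
	tampered[1].Image[0] ^= 0xff // one byte of the Linux image changed after signing
	report("tampered linux image:", fuses, tampered)
	resigned := BuildChain(vendor)
	resigned[0] = SignStage(attacker, "bootloader", resigned[0].Image) // valid signature, untrusted key
	report("re-signed with foreign key:", fuses, resigned)
	open := fuses
	open.Closed = false // fuses never programmed: nothing enforces the checks
	report("fuses left open:", open, BuildChain(vendor))
}
```

The order of the two checks in `VerifyStage` is the point of the eFuse hash: a signature that verifies under some key proves nothing unless that key is the one the device was fused to trust, which is why the "re-signed with foreign key" run is rejected before its (perfectly valid) signature is ever examined. The "fuses left open" run shows why programming the fuses is a prerequisite rather than an option.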

There is no doubt: the Cosy+ sets a new security standard in the industry.

Cybersecurity needs to be taken seriously!
