Benvenuto nel blog di Ewon

Scopri come le soluzioni Ewon possono trasformare le tue ambizioni IIoT in realtà!

The basics of cybersecurity : Secure boot

by Patrick Siméons | giu 08, 2021

Compare the number of computers you have at home with the number of IoT devices you will use today.... (think about your smartphone, your connected watch, scale, camera, speaker, home automation system…) and then compare those numbers to three years ago...

It is clear that we interact daily with more and more connected devices. This trend is visible not only in retail but also sectors such as healthcare, agriculture, education, traffic, smart cities and - of course – overall in the industry. 

Every piece of information collected sees his value increased when inter-connected to others. More and more, we let IoT devices collect and process sensitive data, not to say personal ones.

This new Eldorado attracts hackers motivated by the revenues coming from theft, extorsion, espionage, hacktivists and competitors who see potential in disruption, but also governments looking for tactical or political advantages.

Where traditional IT has reached a certain level of maturity (user awareness, well-known reliable actors, automatic patching…), the rapid growth of IoT and Industrial IoT shows more and more examples of improper implementation of security.

Imagine for instance an (I)IoT device booting on code that has been tampered by a hacker. In this case, any protections deployed at higher layers would become obsolete to protect the device.

Securing an IoT device must begin at the very moment the object is powered on.

Executing trusted and authentic code starts with securely booting the device. 
Secure Boot is the process that ensures that only genuine, manufacturer-validated software runs on the device. Without Secure Boot, a malicious actor could load its own Operating System or spoofed software into the device or even intercept secrets by interfering between the various stages of boot.

With the choice of an i.MX processor and its High Assurance Boot (HAB) functionality, and thanks to the SE050 (cfr previous article), the Ewon Cosy+ offers a completely secure boot sequence ensuring that only code signed by Ewon is executed.

High Assurance Boot is based on asymmetric cryptography algorithms called signatures in which image data is signed offline using a private key. The resulting signed image is then verified on the i.MX processor using the corresponding public keys.

Public keys on the i.MX are made unalterable thanks to electrically programmable fuses (eFuses) that can’t be modified after programming.

How the secure boot works? Two prerequisites are necessary:
• The elements to be identified are signed by the private keys of Ewon.
• The hashed version public keys (SHA256 SRK) used to verify this signature are written in the eFuses.

On boot, the (not tamperable) bootROM code checks the eFuses status to choose only the secure boot method.The bootROM fetches the bootloader itself, its signature and the public key used to sign it.
It computes the hash of the public key and checks it against its own hash version burnt in the eFuses (SHA256 SRK) to determine it may verify the signature.

Only if public keys match, the signature is checked. If the signature matches, the bootloader is then loaded.

The bootloader uses the same approach to load a signed Linux which in turn launch the signed Ewon application.

This sequence of verification is the chain of trust. Any interruption in this chain, i.e. any lack of signature verification results in the failure of the boot process.

There is no doubt, the Cosy+ sets up a new security standard in the industry. 

Cybersecurity needs to be taken seriously !

Dispositivi industriali

Dispositivi industriali Ewon per una connettività facile e sicura

Sfrutta i vantaggi dell'accesso remoto on-demand, raccogliendo e aggregando i dati delle operazioni industriali a livello locale o centrale nel cloud.
Il tuo portale macchine

Dashboard Web: M2Web

Il portale Web white label gratuito di Talk2M che offre un accesso mobile sicuro basato su HMI remote, server Web, computer e pannelli di controllo.
Client VPN per l'accesso remoto

Smart VPN Client: Ewon eCatcher

Il software di Talk2M per l'accesso remoto che consente di connettersi in un ambiente estremamente sicuro a tutti i dispositivi.
Connettività come servizio

Cloud industriale: Ewon Talk2M

Scopri Talk2M, un cloud industriale scalabile, affidabile e completamente ridondante.