In part 1 of our series looking at secure boot on the iMX6, we examined the process itself in detail.
Leveraging the hardware and authentication were covered extensively in part 2.
And we have top tips on the procedure to help you get through it as smoothly as possible in this final instalment – so read on…
Top Tips for Secure Boot on the iMX6
Our top 5 tips for a successful secure boot on the iMX6 are:
- (Sounds obvious, but) Make your process secure
- Keep your encryption strong
- Check your code
- Authenticate as much as possible
- Confirm the process is authenticating correctly
Ok – let’s break this down step by step.
1. Make Your Process Secure
Well, once you’ve decided you need to go boot; first step is make sure that your process is secure. You don’t allow your keys to leak out of your production environment or any of the rest of your process details.
2. Keep Your Encryption Strong
Make sure you keep your encryption strong. Secure Boot on the iMX6 supports keys of varying strengths. It is possible to generate an SSL certificate with a 1024-bit public key and using SHA-1 as the encryption; they’re both comparatively weak compared to the current norm. So make sure your algorithms are properly secure. Keep your process secure.
And in order for Secure Boot to mean anything, the rest of your code in the bootloader, OS, and other software also has to be properly written for secure boot, and lack security holes.
These days, popular towards boot loader U-boot supports HAB (High Assurance Boot) which is the name of the i.MX6 Secure Boot.
And so, it’s a relatively simplified process compared to what it could be on other processors that supports either a similar security mechanism or just the other processors in the i.MX line that support this Secure Boot mechanism.
3. Check Your Code
You need to make sure that your code does, in fact, actually fall. Once you’re out of the CPU’s internal boot loader, you have to make sure your code does follow the procedure for continuing the chain of authentication.
It is very well and good to say that you have Secure Boot but if your software boot loader does not actually check your Linux boot image or it only checks a small part of the Linux (or other OS) boot image, then you haven’t really made it secure.
4. Authenticate As Much As Possible
For genuine security, authenticate as much of the code you want to load as possible and do ensure that it follows the practices established for the libraries available as it can.
U-boot does support the Secure Boot mechanism, so the burden has been lessened for people coming into it today compared to when this sort of process in the embedded space was new.
You need to keep the process, i.e. how you generate and store your keys, secure. Because if your secure keys leak out and anyone can sign code against them, they can write that code to your device and your operating system now is no longer secure. Secure Boot only checks the signing, and any signed image can be considered secure by the processor.
You can’t just have your secured OS image and forget about other forms of security. You need to keep internal security as well as external security.
Make sure that the additional code you’ve written for further authentication since Secure Boot on the iMX6 is implemented as a library in the processor. You pull into that library to continue authenticating your images because almost all iMX6 boards has a multi-stage boot process where you have the CPU internal boot loader which loads an SPL which loads a full boot loader and the full boot loader loads an operating system. Each of these jumps needs to be authenticated by the proceeding step.
5. Confirm the Process Is Authenticating Correctly
It’s essential to ensure that your code is genuinely performing the Secure Boot. It’s not just authenticating a small part of memory or it’s not authenticating at all. It is possible, that even from a secure piece of code, to jump to an arbitrary location in memory and continue execution because that’s just how processors work. You need to actually ensure your code is authenticating the next step of code.
Most people use U-Boot. U-Boot does support Secure Boot on the iMX6. It does need to be configured but it’s a lot easier with a lot less space for getting it wrong when a lot of the work has already been done for you. Writing the security from scratch is a good way to not do it right.
It would be best if you took a known, good implementation and matched it to your needs. U-Boot does have an implementation. It’s a better idea to work from a proven start, than roll your own as it were.
We hope this series has been helpful. Connect with us on social media – we’d love to hear your feedback and any tips you have on secure boot.
Our software consultants can help if you need support with Secure Boot on the iMX6 or require extra resources for your embedded systems project. Feel free to reach out to our award-winning experts today.