Safeguard Critical Systems with X-ES’ Secure Boot for NXP Hardware

Safeguard Critical Systems with X-ES’ Turn-Key Secure Boot Implementation Package for NXP Processor-Based Hardware

As system security has increasingly become a focal point for the embedded computing industry.  Extreme Engineering Solutions (X-ES) has responded by providing their customers with a turn-key secure boot software package for use on  NXP QorIQ and LayerScape processor-based hardware from X-ES.

X-ES delivers pre-customised secure boot software for the target processor board.  Expediting development by providing a simplified, developer-friendly implementation package. Once configured, secure boot is the process through which the processor validates whether the system’s image is trusted and safe for booting.

 

NXP Trust Architecture Provides Security Assurance

Secure boot, a subset of the NXP Trust Architecture.  It is the initial point for a trusted system’s assurance that it is booting and executing only authentic code. Secure boot can be utilised alongside the other components of the Trust Architecture to provide a comprehensive, secure software computing solution. The Trust Architecture additionally includes memory access control/strong partitioning, persistent storage, security state monitoring, master secrets, security violation detection, and secure debug. All of the Trust Architecture features are supported on each of X-ES’ NXP QorIQ P-Series, T-Series, and LayerScape processor-based hardware.

 

Prevents Inauthentic Code from Executing

Secure boot provides a hardware check on software validity to determine if the bootable image is to be trusted. The ability of secure boot to make this distinction enables it to prevent the CPU from running un-trusted code, detect and reject modified security configuration values and device secrets, allow trusted code to use a device- specific, one-time programmable master key (OTPMK) when the processor is in a secure state, and prevents extraction of sensitive values from the device.

In order for secure boot to properly verify if the code is authentic and therefore trustworthy, the developer must first digitally sign the code. This is achieved by generating an RSA public and private key pair to enable the secure boot sequence hash check distinction between authentic, trusted code and inauthentic code. X-ES significantly simplifies this process for the customer by providing the NXP Code Signing Tool as well as including a revised U – Boot; boot-loader which adds the ability to validate images that are signed for X-ES processor boards. Developers are not dependent on NXP or X-ES for code-signing, and are able to accomplish this themselves with the X-ES provided software toolkit.

Another significant advantage to using the X-ES-modified secure boot software is that the developer does not require a high level of familiarity with the hardware in order to begin development, since device-specific secure boot customisations have already been completed.

 

Multiple Configurations to Meet Specific Security Requirements

The secure boot package from X-ES supports the customer’s choice of either a monolithic image including boot-loader, OS, and applications which is signed as a single package, or chain of trust where the internal secure boot code (ISBC) validates the boot-loader, the boot-loader validates the OS, and the OS validates the applications all in sequence before permitting the system software to execute code. While the monolithic image only uses a single digital signature, the chain of trust is capable of supporting unique RSA public and private key pairs for each phase of the validation.

Harden system and boot security even further by using chain of trust with confidentiality, which supports booting into an encrypted image. In this boot process, the ISBC, validates the X -ES U-Boot code, which is then followed by a boot script that runs to de-capsulate /decrypt OS images, which then allows the boot script to pass control to the OS. Monolithic can support encrypted data but cannot boot into an encrypted image.

 

Secure Boot Supported on X-ES’ Industry-Leading Embedded Hardware

X-ES provides industry-leading, ruggedised embedded computing boards supporting NXP QorIQ P-Series, T-Series, and LayerScape processors, each designed with trusted subsystems to provide security assurance in a variety of applications.

Presently available in nine COTS, industry-standard form factorssuch as Xpedite5970, Xpedite1641, Xpedite 6401, support pairing secure boot with the customer’s choice of OS, including Linux, Wind River VxWorks, or Green Hills INTEGRITY. These processor boards are capable of high-performance computing in trusted environments, providing reliability and affirmation that only trusted OEM code is being executed.

Leave a Reply

Your email address will not be published. Required fields are marked *