Turnkey secure boot software package for NXP processor-based hardware

Supplier News

Extreme Engineering Solutions (X-ES) has introduced a new turnkey secure boot software package for use on NXP QorIQ and Layerscape processor-based hardware from X-ES. This software package aims to address the issue of system security in the embedded computing industry.

X-ES delivers pre-customised secure boot software for the target processor board, expediting development by providing a simplified, developer-friendly implementation package. Secure boot, once configured, is the process through which the processor validates whether the system’s image is trusted and safe for booting.

NXP Trust Architecture provides security assurance

Secure boot, a subset of the NXP Trust Architecture, is the initial point for a trusted system’s assurance that it is booting and executing only authentic code. Secure boot can be utilised alongside the other components of the Trust Architecture to provide a comprehensive, secure software computing solution. The Trust Architecture additionally includes memory access control/strong partitioning, persistent storage, security state monitoring, master secrets, security violation detection, and secure debug. All of the Trust Architecture features are supported on each of X-ES’ NXP QorIQ P-Series, T-Series, and Layerscape processor-based hardware.

Secure boot prevents inauthentic code from executing

Secure boot provides a hardware check on software validity to determine if the bootable image can be trusted. Because it can make this distinction, secure boot is able to prevent the CPU from running untrusted code, detect and reject modified security configuration values and device secrets, enable trusted code to use a device-specific, one-time programmable master key (OTPMK) when the processor is in a secure state, and prevent extraction of sensitive values from the device.

In order for secure boot to properly verify that the code is authentic and therefore trustworthy, the developer must first digitally sign the code. This is achieved by generating an RSA public and private key pair, which enables the hash check in the secure boot sequence to distinguish authentic, trusted code from unauthentic code. X-ES significantly simplifies this process for the customer by providing the NXP Code Signing Tool as well as a revised U-Boot boot-loader, which adds the ability to validate images that are signed for X-ES processor boards. Developers are not dependent on NXP or X-ES for code-signing, and are able to accomplish this themselves with the X-ES-provided software toolkit.

Multiple configurations to meet specific security requirements

The secure boot package from X-ES supports the customer’s choice of either a monolithic image, in which the boot-loader, OS, and applications are signed as a single package, or a chain of trust, in which the internal secure boot code (ISBC) validates the boot-loader, the boot-loader validates the OS, and the OS validates the applications, all in sequence, before permitting the system software to execute code. While the monolithic image only uses a single digital signature, the chain of trust is capable of supporting unique RSA public and private key pairs for each phase of the validation.

System and boot security can be hardened even further by using chain of trust with confidentiality, which supports booting into an encrypted image. In this boot process, the ISBC validates the X-ES U-Boot code; a boot script then runs to decapsulate/decrypt the OS images, after which the boot script passes control to the OS. The monolithic configuration can support encrypted data but cannot boot into an encrypted image.

Secure boot supported on X-ES’ industry-leading embedded hardware

X-ES provides industry-leading, ruggedised embedded computing boards supporting NXP QorIQ P-Series, T-Series, and Layerscape processors, each designed with trusted subsystems to provide security assurance in a variety of applications.

Presently available in nine COTS, industry-standard form factors, X-ES NXP processor-based boards support pairing secure boot with the customer’s choice of OS, including Linux, Wind River VxWorks, or Green Hills INTEGRITY. Backed by secure boot, these processor boards are capable of high-performance computing in trusted environments, providing unparalleled reliability and affirmation that only trusted OEM code is being executed.

X-ES is represented in Australia and New Zealand by Metromatics.

For further information, please visit the Metromatics website www.metromatics.com.au or call (07) 3868-4255.
