Embedded Designs: Building in Security from Day 1
The challenges developers face in building secure product designs are increasing. Security attacks can occur at many points in the lifecycle of an embedded product design. This means developers must have a robust strategy for embedded security that addresses the wide range of security vulnerabilities.
This recorded webcast by Open Systems Media shares deep insights on embedded security building blocks by experts from both Digi and NXP. Watch this recording to learn about these building blocks and how they help to simplify the process of developing products that are secure by design. Digi International offers embedded system-on-modules and developer kits based on NXP i.MX processors to support design security, without requiring extensive security expertise on the part of the developer.
Thank you again for attending our session on Embedded Security. Here are the questions that followed the presentation and their answers. If you have additional questions, be sure to reach out.
NXP: Yes, all i.MX processor families support secure boot utilizing either HAB or AHAB, depending on the processor family. Newer processors also offer ECDSA key support for High Assurance Boot.
NXP: Yes, you need secure boot before you can do the encrypted boot step. You do not want to encrypt an image that has not been authenticated first to prevent executing untrusted code containing malware. The encrypted boot feature adds an extra security operation on top of secure boot.
NXP: Yes, secure boot can be used with mainline U-Boot and Linux kernel versions, and we have step-by-step guides to walk users through this process: Secure boot - step-by-step guides for both HAB and AHAB enabled devices.
Note: Please switch to the BSP version required.
NXP: Yes, OP-TEE or any other TEE can be authenticated to extend the root of trust.
Digi: Well, it really depends on your end application. As all i.MX processors and Digi ConnectCore® SOMs support the secure boot features we discussed today, you would need to see what additional functionality is required. The new i.MX 8 processors are certainly very popular and provide a range of security and processing to fit your application.
You can find a list of ConnectCore SOM options as well as a product comparison tool on the Digi SOMs page. Or get in touch with a Digi representative from the Contact Us link.
NXP: We have detailed documentation such as application notes on our website and step-by-step guides on Code Aurora for a secure and encrypted boot to get your system securely booted and establishing the root of trust:
Digi: We have fully integrated secure boot as part of the Digi TrustFence® security building blocks for Linux and Android. You can find the information you need for enabling and using it, as well as explanations of the concepts and infrastructure, in the Digi documentation.
NXP: Users need to perform secure boot before they can do the encrypted boot step. You do not want to encrypt an image that has not been authenticated first to prevent executing untrusted code containing malware. The encrypted boot feature adds an extra security operation on top of secure boot.
NXP: All things related to firmware management and OS management are currently performed by our partners (clouds and 3rd party). NXP does not currently have an in-house service for that but can provide partner information.
Digi: For Digi devices, you can perform secure firmware updates with Digi TrustFence®. See the TrustFence documentation.
NXP: NXP Linux software GA releases use the Vigiles™ tool to ensure patches are correctly applied and validated. For customer specific software, Vigiles™ relies on upstream validations. In addition, Vigiles™ provides reference links to exploits/mitigation when available so customers can set up to validate the fix or apply the respective mitigations. See the Vigiles™ content for more information.
NXP: Secure manufacturing is key. Our manufacturing webinar provides some useful information to address this.
NXP also offers Manufacturing Protection features on select i.MX processors. See our manufacturing information on securing the edge.
NXP: The initial Secure Boot starting from the internal immutable on-chip ROM cannot be updated/upgraded. The secondary bootloader used by the customer, however, can be updated using various mechanisms. An example of performing Secure Over the Air updates is provided in the Secure Over-the-Air Prototype for Linux Using CAAM and Mender or SWUpdate application note.
Digi: We provide instructions for performing secure firmware updates (which can include a signed / encrypted bootloader image) in the Digi TrustFence® documentation.
NXP: Yes, the service uses a pay-as-you-go model (fee per keys / certificate issuance, revocation). NXP can provide a budgetary quote for your specific application. See the EdgeLock 2GO page for details.
NXP: EdgeLock™ 2GO is a SaaS service whereas the i.MX is a secure processor, so they do not compare. EdgeLock™ 2GO is available on i.MX and other SoCs attached to a SE050 SE. EL 2GO can manage certificates on i.MX + SE050 devices on behalf of the customers; SE050 + EL 2GO enhances the security capabilities of the i.MX (key management, root of trust, zero-touch cloud onboarding). See the EdgeLock 2GO white paper.
Digi: Yes, Digi Remote Manager provides full flexibility on updates. It can be just applications, selected partitions or a full system update.
NXP: While NXP has implemented advanced security features, all products may be subject to unidentified vulnerabilities. Customers are responsible for the design and operation of their applications and products to reduce the effect of these vulnerabilities on customers’ applications and products, and NXP accepts no liability for any vulnerability that is discovered. Customers should implement appropriate design and operating safeguards to minimize the risks associated with their applications and products.
Digi: Agreed. We have excellent support and documentation to help customers build security into their products, as well as a Wireless Design Services team that can provide expert engineering support along the way. Contact us to learn more.