As discussed in the earlier blog, it is becoming very important, in an embedded system, to ensure authenticity of the firmware before running it. Also, the system has to be made tamper proof against further hacking, especially for remotely managed internet connected IoT applications. To prevent breach of security, the software can be strengthened with various techniques based on the underlying MCU and peripheral set. This blog discusses in particular how it can be done for iMx RT1020 based devices using the High Assurance Boot (HAB) mechanism as recommended by NXP.

NXP’s HAB uses the mechanism of asymmetric encryption to protect its firmware. To give a quick introduction to asymmetric encryption, it is essentially creating a pair of keys in a way that one of the keys can encrypt the message and other can decrypt the message (and vice versa). It is mathematically impossible to use the same key used for encryption to decrypt the message. Also, with increased key sizes, it will be highly resource consuming to decrypt a message without the other pair.

During the device provisioning process, the public and private key pairs are generated and private key is secured in the provisioning system. Hash for the public key is generated and stored in the device OTP area, which prevents further modification. In the code signing sequence, the firmware image is hashed and encrypted using the private key. The final image generated is comprised of the firmware image, its encrypted image along with the public key and the same is programmed on to the boot memory. During the bootup sequence, the HAB logic extracts the individual components of the signed image and validates to authenticity of the public key by comparing the computed hash and that stored in the OTP fuses. It is impossible to create public key such that the hash is same there by preventing any attempt of overriding the public key by external parties. Then it proceeds to calculate the hash of the firmware. It is compared with a hash generated by decrypting the encrypted hash using the public key. If it is a match, it proceeds to boot. If it fails in any of the place, the boot is aborted.

The device can be programmed using two methods: Device Boot and Secure Boot. The Device boot mode can be used during development purposes and secure boot for final programming. If the device is once programmed in Secure boot mode, it is not possible to revert back to Dev Boot mode and all further firmware has to be signed properly. The programming process is carried out by Flashloader tools such as- elftosb tool for boot image creation, Mfg tool for boot image programming.