High Assurance Booting (HAB) on i.MX6
Security is an inevitable word which we heard in our day to day life. Technologies without security are technologies without “trust” for many of us. We all know how security plays an important role in our life starting from working place to social chat. Even Embedded Systems should implement security to prevent un-authorized access to the sensitive data. How we can assure i.MX6 platforms can only boot with authorized images? Let’s have a look into the cool stuff named High Assurance Booting (HAB) which makes the booting images secure and simple.
Digital Security becomes unavoidable part of our life since from its birth. This case is not different for even any embedded systems, especially if it dealing with sensitive data. Many embedded devices which are using for bank dealings, defense, medical, industrial and automotive filed strictly implementing security.
Almost all embedded systems are working based on the certain instructions given through flashed images. Imagine if a hacker can flash his own instructions to an embedded device, then he can take full control on what need to be done on that device. If the device is using for bank purpose, then hacker will get all details including the passwords! This scenario becomes even worse if the device is using for defense or medical field. How we can prevent this case? Well the answer is not quite simple!
Embedded system OS images can flash from different mediums such as MMC, SD card, SATA, Ethernet etc. Implementing security checking on the medium will be difficult since mediums such as SD card can be easily replace one to another. Moreover, one can alter the OS images after flashed into these mediums. So, implementing a security check only before flashing the image will not be sufficient to address this issue. Then how we can implement a security check for making sure our OS images are well secure? The answer is HAB (High Assurance Boot).
Freescale provided HABv4 (latest HAB version 4) as an optional feature in i.MX6Q processor. HAB is part of Freescale security block and can work with other security features such as CAAM and TrustZone.
The advantage of using HAB includes but not limits to the following:
- HABv4 implements boot ROM level security which cannot alter once it fused.
- Security checks before images are taking control of the system.
- Allow multiple root keys.
- Make use of digital signature – most efficient way to secure the OS images.
- Appending security directly to the OS images without affecting the OS image functionalities.
- Processor level checking with OS images validation gives complete assurance of the secure booting.
How HAB works?
HAB based on the principle of digital signature. Digital signature makes the content into secure through signing the content context. This signing process shall incorporate more than one security algorithm to strengthen the final outcome.
HAB digital signature is combination of open-ssl certification, MD5 hashing and RSA-AES-DES public and private key checks.
HAB ensure security by making both boot loader (u-boot) as well as OS image (uImage) into signed images. These signed images contain normal image content and security instructions. These images also contain the public key and private key too. During HAB process, the public key hash code which derived from the combination shall fuse into the boot ROM code of i.MX6 processor. This fusing make the platform more secure and cannot be altered later.
During the booting time, first the initial parameters of boot process shall take into boot ROM code from the flash medium (say SD card). Then the HAB instructions will examine the hash values which present inside the boot ROM and signed images. When these two hash values matches, then HAB process allow the platform to boot the images. Else the system shall stop all the process and wait for the authorized images.
In this way, the system shall protect from un-authorized access, even somebody changes the signed images at later stage (this eventually change the hash value of the image and hence failed during the run-time check).
iWave has successfully implemented the HAB in our i.MX6Q iW-RainboW-G15D-Q7 Linux platform and validated the HAB to know how it can secure the platforms. However HAB is not part of the standard BSP delivered as a part of development platform purchase or module purchase. This is available only on special request.
HAB is one of the best solutions to prevent un-authorized access to the OS images. Embedded systems which are dealing with sensitive data (banking, defense etc.) should in-corporate HAB to prevent from taking control of the whole system by external sources. Though HAB is optional feature in i.MX6 platforms, it would be recommended to implementing it for making the booting process more secure.
- AN4581_HAB_Application_Note.pdf - Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4 Application Note
- i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf - i.MX 6 Linux High Assurance Boot (HAB) User's Guide
Ajith P V
Senior Engineer- Software
iWave Systems Technologies Pvt. Ltd.