Intel® Makers
Intel® Edison, Intel® Joule™, Intel® Curie™, Intel® Galileo

Secure boot / signed firmware

RDrag
New Contributor I
3,203 Views

Hello everyone,

I was wondering if the Edison board supported any kind of secure boot. I'm looking for a way to make sure it only runs signed firmware or at least a guarantee that once flashed with our firmware, there's no (easy) way for an attacker to extract the firmware image. I'm not sure what tools would be used to extract an image from the internal flash memory, I just want to store some crypto keys in there and run the Edison as a trusted encryptor/decryptor.

Any ideas?

Thank you,

Razvan

0 Kudos
15 Replies
Pedro_M_Intel
Employee
219 Views

Hello drazvan,

The Edison uses Das U-Boot, so I believe it can't use secure boot, because it is a feature of UEFI, but it can use verified boot as a form of secure boot. Why don't you take a look at the following document for more details:

http://lwn.net/Articles/571031/ Verified U-Boot [LWN.net]

Peter.
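As an added illustration of the verified-boot approach the LWN article describes (this is example code written for this page, not Intel's, U-Boot's or any poster's), the script below writes a FIT image source with a signature node in the format documented in U-Boot's doc/uImage.FIT/signature.txt, and signs it with mkimage when that tool is installed. The kernel file name "bzImage", the x86 load/entry address, the key name hint "edison-dev" and the output paths are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel): write a U-Boot FIT image
# source with a signature node, in the format documented in U-Boot's
# doc/uImage.FIT/signature.txt, and sign it with mkimage when that tool exists.
# Placeholders: the kernel path "bzImage", the x86 load/entry address, the key
# name hint "edison-dev" and the output file names.

# Emit the FIT source. The hash node covers the kernel image; the signature
# node sits on the configuration and binds the kernel to it, so a signed
# kernel cannot be re-used inside an unsigned configuration.
write_signed_its() {
    cat > "$1" <<'EOF'
/dts-v1/;

/ {
    description = "Signed Edison kernel (example)";
    #address-cells = <1>;

    images {
        kernel {
            description = "Linux kernel";
            data = /incbin/("bzImage");
            type = "kernel";
            arch = "x86";
            os = "linux";
            compression = "none";
            load = <0x100000>;
            entry = <0x100000>;
            hash-1 {
                algo = "sha256";
            };
        };
    };

    configurations {
        default = "conf-1";
        conf-1 {
            description = "Boot signed kernel";
            kernel = "kernel";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "edison-dev";
                sign-images = "kernel";
            };
        };
    };
};
EOF
}

# Sign the FIT and embed the public key in U-Boot's control DTB. "-r" marks
# the key as required, so configurations without a valid signature are
# rejected. mkimage expects the private key at <keydir>/edison-dev.key and
# its certificate at <keydir>/edison-dev.crt. Returns 2 when mkimage is not
# installed, so the caller can tell that apart from a signing failure.
sign_fit() {
    its="$1"; keydir="$2"; uboot_dtb="$3"; out="$4"
    command -v mkimage >/dev/null 2>&1 || return 2
    mkimage -f "$its" -k "$keydir" -K "$uboot_dtb" -r "$out"
}

# Check that the source carries a configuration signature, not only image
# hashes: hashes alone protect against corruption, not against a replaced
# kernel.
its_has_config_signature() {
    grep -q 'signature-1' "$1" && grep -q 'sha256,rsa2048' "$1" && grep -q 'sign-images' "$1"
}

# Stand-alone run: write the source into a temp dir and validate it.
tmp=$(mktemp -d)
write_signed_its "$tmp/kernel.its"
its_has_config_signature "$tmp/kernel.its" && echo "FIT source with config signature written to $tmp/kernel.its"
rm -rf "$tmp"
```

The `-K` step is where the root of trust lands: the public key goes into U-Boot's own control device tree, and U-Boot then refuses configurations it cannot verify with that key. Whether that helps depends on where that device tree lives; if the bootloader image itself sits on storage that can be rewritten, replacing the key is as easy as replacing the kernel, which is why the question of where the public key is stored matters more than the signing step.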

RDrag
New Contributor I
219 Views

Thank you Peter! I've taken a quick look, will need to check how it applies to the Edison (especially where we would need to put our public key - the root of trust).

However, I think what we're looking for is a way to make sure keys cannot be _extracted_ from the board. We don't want to prevent the users from reflashing the board with their own firmware, we just want to make sure they can't extract the one we flash (that contains our keys).

Is there any way for users to extract the current firmware (without booting it up)? JTAG maybe or access to the console?

Thanks,

Razvan

Pedro_M_Intel
Employee
219 Views

Hello drazvan,

The Edison doesn't have JTAG, but let me investigate a little bit further about this. If I find something about this I will post it here.

Peter.

AT9
Honored Contributor II
219 Views

As far as I can see from the BSP sources, there are three levels - basic firmware (so called IFWI), U-Boot and the OS itself. The latter two are stored on the eMMC and are accessible both from Linux (you can mount and/or dump the respective partitions) as well as from the U-Boot console (which is much more limited than Linux, but still you could dump or overwrite the partitions). So it looks like storing a key there wouldn't be a good idea.

IFWI is a true "firmware" here, but AFAIU (and this presentation sort of confirms: https://intel.activeevents.com/sf14/connect/fileDownload/session/210DAAEA9629A64A85EF96815CF78A67/SF...), it's distributed in a binary form, so you can't modify it. I'm not sure where it's stored either. The same presentation mentions the Trusted Boot ROM, though I haven't seen actual support notes in either of the release notes, so maybe it's saved for later or requires some sort of NDA, I'm not sure.

That's what I understand about the layout, FWIW. Let's see what Peter finds on that in addition.

RDrag
New Contributor I
219 Views

Thank you Alex, Peter, I guess I'll wait to see what Peter finds. If the partitions can be dumped from U-Boot (and access to U-Boot cannot be authenticated), you are correct, we can't really store the keys there.

Is there some sort of secure storage that can only be read from Linux (where we can authenticate it) and not U-Boot? A quick alternative would be to store the keys in RAM (of course, making sure they're not swapped to disk), and even then I'm not sure if RAM is cleared on reboot (and cannot be read from U-Boot).

ALitt2
New Contributor I
219 Views

IFWI gets written to one or both boot partitions in the eMMC. These partitions don't appear in the whole block device (/dev/mmcblk0), and under Linux are accessed under /dev/mmcblk0boot0 and /dev/mmcblk0boot1.

AT9
Honored Contributor II
219 Views

Yep, that's correct, just haven't had the board at hand to check at the time.

So generally speaking everything we know about is being read off of the eMMC and as such can be rewritten from Linux and most probably from U-Boot console as well (I haven't tried, but it has access to the very same eMMC and has functionality of reading files and writing them to eMMC at arbitrary places, so all the pieces are available).

But there is that Trusted ROM mentioned in the presentation and I would guess it's not a random term just thrown in there - so there's hopefully some mechanism one could use. Let's see what Peter finds out.
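The two posts above establish that IFWI lives in the eMMC hardware boot partitions (/dev/mmcblk0boot0 and /dev/mmcblk0boot1) and that everything on the eMMC can be read and rewritten from Linux. As an added example for checking that from a defender's side (written for this page, not code from the thread or from Intel), the script below walks the sysfs view of those partitions and reports whether the kernel's soft write-protect is set. It assumes the Linux mmc block driver's sysfs layout /sys/block/<dev>/{size,ro,force_ro}, and takes the sysfs root as a parameter so it can run against a constructed tree instead of a live board.

```shell
#!/bin/sh
# Added example: inventory eMMC hardware boot partitions as exposed through
# sysfs and report whether the kernel's soft write-protect (force_ro) is set.
# Assumes the Linux mmc block driver layout /sys/block/<dev>/{size,ro,force_ro}.
# SYSROOT lets the check run against a constructed tree instead of the live /sys.

# Print one line per boot partition: name, size in KiB, write-protect state.
# Returns 0 if every boot partition is soft write-protected, 1 if any is
# writable, 2 if no boot partitions were found.
mmc_boot_partition_report() {
    sysroot="${1:-/sys}"
    status=0
    found=0
    for d in "$sysroot"/block/mmcblk*boot*; do
        [ -d "$d" ] || continue
        found=1
        name=$(basename "$d")
        sectors=$(cat "$d/size" 2>/dev/null || echo 0)
        kib=$((sectors / 2))            # sysfs "size" is in 512-byte sectors
        force_ro=$(cat "$d/force_ro" 2>/dev/null || echo unknown)
        if [ "$force_ro" = "1" ]; then
            state="soft-write-protected (force_ro=1)"
        else
            state="WRITABLE (force_ro=$force_ro)"
            status=1
        fi
        # force_ro only gates writes and can be cleared again by root; reading
        # the block node is unaffected, so this is an integrity aid against
        # accidental overwrite, not a confidentiality control for firmware or
        # keys stored there.
        printf '%s\t%s KiB\t%s\n' "$name" "$kib" "$state"
    done
    if [ "$found" -ne 1 ]; then
        echo "no mmc boot partitions found under $sysroot" >&2
        return 2
    fi
    return "$status"
}

# Constructed fixture (not a real board): two 4 MiB boot partitions, the
# second with the kernel's default write-protect cleared.
make_fixture() {
    root="$1"
    for p in mmcblk0boot0 mmcblk0boot1; do
        mkdir -p "$root/block/$p"
        echo 8192 > "$root/block/$p/size"      # 8192 sectors = 4 MiB
        echo 0 > "$root/block/$p/ro"
    done
    echo 1 > "$root/block/mmcblk0boot0/force_ro"
    echo 0 > "$root/block/mmcblk0boot1/force_ro"
}

# Stand-alone run: build the fixture in a temp dir and report on it.
fixture=$(mktemp -d)
make_fixture "$fixture"
mmc_boot_partition_report "$fixture" || echo "at least one boot partition is writable"
rm -rf "$fixture"
```

On a real board you would call `mmc_boot_partition_report` with no argument so it reads the live /sys. The report is deliberately one-sided: a clean result means the boot partitions are not casually writable, and nothing more. It says nothing about who can read them, which is the property the original question is about.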

Pedro_M_Intel
Employee
219 Views

Hi alitt,

I have been researching about secure boot on Edison, however it seems it is not available and not currently supported.

Peter.

sk23
New Contributor II
219 Views

Hi Peter,

Is there any date for a secure boot release, or any planned date for a secure boot release?

Please let me know the details.

srinivas

Pedro_M_Intel
Employee
219 Views

Hi IoT_srinivas,

Unfortunately no, as I mentioned in my previous post, secure boot is not implemented on Edison and is not supported at this time.

-Peter.

sk23
New Contributor II
219 Views

Hi Peter,

Is there any support for how to add secure boot on Yocto Linux?

Could you please provide some reference for secure boot.

Pedro_M_Intel
Employee
219 Views

Hi IoT_srinivas,

In order to implement secure boot on Edison, information that is processor-specific is required. Unfortunately that information is not publicly available, therefore it is not possible to implement it at the moment.

-Peter

sk23
New Contributor II
219 Views

Thank you Peter.

We can't simply escape from the client. Please provide any alternate solution.

Is there any loyalty for extra support from Intel or a third party? We are ready for that.

Finally, we need support or a solution for the issue.

sk23
New Contributor II
219 Views

Hi All,

Can anyone provide a solution for the above query (secure boot on Edison)?

We can't simply escape from the client. Please provide any alternate solution.

Is there any loyalty for extra support from Intel or a third party? We are ready for that.

Finally, we need support or a solution for the issue.

Pedro_M_Intel
Employee
219 Views

Hi IoT_srinivas,

As I mentioned, secure boot was not implemented on Edison and it is not supported. Unfortunately, we cannot continue to assist you regarding an implementation of secure boot on the Edison, as the information required for this procedure is not publicly available. We apologize for the issues this might cause.

-Peter.
