Security Aspects for COM-based IoT Systems

Peter EckelmannProduct Marketing Manager, Embedded Boards & Modules

Introduction | x86 Hardware - BIOS | ARM Hardware - Bootloader | Conclusion |Introduction

3

Security is highly important for the safe and reliable operation of IoT connected devicesSecurity is one of the backbones of the IoT and requires attention from the beginningSecurity must start in the core of the processing elements and in the first step of firmware (not software) operation

Introduction

4

• IoT = large numbers of interconnected devices • “A chain is only as strong as its weakest link”• Unsecured devices connecting to the Internet = potential risk• In 2013, a researcher at Proofpoint, an enterprise security

firm, discovered the first IoT botnet− According to Proofpoint, more than 25 percent of the botnet was

made up of devices other than computers, including smart TVs, a refrigerator and other household appliances

• For IoT, security is of paramount importance!• Percentage of security breaches involving end-user devices

doubled year-on-year (Verizon/US Secret Service)

Security Risks of IoT

5

• Malware− Rootkits, trojans, viruses, worms, keyloggers, bots,...− Risk enhanced by rich & open OS− Countermeasures: trusted execution, high assurance boot

• Hacking− Reverse engineering, brute force− Countermeasures: secure storage, secure debug, encryption

• Physical attack− Bus snooping, glitching− Countermeasures: secure storage, tamper detection

Threats

Introduction | x86 Hardware - BIOS | ARM Hardware - Bootloader | Conclusion |X86 Hardware & BIOS

77

Key Features• Highest Performance• Intel® Core™ i7-4700EQ (quad-core)• Intel® Core™ i5-4400, i5-4402, i3-4100, i3-

4102, Celeron 2000E and 2002E (dual-core)• Intel® HD Graphics 4600• Up to 16GB DDR3L SDRAM, dual channel • Supports digital display interfaces DisplayPort/

HDMI/DVI/eDP and USB3.0 (on Type 6) • Supports legacy interfaces PATA, PCI (on

Type 2)• LVDS (24 Bit, dual channel) and VGA

interface • Triple independent display support • Resolution up to 3800 x 2400• Basic Format (95mm x 125 mm)

Intel® Haswell Type 6 / Type 2

Typical COM Module based on x86MSC C6B-8S / CXB-8S

MSC COM Express Type 6 “Haswell”Block Diagram

99

Embedded SecurityMSC’s Trusted Embedded Computing Initiative

• The Goal: Enabling safer Embedded Solutions

• Protection against:− tampering− illegal copying of data and software− cloning of complete systems

• Based on open Standards− Trusted Computing Group

• Based on well-known components• 3rd Party Software Stacks and drivers • Customer can choose from a growing

variety of OSs and Applications

embedded

secur it y

1010

Embedded SecurityTrusted Embedded Computing Architecture

• Latest security technologies developed for secure computing− prohibiting theft or loss of sensitive data (notebooks)− enabling secure data exchange over the internet, e-commerce, DRM, …

• Based on TCG (Trusted Computing Group) standards− fully TCG compliant security solutions

• Infineon TPM 1.2• AMI Aptio® V BIOS with SecureBoot based on UEFI standard• Infineon Software Package for Windows and Linux• Microsoft Windows “Bitlocker” compliant

1111

Embedded SecurityTrusted Platform Module (TPM)

• Infineon SLB 9660 1.2− TCG 1.2 compliant trusted platform module− Security architecture based on Infineon SLE66CXxxPE security

controller family− 16-bit microcontroller in CMOS technology− TCG 1.2 compliant embedded software− EEPROM for TCG firmware enhancements and for user data and keys− Advanced Crypto Engine (ACE) with RSA support up to 2048 bit key length− Hardware accelerator for SHA-1 hash algorithm− True Random Number Generator (TRNG)− Tick counter with tamper detection used for time stamps− Protection against “Dictionary Attack”− Protection shield and sensors inside chip

1212

Embedded SecurityTrusted Platform Module (TPM)

• Block Diagram

• Similar to Smart Card chip− Field proven security

1313

Embedded SecurityTrusted Platform Module (TPM)

• Endorsement Key− Unique pair of private/public keys (2048 bit)− Foundation of platform unique identification

and key generation• Infineon Software Features− TPM Professional Package availableo Supports Windows 7, Windows 8.1,

Windows Server o Linux driver supporto TSS software stack compliant to TCG specificationso TPM Cryptographic Service Provider (CSP)o Infineon's desktop management software for policy enforcement and security

feature managemento Backup of migrateable keys

1414

Embedded SecurityAMI Aptio® UEFI BIOS Firmware

• AMI Aptio V UEFI BIOS Firmware supports Trusted Boot based on TPM security features

• AMI Aptio V contains full TPM support− Initialization− Trust measurement during boot process− “Chain of trust” from the very beginning− En-/disabling TPM device in Setup program− Full support of TCG specifications− Protected update policy (SecureFlash according to NIST SP 800-147)

1515

Embedded SecurityChain of Trust

• AMI Aptio® V supports “Chain of Trust” according to TCG

− From power-on every step is monitored

− CRTM (Core root of trust for measurement) is essential

− Hash values in TPM are compared to actual values of SW modules

− Boot process stops if integrity of one chain link is doubtful

− Root of Trust cannot be modified− SecureFlash update tool allows

signed update files only

Distributed/Network Apps

Apps

OS Drivers

OS Kernel

Boot Loader

“Root of Trust”(CRTM)

TPM

BIOS (POST Phase)

“Chain of Trust”

Boot Block

Option ROMs

1616

Embedded SecurityAuthenticated Boot

• CRTM and TPM during the boot process

BIOS

measuresROMs

measures

measures

measures

sends Value sends Value

sends Value

OS Loader

OS

Other SoftwareComponents

Other SoftwareComponentsOS ComponentsOther SoftwareComponents

Other SoftwareComponentsOS Components

Execution OrderBuilding Chain of Trust

1717

Embedded Security Operating Systems

• Windows 7 / 8.1− Integrated TPM Serviceso To be used by 3rd party applications

− Secure Startup (Bitlocker)o Full encryption of boot partitiono Keys stored in TPM

− TPM Administrative Tools− Key Storage Provider

Introduction | x86 Hardware - BIOS | ARM Hardware - Bootloader | Conclusion |ARM Hardware & Bootloader

1919

Freescale® ARM Cortex-A9 i.MX6

Key Features• Freescale™ i.MX6 ARM® Cortex™-A9

quad-core, dual-core or single-core CPU• MPEG-4 Video Encoding/Decoding 1080p

HDMI graphics 1920 x 1080 x 30fps Dual-channel LVDS 1920 x 1080 x 30fps (also usable as two sep. LVDS channels)

• Up to 4GB DDR3 DRAM• Up to 32GB eMMC Flash Memory• PCI-Express x1• SATA-II (3Gbps, quad-/dual-core only)• USB 2.0 Host / Device• BT.656 Camera, MIPI_CSI-2

Typical COM Module based on ARMMSC Q7-IMX6

MSC Qseven IMX6

GbitLAN

Feature Connector

Audio

Ethernet 10/100/1000

PCI Express x1

Qse

ven

Conn

ecto

r (M

XM-2

30)

Freescale

i.MX6

SoloDualQuad

HDMI

USB Hub(opt.)

USB Host/Device

6x USB 2.0

I2C, SMBus, SPI

SPI UART MIPI CSI-2

BT.656 CAM

DDR3DRAM

eMMCFlash

USB 2.0

Dual-channel LVDS

CAN

SATA

Block Diagram

21

• Trusted Execution− Isolates execution of critical SW from possible malware− TrustZone Secure & Normal Worlds (processor modes)− Hardware firewalls between CPU & DMA masters

and memory & peripherals• High Assurance Boot

− Authenticated boot: prevents unauthorized SW execution− Encrypted boot: protects SW confidentiality− Digital signature checks embedded in on-chip boot ROM− Run every time processor is reset

• HW Cryptographic Accelerators− Symmetric: AES-128, AES-256, 3DES, ARC4− Message Digest & HMAC: SHA-1, SHA-256, MD-5

i.MX6 Trust Architecture Features

22

• Secure Storage− Protects data confidentiality and integrity− Off-chip: cryptographic protection including device binding− On-chip: self-clearing Secure RAM− HW-only keys: no SW access

• HW Random Number Generation− Ensures strong keys and protects against protocol replay− On-chip entropy generation− Cryptographically secure deterministic RNG

• Secure Clock− Provides reliable time source− On-chip, separately-powered real-time clock− Protection from SW tampering

i.MX6 Trust Architecture Features (cont’d)

23

• Secure Debug− Protects against HW debug (JTAG) exploitation for:

o Security circumventiono Reverse engineering

− Three security levels + complete JTAG disable• Tamper Detection

− Protects against run-time tampering− Monitoring of various alarm sources:

o Debug activationo External alarm (e.g. cover seal)o SW integrity checkso SW alarm flags

− HW and SW tamper response

i.MX6 Trust Architecture Features (cont’d)

24

i.MX6 Trust ArchitectureOverview

25

• High Assurance Boot ensures the boot sequence:− Uses authentic SW− Remains confidential (if required)− Establishes a “known-good” system state

• High Assurance Boot protects against:− Platform re-purposing− Rootkits and similar unauthorised SW designed to

o harvest secretso circumvent access controls

− Offline SW reverse engineering (if required)

High Assurance Boot Purpose

26

High Assurance Boot Operation

27

High Assurance Boot Encrypted

28

Your Innovative Partner

RuggedStandard Systems

Fanless

Verification

Building Blocks

System Design

ExperiencedLong term availability

3D Design

Semi Custom

Cooling-concepts

Approvals

MSC Technologies. Engineering Leadership

T H A N K Y O U