Secure Boot: What You Need to Know (.PDF Download)

Jan. 29, 2018

In an increasingly connected world, online devices now reach into every facet of modern life. From automated cars to smartwatches to the phone in your pocket, the variety of form factors and the value of the data these devices contain have never been greater. Thus, the need to prioritize security in IoT-style embedded systems has rarely been more urgent.

Ensuring security in an embedded system necessarily involves Secure Boot as the first step. Here, we look at the variables involved and the best practice for implementing it, with a focus on one of the most popular processors in electronics, the i.MX6.

What is Secure Boot?

Secure Boot is the process by which your OS boot images and code are authenticated against the hardware before they’re allowed to be used in the actual boot process. The hardware is set up beforehand in such a way that it only authenticates code generated using security credentials you trust. In short, it ensures that the boot and OS software is the intended manufacturer version and hasn’t been tampered with by any malicious party or process.
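As an added illustration (not code from the article or from any vendor), the Python sketch below models that check: the hardware is provisioned once with a hash of the trusted public key, and at boot the image is run only if it ships with that key and a signature that matches the image. Assumptions: storing a key hash in the hardware is one common design rather than a description of the i.MX6's own format, textbook RSA over two Mersenne primes stands in for a real signature scheme, and all names are hypothetical.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Illustration only:
# unpadded textbook RSA stands in for the real signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the factory


def key_bytes(n, e):
    """Serialize a public key so it can be hashed and shipped with the image."""
    return n.to_bytes(144, "big") + e.to_bytes(4, "big")


def digest_int(data):
    """SHA-256 of the image as an integer, the value that gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def provision(n=N, e=E):
    """One-time hardware setup: record the hash of the trusted public key."""
    return hashlib.sha256(key_bytes(n, e)).digest()


def sign_image(image, n=N, d=D, e=E):
    """Factory side: bundle the image with the public key and a signature."""
    return {"image": image, "n": n, "e": e, "sig": pow(digest_int(image), d, n)}


def verify_and_boot(fused_hash, bundle):
    """Boot-ROM side: return a status string; only 'boot' runs the image."""
    # 1. The key shipped with the image must be the one the hardware trusts.
    shipped = hashlib.sha256(key_bytes(bundle["n"], bundle["e"])).digest()
    if shipped != fused_hash:
        return "reject: untrusted key"
    # 2. The signature must match the image that is about to run.
    if pow(bundle["sig"], bundle["e"], bundle["n"]) != digest_int(bundle["image"]):
        return "reject: bad signature"
    return "boot"


if __name__ == "__main__":
    fused = provision()
    good = sign_image(b"constructed kernel image v1")
    print(verify_and_boot(fused, good))
    print(verify_and_boot(fused, dict(good, image=b"modified image")))
```

The order of the two checks matters: a valid signature proves nothing until the key that made it has been tied back to the value held in hardware.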

In any single-use device, Secure Boot is an essential tool. This is especially the case in devices such as e-readers, which often integrate the i.MX6 processor (the i.MX6 Solo and DualLite have an integrated E-Ink display controller, for example). In such a device, the i.MX6 is intended specifically for reading e-books, rather than general computing. Having a locked-down Linux environment at boot is particularly useful in such applications.

Other situations, such as an Android phone, may be less black-and-white. Using Secure Boot would restrict end users from running custom ROMs, for example, which might be seen as a desirable situation for a manufacturer, or a major compromise. However, a good time to use Secure Boot is any case where you don’t want another party to load an operating system or a different bootloader onto your device.

For other integrated systems, such as IP cameras running Linux, you would be well-advised to use Secure Boot. That’s because any malicious boot code or operating-system software could lead to a situation where the device is made part of a botnet, or the cameras’ output is compromised.

Deep Dive: The i.MX6 Secure Boot Process

On the i.MX6, after creating your boot images, Secure Boot can be utilized once you generate a set of secure keys against an SSL certificate generated for this purpose.
