Hardware Security – Trusted Secure Boot


Hardware platforms are getting more and more complex, and as a side effect firmware has been given more functionality and controls more of the system than before. It is therefore crucial to maintain the integrity of the onboard firmware to ensure the security of the data passing through the system. AEWIN has leveraged its experience from specialized sectors where tamper resistance and firmware recovery are required.

What is Hardware Root of Trust?
A hardware root of trust (HRoT) is a security feature that is built into the hardware of a computing device. It is the foundation on which all secure operations of a computing system depend. It contains the keys used for cryptographic functions and enables a secure boot process. These keys are used to verify the authenticity of the device’s firmware and software, and to protect the device from unauthorized access.

Advantages of Trusted Secure Boot
Trusted Secure Boot (TSB) is a security feature that uses HRoT to verify the authenticity of the device’s firmware before it is loaded. This helps to protect the device from malware and other threats that can be injected into the firmware during the boot process.

TSB offers a number of advantages, including:

  • Improved security: TSB helps to protect the device from malware and other threats that can be injected into the firmware during the boot process.
  • Reduced risk of unauthorized access: TSB helps to reduce the risk of unauthorized access to the device by ensuring that only trusted firmware and software are loaded.
  • Improved performance and reliability: TSB can help to prevent unauthorized changes to the device’s firmware, which can lead to performance problems and system crashes, and hence improves the performance and reliability of computing devices. It can also help businesses to comply with various security regulations and standards.

AEWIN Trusted Secure Boot Family
AEWIN launches the OT004/OT006 family of Trusted Secure Boot Modules for increased firmware resilience to guard against tampering and data corruption. This is part of AEWIN’s push for a hardware system root of trust for our network and edge computing systems. We have leveraged our experience from specialized sectors where tamper resistance and firmware hardening are required.

OT004/OT006 modules are the first link in the root of trust security chain we’ve devised to increase firmware resiliency. They are self-contained modules equipped with an FPGA running AEWIN Trusted Secure Boot firmware, isolated from the rest of the system to reduce the possible attack surface. The onboard logic identifies and authenticates the digital signatures of the firmware inside the system. If an anomaly is found, the module can either perform automated firmware recovery or hold the boot sequence and alert the system administrators. The default behavior is programmable and can be adjusted by the administrator during the setup of the module.

To prevent tampering, the golden image stored on-board is locked from changes. Any firmware update or unauthorized change made without first updating the module is overwritten, restoring the firmware to the previously known good state. Several layers of security and algorithms prevent an attacker from brute-forcing the module to compromise the system. Likewise, the module protects itself from attacks and unauthorized updates with several layers of security.
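The verify-then-recover-or-hold behavior described above, as an added Go model written for this page; it is not AEWIN’s module firmware. It assumes Ed25519 as the signature scheme (the page does not name one), and the `Module`, `Policy` and `NewDemoModule` names and the sample image are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Policy is the module's configured response to a failed authentication.
type Policy int

const (
	PolicyRecover Policy = iota // restore the locked golden image and continue
	PolicyHold                  // hold the boot sequence and alert the administrator
)

// Module is a simplified model of the TSB module: the public key it trusts,
// the read-only golden image with its signature, and the failure policy.
type Module struct {
	TrustedKey ed25519.PublicKey
	Golden     []byte // locked golden image, never written by the host
	GoldenSig  []byte
	Policy     Policy
}

var ErrHold = errors.New("boot held: active firmware failed authentication; admin alerted")

// Boot authenticates the active image and returns the image allowed to run.
func (m Module) Boot(active, activeSig []byte) ([]byte, error) {
	if ed25519.Verify(m.TrustedKey, active, activeSig) {
		return active, nil // signature valid: boot the active image as-is
	}
	if m.Policy == PolicyHold {
		return nil, ErrHold
	}
	// Recovery path: re-verify the golden image before trusting it, so a
	// corrupted recovery store is held rather than booted.
	if !ed25519.Verify(m.TrustedKey, m.Golden, m.GoldenSig) {
		return nil, errors.New("golden image failed authentication; boot held")
	}
	return m.Golden, nil
}
// NewDemoModule builds a module around a freshly generated key pair and a
// constructed sample golden image (hypothetical data, not a real firmware image).
func NewDemoModule(p Policy) (Module, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	golden := []byte("CONSTRUCTED-GOLDEN-FIRMWARE-v1")
	return Module{pub, golden, ed25519.Sign(priv, golden), p}, priv
}
```

A flipped byte in the active image with the original signature attached is enough to fail verification, which is the case the recovery and hold policies exist for.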

OT004A, OT004B and OT004C are designed for BMC onboard systems, Intel systems and AMD systems respectively, providing root of trust functionality starting at the BIOS. OT006 support is being integrated into many of our products, delivering BMC firmware as well as BIOS resiliency by protecting against data corruption and tampering.

Attacks that physically manipulate the firmware used for hardware initialization during the boot process can invalidate many of the common secure boot features that are considered industry standard. By implementing a trusted secure boot HRoT that verifies the code signatures of critical boot entities, the AEWIN OT004/OT006 modules become a first line of defense ensuring overall system integrity. Please let us know if you have any questions or comments about integrating firmware security into your next AEWIN systems. Our friendly sales team can help you secure your next AEWIN platforms.