Embedded device-care Point of View - security
MaazPatni1
20 views
10 slides
Jul 19, 2024
Slide 1 of 10
1
2
3
4
5
6
7
8
9
10
About This Presentation
Embedded device-care POV- security
Slide Content
EMBEDDED DEVICE-CARE
POV- SECURITY
www.siliconsignals.io
POV- SECURITY
www.siliconsignals.io
www.siliconsignals.io
Securing embedded devices is crucial to protect sensitive data and
ensure their reliable performance, which is highly important in our
interconnected world.
High-level look at the security features to cure your Embedded products
such as
IOT
Consumer Avionics
Wearable
Automotive
Medical
Securing embedded devices is crucial to protect sensitive data and
ensure their reliable performance, which is highly important in our
interconnected world.
High-level look at the security features to cure your Embedded products
such as
IOT
Consumer Avionics
Wearable
Automotive
Medical
www.siliconsignals.io
These are potential areas worth exploring for embedded device security
Linux Kernel
Hardware extensions
File system
SOC features
Core features
CVEs, Updates (Signed OTA), Patching
These are potential areas worth exploring for embedded device security
Linux Kernel
Hardware extensions
File system
SOC features
Core features
CVEs, Updates (Signed OTA), Patching
Linux kernel
A lot can be written but one “drop” from the sea is discussed
ASLR - Address Space Layout Randomization - buffer overflow attack
Disabling /dev/mem access to physical memory (DEVMEM=n)
SELinux, AppArmor, Kernel Hardening, cgroup, SecComp
Kernel module signing - CONFIG_MODULE_SIG_* config
Kernel Self Protection Project
Linux Audit framework
Userspace process isolation
CONFIG_HARDEN_BRANCH_PREDICTOR
www.siliconsignals.io
A lot can be written but one “drop” from the sea is discussed
ASLR - Address Space Layout Randomization - buffer overflow attack
Disabling /dev/mem access to physical memory (DEVMEM=n)
SELinux, AppArmor, Kernel Hardening, cgroup, SecComp
Kernel module signing - CONFIG_MODULE_SIG_* config
Kernel Self Protection Project
Linux Audit framework
Userspace process isolation
CONFIG_HARDEN_BRANCH_PREDICTOR
www.siliconsignals.io
Linux kernel (continue ...)
Skipping the talk, see it your self in kernel config
www.siliconsignals.io
Skipping the talk, see it your self in kernel config
www.siliconsignals.io
www.siliconsignals.io
Hardware extensions
Adding TPM (Secure element) to the design - pkcs11
one can find the our patch of enabling of TPM on imx8 processor here
- https://github.com/Rutvij-dev/Security-TPM2.0-SPI-
imx8/blob/main/0001-Security-TPM2.0-Hardware-Support-
enable.patch
Disable JTAG interface or secure debug (NXP imx8)
Tamper detection
Encrypted data exchange on the physical bus (No probing)
Hardware based Crypto engines
Security key storage element
Resource Partitioning using sandbox - NXP imx8
Hardware extensions
Adding TPM (Secure element) to the design - pkcs11
one can find the our patch of enabling of TPM on imx8 processor here
- https://github.com/Rutvij-dev/Security-TPM2.0-SPI-
imx8/blob/main/0001-Security-TPM2.0-Hardware-Support-
enable.patch
Disable JTAG interface or secure debug (NXP imx8)
Tamper detection
Encrypted data exchange on the physical bus (No probing)
Hardware based Crypto engines
Security key storage element
Resource Partitioning using sandbox - NXP imx8
www.siliconsignals.io
File system
Filesystem Mount Options
secure mount options, such as "noexec" to prevent execution of
binaries on mounted file systems and "nosuid" to disable setuid and
setgid permissions, reducing the risk of privilege escalation.
DM_VERITY, DM_CRYPT, and DM_INTEGRITY
Encrypted Swap Space
Access controlled file system (cgroup, persmissions, namespace)
File system mounting with key comparison on the device(key matching)
fscrypt - Kernel space and user space
containerize i.e Docker
File system
Filesystem Mount Options
secure mount options, such as "noexec" to prevent execution of
binaries on mounted file systems and "nosuid" to disable setuid and
setgid permissions, reducing the risk of privilege escalation.
DM_VERITY, DM_CRYPT, and DM_INTEGRITY
Encrypted Swap Space
Access controlled file system (cgroup, persmissions, namespace)
File system mounting with key comparison on the device(key matching)
fscrypt - Kernel space and user space
containerize i.e Docker
www.siliconsignals.io
SOC & Core features
Secure Boot
High Assurance/Advance assurance boot - NXP imx8
FUSE blowing
Cryptographic Acceleration
Secure debug
Hardware Root of Trust
Cryptographic Accelerator and Assurance Module (CAAM) - NXP imx8
SECO - Security Controller - NXP -imx8
Encrypted “execute in place” (XIP) capability from QSPI
TrustZone and OP-TEE - (Trusted Execution Environment (TEE))
Verified Boot & Measured boot
SOC & Core features
Secure Boot
High Assurance/Advance assurance boot - NXP imx8
FUSE blowing
Cryptographic Acceleration
Secure debug
Hardware Root of Trust
Cryptographic Accelerator and Assurance Module (CAAM) - NXP imx8
SECO - Security Controller - NXP -imx8
Encrypted “execute in place” (XIP) capability from QSPI
TrustZone and OP-TEE - (Trusted Execution Environment (TEE))
Verified Boot & Measured boot
www.siliconsignals.io
References
https://www.timesys.com/webinars/Secure-by-Design-NXP-Webinar-
Series-Kernel-Hardening-and-Security.pdf
https://community.nxp.com/t5/Technology-Days-Training/i-MX-8-
Security-Overview-SECO-HAB-BOOT-Flow-ATF-xRDC-CST/ta-p/1117940?
attachment-id=88625
https://www.linux.com/training-tutorials/overview-linux-kernel-security-
features/
References
https://www.timesys.com/webinars/Secure-by-Design-NXP-Webinar-
Series-Kernel-Hardening-and-Security.pdf
https://community.nxp.com/t5/Technology-Days-Training/i-MX-8-
Security-Overview-SECO-HAB-BOOT-Flow-ATF-xRDC-CST/ta-p/1117940?
attachment-id=88625
https://www.linux.com/training-tutorials/overview-linux-kernel-security-
features/
www.siliconsignals.io
At Silicon Signals, our team has decade of experience designing secure
embedded system and has experience working on HSM, TPM, Secure boot,
hardware crypto Linux driver writing and many more...
Want to design a Secure Embedded product secure from all levels, connect
us for the expert solution.
www.siliconsignals.io [email protected]
Lets Connect
At Silicon Signals, our team has decade of experience designing secure
embedded system and has experience working on HSM, TPM, Secure boot,
hardware crypto Linux driver writing and many more...
Want to design a Secure Embedded product secure from all levels, connect
us for the expert solution.
www.siliconsignals.io [email protected]
Lets Connect
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 20
- Slides 10
- Age 500 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views