Support of Secure Boot with netX90

Secure boot is used to prevent untrusted firmware from being executed on the netX90.

The netX 90 provides built-in security features based on a hardware root of trust. The security features are handled by the netX 90 ROM code, which includes:

  • management and protection of the security configuration

  • enabling secure boot via signature verification of the executed firmware

The security configuration required by the ROM code shall be stored in the built-in secure flash memory of the netX90. The security configuration includes:

  • protection options which determine the level of security enforced by the ROM code

  • the keys which are used for signature verification when secure boot is enabled

  • device data which can be used for optional signature binding

Prerequisites

The following prerequisites must be met in order to enable and use the secure boot feature on the netX90 (each entry lists the prerequisite, its details and the explanation):

netX90 Hardware
  Details: requires the netX 90 series with date code 1910 or later. If an NXHX 90-JTAG board is used, hardware revision 4 or higher is required.
  Explanation: ROM code changes are needed to support the secure boot functions.

Hardware and Maintenance configuration files (HWC / MWC)
  Details: Signed "BootSwitcher" code shall be added to the HWC / MWC. Use netX Studio CDT and/or the netX 90 Tool Collection (see below).
  Explanation: The "BootSwitcher" code is required to support the secure reset and firmware update process.

Maintenance Firmware (MFW)
  Details: Version V2.1.0.0 or later is required.
  Explanation: Newer maintenance firmware supports the signed firmware update container ("fwupdate.nxs" files), performs signature verification before firmware installation, and supports reset on a system with secure boot activated.

The main component for firmware updates and firmware signature verification is the Maintenance Firmware (MFW).

A firmware download can be performed either by a running firmware or via the maintenance firmware. The firmware installation (copying the firmware to the executable area) is only done by the MFW, because only the maintenance firmware has write access to the area where the firmware is stored for execution.

If the system is in secure boot mode, the MFW first checks whether the update container is an NXS file (a special kind of zip container) before starting the verification process. The file signature is verified against the key stored in the built-in secure flash memory. Only if this verification succeeds is the new firmware installed (copied to the flash execution area of the netX90).

Compatible netX90 loadable firmware

The loadable firmware variants for the netX90 were updated with new functions, e.g.:

  • support for the required reset handling in a secure boot enabled system

  • support for the signed firmware update container ("fwupdate.nxs" file)

  • the loadable firmware variants which support firmware update via the integrated web server accept the signed firmware update container ("fwupdate.nxs" file)

All netX90 firmware use cases A, B, C and variants support firmware signing for secure boot.

The loadable firmware variants for the netX90, starting from the firmware releases in the following list, can be used with secure boot:

Getting Started documentation

Hilscher provides comprehensive tool support for testing and activating secure boot in netX90-based products, as well as a collection of tools required to support the series production process.

netX Studio CDT

most recent version is provided here

The netX Studio CDT (C/C++ Development Tooling) is an Eclipse-based IDE (Integrated Development Environment) for Hilscher netX SoCs.

The tools from the netX Tool Collection are integrated into netX Studio CDT and provide user guidance during the development process.

The documentation "netX Studio CDT for netX 90 development" provides detailed descriptions and step-by-step guides, particularly for secure boot:

  • see chapter "Built-in Security" for basic information about the secure boot functions of the netX90

  • see chapter "Security" of the "netX90 application tutorial", which explains the steps involved in enabling secure boot and how to set up the application project for the netX 90 to run in secure boot mode

  • see chapter "Security Tools", which describes how to

    • prepare the Security Configuration,

    • use the Signing Tool for signing the required files,

    • generate test keys for testing purposes

netX 90 Tool Collection

most recent version is provided here

The netX Tool Collection is provided to enable users to create and flash software and configuration to the netX 90 device. Furthermore, it allows signing configuration files and software to enable secure boot on the device.

The documentation https://hilscher.atlassian.net/wiki/spaces/DL/pages/77740759 provides a detailed description of the tools and their usage options. The tools provide a command-line interface and can be used to support the series production process.

Basic workflow to enable secure boot

In order to enable secure boot on a netX90 device, the principal workflow is as follows (each step lists the activity, the required files and the tool):

  1. Generating the firmware and master keys
     Required files: none
     Tool: netX Studio → Generate Test Keys

  2. Loading the keys into the flash memory
     Required files: public firmware and master keys
     Tool: netX Studio → Security Configuration

  3. Signing the files for secure boot
     Required files: .mwc / .hwc / .mxf / .nxi / .nxe / .nai / private firmware key
     Tool: netX Studio → Signing Tool

  4. Flashing the signed files
     Required files: signed files (.mwc / .hwc / .mxf / .nxi / .nxe / .nai)
     Tool: netX Studio → Flasher

  5. Enabling secure boot
     Required files: private firmware key
     Tool: netX Studio → Security Configuration

  6. Updating a netX90 device with an .nxs file
     Required files: .nxs file (signed FWUPDATE.zip)
     Tool: standard web browser

Further activities (activity, required files and tool):

  • Create and/or export a security configuration with a connection to the device
    Required files: private master key
    Tool: netX Studio → Security Configuration

  • Import a security configuration
    Required files: .usp security configuration
    Tool: netX Studio → Security Configuration

  • Create and export a security configuration without a connection to the device
    Required files: public firmware and master keys
    Tool: netX Studio → Security Configuration

  • Disabling secure boot
    Required files: private firmware key
    Tool: netX Studio → Security Configuration

  • Signing a .usp security configuration file
    Required files: private master key
    Tool: netX Studio → Security Configuration