For operating systems booting from external SPI flash memory, Microchip Technology has introduced its latest cryptography-enabled microcontroller (MCU) to protect against malicious rootkit and bootkit malware, enabling secure boot with hardware root of trust protection that complies with NIST 800-193 guidelines.
With growth in 5G, including new cellular infrastructure, networks and data centers supporting expanding cloud computing, developers will need to ensure operating systems remain secure and uncompromised. Rootkit malware loads before an operating system boots and can hide from ordinary anti-malware software, making it very difficult to detect; one way of defending against rootkits is with secure boot. Secure boot with hardware root of trust is critical in protecting the system against threats before they can load into the system, and only allows the system to boot using software trusted by the manufacturer.
Microchip’s new CEC1712 MCU, its third-generation device based on an Arm Cortex-M4, together with its Soteria-G2 custom firmware, is designed to detect and stop malicious firmware before run time, allowing designers to adopt and implement secure boot quickly. Soteria-G2 uses the CEC1712 immutable secure bootloader, implemented in Read-Only Memory (ROM), as the system root of trust.
In a briefing, Jeannette Wilson told embedded.com, “We’re targeting anything that can boot from an SPI flash. The CEC1712 has significant hardware cryptography built into the device which can save a lot of code space, anything up to 15k of code. This enables much faster operation, so for example all verification can be done in less than 70ms.”
While it blocks malware during pre-boot in 5G and data center operating systems, Microchip’s CEC1712 and Soteria-G2 combination is also a security enabler for connected autonomous vehicle operating systems, automotive advanced driver assistance systems (ADAS) and other systems that boot from external SPI flash.
In addition to providing secure boot with hardware root of trust protection in a pre-boot mode for operating systems booting from external SPI flash memory, the CEC1712 provides key revocation and code rollback protection during operating life, enabling in-field security updates. This is important for compliance with NIST 800-193 platform firmware resiliency guidelines, which stipulate that protection, detection and recovery mechanisms are in place for:
- ensuring that platform firmware code and critical data remain in a state of integrity and are protected from corruption, such as the process for ensuring the authenticity and integrity of firmware updates.
- detecting when platform firmware code and critical data have been corrupted or otherwise changed from an authorized state.
- restoring platform firmware code and critical data to a state of integrity in the event that any such firmware code or critical data are detected to have been corrupted, or when forced to recover through an authorized mechanism. Recovery is limited to the ability to recover firmware code and critical data.
Wilson said key revocation is important when an OEM gets hacked – if private keys get taken and new keys issued, previous keys need to be rejected. “This sounds obvious, but more difficult than it sounds, since the issue is how to introduce new keys and reject keys that have been signed.”
The CEC1712 secure bootloader loads, decrypts and authenticates the firmware to run on the CEC1712 from the external SPI flash. The validated CEC1712 code subsequently authenticates the firmware stored in SPI flash for the first application processor. Up to two application processors are supported with two flash components supported for each.
Code execution starts in CEC1712 ROM, application code signed in SPI flash with OEM’s private key, holding processor in reset until code is authenticated in the MCU, after which host processor loads and executes authenticated code from SPI flash. (Image: Microchip)
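The boot decision described above (authenticate the image signed with the OEM key, reject revoked keys, refuse rollback, and only then release the host from reset), modelled as an added example that is not Microchip's or Soteria-G2's code. It assumes Ed25519 as a stand-in signature scheme (the article does not name the CEC1712's signature algorithm), SHA-384 hashing as the article states, and a constructed image header of version plus key id.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"errors"
)

// Image is a constructed stand-in for a signed firmware image in SPI flash.
type Image struct {
	Version uint32 // anti-rollback counter in the header
	KeyID   uint8  // which OEM key signed this image
	Payload []byte // application code
	Sig     []byte // signature over the SHA-384 digest of header||payload
}

// digest hashes header and payload together so neither can be swapped alone.
func (im Image) digest() []byte {
	h := sha512.New384()
	// header: big-endian version followed by the key id
	h.Write([]byte{byte(im.Version >> 24), byte(im.Version >> 16), byte(im.Version >> 8), byte(im.Version), im.KeyID})
	h.Write(im.Payload)
	return h.Sum(nil)
}

// Sign models the OEM signing the image at build time with its private key.
func Sign(priv ed25519.PrivateKey, im *Image) { im.Sig = ed25519.Sign(priv, im.digest()) }

// RootOfTrust models the state the immutable boot ROM consults before releasing the host.
type RootOfTrust struct {
	Keys       map[uint8]ed25519.PublicKey // OEM public keys by id
	Revoked    map[uint8]bool               // ids rejected after a key rotation
	MinVersion uint32                       // monotonic rollback floor
}

// Verify is the boot decision: the host leaves reset only if every check passes.
func (rt *RootOfTrust) Verify(im Image) error {
	pub, ok := rt.Keys[im.KeyID]
	if !ok || rt.Revoked[im.KeyID] {
		return errors.New("unknown or revoked signing key")
	}
	if !ed25519.Verify(pub, im.digest(), im.Sig) {
		return errors.New("signature does not match image")
	}
	if im.Version < rt.MinVersion {
		return errors.New("rollback: image older than stored minimum version")
	}
	rt.MinVersion = im.Version // ratchet so this version cannot be undone later
	return nil
}
```

In a real device the key table, revocation bits and minimum version would live in OTP or other tamper-resistant storage rather than in a Go struct.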
Pre-provisioning of customer-specific data is an option provided by Microchip or Arrow Electronics. Pre-provisioning is a secure manufacturing solution to help prevent overbuilding and counterfeiting. In addition to saving up to several months of development time, the solution significantly simplifies provisioning logistics, making it easy for customers to secure and manage devices without the overhead cost of third-party provisioning services or certificate authorities.
Wilson added that while customers have become more sophisticated, not everyone has the expertise in security. “Soteria enables them to do the secure boot code.” Code development is carried out in the MPLAB integrated development environment (IDE) tool suite.
The CEC1712 is Microchip’s third-generation MCU, so we asked: what are the key differences over the CEC1702 MCU? Wilson said that the previous generation couldn’t do complete redundant boot, while the CEC1712 fully meets the NIST 800-193 requirement in this regard. Also, in addition to key revocation and code rollback protection, the new MCU features a boot ROM supporting 4-byte SPI address mode and uses SHA-384 hashing (as opposed to SHA-256). Another differentiator is in-circuit user-programmable OTP, which enables customization via the Soteria-G2 firmware, for applications such as programmable keypads in gaming.
The CEC1712 and Soteria-G2 package offers several options for software and hardware support: software support includes Microchip’s MPLAB X IDE, MPLAB Xpress and MPLAB XC32 compilers; hardware support is included in programmers and debuggers including the MPLAB ICD 4 and PICkit 4 programmer/debugger. The CEC1712H-S2-I/SX is available in volume production in 10,000-unit quantities starting at $4.02 (including the Soteria-G2 firmware).
Wilson said several customers are already sampling and some are on the way to full-scale production. She said customers include significant server companies, multi-function printer companies, and companies in aerospace and defense. Microchip is also targeting gaming, automotive, and computer/notebook customers.