Secure and Encrypted Boot in Zephyr RTOS – Parthiban N, Linumiz
MCUboot provides secure boot for Zephyr RTOS by verifying an asymmetric cryptographic signature on the firmware image against a public key. Typically the hash of that public key is embedded in the MCUboot binary, which protects the key's integrity. For stronger tamper resistance, the hash can instead be stored in, and retrieved from, hardware-backed key storage. Embedded SoCs offer hardware security features for this: the i.MX RT provides High Assurance Boot (HAB) and the Data Co-Processor (DCP), while TrustZone-enabled SoCs such as the nRF91 run Trusted Firmware-M (TF-M). These features support secure key storage with hardware crypto acceleration, or delegate key storage to an external security module (e.g., a TPM or EdgeLock) acting as a hardware vault.
This presentation explores MCUboot secure boot with hardware keys, using the NXP i.MX RT as the example. We will cover using HAB to boot a signed and encrypted MCUboot, establishing a hardware root of trust, and booting Zephyr RTOS with verification keys drawn from OTP. We will also discuss using the TF-M backend together with OTP to securely boot TrustZone-enabled SoCs.