USB Armory: High Assurance Boot (HABv4) bypass

Security advisory: High Assurance Boot (HABv4) bypass

The NXP i.MX53 System-on-Chip, main processor used in the USB armory Mk I board [1] design, suffers from vulnerabilities that allow bypass of the optional High Assurance Boot function (HABv4). The HABv4 [2] enables on-chip internal boot ROM authentication of the initial bootloader with a digital signature, establishing the first trust anchor for further code authentication. This functionality is commonly known as Secure Boot [3] and it can be activated by users who require authentication of the bootloader (e.g. U-Boot) to further maintain, and verify, trust of executed code. Quarkslab reported [4] to NXP, and subsequently to Inverse Path, two different techniques for bypassing HABv4 by means of exploiting validation errors in the SoC internal boot ROM [5], which are exposed before bootloader authentication takes place. While the two vulnerabilities have been initially reported for the i.MX6 SoC, Inverse Path evaluated that both issues also apply to the i.MX53 SoC, used on the USB armory Mk I.
Technical details under embargo until July 18th, by mutual agreement between
reported and NXP.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s