MCUboot Security Part 1
By Zephyr Project
November 28, 2018
Zephyr Project member David Brown, a Senior Engineer with Linaro Ltd., shares the best practices for security in this blog post, which first ran on Brownian Motion.
This is the first in what I hope to be a series of posts about the MCUboot bootloader from a security perspective. Please note that although I work in security, I am by no means a cryptographer. I appreciate any feedback on any and all flaws in my analysis.

The MCUboot Project is a secure bootloader for 32-bit MCUs. The goal of MCUboot is to define a common infrastructure for the bootloader and the system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.

The essential problem that MCUboot seeks to solve is how to allow firmware updates while still maintaining some kind of integrity and control over what firmware can be run on the device. The easiest way to prevent unauthorized firmware from running on a device is to configure the flash to be immutable. Unfortunately, this also prevents security updates (as well as functionality improvements). MCUboot solves this by itself being a small amount of code that can be placed in an immutable section of flash. It can then verify the main code before allowing it to execute, as well as control updates to that code.

MCUboot is configurable, and these configuration choices affect the security promises that MCUboot is able to make. […]
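To make the verify-before-execute step concrete, here is an added example in C; it is not MCUboot's code and not the author's, and MCUboot's real image header, trailer and signature formats are different from the toy layout used here. It models a 12-byte header, a payload and a 32-byte HMAC-SHA256 tag computed under a device-held key, where the HMAC stands in for MCUboot's public-key signature purely to keep the listing self-contained (a signature verifier would not fit in a short example). `image_build` plays the build host, and `boot_verify_image` is the part that would sit in the immutable flash region and refuses to hand over control unless the magic, the length and the tag all check out. The key bytes, the magic value, the payload text and every function name are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compact SHA-256 / HMAC-SHA256 so the example is self-contained (no crypto library needed). */
static const uint32_t K256[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static void sha256_block(uint32_t h[8], const uint8_t p[64]) {
    uint32_t w[64], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7];
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (int i = 16; i < 64; i++)
        w[i] = w[i-16] + (ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7] + (ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10));
    for (int i = 0; i < 64; i++) {
        uint32_t t1 = hh + (ROR(e, 6) ^ ROR(e, 11) ^ ROR(e, 25)) + ((e & f) ^ (~e & g)) + K256[i] + w[i];
        uint32_t t2 = (ROR(a, 2) ^ ROR(a, 13) ^ ROR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

void sha256(const uint8_t *m, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    uint8_t blk[64]; size_t i = 0;
    for (; i + 64 <= len; i += 64) sha256_block(h, m + i);
    size_t r = len - i; memcpy(blk, m + i, r);
    blk[r++] = 0x80;                                   /* pad: 0x80, zeros, 64-bit big-endian bit length */
    if (r > 56) { memset(blk + r, 0, 64 - r); sha256_block(h, blk); r = 0; }
    memset(blk + r, 0, 56 - r);
    for (int j = 0; j < 8; j++) blk[56 + j] = (uint8_t)(((uint64_t)len * 8) >> (56 - 8 * j));
    sha256_block(h, blk);
    for (int j = 0; j < 8; j++) { out[4*j] = (uint8_t)(h[j] >> 24); out[4*j+1] = (uint8_t)(h[j] >> 16); out[4*j+2] = (uint8_t)(h[j] >> 8); out[4*j+3] = (uint8_t)h[j]; }
}

enum { MAX_IMAGE = 256, HDR_LEN = 12, TAG_LEN = 32 };   /* MAX_IMAGE bounds every buffer below */
void hmac_sha256(const uint8_t *key, size_t klen, const uint8_t *m, size_t mlen, uint8_t out[32]) {
    uint8_t k[64] = {0}, buf[64 + MAX_IMAGE], inner[32];
    if (klen > 64) sha256(key, klen, k); else memcpy(k, key, klen);
    for (int i = 0; i < 64; i++) buf[i] = k[i] ^ 0x36;
    memcpy(buf + 64, m, mlen); sha256(buf, 64 + mlen, inner);   /* inner = H((K ^ ipad) || m) */
    for (int i = 0; i < 64; i++) buf[i] = k[i] ^ 0x5c;
    memcpy(buf + 64, inner, 32); sha256(buf, 96, out);          /* out = H((K ^ opad) || inner) */
}

/* Constructed image layout for this example (not MCUboot's real header/TLV format):
 * u32 magic | u32 version | u32 payload_len | payload | 32-byte HMAC-SHA256 over everything before it.
 * The HMAC under a device-held key stands in for MCUboot's public-key signature check. */
#define IMG_MAGIC 0x4D495746u   /* constructed magic value */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Build-host side: emit header + payload + tag. Returns the image length, or 0 if it would not fit. */
size_t image_build(uint8_t *out, uint32_t version, const uint8_t *payload, size_t plen, const uint8_t *key, size_t klen) {
    if (HDR_LEN + plen + TAG_LEN > MAX_IMAGE) return 0;
    put32(out, IMG_MAGIC); put32(out + 4, version); put32(out + 8, (uint32_t)plen);
    memcpy(out + HDR_LEN, payload, plen);
    hmac_sha256(key, klen, out, HDR_LEN + plen, out + HDR_LEN + plen);
    return HDR_LEN + plen + TAG_LEN;
}

enum { BOOT_OK = 0, BOOT_ERR_SHORT = -1, BOOT_ERR_MAGIC = -2, BOOT_ERR_LENGTH = -3, BOOT_ERR_TAG = -4 };

/* Bootloader side (the code that would sit in the immutable flash region): verify, then and only then jump. */
int boot_verify_image(const uint8_t *img, size_t len, const uint8_t *key, size_t klen, uint32_t *version_out) {
    if (len < HDR_LEN + TAG_LEN || len > MAX_IMAGE) return BOOT_ERR_SHORT;
    if (get32(img) != IMG_MAGIC) return BOOT_ERR_MAGIC;
    uint32_t plen = get32(img + 8);
    if (plen != len - HDR_LEN - TAG_LEN) return BOOT_ERR_LENGTH;   /* header-claimed size must match the slot */
    uint8_t tag[TAG_LEN], diff = 0; hmac_sha256(key, klen, img, HDR_LEN + plen, tag);
    for (int i = 0; i < TAG_LEN; i++) diff |= tag[i] ^ img[HDR_LEN + plen + i];   /* constant-time compare */
    if (diff) return BOOT_ERR_TAG;
    if (version_out) *version_out = get32(img + 4);
    return BOOT_OK;   /* a real bootloader would now set up the vector table and jump into the image */
}

int selftest_hashes(void) {   /* known answers: SHA-256("abc") and RFC 4231 HMAC-SHA256 test case 2 */
    uint8_t d[32], t[32]; sha256((const uint8_t *)"abc", 3, d);
    hmac_sha256((const uint8_t *)"Jefe", 4, (const uint8_t *)"what do ya want for nothing?", 28, t);
    return d[0] == 0xba && d[1] == 0x78 && d[31] == 0xad && t[0] == 0x5b && t[1] == 0xdc && t[31] == 0x43;
}

/* A genuine image boots; a flipped payload byte or an unsigned version bump is refused. Returns 1 if all hold. */
int demo_tamper_detection(void) {
    static const uint8_t key[] = "constructed-device-key";                    /* constructed stand-in for the signing key */
    static const uint8_t payload[] = "application code in the primary slot";  /* constructed payload bytes */
    uint8_t img[MAX_IMAGE]; uint32_t ver = 0;
    size_t n = image_build(img, 7, payload, sizeof payload - 1, key, sizeof key - 1);
    int ok = n != 0 && boot_verify_image(img, n, key, sizeof key - 1, &ver) == BOOT_OK && ver == 7;
    img[HDR_LEN] ^= 0x01;                                    /* tamper with one payload byte */
    ok = ok && boot_verify_image(img, n, key, sizeof key - 1, NULL) == BOOT_ERR_TAG;
    img[HDR_LEN] ^= 0x01; put32(img + 4, 8);                 /* restore it; bump the version without re-signing */
    ok = ok && boot_verify_image(img, n, key, sizeof key - 1, NULL) == BOOT_ERR_TAG;
    return ok;
}

int main(void) { printf("hashes ok=%d, tamper demo ok=%d\n", selftest_hashes(), demo_tamper_detection()); return 0; }
```

Two design points carry over to the real thing. First, the tag covers the header as well as the payload, so an attacker cannot edit the version or length fields of a signed image without invalidating it; a verifier that hashed only the payload would let a downgraded or truncated image through. Second, the HMAC is only a stand-in: it means every device holds the same secret as the signer, so extracting it from one unit lets an attacker produce images for all of them. That is why a production bootloader such as MCUboot verifies a public-key signature (RSA or ECDSA) against a public key baked into the immutable region, so nothing secret has to live on the device.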
There’s another embedded OS on the market. Intel, NXP, Linux Foundation, and others are involved.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the Zephyr™ Project. This open source collaborative effort will unite leaders from across the industry to build an RTOS for the IoT. Early support for the Zephyr Project includes Intel® Corporation (including its acquired business groups Altera Corporation and Wind River), NXP Semiconductors N.V. (including its recent merger with Freescale), Synopsys, Inc. and UbiquiOS Technology Limited. Zephyr Project is inviting others interested in this technology to participate.
The Zephyr™ Kernel is a small-footprint, scalable, real-time operating system designed for use on resource-constrained systems: from simple embedded environmental sensors and LED wearables to sophisticated smart watches and IoT wireless gateways. It is designed to be supported by multiple architectures, including ARM, x86, and ARC. The Zephyr™ project associated with the kernel makes it available to users and developers under the Apache License, version 2.0.
It seems confusing that the *Linux* Foundation is pushing a new non-Linux OS, but ok. Given the current state of IoT security, it is concerning to see this comment in their press release:
“Minimal error checking. Provides minimal run-time error checking to reduce code size and increase performance. An optional error-checking infrastructure is provided to assist in debugging during application development.”
I want Maximal error checking in an IoT OS, not minimal! Optional means the error-checking infrastructure may not get used, and we know how security-savvy current IoT vendors are in this regard. 😦
I don’t know what kind of firmware it uses yet. 🙂