From Fresh to Secure

Tutorial: Securing a Platform from Scratch: Step-by-Step Guide

This tutorial walks you through all the steps required to secure your embedded platform from a fresh system install, using the RidgeRun Platform Security Manual as a reference.

A secure platform follows a similar structure to the following:

1. Understand the Security Fundamentals

Before implementation, ensure you're familiar with the building blocks of platform security:

• Root of Trust (RoT): Establishes a trusted base for system validation.
• Secure Boot: Ensures only signed, verified code runs at boot.
• Trusted Execution Environment (TEE): Isolates sensitive operations in a secure CPU region.
• Disk Encryption: Keeps data secure at rest.
• Over-the-Air Updates: Keeps the system updated.

For more information on the fundamentals, please check the Platform Security section.

2. Implement Secure Boot

Secure Boot involves a series of steps. It can be considered the longest process when preparing a secure platform. Nevertheless, ensuring secure boot prevents the system from loading software components that have been altered or come from untrusted sources.

The following steps are required for NVIDIA Jetson:

• Generate cryptographic key pairs: it involves creating certificates and generating keys.
• Burn public key hashes into fuses (irreversible): it involves the use of the Factory Secure Key and Expansion Key Provisioning (FSKP) from NVIDIA and burning the fuses.
• Sign bootloaders and OS components with your private key and flash: it involves signing the bootloader, kernel, and device tree.
• Activating UEFI Secure Boot: involving the generation of the UEFI keys and the UEFI payloads.

3. Set Up a Trusted Execution Environment (TEE)

TEE Overview and Setup

• Compile OP-TEE modules and device tree: Enabling OP-TEE allows critical security components to work, from disk encryption to customer's secure apps.
• Integrate it into the build: flashing the board with the new device tree and modules, which integrate necessary parts to leverage OP-TEE.

It provides a hardware-backed, isolated environment for secure operations.

4. Enable Disk Encryption

NVIDIA Jetson Disk Encryption Setup

• Install tools like cryptsetup: this tool will help to encrypt the partitions.
• Define encrypted partitions (rootfs, data, etc.): select whether a partition should be encrypted or not.
• Generating the EKS image: EKS is a mechanism for securely storing encryption keys, typically used in systems that employ disk or file-level encryption.
• Generate and securely manage encryption keys: generate the keys used to encrypt/decrypt the partitions.
• Implement the changes: the final step is to integrate the changes through flashing.

This ensures your stored data is protected even if the device is compromised.

5. Implement Over-the-Air (OTA) Updates

OTA Security Guide

• Choose and integrate an OTA system (e.g., Mender): the first step is to choose and integrate a method. Mender is used as an example.
• Ensure it supports authentication, rollback, and verification: authentication and rollback are essential since we want to automate the process of updates.
• Integrate with Secure Boot and TEE to maintain trust throughout the update process: the integration with all the platforms to automate the process will help to update the system and mitigate threats.

6. Add Additional Security Layers

Platform Security Extensions

• Implement Trusted Platform Module (TPM) if hardware supports it: TPM provides a way to provision, process, and store keys.
• Add Kiosk Mode to the platform (optional): Restrict the usage of the platform.

If available:

• Use a secure key management system (e.g., kernel keyring).
• Apply IMA (Integrity Measurement Architecture) for file integrity checking.

7. Test and Validate Your Security Setup

• Verify Secure Boot with unauthorized code tests (in progress)
• Test TEE applications and ensure isolation: create an app and integrate it into the system
• Confirm encryption works by examining partition data externally: check the encryption of the partition.
• Simulate OTA updates to verify rollback and signature validation: test some packages to check that OTA is working.

For detailed instructions and platform-specific steps, refer to the full RidgeRun Platform Security Manual.