The Yocto Project is a popular choice for creating custom Linux distributions for IoT devices. When creating a custom Linux distribution one of the key challenges faced by device manufacturers is the time and expertise required to secure the distribution. Having helped multiple device manufacturers through this journey, Timesys now offers a standard product called “VigiShield Secure by Design.” This is available as a yocto layer (meta-vigishield) that delivers out-of-the box security to your Yocto-based Linux distribution. VigiShield implements the OS security features covering various security standards such as NISTIR 8259A, ETSI EN 303 and has obtained a PSA Level 1 certification through an independent security lab evaluation. By leveraging VigiShield, device manufacturers can now focus on their value-added applications instead of worrying about security.
Security Features Implemented by VigiShield
Secure boot and chain of trust
A key aspect of security is ensuring only authentic software runs on the device (i.e. malicious software is prevented from running). To achieve this, each piece of software is digitally signed at the time of building the software and the signature is verified on the device before executing that piece of software. If the signature check fails, the software is not allowed to run. The authentication of the first piece of user software i.e. bootloader is referred to as “Secure boot” and extending the authentication to all other software including user space applications is referred to as “Chain of Trust.”
Note: To achieve secure boot, there is a dependency on the hardware needing to support it.
VigiShield supports secure boot and chain of trust on various hardware platforms. Taking the NXP i.MX8 processor series as an example, VigiShield integrates and configures the code signing tools provided by NXP to create signed bootloader images as part of the build. All pieces of software that are loaded after the bootloader are signed and verified using open source technologies. For example, the kernel, device tree and initramfs (optional) are all bundled in as a signed fitImage and verified by the bootloader. Similarly a signed read-only root filesystem is authenticated using the Linux kernel dm-verity mechanism.
Secure storage ensures data confidentiality (e.g: keeps customer/application data private), prevents IP-theft, and prevents cloning/counterfeiting of the device. Data is secured by means of encryption and the encryption key is typically protected by a hardware specific mechanism.
VigiShield provides full disk encryption using the Linux dm-crypt mechanism and the encryption key is kept confidential by a hardware/processor root of trust (hardware unique key). For example, the VigiShield implementation on the i.MX8 processors achieves this by creating an encrypted blob which is protected by a unique master key residing in the one-time programmable fuses of the processor. Only authorized software can request that the processor perform decryption through the hardware cryptography engine.
VigiShield also supports a secure keystore to protect device keys and certificates. The keystore leverages OP-TEE as a PKCS#11 provider adding an additional layer of security to your IoT devices and eliminates the need for a dedicated security chip.
Software/firmware updates are required in order to provide security or feature updates to devices. Secure Updates ensures that only authentic and legitimate firmware is updated on the device.
VigiShield provides a secure and robust over-the-air (OTA) solution. This includes OTA server authentication using certificates, secure downloads over TLS1.3, installation of signed / authenticated images using Public-key cryptography (PKCS #1.5 signature validation, using 2048 bits RSA key with SHA256) and prevention of unauthorized rollback (anti-rollback) of images. Apart from authenticating the firmware update bundle, the individual images (e.g: bootloader, kernel etc.) are authenticated as part of secure boot as described in the previous section.
VigiShield uses the SWUpdate open source solution for OTA updates with an A/B update scheme. However, through our VigiShield professional services team, we can customize OTA updates to use other solutions such as OS-Tree, Mender and RAUC; all with the same set of security features.
Resources: Designing OTA Updates webinar
Secure communication protects the data-in-transit when the device communicates with external devices (e.g: cloud servers, remote sensors, etc). Secure communication is achieved using authentication between all involved parties and encrypting the data transmitted between them.
VigiShield secures external communication to/from the device by using secure protocols such as TLS1.3, which are implemented as part of open source libraries such as openSSL. The certificates/keys used to authenticate any external communication are stored in the encrypted and authenticated secure storage, to avoid any potential tampering. VigiShield further reduces the attack surface by disabling many known weak/insecure ciphers in openSSL.
Security audit logs
Security audit logs record any runtime security violations/breaches on the target system. Security events such as unauthorized access to sensitive files, opening of network connections, failed login etc. are typically logged to an access controlled, integrity protected log file for further investigation.
VigiShield supports logging security violations on the target system using the Linux audit framework and open source auditd user space utility. The log file access is restricted to root users and any unauthorized access to the logs are also recorded. VigiShield comes with baseline logging capability and can be customized to monitor specific security events based on end user requirements.
Resources: Logging with auditd blog
Incorporating hardware security is critical to mitigate physical attacks on the device. VigiShield can be easily configured to disable and/or password protect interfaces such as serial port and JTAG.
Security hardening is the act of reducing the attack surface of the device and making the device more difficult to hack. VigiShield implements a variety of system hardening techniques.
- Toolchain hardening: The toolchain used to build the target device binaries has security flags to make exploiting vulnerabilities difficult. VigiShield enables toolchain options such as stack protection, buffer overflow checks, position independent executables etc.
- Kernel hardening: The Linux kernel hardening is a broad topic since there are a myriad of security features, hardening options, and mitigations for known exploits that can be enabled via the Linux kernel configuration. VigiShield provides a detailed kernel hardening report of the recommended hardening options based on your hardware architecture and kernel version; along with a base set of options pre-enabled.
Resources: Kernel hardening blog, webinar
- U-boot hardening: VigiShield can help mitigate a wide range of threats such as tampering u-boot environment variables, overriding boot commands, access of serial console, etc.
Resources: Securing U-Boot blog
- Userspace hardening: If software such as dropbear/openssh are included on the target device, VigiShield hardens the software by disabling root access, enforces key based authentication instead of passwords, etc.
- Best practice cryptography: VigiShield disables a wide range of legacy / insecure OpenSSL ciphers by default.
- Access control: Vigishield is configured to have no root login or default hardcoded passwords. As part of VigiShield, a discretionary access control report is generated detailing the permissions of each file in the filesystem. For example, details on the actions that users and groups can perform on a file: read, write, execute.
Resources: Discretionary Access Control blog
SBOM and vulnerability report
Software Bill of Materials (SBOM) is an essential component for performing vulnerability or license analysis, both of which play an important role in software supply chain risk management.
VigiShield includes SBOM generation (SPDX), vulnerability (CVE) monitoring and management as part of Timesys Vigiles free tier offering.
Resources: Vigiles SBOM and vulnerability management
Yocto/BSP and Security Customizations
Apart from the standard PSA certified VigiShield offering, we provide customizations as part of our Professional Services which covers hardware enablement, Yocto customizations, custom security feature implementations, integration with device management / IoT cloud services, and more!
Whether you are new to security, looking for consultation to refine your security requirements or help integrating our solutions into your processes; we can help with our customized security training offerings.
Secure manufacturing assistance
We have expertise in developing the manufacturing tooling required for secure software programming and provisioning. We can help integrate your custom or 3rd party solutions for securely storing device certificates.
Trusted Applications for Secure OS
For customers seeking enhanced security, we have expertise in implementing “trusted applications” that can be deployed on a secure OS (e.g: OP-TEE, Trusty, etc) running on a trusted execution environment.
Resources: Trusted Software with OP-TEE blog, webinar
Long Term Linux OS security and maintenance
Timesys Linux OS/BSP Maintenance subscription service provides long-term security updates and maintenance of your Linux OS. Using this service, device manufacturers can rely on timely security updates that can be deployed to devices in the field with the secure and robust OTA update mechanism included in VigiShield.
The DIY route of securing a Yocto-based distribution is a tedious process and adversely affects the time-to-market for device manufacturers. Worse yet, without the right expertise and independent 3rd-party evaluation, devices might still be at risk. By leveraging off-the-shelf, security certified products such as VigiShield, device manufacturers can now bring more secure devices to the market faster and at a lower cost. To learn more, schedule a free security consultation.