New-Tech Europe Magazine | June 2016

Figure 6 Freescale Trust Architecture

then take ownership of the TPM, which provides the ability to seal (encrypt) data using the current PCR values. The data can only be unsealed (decrypted) if the PCR values are the same as they were at the time the data was sealed. Ownership of the TPM can only be changed if the TPM is cleared, and any attempt to unseal data sealed by the previous key owner will fail. In networked so act as a root of trust for reporting (RTR) by signing a quote of its current PCR set.

Freescale Trust Architecture

Freescale’s QorIQ Trust Architecture provides secure boot, secure runtime, secure debug, tamper detection, and device-specific secret key usage. This prevents the CPU from executing untrusted code and prevents the use of modified security keys. Security features are self-contained in the QorIQ system-on-chip - no external trusted devices are required. Figure 6 shows the steps for the Freescale secure boot process.

Code Signing and Provisioning:

1. The trust architecture relies on the generation by the user of a public and private key pair, which can be accomplished using Freescale code signing tools. The private key is used to digitally sign all code that is to execute on the QorIQ processor. The private key must be protected. Any modifications to the signed code can then be detected during the secure boot process.

2. The public key is hashed and programmed into the CPU during device provisioning. This provides a basis to verify digital signatures of the external secure boot code (ESBC).

Pre-Boot Phase:

3. After reset, all device activity is blocked. Fuse values are sensed by the security fuse processor (SFP), which locks down interfaces and memory and enforces security policy before boot. The pre-boot loader (PBL) then loads a reset configuration word from external non-volatile memory to begin system configuration.

Internal Secure Boot Code (ISBC) Phase:

4. The CPU is allowed to boot and
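The check that steps 1 to 4 describe, modelled as an added Go example (not Freescale's code or tooling): the fuses hold only a hash of the public key, the ESBC image carries the public key and a signature over the code, and the boot ROM runs the image only if both the key hash and the signature check out. Ed25519 stands in for whatever key type the Freescale signing tools actually produce, and the image layout is a constructed simplification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ESBCImage: constructed stand-in for the ESBC image (code, shipped public key, signature).
type ESBCImage struct {
	Code      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Step 1: the user generates the key pair and signs the code with the private key
// (Ed25519 is an assumption; the private key never leaves the signing environment).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Step 2: only the SHA-256 hash of the public key is programmed into the CPU fuses.
func FuseValue(pub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(pub)
}

func SignImage(code []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) ESBCImage {
	return ESBCImage{Code: code, PublicKey: pub, Signature: ed25519.Sign(priv, code)}
}

// Step 4 (ISBC): run the image only if the shipped key hashes to the fused value and the
// signature over the code verifies under that key; the key check comes first so a
// substituted key is rejected before any signature math runs.
func VerifyImage(fuse [32]byte, img ESBCImage) error {
	got := sha256.Sum256(img.PublicKey)
	if subtle.ConstantTimeCompare(got[:], fuse[:]) != 1 {
		return fmt.Errorf("public key in image does not match fused hash")
	}
	if !ed25519.Verify(img.PublicKey, img.Code, img.Signature) {
		return fmt.Errorf("signature invalid: code modified or signed with another key")
	}
	return nil
}

func main() {
	pub, priv, _ := GenerateKeys()
	img := SignImage([]byte("constructed sample boot image"), pub, priv)
	fmt.Println("genuine:", VerifyImage(FuseValue(pub), img))
	img.Code[0] ^= 0x01 // flip one bit of the signed code
	fmt.Println("tampered:", VerifyImage(FuseValue(pub), img))
}
```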
