
Mastering Secure Software Upgrades in Embedded Systems: Best Practices and TPM Integration

20 September 2024

As embedded systems expand across industries such as automotive, healthcare, and industrial controls, securing them becomes increasingly important. A key element of that security is ensuring that only trusted software runs during the boot process. In part 1 of our Embedded Systems webinar series, “Secure Boot in Embedded Systems: The Foundation of Device Security,” we explored Secure Boot fundamentals, its role in establishing the Root of Trust, and its importance in preventing unauthorized software from running on embedded devices.

Now, in our latest webinar, Implementing Secure Software Upgrades in Embedded Systems: Best Practices and TPM Integration (part 2 of this series), we take the next step by focusing on secure software upgrades. Without robust security measures in place, these upgrades can become weak points, leaving systems open to exploitation, unauthorized access, and operational failures.

Fidus’ embedded software expert, Dawson Theroux, guides us through the essential practices for securing embedded systems during software upgrades, covering everything from Trusted Platform Module (TPM) technology to real-world demonstrations of how to design upgrade mechanisms that survive both attacks on the upgrade path and updates that simply fail. Below is a comprehensive breakdown of the webinar’s key topics and discussions, with additional resources to help you take your embedded system security to the next level.

Importance of Secure Software Upgrades

Software upgrades play a vital role in keeping embedded systems up-to-date, ensuring continued performance, and patching vulnerabilities. However, the software upgrade process itself can introduce new security risks, as attackers may exploit vulnerabilities during an upgrade to inject malicious software or manipulate the system.

In the webinar, Dawson Theroux highlights the importance of secure software upgrades, particularly in mission-critical systems like automotive control units or medical devices, where downtime or breaches are not an option. A secure upgrade process ensures that the system remains protected and operational, even as updates are applied.

How Trusted Platform Modules (TPMs) Enhance Secure Software

One of the most powerful tools for securing software upgrades is the Trusted Platform Module (TPM). The TPM is a hardware-based component that provides additional security by protecting sensitive information, such as encryption keys, in a secure environment. During the webinar, Theroux explains how TPMs ensure that these secrets are only released when the system has been measured into a known-good state.

The session shows the pivotal role Platform Configuration Registers (PCRs) play in this process. PCRs accumulate measurements (hashes) of each component as it is loaded during boot. If any component has been altered, for example a tampered bootloader, the resulting PCR values differ from the ones the secrets were sealed to, and the TPM refuses to release the encryption keys, so a tampered system never obtains them.

Key Benefits of TPM Technology:

  • Hardware-based security: Offers stronger protection than software-only solutions.
  • System integrity: TPM releases encryption keys and secrets only if the system passes integrity checks.
  • Rollback protection: Sealing secrets to the measurements of the current firmware means an older image that no longer matches the policy cannot unseal them. This holds only if secrets are re-sealed after every upgrade and the old sealed blobs are discarded; for a hard guarantee, combine it with a TPM monotonic counter that the bootloader checks before launching an image.

Secure Boot and the Root of Trust

Secure Boot is a critical security feature that ensures only trusted software is executed during the boot process, laying the foundation for system security. This webinar explains how Secure Boot establishes a Root of Trust, which underpins all subsequent security measures within the system.

In the demonstration, Theroux shows how PCRs are used alongside Secure Boot to record and verify boot components. The TPM extends a measurement of each stage into the PCRs, and if the final values do not match the ones a secret was sealed to, the TPM refuses to unseal it. Note the division of labour: Secure Boot verifies signatures before executing each stage and so blocks unauthorized code from running at all, while measurement guarantees that even if something unexpected does run, it cannot obtain the sealed secrets.

Building a Resilient Upgrade System: A/B Upgrade Mechanism

In embedded systems, a failed software upgrade can have disastrous consequences, particularly in sectors like aerospace or healthcare. The webinar focuses on building resilient systems that recover from such failures by using an A/B upgrade mechanism.

In an A/B system, the device holds two copies of the software in separate slots (slot A and slot B). When an upgrade is initiated, the new software is written to the inactive slot; the running slot is never touched. After the new image has been verified (typically a signature check), the bootloader switches to it on a trial basis. If the new image fails to boot, or fails to report a successful boot within a bounded number of attempts, the device automatically reverts to the previous, known-working slot, so it stays usable. This matters most for over-the-air (OTA) updates, where no one can physically reach the device to recover it. The A/B mechanism ensures that systems remain operational and recoverable in the event of a failed update.

Recovery Mechanisms in Case of Upgrade Failure

Software upgrade failures are always a possibility, so it is essential to have recovery mechanisms in place. The webinar introduces several methods for handling failures, including minimal firmware recovery images and hardware watchdogs.

  • Minimal Firmware Recovery Image: A lightweight image, kept in boot firmware or ROM so a normal update cannot overwrite it, that the bootloader falls back to when the primary software (both slots, in an A/B design) fails. It needs only enough functionality to fetch and apply a new update package.
  • Hardware Watchdogs: A watchdog timer resets the board if the running software stops servicing it, which catches hangs that software alone would never report. The bootloader counts these resets; after a set number of consecutive failed boots it reverts to the previous slot, or starts the recovery image, instead of retrying forever.

These strategies ensure that the system can always recover from a failed upgrade without requiring physical access to the device.
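The slot-selection state machine behind the A/B mechanism and the boot-attempt counter that the watchdog section relies on, written out as an added example in Go. This is not code from the webinar or from any particular bootloader: the BootState layout, MaxTries, and the verify callback (which stands in for the signature check of a staged image) are assumptions made for the example, and the decrement-before-jump ordering is modelled on the U-Boot bootcount/bootlimit idea rather than copied from it.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot names one of the two firmware partitions of an A/B layout.
type Slot int

const (
	SlotA Slot = iota
	SlotB
)

func (s Slot) Other() Slot {
	if s == SlotA {
		return SlotB
	}
	return SlotA
}

func (s Slot) String() string { return [...]string{"A", "B"}[s] }

// MaxTries is how many boots an image gets before the bootloader gives up on it.
const MaxTries = 3

// ErrRecovery tells the bootloader that neither slot is usable and it must
// hand over to the minimal recovery image held in ROM or boot firmware.
var ErrRecovery = errors.New("no bootable slot: start minimal recovery image")

// BootState is the record the bootloader keeps in persistent storage
// (a dedicated flash page or EEPROM). Assumed layout for this example.
type BootState struct {
	Active Slot    // slot the bootloader will try next
	Tries  int     // boots left for Active before it is declared broken
	Valid  [2]bool // image in each slot passed verification when staged
}

// StageUpdate writes the new image into the inactive slot and, if it verifies,
// makes that slot active on a trial basis. verify stands in for the
// signature/hash check of the staged image; on failure the running slot is
// untouched, so a corrupt or unsigned OTA package cannot brick the device.
func StageUpdate(st BootState, verify func(Slot) bool) (BootState, error) {
	target := st.Active.Other()
	if !verify(target) {
		st.Valid[target] = false
		return st, fmt.Errorf("staged image in slot %s failed verification", target)
	}
	st.Valid[target] = true
	st.Active = target
	st.Tries = MaxTries
	return st, nil
}

// SelectSlot runs on every reset, including the ones a hardware watchdog forces
// when the application hangs. It charges one try *before* jumping, so an image
// that never reaches ConfirmBoot burns an attempt per reset and is dropped
// after MaxTries. If the other slot is not valid either, it asks for recovery.
func SelectSlot(st BootState) (BootState, Slot, error) {
	if st.Tries == 0 && st.Valid[st.Active] {
		// Active image exhausted its attempts: mark it broken and fall back.
		st.Valid[st.Active] = false
		st.Active = st.Active.Other()
		st.Tries = MaxTries
	}
	if !st.Valid[st.Active] {
		return st, st.Active, ErrRecovery
	}
	st.Tries--
	return st, st.Active, nil
}

// ConfirmBoot is called by the application once it is demonstrably healthy
// (services up, watchdog being kicked). It must run on every successful boot:
// refilling the try budget is what makes an update permanent.
func ConfirmBoot(st BootState) BootState {
	st.Tries = MaxTries
	return st
}

func main() {
	// Device currently runs slot A; slot B is empty.
	st := BootState{Active: SlotA, Tries: MaxTries, Valid: [2]bool{true, false}}

	// An unsigned or corrupt package must not change anything.
	_, err := StageUpdate(st, func(Slot) bool { return false })
	fmt.Println("bad package:", err)

	// A good package goes into slot B and gets MaxTries trial boots.
	st, _ = StageUpdate(st, func(Slot) bool { return true })

	// The new image hangs every time: the watchdog resets the board and the
	// bootloader charges one try per reset until it gives up on slot B.
	for reset := 1; ; reset++ {
		var booted Slot
		st, booted, err = SelectSlot(st)
		fmt.Printf("reset %d: boot slot %s, tries left %d\n", reset, booted, st.Tries)
		if booted == SlotA {
			break
		}
	}
	st = ConfirmBoot(st) // slot A came up and reported success
	fmt.Printf("back on slot %s, slot B marked invalid: %v\n", st.Active, !st.Valid[SlotB])

	// If slot A then also starts failing, its tries run out too and, with no
	// other valid slot left, the bootloader hands over to the recovery image.
	for {
		if st, _, err = SelectSlot(st); err != nil {
			break
		}
	}
	fmt.Println("both slots failed:", err)
}
```

The two details worth copying are the ordering and the uniform rule: the try is charged before the jump, so a hang that the watchdog has to break still counts, and every image, trial or not, must re-confirm on each boot, which is what lets a previously good slot that starts failing later also fall through to recovery.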

Sealing Secrets in the TPM: A Live Demonstration

One of the most engaging parts of the webinar is a live demonstration of how to use a TPM to seal secrets. Sealing a secret in the TPM ensures that sensitive information, such as encryption keys and firmware signing keys, is only accessible when the system is in a trusted state.

During the demonstration, Dawson Theroux walks viewers through:

  • Creating a policy to seal secrets within the TPM.
  • Using PCR values to define the conditions under which the secret can be unsealed.
  • Showing how modifying the bootloader or other system components causes the TPM to refuse to unseal the secret, ensuring that tampered systems cannot access sensitive data.
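A stand-alone simulation of what the three demonstration steps above do, added here as an example in Go; it is not the webinar's demo and does not talk to a TPM. It replays the PCR extend chain over constructed component images, seals a secret to the resulting PCR, shows that a modified bootloader cannot unseal it, and adds the re-seal step an upgrade must perform before rebooting, which is the step the rollback-protection discussion later on this page depends on. The component images, the PolicyDigest formula, and ResealForUpgrade are constructed for the example: a real TPM folds the command code and PCR selection into the TPM2_PolicyPCR digest and wraps the sealed data under a chip-internal key rather than keeping it in the clear.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one boot stage that gets measured (hashed and extended into a
// PCR) before it runs. The images below are constructed stand-ins.
type Component struct {
	Name  string
	Image []byte
}

// Extend mirrors TPM2_PCR_Extend on a SHA-256 bank:
// PCR_new = SHA256(PCR_old || SHA256(image)). Order matters and nothing can
// "un-extend", which is what makes the final value a digest of the boot log.
func Extend(pcr [32]byte, image []byte) [32]byte {
	digest := sha256.Sum256(image)
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureBoot replays a boot chain into one PCR from its all-zero reset value,
// as the bootloader and kernel do in turn on a measured-boot platform.
func MeasureBoot(chain []Component) [32]byte {
	var pcr [32]byte
	for _, c := range chain {
		pcr = Extend(pcr, c.Image)
	}
	return pcr
}

// PolicyDigest stands in for the TPM2_PolicyPCR digest: a hash over the
// selected PCR contents (the real one also covers the command code and the
// PCR selection). Any change in any measured component changes it.
func PolicyDigest(pcr [32]byte) [32]byte {
	return sha256.Sum256(append([]byte("TPM2_PolicyPCR|"), pcr[:]...))
}

// SealedBlob models the object TPM2_Create returns for a sealed secret with a
// PCR policy. A real TPM wraps Secret under a key that never leaves the chip
// and enforces the policy internally; it is in the clear here only because
// the point shown is the policy gate, not the wrapping.
type SealedBlob struct {
	Policy [32]byte
	Secret []byte
}

var ErrPolicyMismatch = errors.New("PCR policy not satisfied: refusing to unseal")

// Seal binds a secret to the PCR state it must be unsealed under.
func Seal(secret []byte, pcr [32]byte) SealedBlob {
	return SealedBlob{Policy: PolicyDigest(pcr), Secret: append([]byte(nil), secret...)}
}

// Unseal releases the secret only when the live PCR satisfies the policy,
// as TPM2_Unseal does after a successful TPM2_PolicyPCR in the session.
func Unseal(blob SealedBlob, livePCR [32]byte) ([]byte, error) {
	if PolicyDigest(livePCR) != blob.Policy {
		return nil, ErrPolicyMismatch
	}
	return append([]byte(nil), blob.Secret...), nil
}

// ResealForUpgrade is the step an upgrade must run *before* rebooting into new
// firmware: unseal under the current (trusted) PCR, predict the PCR the staged
// chain will produce, and seal to that. Without it the new firmware cannot
// unseal; with it the old firmware can no longer unseal, which is what turns
// PCR sealing into a rollback barrier for this secret.
func ResealForUpgrade(blob SealedBlob, livePCR [32]byte, staged []Component) (SealedBlob, error) {
	secret, err := Unseal(blob, livePCR)
	if err != nil {
		return SealedBlob{}, err
	}
	return Seal(secret, MeasureBoot(staged)), nil
}

func main() {
	v1 := []Component{
		{"bootloader", []byte("u-boot v1 (constructed image)")},
		{"kernel", []byte("zImage 6.1 (constructed image)")},
		{"rootfs-hash", []byte("dm-verity root hash v1 (constructed)")},
	}
	pcr := MeasureBoot(v1)
	blob := Seal([]byte("disk-encryption-key"), pcr)
	fmt.Println("PCR after v1 boot:", hex.EncodeToString(pcr[:]))

	// Tampered bootloader: different measurement, the secret stays sealed.
	tampered := append([]Component{{"bootloader", []byte("u-boot v1 + implant")}}, v1[1:]...)
	_, err := Unseal(blob, MeasureBoot(tampered))
	fmt.Println("tampered bootloader:", err)

	// Legitimate kernel upgrade, re-sealed before reboot; v1 then locked out.
	v2 := append([]Component{}, v1...)
	v2[1] = Component{"kernel", []byte("zImage 6.6 (constructed image)")}
	blob2, _ := ResealForUpgrade(blob, pcr, v2)
	s, err := Unseal(blob2, MeasureBoot(v2))
	fmt.Printf("after upgrade: %q, %v\n", s, err)
	_, err = Unseal(blob2, pcr)
	fmt.Println("rolled back to v1:", err)
}
```

The design point is in ResealForUpgrade: the new PCR value has to be predicted from the staged images while the device is still in its trusted state, because once it has rebooted into unmeasured-for firmware there is no policy it can satisfy. With tpm2-tools the same flow is the PCR policy passed to tpm2_create and checked by tpm2_unseal, re-done with the new expected values as part of the update.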

This demonstration underscores how TPM can be used to protect the most critical parts of your system, ensuring that secrets remain secure even in the face of system changes or malicious attacks.

Additional Resources to Enhance Embedded System Security

Fidus offers a range of services and resources to help you secure your embedded systems and optimize software development. Whether you’re working to enhance security, manage multi-core environments, or implement AI-driven features, we have the expertise to support you.

Conclusion: Implementing Secure Software Upgrades

For a deep dive into the best practices for integrating TPM technology into your embedded systems, watch the full webinar now. You’ll gain valuable insights into:

  • Best practices for creating resilient software upgrade mechanisms, including rollback protection and recovery strategies.
  • TPM integration for encryption and Secure Boot.
  • Live demonstrations of sealing and unsealing secrets using TPM.

FAQs About Secure Upgrades and TPMs

Q: Can the TPM be used in conjunction with a software-only Root of Trust, or is it hardware-specific?

A: A TPM is a hardware component, either a discrete chip or a firmware TPM running in the SoC’s isolated execution environment, that provides cryptographic operations and protected storage. A software-only Root of Trust is possible, but it is generally considered weaker because software is easier to tamper with than hardware: if the code that does the verifying can be modified, so can its verdict. The benefit of a TPM is a hardware-backed Root of Trust that is much harder to compromise. So while software-only Roots of Trust exist, they are not as robust as hardware-backed options like a TPM.

Q: How do you handle recovery if both the A and B software versions fail in an A/B upgrade mechanism?

A: If both the A and B versions fail, you need a minimal recovery image that can restore the system to a functional state. This minimal image needs only enough capability to receive a new upgrade package and start the upgrade mechanism. It is usually stored in the boot firmware or in the device’s ROM, where a normal update cannot overwrite it, so that it remains available even when both A/B slots are unusable. This guarantees there is always a fallback path to recover the system.

Q: How does TPM handle rollback protection during software upgrades?

A: Rollback protection is one of the main benefits of using a TPM during software upgrades. The TPM records measurements of key components, such as the bootloader and firmware, in PCRs, and secrets are sealed to the measurements of the current, trusted version. If someone loads an older version, its PCR values do not match, and the TPM refuses to release the secrets or keys required to bring the system up. Two caveats apply. First, this only works if secrets are re-sealed to the new measurements as part of every upgrade and the old sealed blobs are discarded; otherwise the old firmware still satisfies its own old policy. Second, an attacker who restores both the old firmware and a backup of its old sealed blob is back in the old state, so for a hard guarantee pair PCR sealing with a monotonic counter in TPM NV storage (or a minimum-version value kept there) that the bootloader checks before launching an image and advances only after a successful upgrade.

Q: Is it possible to perform over-the-air (OTA) updates securely using TPM?

A: Yes. OTA updates can be secured with a TPM, although the division of work should be clear: the update package’s integrity and authenticity are normally checked by the updater software against a pinned verification key, and the TPM’s contribution is to protect the device’s private keys (for example the key used to authenticate to the update server), to release secrets only when the measured boot state is trusted, and to attest that state to the server. Together these ensure that only verified updates are installed and that the upgrade process follows the chain of trust. Many frameworks, like Mender and RAUC, support TPM integration for securing OTA updates.
