Supports multiple flexible bootstrap stages

Support of third-party signing through certificates

Support for hardware acceleration, key storage and anti-rollback

Product description

GUARD Secure Boot solution protects the device boot sequence by providing the following security layers:

Integrity + Authenticity:

This layer ensures that the system only boots images that are from a trusted source, without any changes introduced to the images. Thus, this layer protects against tampering.

Confidentiality + Anti-Cloning:

This layer protects images from being examined by encrypting the image using strong cryptography. By using product-line specific encryption keys, the protected images are also prevented from being used on other product lines.

Anti-Rollback:

This layer enforces a secure firmware update by protecting against installing of images that are revoked. It prevents a hacker to use an old image with known vulnerabilities, which have been fixed in maintenance updates.

Other information

GUARD Secure Boot includes 2 components:

  • Secure Boot ROM code libraries to embed in the boot loader(s)
  • The Secure Boot Image Generation Tool to sign and encrypt the images

GUARD Secure Boot implements strong cryptography:

  • Hash algorithms: SHA-244/SHA-256
  • Asymmetric Crypto algorithms: ECDSA (P224 & P256)
  • Symmetric Crypto algorithms: AES (128-256)

Secure Boot in combination with hardware crypto modules

GUARD Secure Boot solution is designed to work with various types of hardware or a combination thereof. The following INSIDE Secure Silicon IP cores are supported:

  • Asymmetric Crypto acceleration only:
    - PKA-IP-28
    - PKA-IP-150
  • Symmetric Crypto acceleration only:
    - PacketEngine-IP-93
  • Asymmetric and Symmetric Crypto acceleration with strict Asset Protection and Rollback protection:
    - Vault-IP Platform Security Solutions

Secure Boot with certificates

The SafeZone Secure Boot solution supports use of certificates. The use of certificates allow the creator of the Secure Boot Loader (the chip manufacturer) to delegate the Secure Boot Image signing to device manufacturers. The alternative to using certificates is using multiple boot loader stages.

Contact