Abstract
Critical infrastructure devices operating in unprotected end-node environments are vulnerable to malicious actors who conduct hardware attacks such as reverse engineering and side-channel analysis. Boot data is rarely encrypted and typically travels across an accessible bus, enabling the data to be easily intercepted during system start-up. Encrypting the firmware would make reverse engineering extremely difficult for malicious actors and competitors. It would improve the effectiveness of tamper detection methods and deter zero-day vulnerability discovery. Increasing boot security could be a fundamental part of decreasing attack surfaces across the critical infrastructure sectors.
This chapter describes a Talos II architecture implementation that encrypts a section of the boot image and decrypts it during initial program load. During power-on, the encrypted image travels across the Low Pin Count bus into a POWER9 module Level 3 cache and is decrypted in the processor. Boot image encryption is implemented using ciphers of different strengths. An analysis of their efficiency is conducted to determine the optimal algorithm.
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks and L. Wingers, SIMON and SPECK: Block ciphers for the Internet of Things, presented at the NIST Lightweight Cryptography Workshop, 2015.
Digi International, Image Encryption, Hopkins, Minnesota (www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8x/yocto-trustfence_t_image-encryption.html), 2019.
A. Fournaris, Using Hardware Means to Secure Critical Infrastructure Devices, CIPSEC Project, University of Patras, Patras, Greece (www.cipsec.eu/content/using-hardware-means-secure-critical-infrastructure-devices), 2020.
D. Heller and N. Sastry, OpenPower secure and trusted boot, Part 2: Protecting system firmware with OpenPOWER secure boot, IBM Developer, IBM, Armonk, New York (developer.ibm.com/articles/protect-system-firmware-openpower), 2019.
IBM, Secure Initial Program Load (IPL) Process, Armonk, New York (www.ibm.com/docs/en/power9/9009-42A?topic=9009-42A/p9ia9/p9ia9_secure_ipl_proc_concept.htm), 2021.
A. Jeffery, General Architecture of Hostboot (amboar.github.io/notes/2018/08/19/hostboot-architecture.html), 2018.
A. Jeffery, Hacking Hostboot (amboar.github.io/notes/2018/08/19/hacking-hostboot.html), 2018.
Microchip Technology, AVR231: AES Bootloader, Application Note AN2462, DS00002462A, Chandler, Arizona (ww1.microchip.com/downloads/en/AppNotes/00002462A.pdf), 2017.
C. Muramoto, S. Dunlap and S. Graham, Improving hardware security on the Talos II architecture through boot image encryption, Proceedings of the Seventeenth International Conference on Cyber Warfare and Security, pp. 489–496, 2022.
R. Nuqui and A. Phadke, Phasor measurement unit placement techniques for complete and incomplete observability, IEEE Transactions on Power Delivery, vol. 20(4), pp. 2381–2388, 2005.
Raptor Computing Systems, Default PNOR Layout, Belvidere, Illinois (git.raptorcs.com/git/pnor/tree/p9Layouts/defaultPnorLayout_64.xml), 2019.
Raptor Computing Systems, OpenPOWER Firmware, Belvidere, Illinois (wiki.raptorcs.com/wiki/OpenPOWER_Firmware), 2021.
Silicon Labs, AN0060: Booloader with AES Encryption, Revision 1.05, Austin, Texas (www.silabs.com/documents/public/application-notes/an0060-bootloader-with-aes-encryption.pdf), 2016.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Muramoto, C., Graham, S., Dunlap, S. (2022). EVALUATING THE USE OF BOOT IMAGE ENCRYPTION ON THE TALOS II ARCHITECTURE. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XVI. ICCIP 2022. IFIP Advances in Information and Communication Technology, vol 666. Springer, Cham. https://doi.org/10.1007/978-3-031-20137-0_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-20137-0_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20136-3
Online ISBN: 978-3-031-20137-0
eBook Packages: Computer ScienceComputer Science (R0)