We take care of your projects –
With increasing digitalization and networking, the protection of embedded systems against unauthorized access and targeted attacks is more important than ever. Guaranteeing this type of security, along with functional security, is a major challenge in electronics design.
PHYTEC supports you in minimizing risks by considering security requirements during the development of our hardware and board support packages. On top of these deployment ready solutions, we support you with individual project consulting on complex security principles.
We will be happy to discuss the various deployment methods and support you in establishing the appropriate processes.
Basic Security Requirements
When it comes to communicating with your devices in networks, secure device identification is a fundamental prerequisite. Among other things, we are working on a process for secure crypto-chip initialization for device identification.
Secure boot is used to ensure that only trustworthy, signed software can be launched on the controller. This is the first stage of the Chain-of-Trust. With the Chain-of-Trust, signed programs are always started by other previously verified programs. This ensures that even the end application at the highest layer is trustworthy.
- Trusted ROM Bootloader verifies software image before they are executed
- Use of RSA-4096 key pairs and SHA-256 signatures
- We already meet future BSI (Bundesamt für Sicherheit in der Informationstechnik) and NIST (National Institute of Standards and Technology) requirements up to 2030 and beyond.
- Basis for a Trusted Execution Environment (TEE) set up
TPM und Secure Elements
TPM chips (or Crypto-chips) are a good way to store and manage cryptographic keys, but cannot be used for secure boot with ARM. The ROM Bootloader must first verify the software and has no way to communicate with the TPM chip to perform this verification.
Benefits of Secure Elements
- Suitable for a Secure Boot from the bootloader
- Tamper-proof unique identification number (Unique ID) for device identification
- Secure storage option for symmetric encryption keys and/or private keys
- Manipulation pins to detect physical attacks
- Certified Random Number Generator (RNG)
- Cryptographic acceleration (CPU relief)
- Key Generator & Encryption algorithms
Crypto-chips have the advantage of taking over these functions regardless of the operating system used later. Many processors already support similar functions.
When devices communicate with a server or with each other, the connection must be secure. TLS offers a protocol and applicationindependent solution. The TLS handshake is the most common method for establishing an encrypted connection.
- Establish secure connection independent of used application or protocol
- TLS (SSL) is recognized as a best practice and industry standard for encrypted communication
- Run only the services you really need on your device
- Close all ports and open ports selectivity as needed
- Always use password login (including COM & Telnet interfaces)
- Use standard protocols for transferring data
- Use known (open-source) implementation of encryption methods (no proprietary developments)
Linux is our first choice as an operating system for industrial series use. One of PHYTEC's clear goals is to provide our customers with the advantages of a Mainline board support package as early as possible: stable code, fast bug/security fixes, and the maintenance and further development of Mainline drivers by the community. Mainline guarantees the maintenance of current operating system versions many years after they have been installed. We often provide both a vendor and Mainline BSP at the same time. This way, you can decide when you want to start with Mainline.
- Mainline BSPs for PHYTEC Boards
o Annual BSP updates with all security patches from the Mainline
o The latest kernel version with current security patches included
o The latest Yocto-Minor releases
- LTS-Kernel in the BSPs for the PHYTEC products
- Customer-specific Continuous Integration Testing
All interfaces accessible in the end product are a potential security risk for embedded systems. Our recommendations for basic protection of the interfaces include:
- Connect only the interfaces you really need
- User-dependent access control to the interfaces
- Always use communication encryption
- Protect sensitive data such as Encryption or Private Keys
- Permanently deletes data when device is tampered
- Several operating modes supported
Encapsulation (Resin Casting)
- Physical access to components is impossible
- Chip-Identification (recognizing used components) is more difficult
- Electrical Measurements are impossible to reverse engineer
Most methods for securing devices and software are based on asymmetric cryptography using a connected public key infrastructure (PKI). To do this, you often need a different number of certificates, with public and private keys. Managing and protecting these certificates and private keys is a big challenge. The private keys must be protected throughout their entire lifecycle.
PHYTEC is your partner for these tasks and can guarantee the security of your private keys and other secrets with its production concept.
Ensuring security requires the ability to respond to current and future threats. Benefit from PHYTEC Lifecycle Management for your board support packages throughout their entire lifecycle.
Benefit from our security services throughout the entire lifecycle of your products.
Do you have questions about security or need specific support for your project? Our security experts will be happy to help you!