Brussels / 2 & 3 February 2019


MCU Immutable Booting

How to protect microcontroller bootloaders with immutable boot

To understand how UEFI style secure boot can be implemented in a microcontroller (MCU) powered device with no operating system, we study recent implementations of immutable boot locked chips. To illustrate a project under development to solve a real world problem, we consider the Monero Hardware Wallet and Microchip CEC1702 microcontroller.

In this half hour, we review the current state of booting on chip microcontroller firmware on low power embedded devices. These devices have no operating system, so neither BIOS nor UEFI and their secure boot implementations are relevant. To understand how immutable booting aids in securing these systems, we study a few common vulnerabilities and demonstrate the approach taken by the Monero Hardware team using the Microchip CEC1702 microcontroller.

Microcontrollers Lack of OS Lack of BIOS On chip storage Memory arrangement External programming Embedded applications Medical Financial Logistics IoT and more Secure boot practice UEFI overview Implementations Immutable boot feature Rare in microcontrollers Plugs security holes Bugs and vulnerabilities Supply chain attacks Memory protection flaws Boot loader rewriting Skipping memory regions CPA, timing, and other side channel attacks

We show that immutable boot in microcontrollers is a useful tool to improve the security of low power embedded devices by illustrating the utility of modern parts and projects using them. Demonstrations serve to encourage dialog leading to further research.


Photo of Michael Schloh von Bennewitz Michael Schloh von Bennewitz