Best Practice 2.3 - Use protected boot and persistent storage encryption - IoT Lens Checklist

Best Practice 2.3 - Use protected boot and persistent storage encryption

When a device performs a secure boot, it validates that the device is not running unauthorized code from the filesystem. This helps ensure that the boot process starts from a trusted combination of hardware and software, and continues until the host operating system has fully booted and applications are running.

Choose devices with TPM (or TEE) for new deployments. Secure boot also ensures that if even a single bit in the software boot-loader or application firmware is modified after deployment, the modified firmware will not be trusted, and the device will refuse to run this untrusted code.

Full disk encryption ensures that the storage and cryptographic elements are secured in absence of a TPM or secure element. The disk controller needs to ensure that all read accesses to the disk are transparently decrypted at-runtime.

Recommendation 2.3.1 - Boot devices using a cryptographically verified operating system image

Use digitally signed binaries that have been verified using an immutable root of trust, such as a master root key (MRK) that’s stored securely in a non-modifiable memory, to boot devices.

Recommendation 2.3.2 – Create separate filesystem partitions for the boot-loader and the applications

As an example, configure the device boot-loader to use a read-only partition, and applications to use a separate writable partition for separation of concerns and reduce the surface area of the attack.

Recommendation 2.3.3 – Use encryption utilities provided by the host operating system to encrypt the writable filesystem

For example, use crypt utilities for Linux such as dm-crypt or GPG, and use BitLocker or Amazon EFS for Microsoft Windows.

Recommendation 2.3.4 - Use services that enable you to push signed application code from a trusted source to the device

You can use AWS IoT Jobs to push signed software binaries from the cloud to the device. For microcontrollers using Amazon FreeRTOS, ensure that the firmware images are signed before deployment.