Combining OTA and Secure Boot for Application on Infineon's PSoC 6 AI Kit

Protect software updates using hardware-based security on Infineon PSoC 62 and PSoC 63.

Raul Vergara
1 month agoSensors / Internet of Things / Enterprise / Machine Learning & AI

This week's article was written by our lead MCU developer Dimi Tomov as he finishes support for PSoC 6 AI Kit — now fully supported by Thistle!

Protect software updates using hardware-based security on Infineon's PSoC 62 and PSoC 63

Over-the-air firmware updates in the industry are not always anchored to the hardware root-of-trust. This approach gives less security guarantees for IoT Edge systems working in the field. At Thistle we can offer OTA combined with Secure Boot for any embedded platform to achieve better security. Today, we will discuss the architecture specifics of the very popular Infineon PSoC 6 series of microcontrollers. Some very cool devices like the OURA rings are running thanks to the PSoC 6. Many medical devices are also using PSoC 6. Therefore, it is a battle proven solution and making use of secure boot is part of the reason why.

Why do companies avoid secure boot?

  • Enabling secure boot is difficult.
  • Secure boot on every platform is different.
  • The development process with secure boot is challenging.

This is why the mission of Thistle is to make the enablement of secure boot an easy process for any platform. The end result is secure OTA updates protected using hardware-based security. We already discussed the benefits of secure boot on the Espressif ESP32 platform in one of our previous Security Tuesday articles, so now let’s take a look at the Infineon PSoC 6.

PSoC 6 AI Kit

How is PSoC 6’s secure boot different?

PSoC 6 microcontrollers come in three flavors. There is a summary document from Infineon about some of the PSoC 6 differences, but it doesn’t capture all of them. Below is our attempt to describe how the PSoC 6 variants are different from security standpoint.

  • PSoC 61: Single-core Cortex-M4 system
  • PSoC 62 + PSoC 63: Dual-core system with Cortex-M4 and Cortex-M0
  • PSoC 64: Dual-core system with Cortex-M4, but the M0 is not available for the customer application because it comes pre-provisioned with a secure firmware by Infineon. The system owner can only use the CM4 core for application development.

A developer wanting to use PSoC 6 securely would have to read a ton of documentation and code examples to figure out how everything works together. Here are the best resources for each flavor:

  • PSoC 61 secure boot: To enable the application authentication for PSoC 61 one must adapt the Infineon example for PSoC 62. Set the TOC2 flags, add the start address, application format, and public address in the TOC2 structure. Add the digital signature for the application so that the Infineon bootloader can verify it at the boot time before starting the application on the CM4 core. It is not easy, but it is probably the most simple of the whole PSoC 6 series.
  • PSoC 62 + PSoC 63 secure boot: The requirements are described in this application note by Infineon because the CM0 core starts first and requires an additional firmware. In this case, the Infineon bootloader verifies the CM0 core and then the CM0 application decides if it should also start the CM4 application. The developer needs to add additional firmware to enable the PSoC 62/PSoC 63 security features. Infineon provides an MCUBoot example as a solution for CM0 firmware. As mentioned, when doing security alone it takes a lot of documentation and code reading.
  • PSoC 64: The PSoC 64 requires a different set of steps compared to any other flavor and those are described in this PSoC 64 application note by Infineon.

All of this only enables secure boot. Adding over-the-air updates is an additional effort and the whole update process needs to be aligned with the secure boot process. For example, as the new application is written to the device, the update procedure must also update multiple fields related to the secure boot, like the digital signature, application size, etc. Getting any one of these wrong can make a device unusable and it has to be returned to the factory. Not setting the secure boot parameters the right way (or in the right place) also can brick the device. This is why combining OTA with secure boot is so tricky.

Other challenges with secure boot?

Units entered into secure boot mode are more difficult to debug. Therefore, during development we use either secure boot with DEBUG (if the system allows it, PSoC 6 does), or we enable secure boot later in the development process, but we test it early to verify the security capability is working.

Quickly add security to your PSoC 6 project

Our Thistle C Update Client (CTUC) provides secure OTA updates to the PSoC 6 series of microcontrollers and our community plan is free of charge for individuals. Together with our public secure boot guides, a developer can quickly go through the process of enabling secure boot in development and production, using the PSoC 6 AI Kit as an example.

Thistle Control Center, view of the OTA status of one PSoC 6 device in the field.

Mission: Secure boot for all devices

At Thistle Technologies, we work hard toward the mission of bringing secure boot to all devices!

security
internet of things
automation
artificial intelligence
Raul Vergara
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles