IOT2050 Secure Boot

Preface

Security information 1

Introduction 2

Secure Boot Infrastructure 3

IOT2050 Secure Boot Example for IOT2050
4
Secure Boot

Secure Boot advanced

topics 5
Operating Instructions

04/2023
A5E52411777-AA
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG A5E52411777-AA Copyright © Siemens AG 2023.

Digital Industries Ⓟ 04/2023 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Preface

Preface
This document contains information for using Secure Boot features for IOT2050.
It is intended both for programming and testing personnel who commission the device and
connect it with other units (automation systems, programming devices), as well as for service
and maintenance personnel who install add-ons or carry out fault/error analyses.

Basic knowledge requirements

Knowledge of personal computers, operating systems and programming is required to
understand this manual. General knowledge in the field automation control engineering is
recommended.

Scope of validity of this document

This manual applies to the IOT2050 devices of the device family SIMATIC IOT2000.
• 6ES7647-0BA00-1YA2 (FS04)
• 6ES7647-0BA01-1YA2
• 6ES7647-0BB00-1YA2

Conventions
The following generic terms are used in this documentation:

Generic term Specific name

Device IOT2050 device

Figures
This manual contains figures of the described devices. The supplied device might differ in
some details from the figures. Within some of the figures, one device is used to represent all
devices.

History
The following editions of these operating instructions are published:

Edition Comment
08/2022 First edition

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 3
Preface

Data protection
Siemens observes the data protection guidelines, especially the requirements regarding data
minimization (privacy by design). This means the following for this SIMATIC product: The
product does not process / save any personal information, but only technical functional data
(e.g. time stamps). If the user links this data to other data (e.g. shift plans) or if the user saves
personal information on the same medium (e.g. hard disk) and therefore creates a personal
reference in the process, the user has to ensure meeting the guidelines regarding data
protection.

IOT2050 Secure Boot

4 Operating Instructions, 04/2023, A5E52411777-AA
Table of contents

Preface ................................................................................................................................................... 3
1 Security information .............................................................................................................................. 6
2 Introduction ........................................................................................................................................... 7
3 Secure Boot Infrastructure..................................................................................................................... 9
3.1 OTP area .............................................................................................................................. 9
3.2 SEBoot ............................................................................................................................... 10
4 Example for IOT2050 Secure Boot ....................................................................................................... 11
4.1 Implementing IOT2050 secure boot example ..................................................................... 11
4.2 Check the example implementation ................................................................................... 13
4.3 Example Kernel .................................................................................................................. 15
5 Secure Boot advanced topics ............................................................................................................... 16

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 5
Security information 1
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary
and only when appropriate security measures (e.g. firewalls and/or network segmentation)
are in place.
For additional information on industrial security measures that may be implemented, please
visit (https://www.siemens.com/industrialsecurity).
Siemens' products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customers' exposure to
cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed visit (https://www.siemens.com/cert).

IOT2050 Secure Boot

6 Operating Instructions, 04/2023, A5E52411777-AA
Introduction 2
The Secure Boot features on IOT2050 are developed to help make sure that IOT2050 boots
using only firmware and software that are trusted by Siemens or you. When the device starts,
the firmware checks the signature of each piece of boot software. If the signatures are valid,
the device boots, and the firmware gives control to the operating system.
The integrity protection is achieved by the digital signature: the cryptographic key sign the
binary under protection first, then IOT2050 validate the binary with the same key during
booting stage. If the validation is passes, it means the binary is intact and can be boot.
Otherwise, the binary is suspicious and the device cannot be boot.

Note
Secure Boot is only for IOT2050 PG2 and PG2 later variants (for example IOT2050 M.2).

Chain of trust
IOT2050 use RSA key pair as cryptographic key which is also the most common
cryptographic algorithm for digital signature in industry.
An RSA key pair has two keys, a public key and a private key. In the digital signature
scenario, the private key signs the binary, meanwhile the device validate the binary with the
public key. The private key must be kept securely. On the contrary, the public key could be
distributed freely.
Private key signs the following items:
• Firmware, including U-Boot, TF-A and OPTee
• The OS loader EFI Boot Guard

• The Linux kernel, and any other UEFI binary that is part of the boot chain
To validate the binary signature, Siemens provides a tool to program the public key hash into
the one time programming (OTP) area into IOT2050.
Chain of trust: During boot, the first bootloader, for example SEBoot, validates the u-boot
with the public key hash stored in OTP area of IOT2050. Then the u-boot validates the EFI
Boot Guard which in turn validates the Linux kernel together with the device tree blobs.
Root of trust: Root of trust refers to the public key hash stored in the device OTP area and the
SEBoot.

Note
The SEBoot is validated against the Siemens public key hash by the ROM bootloader.

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 7
Introduction

Note
Keep private key securely
Once private key leaks, hacker could sign their malicious u-boot or kernel that Secure Boot
could not tell from the proper ones, which may put the device in danger.

Siemens provides three key slots in the OTP area. When the key in-use leaks, you can switch
to the next key in the slots as the key in-use to invalidate the leaked key. Three slots
guarantee that you have two opportunities to save the Secure Boot from key leakage.

IOT2050 Secure Boot

8 Operating Instructions, 04/2023, A5E52411777-AA
Secure Boot Infrastructure 3
3.1 OTP area

OTP (One Time Programmable)

Siemens opens the extended OTP area to you for implementing Secure Boot. The access to
this OTP area is managed by the SEBoot. There are three main parts stored in the OTP:
• Public key hashes
• Secure Boot enable bit
• Secure version

Public key hashes

There are three slots to store the public key hashes. You can choose the number of public key
hashes that to be programmed (one, two or three).
Siemens recommends you to use at least two keys. In case one key is leaked, you can use
another key.
1. MPK: the first key for signing customized firmware and image.
2. SMPK: the second key for signing customized firmware and image. If the first key is leaked,
user can switch to use this key.
3. BMPK: the third key for signing customized firmware and image. If the second keys is leaked
as well, user can switch to use this key.

Secure Boot enable bit

Secure Boot enable bit indicates whether the Secure Boot is enabled or disabled. This bit is
programmable via the same tool for key provisioning. Once this bit is programmed, the
SEBoot will validate the next stage bootloader against the programmed OTP keys.
You can choose to program this bit together with the public key hashes, or separately after
the keys are programmed.

Note
If the Secure Boot on IOT2050 is enabled, you cannot disable the Secure Bsotoot.
The Secure Boot enable bit only controls the SEBoot to verify the immediately following
bootloader, which is the combination of TF-A, OPTee and u-boot SPL in most cases.
You can still disable the image validation in SPL to break the chain of the validating
afterwards even if Secure Boot enable bit is flipped.

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 9
Secure Boot Infrastructure
3.2 SEBoot

Secure version
After you implemented the Secure Boot on IOT2050, secure version can detect and prevent
Downgrade Attack.
Secure version is also signed by the private key. Once a newer secure version firmware is
detected and validated, a Non-Volatile (NV) counter on the device is updated with the newer
version number. When the device is attacked by an older buggy firmware which has a lower
secure version, SEBoot will detect and reject the downgrade attack.
The NV counter is also implemented in the extended OTP area. The secure version ranges
from 0 to 127, which means you can have up to 127 security releases to fix the security bugs.

3.2 SEBoot
SEBoot is the first stage bootloader right after the RBL (ROM Boot Loader), for example, the
CPU. It is signed with the Siemens root key and is validated by the RBL. During booting, the
main task for SEBoot is to validate the later stage image that are signed with the customer
key. SEBoot also prevents the downgrade attack by comparing the secure version of the
image and the one defined in the OTP.

Note
For IOT2050, the SEBoot must be the first stage bootloader. Otherwise the device rejects to
boot.

IOT2050 Secure Boot

10 Operating Instructions, 04/2023, A5E52411777-AA
Example for IOT2050 Secure Boot 4
4.1 Implementing IOT2050 secure boot example
Based on the provided infrastructure, you can implement the secure boot for IOT2050 in
multiple ways.

Requirements
• linux machine is ready
• meta-iot2050 repository is cloned
• Two storage media, either SD card or USB stick is OK
• One build image, it can be stored on SD card or USB stick

Procedures

1. Generate the RSA key pairs.

Note
Siemens recommends you use at least two sets of keys, for example MPK and SMPK.

openssl req -x509 -newkey rsa:4096 -keyout custMpk.pem -nodes -

outform pem -out custMpk.crt -sha256 -days 3650
openssl req -x509 -newkey rsa:4096 -keyout custSmpk.pem -nodes -
outform pem -out custSmpk.crt -sha256 -days 3650
# only if you want to have the third key
# openssl req -x509 -newkey rsa:4096 -keyout custBmpk.pem -nodes -
outform pem -out custBmpk.crt -sha256 -days 3650
2. Delete the e existing demonstration key sets in <path-meta-iot2050>/recipes-bsp/secure-
boot-otp-provisioning/files/keys.
rm -rf <path-meta-iot2050>/recipes-bsp/secure-boot-otp-
provisioning/files/keys/*

Note
Keep the private keys securely. Do not commit your keys into the git repository.

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 11
Example for IOT2050 Secure Boot
4.1 Implementing IOT2050 secure boot example

3. Copy the generated *.pem and *.crt to <path-meta-iot2050>/recipes-bsp/secure-boot-otp-

provisioning/files/keys
cp *.pem <path-meta-iot2050>/recipes-bsp/secure-boot-otp-
provisioning/files/keys/
cp *.crt <path-meta-iot2050>/recipes-bsp/secure-boot-otp-
provisioning/files/keys/
4. Build the signed firmware and OS image:
cd <path-meta-iot2050>
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-
boot.yml:kas/opt/otpcmd/key-provision.yml
./kas-container build kas-iot2050-swupdate.yml:kas/opt/secure-
boot.yml

Note
Before building the signed images, make sure the certificate for the signing key is within
the validity term.
Renew the certificate if it is expired.

– The generated signed firmware is located at <path-meta-

iot2050>/build/tmp/deploy/images/iot2050/iot2050-pg2-imageboot.bin
– The generated signed OS image is located at <path-meta-
iot2050>/build/tmp/deploy/images/iot2050/iot2050-image-swu-example-iot2050-
debian-iot2050.wic.img.
5. Insert a storage media into the build machine, and copy the generated iot2050-pg2-image-
boot.bin to it.
6. Insert the storage media in step 5 to IOT2050 and boot IOT2050 with the boot image you
prepared.
7. Connect the build machine and IOT2050 with UART cable, enter the shell, and issue the
following commands to program the flash.
iot2050-firmware-update -f iot2050-pg2-image-boot.bin
8. Power off IOT2050, and remove the example image.
9. Power on IOT2050 and enter "yes" to program keys to OTP when you get the prompt
message.

Note
Once Secure Boot is enabled, you cannot program new key into OTP, even if empty slot
exists in OTP.

Note
Once secure boot is enabled, to improve security, the u-boot console is disabled.

IOT2050 Secure Boot

12 Operating Instructions, 04/2023, A5E52411777-AA
 Example for IOT2050 Secure Boot
4.2 Check the example implementation

10.Insert another storage media into the build machine, and make the boot media with the
signed OS image with the following command.
dd if=<path-meta-iot2050>/build/tmp/deploy/images/iot2050/iot2050-
image-swu-example-iot2050-debian-iot2050.wic.img \
of=/dev/<device-name> bs=100M oflag=direct status=progress
11.Insert the boot media with the signed OS image, and boot IOT2050.
Result: Both firmware image and the OS image are signed and validated by the generated
key set.

4.2 Check the example implementation

The example implementation is based on the firmware and example image configuration
provided in <path-meta-iot2050>.

The signed firmware image includes:

• SEBoot
• Signed TF-A
• Signed OPTee
• Signed U-Boot
• OTP programming data
The signed OS image contains a signed kernel PE image, that contains the kernel, device tree
blobs, kernel command line parameter, and a ramdisk. The file system includes:
• EFI system partition holds the EFI bootloader EFI Boot Guard
• Boot partitions hold the signed kernel PE images
• Randomly filesystem mounted as /usr

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 13
Example for IOT2050 Secure Boot
4.2 Check the example implementation

• Readable/writable filesystem mounted as /var

• Readable/writable filesystem mounted as /home

Boot sequence
All of the mentioned image validations use the same key set as the one programmed into the
OTP area.
1. After the device is turned on, the SEBoot validates the combined image of TF-A, OPTee and
U-Boot SPL.
2. U-Boot SPL validates U-Boot proper, and then U-Boot proper validates the EFI Boot Guard.
3. EFI Boot Guard validates kernel PE image.
Step 1 and 2 mainly use verified boot and X.509 certificate, and step 3 mainly uses UEFI
Secure Boot.

Key sets and keys used in the example implementation

• The key sets for OTP programming: <path-metaiot2050>/recipes-bsp/secure-
boot-otp-provisioning/files/keys.
These keys are intend to be programmed into the OTP area.
• The key set for signing and validating the U-Boot (both U-Boot SPL and U-Boot proper):
<path-meta-iot2050>/recipes-bsp/u-boot/files/keys
These are symbolic links to the OTP keys.
• The key set for signing and validating in the UEFI Secure Boot, i.e. EFI Boot Guard and
kernel: <path-meta-iot2050>/recipes-devtools/secure-boot-
secrets/files
These are also symbolic links to the OTP keys.
In the example implementation, a same key set is used for signing and validating all boot
chains. However you can use different keys for different validating stage, as long as:
• The key used for SEBoot to validate the TFA/OPTee/U-Boot SPL combined image must
be identical with the OTP key currently in-use.
• Together with the image-binary, the key used to validate the next stage image-binary
must be validated against the key of the previous stage. And when the current stage
image binary is validated and booted, the validation for next stage image-binary against
the validated key starts.

IOT2050 Secure Boot

14 Operating Instructions, 04/2023, A5E52411777-AA
 Example for IOT2050 Secure Boot
4.3 Example Kernel

4.3 Example Kernel

The reference implementation has seven partitions.

Partition Function Redundant Remark

design?
EFI System parti- hold UEFI application, N Standard partition defined in the UEFI specification
tion such as EFI bootloader
BOOT0/BOOT1 hold unified kernel PE Y
images
ROOTFS0/ROOTS hold read-only (dm- Y Expect for those separate mounts on top, the other rootfs are
F1 verity based) rootfs read-only.
that mounted on /usr. During boot, the initrd in the unified kernel PE image is invoked
by the kernel to find and verify the correct read-only roots via
dm-verity. The correct digest of the roofts is stored in the initrd
and are validated by the UEFI secure boot, together with the
unified kernel PE image.
Var mounted to /var N When the secure boot example is implemented on IOT2050, the
Home mounted to /home N dynamic content goes to /var and /home.

Note
Since the /usr is mounted as read-only and validated, /usr can only be updated with
SWUpdate. Command, such as apt install and upgrade, are not allowed.

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 15
Secure Boot advanced topics 5
Key provision
The example implementation is using two key sets by default. You can adjust it as you need.
For example, if you need three key sets, create the third key and put it into meta-iot2050
repository.
cd <path-meta-iot2050>
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-
boot.yml:kas/opt/otpcmd/key-provision-3keys.yml

Incident processing: key leaked

When the key in-use leaks, you can switch to the next key set as follows:
1. Copy or link the new key to <path-meta-iot2050>/recipes-bsp/u-boot/files/keys/custMpk...
2. Build the new key signed firmware together with the key switching otpcmd data.
cd <path-meta-iot2050>
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-
boot.yml:kas/opt/otpcmd/key-switch.yml

TUI way
When the key in-use leaks, you can also switch to the next key set with TUI.
cd <path-meta-iot2050>
./kas-container menu
1. Set Firmware image for PG2 devices as the Image type
2. Check Secure Boot and OTP provisioning in Image features
3. Select OTP provisioning command type
4. Check your selection in generated .config.yaml.

Incident processing: secure version

In the example implementation, you can set the secure version as follow.
1. Issue the following command.
cd <path-meta-iot2050>
./kas-container menu
2. Set the Firmware image for PG2 devices as Image type, and set Secure Boot as the
Image features.

IOT2050 Secure Boot

16 Operating Instructions, 04/2023, A5E52411777-AA
 Secure Boot advanced topics

3. Set a higher value for Use specific firmware secure version under Build options.
You must set a higher value than the old value when you need to bump the secure version
to fix secure bug. For example: if the current in-use secure version is 3, you need to use 4
as the new secure version.
4. Navigate to Save & Build and press Enter.

Note
Only SEBoot checks the secure version to validate the tispl container image. By replacing
the tispl container image, a new Secure Boot chain could be established for the rest. This
Secure Boot chain can prevent downgrade attacks for those rest images.

Secure policy of SEBoot

SEBoot defines three secure polices for different secure status:

Secure policy Status of Key Status of Secure Validate the im- Behavior when
programmed Boot enable bit age during boot? validation is
failed
none No key pro- No
grammed
soft 1 MPK is pro- Untouched Yes Continues to boot
grammed
enforced Both MPK and Flipped Yes Stops to boot
SMPK are pro-
grammed
1 You can set the device to soft policy as a final gate to check if everything is working as
expected before enabling the Secure Boot.

Note
The default secure status of SEBoot is none.

IOT2050 Secure Boot

Operating Instructions, 04/2023, A5E52411777-AA 17