Secure Boot
Secure Boot is a security mechanism that ensures a device executes only authenticated, untampered firmware and software during its startup sequence. It establishes a cryptographic chain of trust — from the first instruction executed after power-on through the operating system — making it a foundational layer of embedded security.
How Secure Boot Works
The secure boot process creates a chain of verification where each stage authenticates the next:
- Immutable Boot ROM — A small, read-only bootloader burned into silicon during manufacturing. This is the hardware root of trust — it cannot be modified by any software.
- First-stage bootloader — The Boot ROM verifies the cryptographic signature (e.g., Ed25519, RSA-4096, or post-quantum ML-DSA) of the first-stage bootloader before executing it.
- Second-stage bootloader — Verified by the first stage. Loads and authenticates the kernel or RTOS.
- Application firmware — The final stage, verified before execution.
If any stage fails verification, the device halts or enters a safe recovery mode — preventing compromised firmware from running.
| Component | Role | Integrity Mechanism |
|---|---|---|
| Boot ROM | Hardware root of trust | Mask ROM — physically immutable |
| Fuse bank (OTP) | Stores root public key hash | One-time programmable, write-locked |
| Bootloader | Loads & verifies next stage | Digital signature verification |
| Firmware | Application code | Signed image with version rollback protection |
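The chain described in the list and table above, as an added Go model that is not code from the original page: the Boot ROM holds only the fused hash of the root public key and a minimum version, each stage's image header carries its own key, the hash of the next stage's key and an Ed25519 signature, and any failed check halts the boot. `Image`, `BootROM`, `DemoChain`, the header layout and the fixed demo seeds are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Image struct { // constructed stand-in for one signed boot stage
	Version     uint32            // anti-rollback counter
	Payload     []byte            // the stage's code
	Key         ed25519.PublicKey // verification key shipped in the image header
	NextKeyHash [32]byte          // pins the key the *next* stage must carry
	Sig         []byte            // Ed25519 signature over the four fields above
}
// signedBytes is the byte string a signature covers (Key and NextKeyHash are fixed-length, so it parses unambiguously).
func signedBytes(img Image) []byte {
	b := []byte(fmt.Sprintf("%08x|", img.Version))
	return append(append(append(b, img.Payload...), img.Key...), img.NextKeyHash[:]...)
}
// BootROM models the immutable root of trust: it holds only the fused hash of the root key plus a minimum
// version (one for all stages here; real designs keep one per stage) and trusts a stage's key only if it matches the hash pinned by the previous stage.
func BootROM(pinned [32]byte, minVersion uint32, chain []Image) error {
	for i, img := range chain {
		if sha256.Sum256(img.Key) != pinned {
			return fmt.Errorf("stage %d: key does not match pinned hash: halt", i)
		}
		if !ed25519.Verify(img.Key, signedBytes(img), img.Sig) {
			return fmt.Errorf("stage %d: bad signature: halt", i)
		}
		if img.Version < minVersion {
			return fmt.Errorf("stage %d: version %d below minimum %d: rollback refused", i, img.Version, minVersion)
		}
		pinned = img.NextKeyHash // hand-off: the verified stage vouches for the next key
	}
	return nil
}
// DemoChain builds a three-stage chain at version 2 from fixed demo seeds (real keys live in an HSM),
// signing last-first because each header pins the hash of the next stage's key before it is signed.
func DemoChain() (fusedRootKeyHash [32]byte, chain []Image) {
	chain = make([]Image, 3)
	for i, next := 2, [32]byte{}; i >= 0; i-- { // next is all-zero for the final stage
		k := ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%032d", i)))
		chain[i] = Image{Version: 2, Payload: []byte(fmt.Sprintf("stage %d v2", i)), Key: k.Public().(ed25519.PublicKey), NextKeyHash: next}
		chain[i].Sig = ed25519.Sign(k, signedBytes(chain[i]))
		next = sha256.Sum256(chain[i].Key)
	}
	return sha256.Sum256(chain[0].Key), chain // the root key's hash: what the fuse bank holds
}
```

Raising the fused minimum version after a fix is what turns a correctly signed but older image into a refused rollback, which is the behaviour the table's "version rollback protection" column refers to.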
Why Secure Boot Is Critical
Without secure boot, a device is vulnerable to:
- Firmware injection attacks — Malicious code replaces legitimate firmware.
- Supply chain tampering — Modified software inserted during manufacturing or shipping.
- Persistent rootkits — Malware that survives factory resets.
- Rollback attacks — Reverting to older firmware with known vulnerabilities.
The EU Cyber Resilience Act (CRA) will require secure boot for all internet-connected products sold in the EU from 2027. Devices without it will be unable to receive CE marking.
Secure Boot vs. Measured Boot vs. Trusted Boot
| Feature | Secure Boot | Measured Boot | Trusted Boot |
|---|---|---|---|
| Action on failure | Halts execution | Logs measurements, continues | Reports to remote server |
| Verification | Pre-execution signature check | Post-execution hash measurement | Pre-execution + attestation |
| Standard | ARM PSA, UEFI | TPM-based (TCG) | Combination |
| Use case | IoT devices, embedded systems | Enterprise servers, cloud | Network appliances, critical infra |
Implementation Approaches
ARM Platform Security Architecture (PSA)
PSA is the most widely adopted framework for IoT secure boot. It defines a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE), isolated from each other using ARM TrustZone.
FPGA-Based Secure Boot
For FPGA designs, secure boot involves:
- Encrypting the bitstream (AES-256-GCM)
- Authenticating with ECDSA or RSA
- Storing keys in on-chip battery-backed RAM (BBRAM) or eFUSE
Secure Elements
Hardware chips such as the STMicroelectronics STSAFE-A110, Infineon OPTIGA Trust M, or NXP EdgeLock SE050 provide Common Criteria (CC) EAL6+ certified environments for key storage and signature verification.
Related Terms
- HSM (Hardware Security Module) — Dedicated hardware for cryptographic key management.
- IoT — Connected devices where secure boot is essential.
- EU Cyber Resilience Act — Regulation mandating secure boot for EU-market products.