MID-029: Hardware Root of Trust
Mitigation Tier: Intermediate
Description
A hardware root of trust (RoT) is a piece of hardware that typically stores the software code for critical boot functions that execute before any other functions on the device can operate. For example, 1st stage bootloader code stored in a hardware RoTs can be used to check firmware or later-stage bootloader authenticity and integrity before installing and running. This then allows the device to have a degree of certainty that the low-level code it is running is secure.
Usually, a hardware RoT consists of cryptographic keys and minimal boot code that uses the keys to ensure that the next piece of code is trusted to run. In the case of an immutable RoT, the cryptographic keys are immutable, for example written in OTP (One-Time Programmable) memory, and the boot code is immutable (BootROM).
Consideration: Making a RoT immutable can provide greater assurance by preventing the RoT from being tampered with by threat actors. If the RoT can never be changed, then threat actors cannot manipulate it to perform malicious actions. However, if a RoT is immutable and a vulnerability is found in the code stored within it, there are no ways to patch the device (see TID-220). Code on RoTs should therefore have minimal complexity and should be developed and deployed with the highest possible code quality standards.
IEC 62443 4-2 Mappings
- EDR / HDR / NDR 3.12 - Provisioning product supplier roots of trust
References
[1] ARM. “Booting a secure system.” arm.com. Accessed: Aug. 28, 2024. [Online.] Available: https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system
[2] ST. “Getting started with STiRoT (ST immutable Root of Trust) for STM32H5 MCUs.” st.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.st.com/resource/en/application_note/an6007-getting-started-with-stirot-st-immutable-root-of-trust-for-stm32h5-mcus-stmicroelectronics.pdf