I have an embedded system with a master and several slaves. All nodes run on different MCUs and communicate over a CAN bus. I'd like to have a zeroize sequence now. When the master sends a zeroize command, the slaves shall do it. But I couldn't decide on the behaviour of the slaves. Here are some facts first:
Slaves run on XMC1400 MCUs. In the XMC1400 (ARM Cortex-M0 core) the code is loaded and run from flash memory. Running from RAM is a little complex (it includes linker script and startup code modification) and RAM capacity is quite short.
There is a CAN bootloader located at the beginning of the flash (0x10001000). After power-up the bootloader wakes up, waits for a flash loading command from CAN, proceeds with the loading sequence if the command is received, or jumps to a certain flash area if no message is received within a certain number of seconds. So if there is no bootloader, there is no jumping whatsoever.
It is not possible for code to erase itself while running. It jumps to the exception handler if forced to do that.
Here are some possible scenarios:
1. Erasing the bootloader section when the zeroize command is received. If the bootloader is deleted, no application can run. But if someone gets a flash dump, the app code can be retained. So it is not a perfect zeroizing. This is a simple approach, but with this choice the application shall know where the bootloader is. This creates an unwanted dependency. If the bootloader location changes for some reason, the zeroize sequence shall change as well.
2. Giving this responsibility to the bootloader. When the zeroize command is received, the application will set a flag that is located in a certain flash area and trigger a soft reset. Then the bootloader will wake up and, if the flag is set, it will erase the flash areas that would normally be filled with the user application. This is a more complicated sequence but there are fewer dependencies. The bootloader already knows where the application program is from its database and the header of the application. Since it has certain knowledge of the application, it can also know the flag's location.
3. There will be a third application and it will be loaded to a certain flash area. Loading of this one can be done with the bootloader during production. When the zeroize command is received, the application will jump to this third eraser app and delete them all. This is the safest option, because the flash will be at its emptiest state under these conditions. There will still be a dependency between this third app and the user app, but this is less unwanted.
Here are the ones that I can think of and the pros/cons that I presume. I am not sure how a proper zeroizing operation shall be, so I'd like to listen to others. Thanks in advance, İpek
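As an added example (not the poster's code and not XMC1400 driver code), the following models scenario 2 against a RAM stand-in for flash: the application persists a flag and resets, the bootloader erases the application region on the next boot, and it clears the flag only after reading the erase back, so an interrupted erase is retried instead of leaving a half-erased image. The page and region sizes, the flag value and the erased-word value are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_WORDS     64u                 /* assumed page size in words */
#define FLASH_PAGES    16u                 /* assumed flash size in pages */
#define APP_FIRST_PAGE 2u                  /* pages 0-1 model the bootloader */
#define FLAG_PAGE      (FLASH_PAGES - 1u)  /* last page holds the zeroize flag */
#define ERASED_WORD    0xFFFFFFFFu         /* assumed erased-state value */
#define ZEROIZE_MAGIC  0x5A45524Fu         /* assumed flag value ("ZERO") */

static uint32_t flash[FLASH_PAGES][PAGE_WORDS];  /* constructed RAM stand-in for flash */

enum zeroize_result { ZEROIZE_NONE, ZEROIZE_DONE, ZEROIZE_FAILED };

static void flash_erase_page(unsigned page) {
    for (unsigned i = 0; i < PAGE_WORDS; i++) flash[page][i] = ERASED_WORD;
}

/* Test fixture: fill the application region with a recognisable pattern. */
void load_dummy_app(void) {
    for (unsigned p = APP_FIRST_PAGE; p < FLAG_PAGE; p++)
        for (unsigned i = 0; i < PAGE_WORDS; i++) flash[p][i] = 0xA5000000u | i;
}

/* Read-back verification: every word of the application region must be erased. */
bool app_region_is_erased(void) {
    for (unsigned p = APP_FIRST_PAGE; p < FLAG_PAGE; p++)
        for (unsigned i = 0; i < PAGE_WORDS; i++)
            if (flash[p][i] != ERASED_WORD) return false;
    return true;
}

bool zeroize_flag_pending(void) { return flash[FLAG_PAGE][0] == ZEROIZE_MAGIC; }

/* Application side: persist the request, then reset. On the real part the
   reset would follow here; in this model the caller runs the bootloader path next. */
void app_request_zeroize(void) { flash[FLAG_PAGE][0] = ZEROIZE_MAGIC; }

/* Bootloader side, run on every reset before any jump to the application.
   The flag is cleared only after the erase has been verified, so a power loss
   mid-erase leaves the flag set and the erase is repeated on the next boot. */
enum zeroize_result boot_handle_zeroize(void) {
    if (!zeroize_flag_pending()) return ZEROIZE_NONE;
    for (unsigned p = APP_FIRST_PAGE; p < FLAG_PAGE; p++) flash_erase_page(p);
    if (!app_region_is_erased()) return ZEROIZE_FAILED;  /* flag stays set */
    flash_erase_page(FLAG_PAGE);
    return ZEROIZE_DONE;
}
```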