Quality RTOS & Embedded Software

LIBRARIES
WHAT'S NEW
New FreeRTOS Long Term Support version now available.
FreeRTOS Extended Maintenance Program (EMP) registration now open.
FreeRTOS-Plus-TCP v3.0.0 released:
Featured FreeRTOS IoT Integrations:
Delta Over-the-Air Updates:

Featured FreeRTOS IoT Integrations

The FreeRTOS IoT integrations linked to on this page demonstrate best practices to make IoT device software more secure and robust. These best practices include making sure the device:

  • only runs software approved by the original equipment manufacturer (OEM).
  • uses a verifiable, per-device identity when authenticating to cloud services.
  • helps keep network data secure using cryptography and the Transport Layer Security (TLS) protocol.
  • stays up to date with the latest, publicly available security fixes through the lifetime of the device.

These FreeRTOS IoT integrations are designed for improved security using a combination of FreeRTOS software and a partner-provided board with hardware security features. Use them in production as is, or use them as a model for your own designs. This page describes the functionality common across all boards. See these board-specific pages for the details related to each integration:

What the demo application does

Each FreeRTOS IoT integration implements a basic IoT demo application that connects to the AWS IoT Core MQTT broker to exchange messages with the cloud. The application can also download updates to its own image from the cloud. The source code demonstrates security best practices in software, and shows how to integrate hardware security features to achieve even stronger security assurance.

How the FreeRTOS IoT integrations implement security

Each of these integrations includes code that demonstrates how to use hardware features that support secure operation. Each board has two key capabilities implemented in its hardware: keeping critical code unchanged, and keeping cryptographic keys hidden. This core functionality is designed to create a hardware-based root of trust, a foundation that supports software security features. The FreeRTOS IoT integration software builds a more secure boot process, a verifiable device identity, and a firmware update system on top of it.

Secure boot

Secure boot means that when a device starts, its application software is checked for authenticity before it starts running. Each FreeRTOS IoT integration board embeds an unchangeable boot loader directly in hardware. This boot loader is the first code that runs when the device starts, and it can be trusted because it can't be modified due to a security vulnerability or operational mistake. The boot loader's only job is to validate the authenticity of the OEM supplied firmware image, and then run it if the image is authentic.

The validation step uses a pair of cryptographic keys to implement a code-signing system. The details of the code-signing process vary across boards, but each implementation accomplishes the same thing-- the OEM can ensure that only their own firmware will run on the board. An OEM cryptographically signs their firmware images using a private code-signing key, and the bootloader uses the corresponding public key to verify the signature. The private code-signing key is secret, and known only to the OEM. Therefore, only the OEM can sign new firmware images with this key. The public key is not secret, and can be stored on each device. The reference boards each provide a way to program the public code-signing key and then permanently freeze its value.

In the board-specific documentation provided by the manufacturer, you'll see a description of a simplified boot process with only one boot loader. The integrations add a second stage boot loader into the process, between the first stage boot loader in hardware, and the OEM firmware. The fundamentals of the two-stage process are the same. The first stage boot loader verifies a signature on the second stage boot loader, and the second stage loader verifies the OEM firmware signature. This two-stage boot allows the first boot loader to be extremely small, reducing cost and reducing the chances of building an unfixable bug into hardware. Since the second stage is a software image, it can be larger and can implement more features. For example, the second stage boot loaders can support two OEM firmware slots, one for the current firmware, and one for an update image.

Secure, per-device identity and TLS

All devices that connect with AWS IoT are uniquely identified by a TLS Client Certificate. The client certificate tells the cloud which device it is talking to. Each device stores a unique TLS private key. Using a feature of the TLS protocol called Mutual Authentication, the device uses its private key to prove that it is the owner of its client certificate. (The authentication is mutual because TLS always verifies the identity of the server with another certificate.) For this system to be secure, each device must have its own unique certificate, and the private key must not leak outside the device. Each of the reference boards provides a secure store that holds the private key and never allows it to be read, even by software running on the same board! The FreeRTOS IoT integration software shows how to make TLS work without direct access to the private key.

Over the Air (OTA) updates

Secure boot and secure networking help build in strong security from the start. OTA helps IoT devices to stay more secure. Security researchers discover and publish new security vulnerabilities all the time. Most IoT devices will be exposed to multiple vulnerabilities during their lifetime. When a new vulnerability is discovered, an OTA update can fix the issue.

The demo applications use the AWS IoT OTA library to receive updates from the AWS IoT OTA service for FreeRTOS. The OTA client software runs in a background task, waiting for update messages from the cloud. When an update notification arrives, the OTA client downloads the new image from the cloud, and validates the code-signing signature on the image. If the signature is valid, the new firmware image is marked as the active image, and the board is rebooted.

Conclusion

Secure boot, secure networking, and over the air updates built on top of a hardware root of trust are the security best practices that keep IoT devices safe. Check out these FreeRTOS IoT integration pages to see how each board implements the hardware root of trust-- follow the links to the software repositories, and find the Getting Started Guides that show how to get them up and running.

Copyright (C) Amazon Web Services, Inc. or its affiliates. All rights reserved.