My department of the company I am working at is in charge of developing a circuit for production, and security in the embedded system is a crucial requirement. The current prototype of our embedded system runs Linux on a micro SD card (with a MPU, Am335x). My job right now is to change the design into something more secure — something that can't be easily modified by the user. However, I haven't done this in the past so I am not really sure what are the guidelines.
My thoughts so far:
Look for an EMCC chip on a BGA package with an internal layer on the PCB for the traces. That way it would be impossible to reprogram unless the user destroys the PCB. However, I am having difficulties finding an emmc chip on Digikey, apparently they are not very common and they are all sold out.
Other thing I was thinking was not using an EMMC at all but a secure NOR flash. However, I am not really sure if that would increase the development time in my department because I suppose that would require modifying the device trees on our AM335x so that it works with a secure NOR instead of an EMMC or a micro SD card.
Edit:
The security requirement I am referring to on this post is related to hardware only. We are using a TPM for secure boot and a remote attestation protocol to assert the state of the PCRs remotely. All software (new firmware) must be code signed to run. Also, all sensitive data in flash is encrypted. Thus I am not worried about someone desoldering and reading the EMMC. I am concerned however, about all the communication that goes from the EMMC to the AM335x, so I need to make sure it would be hard for someone to connect a test probe to the PCB traces. And of course, reflashing the chip and/or resoldering a new one. Those are the two basic requirements I am in need of.
Any guidance on this would be greatly appreciated.
Thanks in advance.
Best Answer
If the attacker has physical access to your device, you've basically already lost. A state-level attacker can do whatever they want. A well-off corporation won’t be too far behind. Even a well-equipped hobbyist with basic tools at home can do a lot.
If you have a vulnerability in which physical access to the path between your storage device and processor compromises your design, I argue that you need to try and change to a device and protocol that transmits encrypted data over the wire. I'd assume storing encrypted images on eMMC would be decrypted in memory on the processor, so perhaps capturing SD traffic would not be the biggest deal, but your decryption key has to be stored somewhere secure.