With the ever-increasing presence of Linux implementations in embedded devices (mobile handsets, set-top boxes, headless computing devices, medical equipment, etc.), there is a strong demand for defining the security requirements and for augmenting, enhancing, and hardening the operating environment. Currently an estimated 70% of new semiconductor devices are Linux-enabled; such high growth is accompanied by inevitable security risks, hence the requirement for a hardware-based trusted and secure computing environment, enhanced with MAC (Mandatory Access Control) mechanisms, in order to provide appropriate levels of protection for such devices. Due to the stringent security requirements for resource-constrained embedded devices, establishing a trust chain on a hardware root of trust and deploying MAC mechanisms to balance performance and control are particularly challenging tasks.
This paper presents the status of MontaVista Software's efforts to implement such solutions based on ARM cores that provide a separated computing environment, as well as SELinux (Security-Enhanced Linux) to provide MAC for embedded devices. The focus will be on the practical aspects of hardware integration as well as of porting SELinux to resource-constrained devices.