In the first parts of this series, we’ve lifted the fog step by step: we started with understanding why cybersecurity matters in embedded systems, then explored the basics of encryption and digital trust, and most recently we looked at how IT and OT worlds are merging. We’ve seen that embedded devices now sit at the center of all industries and infrastructures - and with this comes both opportunity and risk.
With this foundation, we can now ask an even deeper question: where does trust itself begin? That’s where the idea of the Root of Trust comes in.
Root of Trust – A Buzzword That Needs Explaining
Root of Trust (RoT) sounds like a strong foundation, and it is. But it’s also a buzzword that only gains meaning once you explain what is trusted, and at which stage.
At its core, RoT is the very first element of a system that is accepted as reliable without further proof. Everything else builds on this decision. Think of it as the foundation on which a house is built: if it isn’t laid solidly, even the strongest walls will crack.
Depending on design and technology, this foundation can be set at different points: in the CPU itself, in the firmware, in the operating system, or through external security hardware.
| Level | Example | Role |
|---|---|---|
| Chip-level | Intel Boot Guard, AMD Platform Secure Boot, ARM High Assurance Boot | Verifies firmware directly from silicon |
| Firmware-level | UEFI Secure Boot | Ensures only trusted operating systems are loaded |
| Software-level | Signed kernels or bootloaders | Confirms OS components are authentic |
| Dedicated hardware | Trusted Platform Module (TPM) | Adds an independent, tamper-resistant trust anchor |
Secure Boot – Not Always the Same Thing
The term Secure Boot is often used as if it describes one universal process. In reality, it can mean different things.
It’s a bit like airport security: in some cases, you only need to show a boarding pass, while in others your luggage is scanned, your ID is checked, and you pass through multiple layers of control. Both are called “security checks,” but one is far stricter than the other.
On x86 systems, UEFI Secure Boot ensures that only signed operating systems can load. Intel Boot Guard and AMD Platform Secure Boot begin earlier, verifying the BIOS itself at the processor level. On many ARM platforms, High Assurance Boot (HAB) starts directly in the processor’s ROM, verifying firmware from the very first instruction.
The earlier in the process these checks begin, the stronger the chain of trust becomes.
TPM – The Hardware Witness
Sometimes, the built-in trust anchors aren’t enough on their own. That’s where the Trusted Platform Module (TPM) comes in.
The TPM can be imagined as a security guard living inside the device. Unlike software, which can be modified, the TPM is a tamper-resistant chip designed to hold secrets safely. It can store cryptographic keys, check whether firmware and the operating system remain unchanged, and even report the system’s integrity to the outside world.
Consider a controller in a factory that restarts after a power outage. Without a TPM, there’s no guarantee it hasn’t been tampered with while offline. With a TPM, the system can verify itself and refuse to continue if something looks suspicious.
How Trust is Verified
Whether implemented in silicon, firmware, or hardware modules, all these trust anchors rely on the same principle: digital signatures.
The process begins with hashing, which creates a unique fingerprint of the code. If even a single bit changes, the fingerprint looks completely different. Algorithms like SHA-256 or SHA3-256 are commonly used for this.
Then comes asymmetric encryption, using a pair of keys: one private and one public. The private key is kept secret by the software publisher, while the public key is widely shared. It works like a wax seal on a letter: only the sender can apply it, but anyone can check whether the seal is intact.
When firmware is signed, its hash is encrypted with the private key, creating a digital signature. On startup, the device calculates its own hash of the code based on the known algorithm and compares it with the signature decrypted using the public key. If the two match, the firmware is authentic, and execution continues. If not, the boot process halts. This process ensures integrity (nothing has been altered) and authenticity (it really comes from the expected source).
Here's a summary of the process:
Signing phase
| Step | Action |
| 1. Create the key pair | The software publisher uses a cryptographic algorithm to generate two mathematically linked keys: a Private Key and Public Key. |
| 2. Generate the Hash | The publisher runs the entire firmware/code file through a cryptographic hashing algorithm (e.g., SHA-256). |
| 3. Create the signature | The publisher uses their secret Private Key to encrypt the hash. |
| 4. Bundle the files | The final firmware package is created, consisting of the original firmware code and the Digital Signature appended to it. |
Verification phase
| Step | Action |
| 1. Calculate a new hash | On startup, the device's boot process (Root of Trust) uses the exact same hashing algorithm to calculate a new hash of the installed firmware code. |
| 2. Decrypt the signature | The device takes the Digital Signature from the bundled file and uses the publisher's embedded Public Key to decrypt it. |
| 3. Compare the hashes | The device compares the local hash (calculated in step 1) with the original hash (decrypted in step 2). |
Next Time: Security is Teamwork
Digital trust starts at the root, but no system can rely on technology alone. Even the strongest foundations must be supported by the right processes and collaboration across the entire value chain.
In Part 5 of this blog series, we’ll explore why security is teamwork, and how every player from hardware and software through to integration and operations has a role in keeping systems secure. We’ll also introduce the congatec House of Cyber Security, a framework designed to help customers meet CRA requirements and build truly trustworthy systems.
Stay tuned because trust doesn’t stop at boot. It grows through collaboration.
