When it comes to embedded devices and IoT, security is often an afterthought — until it’s too late. But what if you could add robust cryptography and secure boot to nearly any project, even if your hardware doesn’t have built-in security features? That’s the promise of Infineon’s Optiga Trust-M module, as demonstrated by Alex Lynd in a recent Thistle Technologies video.
What is the Trust-M?
The Optiga Trust-M is a drop-in cryptographic chip designed to bring modern security standards to resource-constrained devices. It connects over I2C, meaning you only need two extra wires to add encryption, secure key storage, true random number generation, and certificate protection to your project.
Why secure boot matters
Secure boot ensures that only trusted, untampered firmware runs on your device. In the demo, Lynd uses a BeagleBone Black — a popular development board — and shows how to implement secure boot using Trust-M and a lightweight bootloader called U-Boot. The process involves:
- Generating a key pair and signing firmware images with the Thistle App.
- Storing the public key securely in the Trust-M module.
- Updating the bootloader to verify the firmware signature at startup.
This approach means that even if attackers gain access to your device, they can’t run unauthorized code without the matching cryptographic signature.
Step-by-step: Adding secure boot
1. Prepare your tools: You’ll need a BeagleBone Black, the Trust-M module, wiring for I2C, and a way to access your board (SSH or serial console).
2. Install Linux: Flash a custom Linux image to a microSD card and boot the BeagleBone Black. Default credentials get you started quickly.
3. Wire up Trust-M: Connect the Trust-M to the BeagleBone’s power and I2C pins. Confirm connectivity with a simple command-line check.
4. Generate and sign firmware: Use the Thistle App to generate a key pair, sign your firmware image, and retrieve the public key.
5. Convert and transfer keys: Convert the public key to a format Trust-M understands and transfer both the key and the signed firmware to your device.
6. Update the bootloader: Replace the bootloader and its boot script with versions that verify the firmware signature through Trust-M before handing control to the kernel.
7. Test and verify: After rebooting, the bootloader checks the firmware signature using the Trust-M. Only valid, signed firmware will run.
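To make the verification logic in steps 4 to 7 concrete, here is an added Go model of the flow (not code from the video, Thistle or Infineon): sign a SHA-256 digest of a constructed firmware image with an ECDSA P-256 key, store the public key as raw point bytes, and have a BootCheck function stand in for the bootloader's decision. The P-256 curve and the uncompressed-point key format are assumptions; the real key conversion for Trust-M is tool-specific.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the firmware image the demo signs and loads.
var sampleFirmware = []byte("constructed firmware image v1 (zImage + dtb bytes would go here)")

// GenerateSigningKey: the P-256 key pair the signing tool holds (curve is an assumption).
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignFirmware hashes the image with SHA-256 and signs the digest at build time.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RawPublicKey: uncompressed point 0x04||X||Y, assumed to be what the Trust-M key slot stores.
func RawPublicKey(pub *ecdsa.PublicKey) []byte {
	return elliptic.Marshal(elliptic.P256(), pub.X, pub.Y)
}

// BootCheck models the bootloader at startup: rebuild the key from the stored bytes,
// recompute the digest of the image about to run, accept only a valid signature.
func BootCheck(storedPub, image, sig []byte) bool {
	x, y := elliptic.Unmarshal(elliptic.P256(), storedPub)
	if x == nil { // malformed or corrupted key slot: refuse to boot
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := GenerateSigningKey() // errors skipped in this demo only
	sig, _ := SignFirmware(priv, sampleFirmware)
	stored := RawPublicKey(&priv.PublicKey)
	fmt.Println("genuine image boots:", BootCheck(stored, sampleFirmware, sig))
	tampered := append([]byte{}, sampleFirmware...)
	tampered[0] ^= 0x01 // one flipped bit in the image
	fmt.Println("tampered image boots:", BootCheck(stored, tampered, sig))
}
```

On the real board the private key never reaches the device; only the stored public key and the signature travel with the image, which is why a flipped bit or a swapped key is rejected at boot.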
Why this matters for security pros and any embedded / IoT developer
- Retrofit security: Trust-M lets you add strong security to legacy or low-power devices that lack hardware cryptography.
- Key management: Keys never leave the Trust-M, reducing risk of extraction or misuse.
- Peace of mind: Every boot is verified, making persistent malware or unauthorized updates nearly impossible on supported platforms.
Takeaway for Security Tuesdays readers
If you’re building or maintaining IoT devices, don’t wait until after a breach to think about secure boot and cryptographic protection. Infineon’s Trust-M, combined with tools like the Thistle platform, makes it practical to implement best-in-class security — even on hardware that wasn’t designed for it.
Stay secure, and keep building with confidence.
For more details and a hands-on demo, check out the full video by Thistle Technologies and consider how you can bring secure boot, secure storage and secure OTA to your next project.