
US-12626549-B2 - Electronic lock comprising a lock-core software module


Abstract

An electronic lock for controlling access to a restricted physical space. The electronic lock comprises: electronically-controllable lock hardware; and a system-on-chip, SoC, comprising a processor and memory. The SoC comprises: a trusted environment comprising a secure data storage and a lock-core software module comprising instructions that, when executed by the processor, cause the electronic lock to: evaluate access for a user based on data stored in the secure data storage and control the lock hardware based on the evaluation; and an untrusted environment comprising untrusted software that is prevented from bypassing the lock-core software module to control the electronically-controllable lock hardware.

Inventors

  • Marko Ovaska
  • Sampo Sutela

Assignees

  • ASSA ABLOY AB

Dates

Publication Date
2026-05-12
Application Date
2022-05-10
Priority Date
2021-05-11

Claims (13)

  1. An electronic lock for controlling access to a restricted physical space, the electronic lock comprising: electronically-controllable lock hardware; and a system-on-chip, SoC, comprising a processor and memory; wherein the SoC comprises: a trusted environment comprising a secure data storage and a lock-core software module comprising instructions that, when executed by the processor, cause the electronic lock to: evaluate access for a user based on data stored in the secure data storage and control the lock hardware based on the evaluation, wherein the access is evaluated based on credentials, from an electronic key of the user, that are authenticated and authorized by the lock-core software module; and an untrusted environment comprising untrusted software that is prevented from bypassing the lock-core software module to control the electronically-controllable lock hardware; wherein the lock-core software module is trusted in a trusted execution environment of the SoC, verified using a cryptographic signature of the lock-core software module and a public key for at least one of a manufacturer of the electronic lock or a manufacturer of the SoC, the public key being stored in the secure data storage.
  2. The electronic lock according to claim 1, wherein the lock-core software module is installed during production of the electronic lock such that any unauthorized modification of the installed lock software module results in failed verification of trust in the trusted execution environment.
  3. The electronic lock according to claim 1, wherein the electronic lock is further configured to install an update of the lock-core software module, wherein the updated lock-core software module is verified using a public key stored in the secure data storage.
  4. The electronic lock according to claim 1, wherein the lock-core software module is configured to communicate with a remote server via the untrusted software, wherein end-to-end security is provided between the lock-core software module and the remote server based on data stored in the secure data storage.
  5. The electronic lock according to claim 4, wherein the end-to-end security is provided using PKI, public key infrastructure.
  6. The electronic lock according to claim 1, wherein the lock-core software module is configured to evaluate access based on verifying a credential using a public key stored in the secure data storage.
  7. The electronic lock according to claim 1, wherein the untrusted software comprises software implementing communication protocols with devices external to the electronic lock.
  8. The electronic lock according to claim 1, wherein all untrusted software is verified using public keys stored in the secure data storage.
  9. The electronic lock according to claim 1, wherein the SoC is configured to prevent the untrusted software from controlling the electronically-controllable lock hardware by only allowing software in the trusted environment, verified using a cryptographic signature of the software, to control the electronically-controllable lock hardware.
  10. The electronic lock according to claim 1, wherein the SoC is configured to prevent the untrusted software from controlling the electronically-controllable lock hardware by only allowing software in the trusted environment to access address space that is assigned for communicating with the electronically-controllable lock hardware.
  11. The electronic lock according to claim 1, wherein the SoC is configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using a low-level operating system of the SoC.
  12. The electronic lock according to claim 1, wherein the SoC is configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using physical hardware isolation.
  13. The electronic lock according to claim 1, wherein the SoC is configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using logical hardware isolation.
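The trust boundary that claims 1, 2, 6, 9 and 10 describe can be modelled end to end: a secure-boot step that refuses to run a lock-core image whose signature does not verify against the manufacturer public key in secure storage; a lock-core module that authenticates a credential with the issuer public key and authorizes it against the lock's own identity and an expiry; and a bus model in which only trusted-world accesses reach the lock actuator's address space, so the untrusted radio stack can only hand credentials to the lock core. This is an added illustration, not code from the patent or from ASSA ABLOY; the patent names no signature algorithm, so a toy textbook-RSA scheme over SHA-256 digests with fixed Mersenne-prime keys stands in for the PKI (constructed, deterministic, not for production), and the register address, lock identifier, credential format and all key material are constructed assumptions.

```python
import hashlib

# Toy textbook RSA over SHA-256 digests: a constructed stand-in for the
# unspecified signature scheme in the patent. Deterministic keys, NOT for production.
def make_keypair(p, q, e=65537):
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)   # (public, private)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    d, n = priv
    return pow(_h(data, n), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _h(data, n)

# Constructed key pairs built from known Mersenne primes (M61/M89, M107/M127).
MANUFACTURER_PUB, MANUFACTURER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ISSUER_PUB, ISSUER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

LOCK_REG = 0x4000_0000  # constructed MMIO address of the lock actuator register

class Bus:
    """SoC interconnect model: the lock register is reachable only from the
    trusted world (claim 10); any untrusted-world write is refused."""
    def __init__(self):
        self.state = "locked"
    def write(self, addr, value, trusted_world):
        if not trusted_world:
            raise PermissionError("untrusted world cannot reach lock address space")
        if addr != LOCK_REG:
            raise ValueError("unmapped address")
        self.state = "unlocked" if value == 1 else "locked"

class SecureStorage:
    """Data readable only inside the trusted environment (claim 1)."""
    def __init__(self, manufacturer_pub, issuer_pub, lock_id):
        self.manufacturer_pub, self.issuer_pub, self.lock_id = manufacturer_pub, issuer_pub, lock_id

def credential_bytes(user, lock_id, expires):
    """Canonical bytes the issuer signs (constructed format)."""
    return f"{user}|{lock_id}|{expires}".encode()

class LockCore:
    """Lock-core software module running in the TEE (claims 1, 6, 9)."""
    def __init__(self, storage, bus):
        self.storage, self.bus = storage, bus
    def evaluate_access(self, cred, now):
        user, lock_id, expires, sig = cred
        if not verify(self.storage.issuer_pub, credential_bytes(user, lock_id, expires), sig):
            return False                                   # not authenticated
        return lock_id == self.storage.lock_id and now <= expires  # authorized?
    def request_open(self, cred, now):
        ok = self.evaluate_access(cred, now)
        self.bus.write(LOCK_REG, 1 if ok else 0, trusted_world=True)  # only path to hardware
        return ok

def secure_boot(storage, bus, module_image, module_sig):
    """TEE boot: instantiate the lock core only if its image verifies against the
    manufacturer public key held in secure storage (claims 1, 2); else refuse."""
    if not verify(storage.manufacturer_pub, module_image, module_sig):
        return None
    return LockCore(storage, bus)

class UntrustedBleStack:
    """Untrusted world (claim 7): parses radio frames and forwards credentials.
    A bug here that tries to touch the register directly is stopped by the bus."""
    def __init__(self, lock_core, bus):
        self.lock_core, self.bus = lock_core, bus
    def on_frame(self, frame, now):
        user, lock_id, expires, sig = frame.decode().split("|")
        return self.lock_core.request_open((user, lock_id, int(expires), int(sig)), now)
    def buggy_direct_write(self):
        try:
            self.bus.write(LOCK_REG, 1, trusted_world=False)
            return True          # would mean the isolation failed
        except PermissionError:
            return False

def demo():
    bus = Bus()
    storage = SecureStorage(MANUFACTURER_PUB, ISSUER_PUB, lock_id="door-42")
    image = b"lock-core v1.0 (constructed image bytes)"
    core = secure_boot(storage, bus, image, sign(MANUFACTURER_PRIV, image))
    tampered = secure_boot(storage, bus, image + b"\x90", sign(MANUFACTURER_PRIV, image))
    ble = UntrustedBleStack(core, bus)
    now = 1_700_000_000
    sig = sign(ISSUER_PRIV, credential_bytes("alice", "door-42", now + 3600))
    good = f"alice|door-42|{now + 3600}|{sig}".encode()
    return {
        "boot_tampered_refused": tampered is None,
        "valid_credential": ble.on_frame(good, now),
        "expired_credential": ble.on_frame(good, now + 7200),
        "forged_credential": ble.on_frame(good.replace(b"alice", b"mallory"), now),
        "untrusted_direct_write": ble.buggy_direct_write(),
        "final_state": bus.state,
    }
```

Run `demo()` to see the five outcomes: a tampered image never boots, a valid credential opens the lock, an expired or altered credential is refused and the actuator is driven back to locked, and the untrusted stack's direct register write is rejected by the bus. The design point is that `UntrustedBleStack` holds no capability to write the register at all; it only ever calls `request_open`, which is the single chokepoint the patent's lock-core module represents.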

Description

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a national stage application under 35 U.S.C. § 371 of PCT Appl. No. PCT/EP2022/062671, titled “Electronic Lock Comprising a Lock-Core Software Module,” filed May 10, 2022, which claims priority to Swedish Patent Appl. No. 2150597-9, filed May 11, 2021, each of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present disclosure relates to the field of an electronic lock for physical access and in particular to an electronic lock comprising a lock core software module that is separate from untrusted software.

BACKGROUND

Locks and keys are evolving from the traditional pure mechanical locks. These days, electronic locks are becoming increasingly common. For electronic locks, no mechanical key profile is needed for authentication of a user. The electronic locks can e.g. be opened using an electronic key stored on a special carrier (fob, card, etc.) or in a smartphone. The electronic key and electronic lock can e.g. communicate over a wireless interface. Such electronic locks provide a number of benefits, including improved flexibility in management of access rights, audit trails, key management, etc.

Electronic locks also need to be secure. Any bugs in software of the electronic lock should not open up the possibility of an attacker running malicious code on the lock which causes the electronic lock to be set in an unlocked state.

SUMMARY

One object is to provide an electronic lock that is better at preventing malicious code from accessing lock hardware.

According to a first aspect, it is provided an electronic lock for controlling access to a restricted physical space. The electronic lock comprises: electronically-controllable lock hardware; a system-on-chip, SoC, comprising a processor and memory; wherein the SoC comprises: a trusted environment comprising a secure data storage and a lock-core software module comprising instructions that, when executed by the processor, cause the electronic lock to: evaluate access for a user based on data stored in the secure data storage and control the lock hardware based on the evaluation; and an untrusted environment comprising untrusted software that is prevented from bypassing the lock-core software module to control the electronically-controllable lock hardware.

The lock-core software module may be trusted in a trusted execution environment of the SoC, verified using a public key stored in the secure data storage.

The lock-core software module may be installed during production of the electronic lock such that any unauthorized modification of the installed lock software module results in failed verification of trust in the trusted execution environment.

The electronic lock may further be configured to install an update of the lock-core software module, wherein the updated lock-core software module is verified using a public key stored in the secure data storage.

The lock-core software module may be configured to communicate with a remote server via the untrusted software, wherein end-to-end security is provided between the lock-core software module and the remote server based on data stored in the secure data storage.

The lock-core software module may be configured to evaluate access based on verifying a credential using a public key stored in the secure data storage.

The end-to-end security may be provided using PKI (Public Key Infrastructure).

The untrusted software may comprise software implementing communication protocols with devices external to the electronic lock.

All untrusted software may be verified using public keys stored in the secure data storage.

The SoC may be configured to prevent the untrusted software from controlling the electronically-controllable lock hardware by only allowing software in the trusted environment, verified using a cryptographic signature of the software, to control the electronically-controllable lock hardware.

The SoC may be configured to prevent the untrusted software from controlling the electronically-controllable lock hardware by only allowing software in the trusted environment to access address space that is assigned for communicating with the electronically-controllable lock hardware.

The SoC may be configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using a low-level operating system of the SoC.

The SoC may be configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using physical hardware isolation.

The SoC may be configured to prevent the untrusted software from controlling the electronically-controllable lock hardware using logical hardware isolation.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to “a/an/the element, apparatus, component, means, step, etc.” are to be interpreted openly as r