electronica 2014 SECURITY


Extending security to configurable SoCs


Configurable platforms can offer access to the ubiquitous ARM architecture, tightly coupled to a high-performance FPGA fabric. By including secure features like TrustZone, engineers can develop solutions capable of targeting a range of safety/security-conscious end-applications.


The requirement for security is perennial; anything with a perceived value is subjected to unwelcome interest from the nefarious elements of society. Typically, the form of attack will be subject-dependent and so it follows that any form of protection should be appropriate to the subject and the expected nature of the attack.


In this era of accelerated technological development, the 'subject' can often be described simply as 'data'; be that security information such as passwords or encryption keys, or even the very software running on a given platform.


The forms of attack now used against these 'soft targets' include physical probing as well as the commonly cited 'cyber attack'; both of which have very specific defence requirements and, subsequently, solutions. In response to the general need for greater security in embedded devices, ARM developed an extension to its basic architecture, called TrustZone, which offers OEMs a platform on which to build secure solutions.


For OEMs using devices that integrate the ARM architecture, such as the Zynq-7000 All Programmable SoC platform from Xilinx, TrustZone offers one way of increasing the security credentials of an end-application, but it's important to understand how it can be used, what manufacturers are doing to augment TrustZone's features, and where and how these features are most appropriately deployed.


Secure boot and run

Keeping embedded devices secure relies heavily on embedded software today; for FPGAs this includes the bitstream used to configure the programmable fabric. This level of security has long been understood and addressed by FPGA vendors, and Xilinx devices offer a number of security features to ensure the bitstream cannot be intercepted, modified or altered during the crucial boot sequence at power-up and during run-time.


In addition to the protection of the bitstream, any ASIC, SoC or FPGA that integrates powerful processing must ensure that the processor boot sequence is secure and that the embedded software is also protected during run-time (see Figure 1). These aspects were formerly beyond the remit of an FPGA vendor but are now key to offering security in programmable platforms. The very fact that the processor sub-system is integrated into the FPGA makes this challenge less daunting; the Zynq-7000 platform, for example, integrates physically secure on-chip memory (OCM) that is inaccessible to external probing, making the boot sequence vastly more defendable. However, Xilinx has gone beyond a simple boot case by providing 256KB of OCM; large enough to run critical safety or security functions where they are both physically inaccessible and hidden from software behind ARM TrustZone technology.


Figure 1: Securing ASICs, SoCs and FPGAs that integrate processor cores today comprises three aspects: hardware, software and boot


Safe and Secure

Product designers typically use TrustZone in devices like smart phones to store and run code that encrypts sensitive data, such as a PIN or password. It can also be used to implement secure key storage for decryption algorithms, supporting DRM (digital rights management) in audio/video streaming applications. These applications often use an ARM architecture but not necessarily a single chip. The particular strength of an ARM multicore solution with TrustZone that is tightly integrated with an FPGA fabric within the SoC is that it can form a complete System on a Chip (SoC); a customer- and application-specific device that is capable of subsuming all of the major (and minor) functions of a system into a single device. When coupled with TrustZone, such an SoC is equipped to address a range of applications where both security and safety are paramount.


Safety-critical end-applications are as vulnerable to security issues as, for example, a mobile payment device; the risk of subversive tampering could render a safety-critical application a potential hazard to life or property, making it a target which needs the same level of protection now inherent within secure devices. Fundamentally, TrustZone provides two zones or, in ARM's terms, 'Worlds' for software; a 'Secure World' and a 'Normal World' (see Figure 2). Together they form a hardware platform for the creation of secure devices by allowing trusted software to run with full system access in the 'Secure World', while restricting untrusted software from accessing certain system functions and resources when running in the 'Normal World'. TrustZone allows a single processor to be partitioned to create two 'virtual processors', one for handling typically small but critical security functions, and one for general purpose processing. Although only one of the virtual cores can run at any given time, there is a very small overhead of just a few clock cycles to switch between the secure and normal modes, managed by the TrustZone hardware and aided by commercial and open-source software, to deliver a seamless symmetric multicore processing solution.
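As an added example (not code from the article or from Xilinx), the following C program models the access rule described above: software in the Secure World can reach every region, while Normal World software is refused any region assigned to the Secure World, such as the OCM that holds secure code and keys. The 256KB OCM size follows the article; the function name `tz_access_allowed`, the region names and the addresses are constructed for illustration and are not the device's real memory map.

```c
/* Added example, not from the article or Xilinx: a software model of the
 * TrustZone world-based access rule. In silicon the NS bit carried on the bus
 * enforces this; here it is a table walk over a constructed memory map. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { WORLD_SECURE, WORLD_NORMAL } world_t;

typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
    bool        secure_only;  /* region assigned to the Secure World */
} region_t;

/* Constructed map (addresses are illustrative, not the Zynq-7000's): the
 * 256KB OCM and a crypto block belong to the Secure World, DDR is shared. */
static const region_t MAP[] = {
    { "OCM",          0xFFFC0000u, 256u * 1024u,         true  },
    { "crypto block", 0xF8000000u, 0x1000u,              true  },
    { "DDR",          0x00100000u, 512u * 1024u * 1024u, false },
};
#define MAP_LEN (sizeof MAP / sizeof MAP[0])

/* Permit [addr, addr+len) only if it lies wholly inside one mapped region and
 * either the caller is the Secure World or the region is not secure-only.
 * Unmapped, zero-length and region-straddling accesses are refused for both. */
bool tz_access_allowed(world_t world, uint32_t addr, uint32_t len) {
    if (len == 0)
        return false;
    uint64_t end = (uint64_t)addr + len;   /* 64-bit: no wraparound past 4GB */
    for (size_t i = 0; i < MAP_LEN; i++) {
        uint64_t rbase = MAP[i].base, rend = rbase + MAP[i].size;
        if (addr >= rbase && end <= rend)
            return world == WORLD_SECURE || !MAP[i].secure_only;
    }
    return false;
}

int main(void) {
    /* Normal World code cannot read the OCM; Secure World code can. */
    printf("normal -> OCM: %s\n", tz_access_allowed(WORLD_NORMAL, 0xFFFC0000u, 16) ? "allowed" : "denied");
    printf("secure -> OCM: %s\n", tz_access_allowed(WORLD_SECURE, 0xFFFC0000u, 16) ? "allowed" : "denied");
    printf("normal -> DDR: %s\n", tz_access_allowed(WORLD_NORMAL, 0x00100000u, 4096) ? "allowed" : "denied");
    return 0;
}
```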

