October 2013
Freescale’s definition:
A Trustworthy system is a system which does what its stakeholders expect it to do, resisting attackers with both remote and physical access, else it fails safe.

Freescale Trust Architecture SoCs provide OEM-controlled silicon features which simplify the development of trustworthy systems. The Trust Architecture is an opt-in scheme, with OEM-controlled trade-offs in cryptographic strength, debug visibility, sensitivity of tamper detection, and anti-cloning mitigation.
• Hardware security policy enforcement
− Irreversible configuration of major policy decisions
    Secure Boot/Image Validation
    Integrity of the image validation key
    Debug Permissions
− Resettable (by trusted SW) secondary policy decisions
    Content of image to be validated
    Key to be used for validation
    HW security violation sources & consequences
    Memory access controls
• Secure Storage
− Device secrets only usable by hardware
− Locked out/wiped out on security violation
− User secrets protected by device secrets
• Protected Storage
− Access controlled on-chip and off-chip memory
• Hardware security state tracking
− Security violation detection and reaction
• Anti-cloning mitigation with FSL Unique ID per device
[Block diagram: QorIQ SoC with Trust Architecture. Power Arch™ CPUs, each with an HV MMU, on the CoreNet™ Coherency Fabric with platform cache and DDR controller; PAMUs (Peripheral Access Management Units); SEC, QMan, BMan, RMan, PME, DCE and the FMan complex (Parse, Classify, Distribute; buffers; MACs); the trust blocks Security Fuses, Security Monitor, Internal BootROM, PreBoot Loader, Tamper Detect(s) and Battery Back-up; debug blocks (Watchpoint Cross Trigger, Perf Monitor, CoreNet Trace, Aurora, Real Time Debug); I/O: SD/MMC, USB w/PHY, DUART, SPI, GPIO, I2C, IFC, SERDES, PCIe, sRIO, SATA, Interlaken LA-1, DMA x2; Clocks/Reset, Power Mgmt, CCSR.]
[Diagram: Code Signing vs. Signature Verification. Code Signing Tool side: the image and its S/G table are hashed into a message digest and signed with the private key (D, N); the CSF Header carries the public key (or key list) and the signature, and the Fuse Box holds the hash of the public key/list. Internal Secure Boot Code (on-chip ROM) side: hash the public key/list from the CSF Header and compare it against the Fuse Box hash, then decrypt the signature with the public key (E, N), i.e. compute Signature^E mod N, and compare the result with the freshly computed message digest of the image: pass/fail.]
FSL Section
  1b - FSL Section Write Protect
  32b - FSL Unique ID
  32b - FSL Scratchpad 0
  32b - FSL Scratchpad 1
OEM Section
  1b - OEM Section Write Protect
  1b - Intent to Secure
  1b - Clear_SFF (disable Scan)
  1b - SEC disable
  3b - Key Revocation (Trust 2.0 only)
  2b - Debug mode
    Open
    Conditionally closed w/o notification
    Conditionally closed w/ notification
    Locked
  256b - Super Root Key Hash (2.0 supports list) (callout: Root of Trust for Verification)
  64b - Debug Challenge Value
  64b - Debug Response Value
  256b - One Time Programmable Master Key (callout: Persistent device secrets)
  32b - OEM Unique ID
  32b - OEM Scratchpad
  32b - OEM Scratchpad
• Key Select:
− OTPMK
− ZMK
− Combined MK
[Diagram: the SEC’s AESA takes its key from a selector fed by the One Time Programmable Master Key (from the SFP), the Zeroizable Master Key, or a Blob Key generated by the RNG; also shown are 32b General Purpose Registers 0-3 and a 48b Monotonic Counter.]
45nm SOI products, including P3041, P5020, P5040, C29x (45nm devices with support for the battery backed LP section); 1.0v supply, worst case process, at two different ambient temps:
• 132uW @ 40C
• 195uW @ 70C
28HPM products, including T4240, T2080, LS1020A; 1.0v supply, worst case process, at two different ambient temps:
• 40uW @ 40C
• 55W @ 70C
[State diagram: Security Monitor states Init, Check, Non-Secure, Trusted, Secure, Soft Fail and Hard Fail. Transition labels: “No HW_Sec_Vio + SW writes Trust bit”, “No HW_Sec_Vio + SW writes Secure bit”, “External Boot, or HW_Sec_Vio”, “HW_Sec_Vio or SW Soft Fail”, “SW health check/signature fail”, “SW Soft Fail”, “If Hard Fail Enabled”. SEC key usage shown beside the states: No Keys; Test Key; OTPMK, KEK (Trusted and Secure); No Key Usage, OTPMK and KEK cleared (Soft Fail); No Key Usage, OTPMK and KEK cleared, SoC RESET Req (Hard Fail).]
• Public Key Hardware Accelerator (PKHA)
− RSA and Diffie-Hellman (to 4096b)
− Elliptic curve cryptography (1024b)
− Supports Run Time Equalization
• Random Number Generators (RNG4)
− DRBG with True RNG for seeding
• Snow 3G Hardware Accelerators (STHA)
− Implements Snow 3.0
− Two for Encryption (F8), two for Integrity (F9)
• ZUC Hardware Accelerators (ZHA)
− EEA-1 (encryption) & EIA-2 (integrity)
• ARC Four Hardware Accelerators (AFHA)
− Compatible with RC4 algorithm
• Kasumi F8/F9 Hardware Accelerators (KFHA)
− F8, F9 as required for 3GPP
− A5/3 for GSM and EDGE
− GEA-3 for GPRS
• Message Digest Hardware Accelerators (MDHA)
− SHA-1, SHA-2 256,384,512-bit digests
− MD5 128-bit digest
− HMAC with all algorithms
• Advanced Encryption Standard Accelerators (AESA)
− Key lengths of 128-, 192-, and 256-bit
− ECB, CBC, CTR, CCM, GCM, CMAC, OFB, CFB, XCBC-MAC, and XTS
• Data Encryption Standard Accelerators (DESA)
− DES, 3DES (2K, 3K)
− ECB, CBC, OFB modes
• CRC Unit
− CRC32, CRC32C, 802.16e OFDMA CRC
• Header & Trailer off-load for the following Security Protocols:
− IPSec, SSL/TLS, 3G RLC, PDCP, SRTP, 802.11i, 802.16e, 802.1ae
[Block diagram: SEC internals. The Job Ring interface and Queue Interface feed the Job Queue Controller; Descriptor Controllers drive the DMA and the CHAs (crypto hardware accelerators): DESA, AESA, MDHA, AFHA, PKHA, STHA, RNG4, KFHA, ZHA; RTIC.]
[Diagram: Trust Architecture boot chain. The QorIQ ISBC validates the ESBC (trusted U-Boot) package: CSF Header, ESBC Uboot PubKey, ESBC Uboot. After the normal Uboot stuff, U-Boot runs Validate [Boot Script address], [Boot Script PubKey Hash]. The boot script (CSF Header, BootScript PubKey) runs Validate [Image 1 address], [PubKey Hash 1]; Validate [Image 2 address], [PubKey Hash 2]; Validate [Image 3 address], [PubKey Hash 2], each with a success case and a fail case, and finally BootM [Image 1], [Image 2], [Image 3]. Each image is packaged as CSF Header, Image N PubKey, Image N.]
• The Validate command includes functionality for parsing the CSF header and validating each image AND handling failure cases.
• In progress: blob encryption/decryption of images by the boot script.
[Diagram: cryptographic blob construction inside the SEC. The RNG generates a 256-bit blob key; the data is encrypted with AES-CCM (B0, CTR0) under the blob key, producing Enc. Data and a MAC; the blob key itself is encrypted with AES-ECB under the blob key encryption key, derived from the OTPMK or ZSK. Only the blob (Enc. Key, Enc. Data, MAC) is written to memory as ciphertext; the plaintext exists only inside the SEC.]
[Block diagram: hypervisor partitioning on the same SoC. Partitions 1-4 and the HV each have Private Memory; each Power Arch™ CPU (with HV MMU) is assigned to a partition with its own QMan Portal; the Command/Control/Status Registers and the CoreNet™ fabric resources (PAMUs, SEC, QMan, BMan, RMan, PME, DCE, FMan complex, DMA x2, SERDES, PCIe, sRIO, SATA, Interlaken LA-1, platform cache, DDR controller, debug blocks) are shared.]
• Hardware:
− External Tamper Detection via TMP_DETECT and LP_TMP_DETECT
− Secure Debug Controller (if set to Conditionally Closed with Notification)
− Run Time Integrity Checker (in SEC)
− Security Fuse Processor (if fuse array read fails, including hamming code check)
− Security Monitor (OTPMK and ZMK hamming code check)
− All sensitive flops upon detection of scan entry and exit (expert mode debug)
− Power Glitch
− In Trust 2.0:
    Monotonic counter roll-over
• Software:
− ISBC (Boot 0)
− ESBC/Trusted-Uboot (Boot 1)
− Any SW with write access to the Security Monitor can declare a security violation.
1. Open – Debug interfaces have full access to the QorIQ memory space. If the device is already in Secure state, device secrets remain usable. This setting is only appropriate in a lab environment.
2. Conditionally Closed without Notification – Debug interfaces are blocked until the user passes a challenge/response sequence.
− PASS = full debug access, as in the Open case
− FAIL = Access denied. 3 fails lock out the chal/resp mechanism and report Sec_Vio to Sec_Mon.
3. Conditionally Closed with Notification – Debug interfaces are blocked until the user passes a challenge/response sequence.
− PASS = Sec_Mon notified of active debug, ephemeral device secrets cleared, persistent secrets locked out, followed by full debug access, as in the Open case.
− FAIL = Access denied. 3 fails lock out the chal/resp mechanism and report Sec_Vio to Sec_Mon.
4. Locked – All debug operations are blocked. The JTAG interface can still be used for boundary scan physical interconnect testing.
[Diagram: Run Time Integrity Checker. A DMA controller reads Zones 1-4 of the System Memory Map; a SHA-256 engine hashes each zone and a comparator checks the result against that zone’s stored hash, reporting any mismatch to Sec_MON. A Throttle Register and a Watchdog Register are shown alongside the checker.]
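The RTIC zone check drawn above, as an added Go model (not Freescale code): the zone layout, the enable mask and the mismatch bitmask are assumptions chosen to mirror the four-zone drawing; the Sec_Mon reaction to a mismatch is outside this block.

```go
package main

import "crypto/sha256"

// Zone is one protected region of the system memory map (a constructed model
// of the four zones on the slide).
type Zone struct {
	Offset, Length int
	StoredHash     [32]byte // reference SHA-256 recorded when the zone was locked
}

// RTIC models the Run Time Integrity Checker: a DMA engine streams each enabled
// zone through SHA-256 and a comparator reports any mismatch to Sec_Mon.
type RTIC struct {
	Zones   []Zone
	Enabled uint8 // bit i enables Zones[i]
}

func hashZone(mem []byte, z Zone) [32]byte {
	return sha256.Sum256(mem[z.Offset : z.Offset+z.Length])
}

// Lock records the reference hashes. In hardware this happens once, after the
// validated image is in place and before the run-time checking loop starts.
func (r *RTIC) Lock(mem []byte) {
	for i := range r.Zones {
		r.Zones[i].StoredHash = hashZone(mem, r.Zones[i])
	}
}

// Check is one pass of the run-time loop (in hardware the slide's Throttle and
// Watchdog Registers pace this loop). It returns a bitmask of zones whose current
// hash differs from the stored one; any non-zero result is the HW_Sec_Vio raised to Sec_Mon.
func (r *RTIC) Check(mem []byte) uint8 {
	var mismatch uint8
	for i, z := range r.Zones {
		if r.Enabled&(1<<i) != 0 && hashZone(mem, z) != z.StoredHash {
			mismatch |= 1 << i
		}
	}
	return mismatch
}
```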
• QorIQ processors with Trust Arch include tamper detect inputs (TMP_DETECT, LP_TMP_DETECT) which provide a hardware security violation signal to the Sec_Mon. External tamper detection circuitry must maintain TMP_DETECT(s) at the specified voltage until a tamper event occurs.
• If no external tamper detection circuits are defined, TMP_DETECT(s) should be tied high.
• Upon detection of a tamper event, the external logic should drive TMP_DETECT(s) low. Use a pull-down resistor to ensure that TMP_DETECT(s) go low immediately if power is cut.
• The tamper response is configurable.
− Soft Fail – Persistent Device Secrets are locked out, ephemeral device secrets (if in use) are cleared, all SEC registers containing sensitive data are cleared, and Sec_Mon generates an IRQ.
− Hard Fail – Soft Fail consequences plus: battery backed Device Secret and non-secret values are cleared, with active zeroization of the device platform caches and system main memory while concurrently triggering the RESET_REQ signal. The system designer must ensure that the RESET_REQ output signal triggers a device reset (HRESET or PORESET).
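The Security Monitor state machine from the earlier slide together with the Soft Fail / Hard Fail consequences above, as an added Go model (not Freescale code): the state and event names are the slide’s labels, while the state each label leaves and enters and the field names are our reading of the drawing, not text from the slides.

```go
package main

// Sec_Mon states as drawn on the slide, and the slide's transition labels.
// Which state each label leaves and enters is our reading of the drawing
// (an assumption for this example), not text from the slide.
type State string
type Event string

const (
	Init, Check, NonSecure, Trusted State = "Init", "Check", "Non-Secure", "Trusted"
	Secure, SoftFail, HardFail      State = "Secure", "Soft Fail", "Hard Fail"
)

const (
	InitDone, ExternalBoot, WriteTrust Event = "init done", "external boot", "SW writes Trust bit"
	WriteSecure, HWSecVio, SWSoftFail  Event = "SW writes Secure bit", "HW_Sec_Vio", "SW soft fail"
)

// SecMon holds the state plus the key-usage consequences listed beside it.
type SecMon struct {
	State           State
	HardFailEnabled bool // OEM policy: every Soft Fail escalates to Hard Fail
	OTPMKLocked     bool // persistent device secret locked out on Soft Fail
	ZMKCleared      bool // ephemeral battery-backed secret zeroized on Soft Fail
	ResetReq        bool // RESET_REQ asserted on Hard Fail; board must reset the SoC
	IRQ             bool // Sec_Mon interrupt raised on Soft Fail
}

// Handle applies one event. Unlisted (state, event) pairs are ignored and
// the two fail states are terminal until the SoC is reset.
func (m *SecMon) Handle(e Event) {
	if m.State == SoftFail || m.State == HardFail {
		return
	}
	switch {
	case e == InitDone && m.State == Init:
		m.State = Check
	case (e == ExternalBoot || e == HWSecVio) && m.State == Check:
		m.State = NonSecure // no secure boot: Test Key only, device secrets never enabled
	case e == HWSecVio || e == SWSoftFail: // TMP_DETECT, RTIC, fuse error, signature fail
		m.State, m.OTPMKLocked, m.ZMKCleared, m.IRQ = SoftFail, true, true, true
		if m.HardFailEnabled { // plus zeroization of platform cache and main memory
			m.State, m.ResetReq = HardFail, true
		}
	case e == WriteTrust && m.State == Check:
		m.State = Trusted // OTPMK and KEK usable by the SEC
	case e == WriteSecure && m.State == Trusted:
		m.State = Secure
	}
}
```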
• Freescale’s side channel attack resistance work is focused in 2 areas:
• Timing analysis against public key and symmetric operations
− All QorIQ Trust Arch devices incorporate PKHAs with run-time equalization
− All symmetric CHAs perform run-time equalization
• Differential power analysis against AES operations
− Many QorIQ Trust Arch devices incorporate the AESA-DPA, a special version of the AES accelerator with DPA resistance
• New Flags for:
− Key vs Key List
− Key Number (0-3)
− Write Protect
[Diagram: Trust 2.0 key revocation. The CSF Header carries the flags KL, KN, WP and the ESBC Uboot PubKey or Key List (Key 0, Key 1, Key 2, Key 3 (irrevocable)), followed by ESBC Uboot, the normal Uboot stuff and Validate [Boot Script address], [Boot Script PubKey Hash]. The ISBC on CPU 0 computes the hash of the key or key list and compares it against the SRKH (Key or Key List) in the Security Fuse Processor, which also holds the K0 K1 K2 revocation bits.]
• Trust 2.0 will support a primary and secondary image, where failure to find a valid image at the primary location will cause the ISBC to check a configured secondary location.
• To execute, the secondary image must be validated using a non-revoked public key as defined by its CSF Header. A valid secondary image has the same rights and privileges as a valid primary image.
• The purpose is to reduce the risk of corrupting the single valid image during a firmware update or as a result of Flash block wear-out.
[Diagram: Primary Image and Secondary Image, each packaged identically: CSF Header with flags KL, KN, LW, ESBC Uboot PubKey or Key List, ESBC Uboot, normal Uboot stuff, and Validate [Boot Script address], [Boot Script PubKey Hash]. The ISBC on CPU 0 checks the primary image first.]
[Roadmap slide: QorIQ products by tier (Leadership / High Performance, 25W+ TDP; Mid-Range Performance, 10-25W TDP; Volume / Value Performance, <10W TDP; Small Form Factor) and by status (Production, Product Qual, Samples, Proposal, Planning, Execution) from 2012 to 2016, listing P-series, T-series and LS-series devices and the C29x, with SEC and Trust markers; LS1020A is called out as an innovative solution with ARM Cortex A7, dual-core with ECC, industry highest CoreMark/W.]