AN133: SEC 4.0: Datapath Security Accelerator on the QorIQ P4080 Processor

Transcription

1 July 2009 AN133: SEC 4.0: Datapath Security Accelerator on the QorIQ P4080 Processor Geoff Waters NMG Systems Engineering - Security

2 Agenda Freescale security technology evolution Motivations for a datapath architecture Small packet challenge SEC 4.0 Hardware architecture Software architecture QorIQ trust architecture Secure boot Secure runtime Summary 2

3 Datapath Acceleration and the SEC 4.0 3

4 Networking Security Roadmap Phase 1 Phase 2 Phase 3 SEC 4.x MPC190 MPC185 SEC 1.x SEC 2.x xx 83xx 81xx SEC 3.x 85xx 83xx 81xx QorIQ 81xx MPC180 MPC Phase 1 Roll out Freescale security technology to commercial networking market through security co-processor product line Phase 2 Integrate security IP into Freescale communications processor products Phase 3 Continually improve baseline IP for integration, addition of trust architecture 4

5 Small Packet Challenge Mbps IPv4 ESP Null IPSec HW IPSec SW Packet Size (B) Relative performance of IPv4 and IPsec on Freescale MPC8548E, 1.3 GHz CPU, 533 MHz DDR, 266 MHz SEC Linux , 3 rd party IPsec stack 3DES-HMAC-SHA-1 5

6 P A Smarter Approach to Multicore P4080 Power Architecture 128KB e500-mc core Backside L2 Cache 32KB 32KB D-cache I-cache 1024KB Frontside L3 Cache 1024KB Frontside L3 Cache 64-bit DDR-2 / 3 Memory Controller 64-bit DDR-2 / 3 Memory Controller eopenpic PreBoot Loader Security Monitor Internal BootROM PAMU PAMU PAMU CoreNet coherency fabric PAMU PAMU Peripheral Access Mgmt Unit Power Mgmt SD/MMC SPI 2x DUART 4x I 2C 2x USB 2.0/ULPI Clocks/Reset elbc Test Port/ SAP SEC 4.0 Pattern Match Engine 2.0 Queue Mgr. Buffer Mgr. Frame Manager Parse, Classify, Distribute 10GE Buffer Frame Manager Parse, Classify, Distribute 10GE Buffer RapidIO Message Unit (RMU) PCIe PCIe SRIO 2x DMA PCIe SRIO Real Time Debug Watchpoint Cross Trigger Perf CoreNet Monitor Trace Aurora GPIO CCSR 18-Lane 5 GHz SERDES Designed to address embedded networking challenges Process more packets, even as instructions per packet increase Support simultaneous non-packet processing, including complex control, service overlays Compensate for growing gap between I/O and compute bandwidth vs. DDR bandwidth Massive integration to reduce total system footprint while remaining within <30W power envelope 6

7 QorIQ P4080 Performance Targets IPsec with all cores acting as datapath processors at 1.5GHz Gbps IPv4 IPv4 + FW/NAT ESP Null Asynch IPSec HW Packet Size (B) 7

8 Public Key Hardware Accelerators (PKHA) RSA and Diffie-Hellman (to 4096b) Elliptic curve cryptography (1023b) Supports runtime equalization Data Encryption Standard Accelerators (DESA) DES, 3DES (2K, 3K) ECB, CBC, OFB modes Advanced Encryption Standard Accelerators (AESA) Key lengths of 128-, 192-, and 256-bit ECB, CBC, CTR, CCM, GCM, CMAC, OFB, CFB, and XTS Message Digest Hardware Accelerators (MDHA) SHA-1, SHA , 384-, 512-bit digests MD5 128-bit digest HMAC with all algorithms Kasumi/F8 Hardware Accelerators (KFHA) F8, F9 as required for 3GPP A5/3 for GSM and EDGE GEA-3 for GPRS Snow 3G Hardware Accelerators (STHA) Implements Snow 3.0 CRC Unit CRC32, CRC32C, e OFDMA CRC Random number generator, random IV generation On-Chip System Interface CHAs Queue Manager Interface Job Queue Controller Descriptor Controllers SEC 4.0 RTIC Header and trailer offload for the following security protocols: IPSec, 802.1ae, SSL/TLS, SRTP, i, e Modular and scalable with simplified device driver 8

9 Unified Datapath Acceleration Architecture (DPAA) Frame Formats Frame Descriptor Multi-buffer (Scatter/gather) Frame D PID BPID S/G List Address Data Address 00 Length Simple Frame 100 Offset Length BPID Offset Frame Descriptor D PID BPID Address Status/Cmd 00 Address Length BPID Offset Data 000 Offset Length Status/Cmd Data 01 Address Length Data BPID Offset PID = Frame Partition ID BPID = Buffer Pool ID Buffer 9

10 DPAA Terminology Buffer Unit of contiguous memory, allocated by software Frame Buffer(s) that hold a data element (generally a packet) Frames can be single buffers or multiple buffers (using scatter/gather lists) A simple frame has one delimited data element Compound frames have more than one Frame descriptor Proxy structure used to enqueue frames. The frame memory itself is not used by the queue manager (QMan) Frame queue FIFO of related frames Frame queue descriptor Structure used to manage frame queues Work queue FIFO of frame queues Channel Set of 8 prioritized work queues, with hardware class scheduling Dedicated channel Supplies FQs to a single consumer Pool channel Can be shared by multiple consumers Packet Used more informally. A routable entity Portal Hardware interface used to access QMan facilities (e.g. enqueue or dequeue) for possibly multiple channels B B B B F = B FQ = F F WQ = Chan = Chan Chan 0 7 FQ FQ FQ B FQ Portal FQ FQ priority 10

11 SEC 4.0 Inputs FD3 PID BPID Addr Addr Offset Length Status/Cmd Buffer Decrypt Shared Descriptor Preheader 1 Preheader 2 Descriptor Header ARS Len NH Offset Options Salt (CTR mode only) Init Count (CTR mode only) Opt ESN (0s if not used) Seq Num Anti Replay Scoreboard Anti Replay Scoreboard key 2 key 1 Operation: Protocol IPsec CBC / CTR IB Dequeue Parameters Frame Queue ID Context Pointer Seq# SEC portal channel WQ7 WQ6 WQ5 WQ4 WQ3 WQ2 WQ1 FD2 PID BPID Addr Addr Offset Length Status/Cmd FD1 PID BPID Addr Addr Offset Length Status/Cmd Buffer Buffer WQ0 11

12 SEC 4.0 Protocol Processing Example - IPsec ESP Tunnel Encrypt Input Frame: Payload Crypto: Class 1 Payload padding Pad Len N Encrypted Payload padding Pad Len N Class 2 SPI Seq# Opt IV Payload padding Pad Len N Opt ESN Authenticate Output Frame: New IP Header SPI Seq# Opt IV Esp header Payload padding Pad Len N ICV SEC 4.0 adds encapsulating security payload (ESP) header, initialization vector (IV), ESP trailer, and keyed-hash message authentication code (HMAC) with integrity check value (ICV). Also adds outer header (up to 128B). Calculates IP header length field, does not calculate header checksum. 12

13 Shared Descriptor Example (Single-Pass ESP-CBC Tunnel) Descriptor header Descriptor length, attributes Protocol data block (PDB) Note: these are automatically updated after each frame Sequence numbers Association index (SPI) Blockcipher IV (immediate) Key blocks HMAC key (Class 2) Cipher key (Class 1) Both classes together enable single-pass operation Protocol operation e.g. WiMAX, IEEE , IPSec, etc. PDB Preheader 1 Preheader 2 Descriptor Header ARS Len NH Offset Options Salt (CTR mode only) Init Count (CTR mode only) Opt ESN (0s if not used) Seq Num Anti Replay Scoreboard Anti Replay Scoreboard key 2 key 1 Operation: Protocol IPsec CBC / CTR IB 13

14 SEC 4.0 Outputs Frame Buffer Res Packet Header Payload Res Res Enqueue Parameters Frame Queue ID Color Seq # Frame Descriptor Frame Address Partition ID Data Length Data Offset Status On-Chip System Interface Queue Manager Interface Job Queue Controller Descriptor Controllers RTIC DECO passes data to QMI, which outputs data into either original frame buffers or into new frame buffers (output buffer pool statically defined for flow). QMI sets all FD values. Ctx is updated as necessary. Typically Seq# or Anti-Replay state. DECO provides job completion information to the QMI, which uses the status word in the frame descriptor to inform software of success or failure. When last data is processed by an EU, DECO releases EUs and next DECO grabs them. CHAs 14

15 Job Completion Status Word SEC 4.0 can use interrupts to alert software of particular events; however, compared to prior generations of SEC, SEC 4.0 interrupts will be rare Consistent with the Request/Response model, the SEC 4.0 will inform software of the success or failure of a requested operation via a Job Completion Status Word Failures can be of several types: SEC generated output data, however a protocol error was detected LATE, REPLAY, ICV failure, FCS failure The SEC does not drop packets and clear buffers upon detection of a protocol error SEC detected an illegal/malformed command and did not output any data Moved on to a different FQ SEC detected a suspended Shared Descriptor and No-Op d the request SW can suspend Shared Descriptors asynchronously to packet processing The SEC will only generate interrupts in response to hardware failures and Trust Architecture Security Violations 15

16 SEC 4.0 Software Model Control Plane Data Plane Packet Ingress Classification Negotiation Connection Establish Session/SA Disconnect Device Driver Descriptor Construction Library Construct QI PreHeader Job Descriptor InitDescHdr Construct Shared Descriptor PDB HMAC Key Cipher Key Protocol Op Codes FQD Min IPsec Pre Processing SEC Helper Routine Oppy Mapping /Enqueue to FQ FQD FQD FQD Dequeue from SEC return queue SEC Helper Routine Oppy Min IPsec Post Processing FQDs from SEC dedicated channel Free Resources Routing Mapping /Enqueue to FQ Packet Egress Protocol Stack/LWE QMan Library Driver/DCL 16

17 QorIQ Trust Architecture 17

18 QorIQ P4080 Block Diagram External Tamper Detect eopenpic PreBoot Loader Security Fuses Security Monitor Internal BootROM Power Mgmt SD/MMC SPI DUART 2x I 2C 2x USB 2.0/ULPI Clocks/Reset QorIQ P4080 elbiu M2SB Test Port/ SAP L2 L2 128 KB L2 L2 L2 Backside L2 L2 L2 Cache PAMU Security 4.0 Pattern Match Engine 2.0 PAMU Queue Mgr. Buffer Mgr. Power Architecture e500-mc Core CoreNet Coherency Fabric 1024 KB Frontside L3 Cache 32 KB 32 KB 1024 KB D-Cache I-Cache Frontside L3 Cache PAMU Frame Manager Parse, Classify, Distribute 10GE HV MMU Buffer 10GE PAMU Frame Manager Parse, Classify, Distribute Buffer SRIO Message Unit PCIe PCIe SRIO PAMU 64-bit DDR-2 / 3 Memory Controller 64-bit DDR-2 / 3 Memory Controller Peripheral Access Mgmt Unit PCIe DMA SRIO Real Time Debug Watchpoint Cross Trigger Perf Monitor CoreNet Trace Aurora GPIO CCSR 18-Lane 5 GHz SERDES 18

19 Trusted Boot Process Code Signing Entity System Code (Plaintext) Hash Plaintext Hash = (ciphertext hash) (e) mod N Ciphertext Hash = (plaintext hash) (d) mod N E, d, and N are mathematically chosen so that RSA works (N is the product of 2 large primes) Sign and Verify are identical operations (modular exponentiation) Internal Secure Boot Code If Decrypted Hash = Generated Hash, the System Code has not been modified Decrypted Hash Generated Hash RSA Sign Private Key (d) Public Modulus (N) Public Key (e) Public Modulus (N) RSA Verify Signature System Code (Plaintext) System NV RAM Signature System Code (Plaintext) 19

20 Secure Storage Non-volatile Volatile (with zeroization option) External NV Memory Internal OTP Memory Main Memory Internal SRAM Integrity Protected Code, Data Public Values, Configuration Secret Values No Execute Region Hypervisor/PAMU access protected memory regions Session Keys Hypervisor/PAMU access protected memory regions Encrypted & Integrity Protected Code, Data Encrypted & Integrity Protected Code, Data Encrypted & Integrity Protected Code, Data Digital Signature 20

21 Run Time Integrity Checker to Sec_MON System Memory Map Zone 1 SHA-256 mismatch comparator Zone 1 stored hash Zone 1 Zone 2 Zone 3 DMA controller SHA-256 mismatch comparator mismatch Zone 2 stored hash SHA-256 comparator Zone 3 stored hash Zone 4 mismatch Zone 2 Zone 4 SHA-256 comparator Zone 4 stored hash 21

22 Power Architecture No Execute Feature The Power Architecture Book-III E Translation Look aside Buffer (TLB) includes control bits that CPUs use to determine read, write, execute and caching rules for the memory pages The 'X' bit in the TLB controls whether the page s contents can be executed as instructions The ability to define pages as non-executable provides a significant barrier against attacks that overflow data buffers into code memory space This feature is functionally equivalent to the NX bit (No execute) in the x86 architecture, although the Power Architecture Book-III E X bit predates NX by several generations 22

23 Hypervisor Symmetric Multiprocessing (SMP) with Task Affinity Local Ctl Service 1 Service 2 Service 3 I/O Ingress I/O Egress SMP Control SMP Control SMP Services Asymmetric Multiprocessing (AMP) with Hypervisor Parallel Datapath AMP with Hypervisor Parallel Datapath AMP with Hypervisor Datapath I/O Ingress I/O Egress L2 Cache L2 Cache L2 Cache L2 Cache L2 Cache L2 Cache L2 Cache L2 Cache Power Architecture Core Power Architecture Core Power Architecture Core Power Architecture Core Power Architecture Core Power Architecture Core Power Architecture Core Power Architecture Core D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache D-Cache I-Cache CoreNet Interconnect Fabric Front-side L3 Cache Front-side L3 Cache DDR2/3 Memory Controller DDR2/3 Memory Controller 23

24 Summary P4080 processor combines high levels of computing horsepower with efficient virtualized accelerators SEC 4.0 was designed as part of a comprehensive Datapath Acceleration Architecture to reduce CPU utilization and increase security protocol throughput The SEC 4.0 is also part of a comprehensive QorIQ Trust Architecture, enabling trusted computing in a multi-core environment 24

25 Q&A Thank you for attending this presentation. We ll now take a few moments for the audience s questions and then we ll begin the question and answer session. 25

26