Freescale s definition:

Transcription

1 October 2013

2 Freescale s definition: A Trustworthy system is a system which does what its stakeholders expect it to do, resisting attackers with both remote and physical access, else it fails safe. Freescale Trust Architecture SoCs provide OEM controlled silicon features which simplify the development of trustworthy systems. The Trust Architecture is an opt in scheme, with OEM controlled trade-offs in cryptographic strength, debug visibility, sensitivity of tamper detection, and anti-cloning mitigation. 2

3 Hardware security policy enforcement Irreversible configuration of major policy decisions Secure Boot/Image Validation Integrity of the image validation key Debug Permissions Resettable (by trusted SW) secondary policy decisions Content of image to be validated Key to be used for validation HW security violation sources & consequences Memory access controls Secure Storage Device secrets only usable by hardware Locked out/wiped out on security violation User secrets protected by device secrets Protected Storage Access controlled on-chip and off-chip memory Hardware security state tracking Security violation detection and reaction Anti-cloning mitigation with FSL Unique ID per device 3

4 PCIe PCIe PCIe PCIe srio srio Interlaken LA-1 SATA SATA Power Arch CPU Power Arch CPU Power Arch CPU Power Arch CPU Plat Cache DDR Controller HV MMU HV MMU HV MMU HV MMU Battery Back-up Tamper Detect(s) Security Fuses PreBoot Loader Security Monitor Internal BootROM Power Mgmt SD/MMC SPI DUART I 2 C IFC USB w/phy Clocks/Reset GPIO CCSR SEC PME DCE CoreNet Coherency Fabric PAMU PAMU PAMU QMan BMan RMAN RMan FMan Complex FMan Parse, Classify, Distribute Buffer MAC MAC MAC MAC SERDES DMAx2 Peripheral Access Mgmt Unit SDC Real Time Debug Watchpoint Cross Trigger Perf Monitor Aurora CoreNet Trace 4

5 Code Signing Signature Verification CSF Header CSF Header S/G Table Code Signing Tool S/G Table Internal Secure Boot Code (on-chip ROM) Image Image Message Digest Hash Message Digest Hash Compare Hash Sum Pass/Fail Public Key(s) Private Key Encryption D, N Private Key E, N Hash E mod N Public Key(s) Public Key(s) Verify Key/List Public Key Decryption Signature Signature Fuse Box Public Key /List Hash Hash Key/List Fuse Box Public Key /List Hash 5

6 FSL Section 1b - FSL Section Write Protect 32b - FSL Unique ID 32b - FSL Scratchpad 0 32b - FSL Scratchpad 1 OEM Section 1b - OEM Section Write Protect 1b - Intent to Secure 1b - Clear_SFF (disable Scan) 1b - SEC disable 3b - Key Revocation (Trust 2.0 only) 2b - Debug mode Open Conditionally closed w/o notification Conditionally closed w/ notification Locked Root of Trust for Verification Persistent device secrets 256b Super Root Key Hash (2.0 supports list) 64b - Debug Challenge Value 64b - Debug Response Value 256b - One Time Programmable Master Key 32b - OEM Unique ID 32b - OEM Scratchpad 32b - OEM Scratchpad 6

7 32b General Purpose Registers b Monotonic Counter Zeroizable Master Key SFP One Time Programmable Master Key SEC AESA RNG Blob Key Key Select: OTPMK ZMK Combined MK 7

8 45 SOI products, including P3041, P5020, P5040, C29x (45nm devices with support for the battery backed LP section) 1.0v supply, worst case process, at two different ambient temps. 40C 70C 28HPM products, including T4240, T2080, LS1020A 1.0v supply, worst case process, at two different ambient temps 40C 70C 8

9 Init Test Key Non- Secure External Boot, or HW_Sec_Vio Check SW health check/ signature fail No Keys No HW_Sec_Vio + SW writes Trust bit Trusted OTPMK KEK SEC Key Usage SW Soft Fail No Key Usage, OTPMK and KEK cleared Soft Fail HW_Sec_Vio or SW Soft Fail HW_Sec_Vio or SW Soft Fail Secure No HW_Sec_Vio + SW writes Secure bit OTPMK KEK No Key Usage, OTPMK and KEK cleared, SoC RESET Req Hard Fail If Hard Fail Enabled 9

10 Public Key Hardware Accelerator (PKHA) Message Digest Hardware Accelerators (MDHA) RSA and Diffie-Hellman (to 4096b) Elliptic curve cryptography (1024b) Supports Run Time Equalization Random Number Generators (RNG4) DRBG with True RNG for seeding Snow 3G Hardware Accelerators (STHA) SHA-1, SHA-2 256,384,512-bit digests MD5 128-bit digest HMAC with all algorithms Advanced Encryption Standard Accelerators (AESA) Key lengths of 128-, 192-, and 256-bit ECB, CBC, CTR, CCM, GCM, CMAC, OFB, CFB, XCBC-MAC, and XTS Job Ring I/F Queue Interface Job Queue Controller Descriptor Controllers DMA RTIC Implements Snow 3.0 Two for Encryption (F8), two for Integrity (F9) Data Encryption Standard Accelerators (DESA) DES, 3DES (2K, 3K) ZUC Hardware Accelerators (ZHA) EEA-1 (encryption) & EIA-2 (integrity) ARC Four Hardware Accelerators (AFHA) Compatible with RC4 algorithm Kasumi F8/F9 Hardware Accelerators (KFHA) CRC Unit ECB, CBC, OFB modes CRC32, CRC32C, e OFDMA CRC Header & Trailer off-load for the following Security Protocols: IPSec, SSL/TLS, 3G RLC, PDCP, SRTP, i, e, 802.1ae CHAs PKHA RNG4 STHA ZHA AFHA KFHA MDHA AESA DESA F8, F9 as required for 3GPP A5/3 for GSM and EDGE GEA-3 for GPRS 10

11 CSF Header QorIQ ISBC CSF Header ESBC Uboot PubKey ESBC Uboot Normal Uboot stuff End normal Uboot stuff Validate [Boot Script address] [Boot Script PubKey Hash] CSF Header BootScript PubKey Validate [Image 1 address], [PubKey Hash 1] Success case Fail case Validate [Image 2 address], [PubKey Hash 2] Success case Fail case Validate [Image 3 address], [PubKey Hash 2] Success case Fail case BootM [Image 1], [Image 2], [Image 3] Validate command include functionality for parsing CSF header and validating each image AND handling failure cases. Image 1 PubKey Image 1 CSF Header Image 2 PubKey Image 2 CSF Header Image 3 PubKey Image 3 In progress: Blob encryption/decryption on images by bootscript. 11

12 Memory Blob OTPMK key encryption or ZSK key RNG CTR 0 B Plaintext AES-ECB encryption Blob key Ciphertext Data Plaintext AES-CCM encryption Ciphertext Enc. Key Enc. Data MAC Cryptographic blob 12

13 PCIe PCIe PCIe PCIe srio srio Interlaken LA-1 SATA SATA Partition 1 Power Arch CPU Partition 2 Power Arch CPU Partition 3 Power Arch CPU Partition 4 Power Arch CPU Plat Cache DDR Controller Shared HV Private Memory HV MMU Qman Portal HV MMU Qman Portal HV MMU Qman Portal HV MMU Qman Portal Partition 1 Private Memory CoreNet Coherency Fabric PAMU PAMU PAMU Peripheral Access Mgmt Unit Partition 2 Private Memory Partition 3 Private Memory SEC PME DCE QMan BMan RMAN RMan FMan Complex FMan Parse, Classify, Distribute Buffer MAC MAC MAC MAC DMAx2 SDC Real Time Debug Watchpoint Cross Trigger Perf Monitor Aurora CoreNet Trace Partition 4 Private Memory Command Control Status Registers SERDES 13

14

15 Hardware: External Tamper Detection via P_DETECT and LP_P_DETECT Secure Debug Controller (if set to Conditionally Closed with Notification) Run Time Integrity Checker (in SEC) Security Fuse Processor (if fuse array read fails, including hamming code check) Security Monitor (OTPMK and ZMK hamming code check) All sensitive flops upon detection of scan entry and exit (expert mode debug) Power Glitch In Trust 2.0: Monotonic counter roll-over Software: ISBC (Boot 0) ESBC/Trusted-Uboot (Boot 1) Any SW with write access to the Security Monitor can declare a security violation. 15

16 1. Open Debug interfaces have full access to the QorIQ memory space. If the device is already in Secure state, device secrets remain usable. This setting is only appropriate in a lab environment. 2. Conditionally Closed without Notification Debug interfaces are blocked until the user passes a challenge/response sequence. PASS = full debug access, as in the Open case FAIL = Access denied. 3 fails locks out chal/resp mechanism and reports Sec_Vio to Sec_Mon. 3. Conditionally Closed with Notification - Debug interfaces are blocked until the user passes a challenge/response sequence. PASS = Sec_Mon notified of active debug, ephemeral device secrets cleared, persistent secrets locked out, followed by full debug access, as in Open case. FAIL = Access denied. 3 fails locks out chal/resp mechanism and reports Sec_Vio to Sec_Mon. 4. Locked All debug operations are blocked. The JTAG interface can still be used for boundary scan physical interconnect testing. 16

17 to Sec_MON System Memory Map Throttle Register Watchdog Register Zone 1 SHA-256 mismatch comparator Zone 1 stored hash Zone 1 Zone 2 Zone 3 DMA controller SHA-256 mismatch comparator mismatch Zone 2 stored hash SHA-256 comparator Zone 3 stored hash Zone 4 mismatch Zone 2 Zone 4 SHA-256 comparator Zone 4 stored hash 17

18 QorIQ processors with Trust Arch include tamper detect inputs (P_DETECT, LP_P_DETECT) which provide a hardware security violation signal to the Sec_Mon. External tamper detection circuitry must maintain P_DETECT(s) at the specified voltage until a tamper event occurs. If no external tamper detection circuits are defined, P_DETECT(s) should be tied high. Upon detection of a tamper event, the external logic should drive P_DETECT(s) low. Use pull-down resistor to ensure that P_DETECT(s) go low immediately if power is cut. The tamper response is configurable. Soft Fail Persistent Device Secrets are locked out, ephemeral device secrets (if in use) is cleared, all SEC registers containing sensitive data are cleared, Sec_Mon generates IRQ. Hard Fail Soft Fail consequences plus: Battery backed Device Secret and non-secret values are cleared: active zeroization of the device platform caches and system main memory, while concurrently triggering the RESET_REQ signal. System designer must ensure that the RESET_REQ output signal triggers a device reset (HRESET or PORESET). 18

19 Freescale s focus on side channel attack resistance is focused in 2 areas: Timing analysis against public key and symmetric operations All QorIQ Trust Arch devices incorporate PKHAs with run-time equalization All symmetric CHAs perform run-time equalization Differential power analysis against AES operations Many QorIQ Trust Arch devices incorporate the AESA-DPA, a special version of the AES accelerator with DPA resistance 19

20 CPU 0 ISBC CSF Header KL, KN, WP ESBC Uboot PubKey or Key List ESBC Uboot Normal Uboot stuff Security Fuse Processor K0 K1 K2 SRKH (Key or Key List) Compare Hash (computed by ISBC) End normal Uboot stuff Validate [Boot Script address] [Boot Script PubKey Hash] New Flags for: Key vs Key List Key Number (0-3) Write Protect Key 0 Key 1 Key 2 Key 3 (irrevocable) 20

21 CPU 0 ISBC Primary Image CSF Header KL, KN, LW ESBC Uboot PubKey or Key List ESBC Uboot Normal Uboot stuff End normal Uboot stuff Validate [Boot Script address] [Boot Script PubKey Hash] Trust 2.0 will support a primary and secondary image, where failure to find a valid image at the primary location will cause the ISBC to check a configured secondary location. To execute, the secondary image must be validated using a non-revoked public key as defined by its CSF Header. A valid secondary image has same rights and privileges as a valid primary image. Purpose is to reduce risk of corrupting single valid image during firmware update or as a result of Flash block wear-out. Secondary Image CSF Header KL, KN, LW ESBC Uboot PubKey or Key List ESBC Uboot Normal Uboot stuff End normal Uboot stuff Validate [Boot Script address] [Boot Script 21 PubKey Hash]

22 Leadership High Performance 25W+ TDP P5020/10 P5040 P5021 T4240 T4160 Industry Highest CoreMark/W LS3240A LS3xxxP P4080/40 Mid-Range Performance 10-25W TDP Volume P3041 MPC8569 P2041/40 T2080 T2081 LS2100A LS2060A LS2xxx Value Performance <10W TDP Small Form Factor SEC Trust P2020/10 P1023/17 P1022/13 P1021/12 P1020//11 P1010/14 Existing 4Q 1Q Innovative solution with ARM Cortex A7: Dual-Core with ECC 2Q 3Q 4Q 1Q Product Qual C29x T1042 T1040 LS1020A 2Q 3Q 4Q 1Q 2Q 3Q 4Q 2014 T1023 LS1080A LS1040A LS1xxx 1H 2H 1H 2H Proposal Production Production Execution Planning Proposal Planning Execution Production 22 Samples

23