Author: Bob Wheeler, chief analyst of Linley group
A reliable system security mechanism needs a combination of various methods, and the trusted root must start from the secure boot process. With its leading position in this field, lattice has launched a new generation of Mach NX series products and further developed its security control platform. These new devices can quickly respond to potential threats, ensure platform security, and simplify customer design. This white paper is sponsored by lattice, but the views and analysis in this paper are owned by the author.
Ensuring system security starts with firmware
In order to deal with various threats, complex systems need security mechanisms throughout the whole life cycle. This needs to start from ensuring the safety of the supply chain to ensure that the system will not be damaged in the process of device programming, system manufacturing, transportation and installation. Once put into use, the system also needs security OTA update to repair vulnerabilities or update security protocols. Finally, the system also needs to be scrapped safely to prevent data loss.
Traditional markets focused on system security mainly include data centers, service providers and critical infrastructure. Because many attacks can be launched from within the system, the security mechanism of multi tenant and public cloud data center becomes very important. In contrast, the security of network edge is slightly outdated. Therefore, the data center system must be able to defend against software attacks from within the system. The attack targets include computing server, storage system, network switch and router. In the network of service providers, base stations, broadband access devices, routers and various gateways are also potential targets. Even if the user side data is encrypted, these attacks may endanger the management side and open the back door in the system.
Broadly speaking, industrial control systems include those deployed in key infrastructure, such as national defense, public utilities, power grid and transportation. Governments have taken action early to protect the security of systems deployed in these areas, especially when malicious attackers are increasingly rampant. However, cyber criminals are increasingly targeting similar systems in other fields to gain economic benefits. Think about the cost of blackmailing a software attack to bring a factory to a standstill. Another target of attack is the car. With the increasing degree of interconnection and automation of cars, many cars now adopt OTA firmware update.
The security of device startup starts from firmware, and complex system will have multiple stages of startup process, which will also form a larger attack surface. The system firmware needs to be authenticated and OTA update encrypted and verified at startup. When the system detects an attack or failure, it must be able to quickly recover to a stable and safe state.
Some of these systems use the trusted platform module (TPM) to create a trusted root (ROT) to store encryption keys securely. But the implementation of TPM is very different, some use special hardware module, some are based on firmware and software. Researchers have found vulnerabilities in various implementation methods, some of which are even independent authentication schemes, and they can use these vulnerabilities to find the private key. Therefore, even using TPM can not completely protect all system firmware from damage.
The Linley group, Inc. – 1 – protection, detection and recovery
One way to protect the system firmware is to monitor the serial peripheral interface (SPI) signals used to read and write to the associated flash memory. Figure 1 shows an example of a server where flash memory is connected to both the South Bridge (or PCH) and the substrate management controller (BMC). By placing the switch in the SPI path, the programmable logic device (PLD) can monitor the SPI signal. PLD can verify instructions and addresses based on authorized and unauthorized access tables. When unauthorized access is detected, it will block the instruction from reaching the flash device through the switch. It can also record these activities to run management code on BMC.
Figure 1. PFR system architecture. Safety control PLD can realize PFR function and control function such as SPI monitoring.
PLD, which is used to protect SPI access, can also realize various system control functions, mainly including power control, such as power timing, fan control, panel button and led, and many sensing functions of power consumption, heat dissipation and physical state. Since most of these functions use I2C interface, PLD can also buffer and multiplex signals for BMC.
National Institute of standards and Technology (NIST) is responsible for the development and formulation of algorithms, protocols and frameworks to ensure network and system security. Recently, nistsp800-193 platform firmware protection and recovery specification (PFR) was released by nistsp800-193. Its core principle is to protect the platform firmware from damage, detect the firmware damage and restore the damaged firmware to the complete state.
To protect the boot image of BMC and CPU, the security control PLD can verify the firmware before allowing the associated host to exit the reset state, including reading firmware data from flash memory, generating summary, reading digital signature from flash memory, and using appropriate asymmetric encryption to verify the result. PFR only recommends the specified encryption algorithm, but in fact, elliptic curve cryptography (ECC) is the first choice because the traditional algorithm needs a long key. NIST’s benchmark requirement is 112 bit security, which requires 2048 bit RSA signature key. In contrast, elliptic curve DSA
(ECDSA) only needs 224 bits prime field to achieve the same encryption strength. For 192 bit equivalent strength,
ECDSA only needs 384 bits, while RSA needs 7680 bits.
Firmware protection also includes an updated verification mechanism. Although PFR specification does not make detailed provisions, OTA updates can be encrypted for transmission. Firmware image encryption adopts symmetric algorithm, and the current implementation adopts advanced encryption standard (AES). Benchmark security strength requires 128 bit keys (AES-128), but nowadays 256 bit keys are more common in some security sensitive applications. By using AES-256, batch encryption exceeds the strength of 384 bit ECC hash (sha-384) and message authentication (hmac-384). After image decryption, the digital signature can be verified before writing to flash memory. PFR specification includes a trusted root detection (RTD) function. The idea behind this function is: attacks on system firmware or key data should not damage RTD. Through the above SPI monitoring, PLD can not only act as RTD, but also prevent those attacks that violate the preset flash access rules. At startup, it can detect intrusion by verifying a valid firmware image. When it detects that the firmware is damaged, the system will give priority to the firmware image stored locally and recover to the previously authorized state. It should be noted that the backup image cannot be static, because previous firmware versions may include known vulnerabilities.
Since lattice provided PLD to realize system control function, its chip, IP and software have developed rapidly. Now it can integrate rot, system firmware protection and control function into a single device. The new generation of Mach NX is based on the proven machxo3d, combined with dedicated IP, software and services.
Powerful encryption with Mach nx
Secure enclave is an important module to ensure system security. It can implement encryption protocol, true random number generator (TRNG) and generate unique and unchangeable ID for each device. It also processes ECC protocols including ECDSA and ecdh, and supports up to 384 bit prime domains. It also supports AES batch encryption using a maximum 256 bit key. In this area, TRNG is used to generate private and public key pairs, and standard authentication interface is provided through security protocol and data model (spdm) transmitted under management component transport protocol (MCTP).
As shown in Figure 2, Mach NX adds a risc-v hard core to run the management and control firmware. This compact 32-bit microcontroller executes rv32i instruction set, integrates interrupt controller, timer and JTAG debugger. Lattice used to provide the core with soft IP, but now it uses hard core to release programmable logic and realize other functions. Mach NX has a total of 11K logic units. The combination of available logic units and UFM provides space for on-site upgrade to meet the future security requirements.
Figure 2. Mach NX block diagram. The chip includes hard core risc-vcpu, hard core security module, flash memory, programmable logic unit and abundant io. Another new feature of Mach NX is the enhanced SPI (ESPI) interface, which replaces the traditional LPC bus to connect BMC. ESPI adds a new protocol layer on the basis of SPI’s electrical and timing specification, so it can be downward compatible with SPI. Like the previous generation products, the new device includes flexible I / O for control function, with a maximum of 379 pins. It can realize lvcmos, LVTTL, LVDS and other standards, and supports the voltage range from 1.2V to 3.3V. All package schemes adopt 0.8mm pin spacing to simplify PCB layout.
Mach NX is the latest product based on lattice nexus platform, which is manufactured by Samsung’s 28nm fully depleted silicon on insulator (fd-soi) process. Although fd-soi is known for its low leakage current, power consumption is only a secondary consideration for most security control applications. However, another advantage of this process is that the soft errors caused by radiation are greatly reduced. Since device configurations are stored in SRAM, single event upset (SEU) may lead to failure that is difficult to recover. In this logic density device, fd-soi technology can almost eliminate SEU.
More perfect solutions
In order to simplify the design of customers, lattice improves its security control platform through IP, software and various services to realize PFR and other more solutions. In order to use pfrip to configure Mach NX, lattice provides a drag and drop development tool named propelbuilder. The soft IP needed in PFR design includes SPI master controller, SPI monitor, I2C monitor and register based interface between risc-vcpu and PLC. SPI monitor is connected with external SPI switch to monitor the access between SPI and flash memory and block unauthorized commands. The soft core PFR module needs 2.6k logic units, and the remaining 8.4k can be used for user logic.
Lattice also provides firmware source code running on embedded risc-v core as part of sentry PFR reference design. There are three main PFR software components responsible for security management, log management and out of band communication. Each component provides a set of API for application code, while low-level API provides access to soft / hard IP modules. Lattice provides an application example to demonstrate the protection, detection and recovery functions. The propeller SDK allows customers to modify, compile, and debug PFR firmware.
For the production process, the safety of PFR design is closely related to the supply chain, so lattice also provides a security service called supplyguard, which is used with Mach NX’s unchangeable ID. The company assigns a specific part number to each customer, and uses the encryption key to program these devices at the factory. The client can program the device with the key and the signed and encrypted bit stream. The device ID enables the client’s system to program legitimate devices and prevent illegal reading of bit stream. This helps to protect the integrity of the bitstream as well as the customer’s IP. Without a customer private key, the device cannot be reprogrammed. Under this “lock-in” security mechanism, even if the security of the manufacturing location cannot be determined, there is no need to worry about the risk of tampering with the device.
Due to the particularity of Mach NX, it does not face positive competition in PFR applications. If FPGA from other manufacturers is used, customers need to obtain the encryption module authorized by the third party as the soft IP. They need to instantiate MCU with soft IP and integrate it into third-party modules. Most FPGAs also require external flash configuration memory. As shown in Table 1, the system firmware certification performance of other FPGAs is much lower than that of Mach NX. The longer the verification time is, the longer the start-up time is, and the longer the start-up time will reduce the normal operation time of the system. Many cloud services include a service level agreementSLA, which specifies the normal operation time of the system. Therefore, the start-up time will directly affect the SLA index. The “five nines” reliability (99.999%) requires that the annual downtime is less than 5.3 minutes, so the system startup time is very important in the cloud data center.
Table 1. PFR function comparison between Mach NX and other solutions. Lattice’s chip is a perfect combination of high performance and powerful security. *Time measured at 64MB firmware image and 33MHz SPI clock frequency. (source: lattice)
When the system firmware verification fails, Mach NX can recover quickly. The device supports dual SPI memory, one can store the main firmware, the other can store the gold version firmware. If the verification fails, the sentry firmware will switch from the primary SPI to the secondary SPI and continue the boot process. Then the authenticated firmware image is copied to the main SPI flash memory in the background. Other solutions must copy the firmware image before booting starts.
Another PFR implementation is to use BMC, but this method has many limitations. Firstly, manufacturers’ BMCs generally do not support ECC, so their verification is weak. Secondly, BMC relies on external flash memory, which can not avoid the supply chain vulnerabilities that Mach NX and supplyguard can prevent. Finally, they do not support SPI monitoring and need to be added with an external PLD. Mach NX can implement PFR and control functions, which need PLD in any case.
A recent trend is the development of customized platform security chips, but some of them are designed for smart phones, such as biometrics. Google has developed Titan security microcontroller for its cloud server. Although other large cloud operators can develop similar chips, most OEMs are not willing to bear the huge resources required for custom chip development. Lattice’s customized solutions provide similar functions, and customers do not have to bear the high cost of customized chip development.
Lattice now provides not only FPGA, but also a comprehensive security control platform, including optimized chips, software, tools and services. By providing security protection in the whole life cycle from system design to equipment scrapping, lattice’s solution can solve the loopholes in all stages. Based on the company’s years of security control experience, Mach NX strengthens the encryption function, upgrades the BMC interface and provides more programmable logic to realize custom functions and field updates on the basis of the proven machxo3d. At the same time, sentry reference design reduces customers’ demand for time and resources, and can quickly and easily integrate PFR into their systems.
Although the server has taken the lead in adopting a strong platform security mechanism, with the continuous growth of real-time online network connections, more and more systems are also exposed to network attacks, and the market in the security field is still expanding. Network and communications equipment, industrial control systems, aerospace systems and autonomous driving vehicles are increasingly becoming targets of threat. Lattice can help customers in these areas secure their designs throughout the entire cycle from manufacturing to on-site upgrades.
Bob Wheeler is chief analyst of linli group and senior editor of microprocessor report. Linli group provides customers with the most comprehensive analysis of microprocessor and SOC design. We analyze not only business strategy, but also technology. Topics covered in our feature articles include embedded processors, mobile processors, server processors, AI accelerators, IOT processors, processor IP cores, and Ethernet chips.