Introduction to SoC
Security Fundamentals; SoC Security Tutorial
SITE HOME
SoC Security -> Demystified. Security
on SoC by someone who isn't a Security Expert.
Why read this techerature? Whats different?
Agreed, there are countless articles on this topic littered all over
the internet, however when I read any of them, I realize that these
articles assume that you already a know a lot about security. So I
then wrote this one, which uses no-jargon, and no difficult words
which security guys assume you know by birth. Sometimes it helps to
follow someone on a topic who isn't an expert on that topic, for the
reason that we can talk in same language, same frequency and remain
on the same page. So here I present an article on SoC security
written in plain text as opposed to binary.
However I must say that though the article is quite general in
nature, but it does tend to be based around SoCs that use ARM's
Cortex-M class processors, so at times the ARM element would appear.
So why on earth the System-on-chip needs to be 'secured', and what
does it mean at the first place when we say that the SoC needs to be
'secured'. What is the threat?
Its very simple : Someone stealing IP. Software IP. Other threat is,
someone trying to steal data. Yet another threat, someone trying to
take control of your devices. Or Someone accessing something which
someone is not authorized to access.
The security experts call it a 'security-model'. That is to say,
what is the threat, how an hacker can attempt to steal/hack/hijack a
device. That is what a 'security-model' is.
Once the threats have been analyzed, then engineers develop ways to
protect against that. They design the SoC so that the SoC can
fend-off those attacks.
But let
it be clear. No SoC is 100% secure. By designing a SoC which can
fend-off attacks successfully, we are only making sure that the
cost of a successful attack becomes significantly higher than
the cost of developing the assets under threat. That is all what
the SoC security is all about. What's the point in spending 1
Million $ to steal something worth a tenner or so?
The other thing to note is: What is secure
today won't remain as secure in future. As the computing power
becomes cheaper, the computing power that is worth a million
today may become worth a tenner or so tomorrow. Hence no
security solution on a SoC today is a diamond. (BTW if you have
forgotten diamonds are for ever.... :)
SoC Security : Deep Dive.
The SoC designer/Manufacturer produces a SoC which has software
running on it.
Software/firmware can come from the SoC Manufacturer or from a third
party, or even from anyone. Every one on this planet is now writing
some 'app' which runs on smart phone. Imagine the threat, if an user
written app can access the camera on your smart phone, and stream
the data from camera away using phone's internet connection, you
wont' be very happy.
So this App software must only have limited rights. It must not have
right to access the phone's connectivity system and start streaming
data from it away from the phone. So in plain and simple terms, this
could be one of the objectives for the software to 'limit' the
'rights' of apps running on your device.
One thing is clear. The processor must be able to make out which
software is 'good' and which is 'bad'.
Now processor is a dumb machine, so its our job to tell it everytime
it starts to run something, that this is 'good' or 'bad'.
One way this could be done is to make the software able to
'authenticate' it self.
Another way will be to keep 'good' and 'bad' software at different
'regions' in memory, and tell the processor that if the software its
running is from 'good' region it can do everything or most of the
things, however if it is from 'bad' region, its very limited in what
in can do or access within the system.
Any software that the processor will run, must be kept somewhere in
memory (non-volatile memory, NVM), and usually the software or
portions of the software will be first copied into processor's RAM
(volatile) memory, and then the processor will execute this software
code from memory. There is also a possibility that the software may
be executed directly from NVM, i.e. without being copied into RAM.
But that is not the point here. The point is, the 'good' and 'bad'
software must be kept at different 'regions' in memory so that when
the processor executes them, it knows if it is fetching the software
from 'good' or 'bad' region. Having said this, the processor must
first be made aware of these 'regions' so that at the execution time
it can scrutinize the memory addresses it is executing the code
from, and decide if it is 'good' or 'bad' software, and then further
decide, what this software is allowed or not allowed to do.
Now when the processor first starts, i.e. comes out of reset, it has
no idea about anything 'good' or 'bad', hence the software that is
executed at startup i.e. when it boots, must be 'good' software.
So the first thing that the system designer must do is to ensure the
above.
In ARM-Cortex-M world, the software starts to execute from memory
location 0x0000_0000.
The first location is treated as a special location, and the
contents stored here are treated as the value with which the
processor's stack-pointer
must be loaded with.
The second location 0x0000_0004 : This is the location which is
called the location which points to the 'Reset_Handler'
The processor will jump to the location which is written at
0x0000_0004
For example consider the following 2 instructions.
0x0000_0000 2000_4000
0x0000_0004 0000_8000
This means that at power-up the processor will start its execution
from 0x0000_0000, it will load the value written at this memory
location i.e 0x2000_0000 into its stack pointer.
Then it will fetch the value at location 0x0000_0004 , and make a
jump there, and start executing code from this location i.e from
0x0000_8000 in this example.
Usually the program code starting from 0x0000_0000 is kept in
on-chip ROM, i.e. Read-Only-Memory which is built inside the chip.
The program is fused into this ROM at the time of manufacturing the
SoC. Hence it is 'good' code, as long as the Manufacturing process
can be trusted, which usually is trusted.
Its nearly impossible to hack the ROM cost effectively. So this is
the securest from of code that the processor will ever run. Hence it
is also called 'Root-Of-Trust (RoT)'. In a hypothetical case
if all the software is kept in ROM it will be very secure. But it
provides 0 flexibility. The whole point of the processor is to be
able to execute code written by users ages after it is manufactured.
Also the data that a processor or system using a processor will
always want to change/process the data. After all a computer is a
data processing machine. Almost all the use-cases of processors on a
computer or a smart phone or devices must be able to process the
data. So a computer with just a ROM isn't a feasible proposition.
Usually a system-on-chip will always have some ROM, but most of the
software will then be stored in some kind of non-volatile memory
either on-chip or off-chip. The ROM may have a bare-minimum code
what will allow the system to do some essential things, for example
set-up the system so that the processor can start fetching code from
non-volatile memory such as Flash memory which can be either On-Chip
or Off-Chip. OR the ROM may be big, and may do a lot more than just
bare-minimum. However all modern SoCs have some kind of NVM e.g
Flash, R-Ram etc.
Off-Chip memory is a big problem.
- Someone can just re-program the Off-Chip memory, or even
completely change/replace the off-Chip device with their 'bad'
software in it.Here comes the need for 'authentication'. Authentication
is explained in this section.
- Other problem is replacing the 'good' code device with 'bad'
code device. Someone could just change the off-chip device, to
contain 'bad-code'. Again authentication will help here.
- Yet another problem is code-copy: Someone could copy the code
from off-chip memory, then use this code to develop their own
software. This can be prevented by 'encrypting' the code.
Off-Chip Code encryption/decryption
System-on-chip will typically have some sort of non-volatile-memory
(NVM). The code in the NVM can either be directly executed
from NVM, or it can be copied from NVM to RAM before execution.
But in either condition, if the NVM is off-chip, the software in the
NVM must be encrypted.
The encryption method however will be different depending upon if XIP
(execute-in-place) from off-chip NVM Device is a required.
- If XIP
is not a requirement, then the code will be copied into on-chip
RAM before execution. Therefore the whole of the image can be
encrypted as a single 'block'. And before being copied into RAM, the
whole of the image is decrypted.
- If XIP
is a requirement, then the code is encrypted and decrypted in
very small 'blocks', so that the processor can issue any random address,
and then the block with that address will be fetched, decrypted
and then executed. This is also called in-line
encryption/decryption.
Ok, how are the ROM and NVM related?
Code in ROM being on-chip, is the most secure code. This code may be
made capable enough to do the following:
- Authenticate the off-chip NVM device
- De-crypt the off-chip NVM code.
This will enable the SoC to use the NVM code in a 'trustworthy
manner'. ROM contains secure and trusted code. The code in ROM knows
- How to 'authenticate' the off-chip NVM device.
- How to 'decrypt' the off-chip NVM code.
It is to be noted that the 'decryption' can be done by software
alone, or hardware may be used for it. If there is any hardware use,
these hardware blocks are typically called 'hardware accelerators'.
So a user may find system on chip with hardware security engines, or
hardware security accelerators or 'crypto hardware' or a name with any combinaiton of these. They are there to help in
encryption/decryption.
From hardware point of view, in addition to 'cryptography hardware
accelerators' there is another component, something
called TRNG, True Random Number Generator, which is worth taking a
note of.
The main function of this block is to generate a 'true' random
number. One of the use of the random number is to assist in
authentication, as
explained in this techerature article.
Chain of Trust:
This can now establish a chain of trust, starting with the ROM code.
Now the code in the NVM, which may be the main 'application' code
can further program other regions of the memory in the system and
designate them as 'privileged', 'non-privileged' and in addition to
it, if the processor supports secure/non-secure as in ARM processors
built on ARM v8 architecture, which is often also called ARM Trust Zone,
can partition the memory into 'secured' and 'non-secured' in
addition to 'privileged' and 'non-privileged'.
Partitioning the memory into these kind of regions, gives the power
to the designer to be able to limit the non-trusted code, as by
careful design, while executing any non-trusted code, this code will
only be assigned very limited capabilities. It wont be able to
read/write into any secure regions, read/write any critical data or
code. Hence the system is considered relatively safe.
This partitioning of memory brings us to our next chapter. Access
Protection.
Trusted/Untrusted Vs Secure/non-secure.
From the point of view of identification of the code in ARM's
world, there is no difference between Trusted and Secure software
and untrusted and non-secure software. These terms are used
interchangeably.
Click Here to Make Comments or ask Questions
<=
PREV : Debug Authentication.
Next Access
Protection =>
SITE HOME
--------------
Random Data:
Integrity Checks: Calculate hash value of memory 'blocks' at boot,
store the 'hash' values in a table. Then at run time again calculate
the hash values of the blocks then compare it with those stored in
table. If they dont match, the system has been compromised.
On a SoC, the clock control, power management flash programing
should be under controlled access. Only software running in
privileged mode is ever allowed to access these.