
System security takes on SoC approach

Posted: 16 Oct 2007

Keywords: secure SoC, hypervisor, software cryptography

A system is only as secure as its weakest link, and security becomes ever more important as more equipment embraces the SoC approach. This article looks at the security options available to SoC designers.

Designing a secure system requires a chipwide approach; retrofitting security onto a finished system is only a temporary fix. Protecting a device's secret keys and content, and understanding the basic requirements of a secure SoC, are vital to creating leading-edge products.

Three elements are vital to a secure system: secure peripherals that prevent unauthorized access, ideally with multiple levels of access; a trusted environment to run trusted software and securely store sensitive data; and cryptographic acceleration.

Securing peripherals
One way to provide multiple levels of security to peripherals is to add a hypervisor, a thin layer of software that runs at a higher privilege than the supervisor in a system. Supplied by companies such as Trango Systems Inc., the hypervisor occupies only about 20Kbytes and creates virtual processors that allow multiple operating systems to run on one CPU. This works because the hypervisor guarantees separation and time slicing among the virtual CPUs.

The hypervisor approach gives system designers greater flexibility at the cost of a thin layer of code. Some designers choose a dual-CPU approach, running secure operations on a separate core in a trusted environment. With a hypervisor, a single CPU keeps the OS and multiple other environments separate. A designer working with an existing system can create trusted areas where secure processes such as key management or secure boot run without adding another CPU. In systems that already have more than one CPU, the hypervisor can extend functionality without major hardware changes. This approach is applicable to a wide range of systems.

A new generation of standards is enabling a slew of secure peripherals with individualized access levels. This avoids the problems that can occur with a single trusted environment, where a breach of one peripheral can be used to access all the others. With multiple levels of access, the peripherals and assets that require the most security (such as those handling credit card numbers) can still be kept secure from other peripherals.

The Open Core Protocol International Partnership (OCP-IP) specification is establishing a standard for building secure peripherals based on a security signal carried on the bus. To set different levels of access, the signal can be defined with an arbitrary number of bits. That will allow processor cores to incorporate capabilities similar to those of dedicated secure machines, and chip designers can combine various peripherals to build secure systems.
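As an added example (not from the article or from the OCP-IP specification), the following C model shows how a per-transaction security attribute of arbitrary width gives each peripheral window its own access level, and why a DMA engine must inherit the attribute of the software that programmed it rather than carrying a fixed one. The address map, the four level names, the window sizes and the assumption that the attribute rides in a sideband field such as OCP's MReqInfo are all constructed for this example.

```c
/* Added example, not from the article or from OCP-IP.  A software model of
 * the bus-level access control the text describes: every transaction carries
 * a security attribute of ATTR_BITS bits (assumed here to ride in a sideband
 * field such as OCP's MReqInfo), and each peripheral window states the lowest
 * attribute it accepts for reads and for writes.  The address map, the level
 * names and the DMA rule are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_BITS 2
#define ATTR_MASK ((1u << ATTR_BITS) - 1u)

enum {
    LVL_PUBLIC  = 0,   /* any initiator */
    LVL_OS      = 1,   /* the rich OS kernel and the DMA it programs */
    LVL_TRUSTED = 2,   /* trusted environment: key management, secure boot */
    LVL_SECURE  = 3,   /* payment path only, e.g. card-number handling */
};

typedef struct {
    const char *name;
    uint32_t base, size;
    uint8_t  min_read;    /* lowest attribute allowed to read the window */
    uint8_t  min_write;   /* lowest attribute allowed to write the window */
} periph_t;

/* Constructed address map. */
static const periph_t periphs[] = {
    { "uart0",       0x1f000000u, 0x1000u, LVL_PUBLIC,  LVL_OS      },
    { "dma0",        0x1f001000u, 0x1000u, LVL_OS,      LVL_OS      },
    { "keystore",    0x1f002000u, 0x1000u, LVL_TRUSTED, LVL_TRUSTED },
    { "otp_fuses",   0x1f003000u, 0x0100u, LVL_TRUSTED, LVL_SECURE  },
    { "card_reader", 0x1f004000u, 0x1000u, LVL_SECURE,  LVL_SECURE  },
};

typedef enum { ACC_OK = 0, ACC_DENIED = 1, ACC_UNMAPPED = 2 } access_t;

/* Decode one transaction.  The decoder looks only at the low ATTR_BITS of the
 * attribute; levels are ordered, so a higher level may use a lower-level
 * window but never the reverse. */
access_t bus_decode(uint32_t addr, unsigned attr, int is_write, const periph_t **hit)
{
    unsigned level = attr & ATTR_MASK;
    for (size_t i = 0; i < sizeof periphs / sizeof periphs[0]; i++) {
        const periph_t *p = &periphs[i];
        if (addr < p->base || addr - p->base >= p->size)
            continue;
        if (hit) *hit = p;
        return level >= (is_write ? p->min_write : p->min_read) ? ACC_OK : ACC_DENIED;
    }
    if (hit) *hit = NULL;
    return ACC_UNMAPPED;
}

/* A DMA engine is a confused deputy unless its transfers inherit the attribute
 * of whoever programmed it.  A copy is allowed only if that attribute may read
 * the source window and write the destination window, so an OS-level DMA
 * cannot lift keys out of the keystore and push them out through the UART. */
int dma_copy_allowed(uint32_t src, uint32_t dst, unsigned programmer_attr)
{
    return bus_decode(src, programmer_attr, 0, NULL) == ACC_OK &&
           bus_decode(dst, programmer_attr, 1, NULL) == ACC_OK;
}

int main(void)
{
    static const char *verdict[] = { "ok", "denied", "unmapped" };
    struct { uint32_t addr; unsigned attr; int wr; } tx[] = {
        { 0x1f000000u, LVL_PUBLIC,  0 },  /* read UART status: ok */
        { 0x1f000000u, LVL_PUBLIC,  1 },  /* write UART from a public master: denied */
        { 0x1f002000u, LVL_OS,      0 },  /* OS reads keystore: denied */
        { 0x1f003010u, LVL_TRUSTED, 1 },  /* trusted environment blows a fuse: denied */
        { 0x1f009000u, LVL_SECURE,  0 },  /* nothing there: unmapped */
    };
    for (size_t i = 0; i < sizeof tx / sizeof tx[0]; i++) {
        const periph_t *p;
        access_t r = bus_decode(tx[i].addr, tx[i].attr, tx[i].wr, &p);
        printf("%08x attr=%u %s -> %s (%s)\n", (unsigned)tx[i].addr, tx[i].attr,
               tx[i].wr ? "write" : "read", verdict[r], p ? p->name : "-");
    }
    printf("OS DMA keystore->uart: %d, trusted DMA: %d\n",
           dma_copy_allowed(0x1f002000u, 0x1f000000u, LVL_OS),
           dma_copy_allowed(0x1f002000u, 0x1f000000u, LVL_TRUSTED));
    return 0;
}
```

The split between read and write levels is what lets a public master poll a UART status register while only the OS may write to it, and the DMA rule is the check that keeps a breach of one initiator from turning into access to every peripheral.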

Trusted environment
So far, trusted environments have been built with proprietary technology as closed systems and only on new processor cores. Consequently, new applications are time-consuming to develop and verify, and are not backward-compatible. But there are better ways to build them.

For instance, the MIPS32 4KSd core augments the 4KEc embedded core with a secure memory management unit. The core scrambles the cache interface, adds cryptographic acceleration through the SmartMIPS instruction-set extensions, and is designed with anti-analysis features. This mix of hardware and software adds less than 10 percent to the size of the core but provides a secure system that has already been used in smart cards.

The cryptography enhancements accelerate public-key algorithms, providing three to 10 times the speed of a software-only implementation. Secret-key (symmetric) operations also benefit, but to a lesser extent.

Software cryptography allows the algorithms to be upgraded in the field. A weakness found in an algorithm therefore does not require a recall of the cards themselves, and accelerated software cryptography lets each application choose its own algorithm.

Secure memory spaces protect sensitive consumer data by application, preventing unauthorized data access by rogue applications. Built-in code-compression minimizes memory use, preserving scarce memory resources.

Because the core is synthesizable and has a high maximum frequency, the SoC designer has many floor-planning options. This matters because some forms of analysis can determine the activity patterns of particular execution units and deduce code activity from them, so avoiding noticeable hotspots is a standard technique in secure processor design.

The 4KSd core can be used as a secure second core alongside a 24K core as host, providing digital rights management (DRM) and certificate handling. This arrangement needs only minimal caches, so the secure core can be as small as 1.5mm square.

Host controller
Another option is to use the core as the secure system controller itself. This saves area in the SoC, but it requires that the secure applications run at a higher privilege level than the OS. Since most operating systems run in kernel mode, the OS has to be ported to run in supervisor mode, leaving kernel mode to the secure applications. The same core can then handle the non-secure functions of a point-of-sale terminal, for example, while a secure application in kernel mode handles the payment.

The 4KSd core provides handling of digital rights management and certificates.

The virtualization approach from Trango Systems can be used on any MIPS core. It creates a secure virtual second CPU that runs in kernel mode, while the main OS runs in a "virtual kernel" mode that is actually instantiated in user mode.

The core then switches contexts between the two environments, with the hypervisor layer handling address protection, interrupt vectors and exception handling to keep the system secure. The overhead is nominal: a context switch takes no more than 60 cycles and typically 16.
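The host-controller arrangement (OS in supervisor mode, secure code in kernel mode) and the virtualization arrangement (OS demoted to user mode under a hypervisor) differ in exactly what memory the OS can still reach and in what the hypervisor has to intercept. The following C model is an added example written for this page, not code from MIPS Technologies or Trango Systems: it decodes the effective MIPS32 privilege mode, applies the fixed segment map, and shows how a hypervisor must filter a demoted guest's writes to the Status register. The Status bit positions and segment boundaries are those of the MIPS32 Privileged Resource Architecture; the sample addresses and the sanitising policy are this example's own assumptions.

```c
/* Added example, not from the article or from MIPS Technologies.
 * A model of MIPS32 privilege modes and the fixed virtual-address segment
 * map, used to check what memory the OS can reach under each placement the
 * article describes: OS in supervisor mode with secure code in kernel mode,
 * or OS demoted to user mode under a hypervisor.  Mode decoding and segment
 * rules follow the MIPS32 Privileged Resource Architecture; the
 * register-sanitising policy at the end is this example's own assumption. */
#include <stdint.h>
#include <stdio.h>

/* Status register fields (CP0 register 12). */
#define STATUS_EXL        (1u << 1)   /* exception level: forces kernel mode */
#define STATUS_ERL        (1u << 2)   /* error level: forces kernel mode */
#define STATUS_KSU_SHIFT  3
#define STATUS_KSU_MASK   (3u << STATUS_KSU_SHIFT)
#define STATUS_CU0        (1u << 28)  /* lets non-kernel code use CP0 */

/* Enum values match the KSU field encoding. */
typedef enum { MODE_KERNEL = 0, MODE_SUPERVISOR = 1, MODE_USER = 2 } cpu_mode_t;

/* Effective privilege: EXL or ERL set means kernel regardless of KSU. */
cpu_mode_t mode_from_status(uint32_t status)
{
    if (status & (STATUS_EXL | STATUS_ERL))
        return MODE_KERNEL;
    switch ((status & STATUS_KSU_MASK) >> STATUS_KSU_SHIFT) {
    case 0:  return MODE_KERNEL;
    case 1:  return MODE_SUPERVISOR;
    case 2:  return MODE_USER;
    default: return MODE_USER;   /* KSU=3 is reserved; model it as least privileged */
    }
}

/* Segment map: useg is reachable from every mode, sseg (0xC000_0000 to
 * 0xDFFF_FFFF) from supervisor and kernel, kseg0/kseg1/kseg3 from kernel only. */
int segment_accessible(uint32_t vaddr, cpu_mode_t mode)
{
    if (vaddr < 0x80000000u) return 1;                     /* useg          */
    if (vaddr < 0xC0000000u) return mode == MODE_KERNEL;   /* kseg0, kseg1  */
    if (vaddr < 0xE0000000u) return mode != MODE_USER;     /* sseg / kseg2  */
    return mode == MODE_KERNEL;                            /* kseg3         */
}

/* When a demoted guest OS writes Status (which traps to the hypervisor, since
 * CP0 is unusable outside kernel mode unless CU0 is set), the hypervisor must
 * not let the guest pick its own mode or re-enable CP0 access.  This keeps the
 * guest's interrupt-mask and other bits but pins KSU to the guest's assigned
 * mode and clears EXL, ERL and CU0.  Assumed policy, not Trango's code. */
uint32_t guest_status_sanitize(uint32_t requested, cpu_mode_t guest_mode)
{
    uint32_t keep = requested & ~(STATUS_KSU_MASK | STATUS_EXL | STATUS_ERL | STATUS_CU0);
    return keep | ((uint32_t)guest_mode << STATUS_KSU_SHIFT);
}

int main(void)
{
    /* Constructed addresses: secure app in kseg0, OS kernel in sseg, app in useg. */
    const uint32_t secure_code = 0x80100000u, os_kernel = 0xC0010000u, app = 0x00400000u;
    static const char *names[] = { "kernel", "supervisor", "user" };
    for (int m = MODE_KERNEL; m <= MODE_USER; m++)
        printf("%-10s secure=%d os=%d app=%d\n", names[m],
               segment_accessible(secure_code, (cpu_mode_t)m),
               segment_accessible(os_kernel, (cpu_mode_t)m),
               segment_accessible(app, (cpu_mode_t)m));
    /* A guest that asks for kernel mode with CP0 enabled gets neither. */
    printf("sanitised Status: %08x\n", (unsigned)guest_status_sanitize(0x10000016u, MODE_USER));
    return 0;
}
```

Run stand-alone, the table shows that an OS ported to supervisor mode keeps its own kernel in sseg but cannot touch the secure application in kseg0, while an OS demoted to user mode is confined to useg and every CP0 access it attempts becomes a trap for the hypervisor to arbitrate.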

Such a system has been demonstrated running Linux concurrently with two real-time operating systems on a single MIPS core. The approach provides the much-needed flexibility in integrating new functionality, including adding security to the existing system while preserving the software or hardware investment.

Security and content protection are becoming increasingly important not only in enterprise networking devices but also in the digital home. Safe-SOC is a platform through which software and hardware IP providers integrate their technology to provide the basics of a secure SoC.

Such SoCs should provide trusted execution and a secure boot that verifies code integrity before running it; protection of content expiration dates and usage constraints in a hidden secure storage area; protection of signing keys; and cloning protection.

Secure HW domain
M-Systems has created a tightly coupled, modular and configurable secure hardware domain based on its mSafe cores. The domain connects directly to the MIPS dedicated coprocessor interface (CoP2), giving it direct access to any MIPS core, and access to the domain is gated by the CPU, since coprocessor 2 instructions are usable only when the processor enables them.

The CoP2 interface is not shared with other peripherals or traffic, and it is physically isolated from potentially malicious software and from hardware attacks on a shared bus. The isolation also gives higher throughput and lower latency than a shared bus interface would.

The cryptographic functions from M-Systems include the required secured memory, where secret system assets are stored and protected during algorithm execution. Crypto cores such as hardware Advanced Encryption Standard (AES) provide a fast yet efficient solution based on the silicon-proven mSafe cores. The approach offers improved response time, significant power savings and much higher resilience to analysis and other attacks, advantages that are particularly valuable in portable products.

Another key advantage of this approach is its configurability. Cryptographic functionality and performance levels can be selected based on specific requirements, thereby providing maximum cost-effectiveness, as opposed to the higher cost of a general-purpose encryption coprocessor.

In summary, a core designed for security from the ground up provides the best platform for these additional technologies and enables the design of secure SoCs capable of running backward- and forward-compatible applications. Only a systemwide approach can make the next generation of devices truly secure.

- Albert Chiang
Strategic Marketing Manager
MIPS Technologies Inc.
