
EETE JUNE 2013

Data Security

Extending data security to configurable SoCs

By Dave Beal

The requirement for security is perennial; anything with a perceived value is, and most likely always will be, subjected to unwelcome interest from the nefarious elements of society. Typically, the form of attack will be subject-dependent, and so it follows that any form of protection should be appropriate to the subject and the expected nature of the attack. In this era of accelerated technological development, the ‘subject’ can often be described simply as ‘data’, be that security information such as passwords or encryption keys, or even the very software running on a given platform. The forms of attack now used against these ‘soft targets’ include physical probing as well as the commonly cited ‘cyber attack’; both have very specific defence requirements and, consequently, solutions.

In response to the general need for greater security in embedded devices, ARM developed an extension to its basic architecture, called TrustZone, which offers OEMs a platform on which to build secure solutions. For OEMs using devices that integrate the ARM architecture, such as the Zynq-7000 All Programmable SoC platform from Xilinx, TrustZone offers one way of increasing the security credentials of an end-application, but it is important to understand how it can be used, what manufacturers like Xilinx are doing to augment TrustZone’s features, and where and how these features are most appropriately deployed.

Secure boot and run

Keeping embedded devices secure relies heavily on embedded software today; for FPGAs this includes the bitstream used to configure the programmable fabric. This level of security has long been understood and addressed by FPGA vendors, and Xilinx devices offer a number of security features, separate from features like TrustZone, to ensure the bitstream cannot be intercepted, modified or altered during the crucial boot sequence at power-up and during run-time.

In addition to the protection of the bitstream, any ASIC, SoC or FPGA that integrates powerful processing must ensure that the processor boot sequence is secure and that the embedded software is also protected during run-time. These aspects were formerly beyond the remit of an FPGA vendor but are now key to offering security in a programmable platform like the Zynq-7000 All Programmable SoC. The very fact that the processor sub-system is integrated into the FPGA makes this challenge less daunting; the Zynq-7000 platform integrates physically secure on-chip memory (OCM) that is inaccessible to external probing, making the boot sequence vastly more defendable. However, Xilinx has gone beyond a simple boot case by providing 256KB of OCM as shown in figure 2; large enough to run critical safety or security functions where they are both physically inaccessible, and hidden from software behind ARM TrustZone technology.

Fig. 1: The Zynq-7000 integrates 256kbyte of on-chip memory (OCM) which is hidden and inaccessible to probes.

Safe and secure

Product designers typically use TrustZone in devices like smart phones to store and run code that encrypts sensitive data, such as a PIN or password. It can also be used to implement secure key storage for decryption algorithms, supporting DRM (digital rights management) in audio/video streaming applications. These applications often use an ARM architecture but not necessarily a single chip. The particular strength of an ARM multicore solution with TrustZone, tightly integrated with an FPGA fabric within the Zynq-7000 All Programmable SoC, is that it can form a complete System on a Chip (SoC): a customer- and application-specific device that is capable of subsuming all of the major (and minor) functions of a system into a single device. When coupled with TrustZone, such an SoC is equipped to address a range of applications where both security and safety are paramount.

Safety-critical end-applications are as vulnerable to security issues as, for example, a mobile payment device; the risk of subversive tampering could render a safety-critical application a potential hazard to life or property, making it a target which needs the same level of protection now inherent within secure devices.

Fundamentally, TrustZone provides two zones or, in ARM’s terms, ‘Worlds’ for software: a ‘Secure World’ and a ‘Normal World’. Together they form a hardware platform for the creation of secure devices by allowing trusted software to run with full system access in the ‘Secure World’, while restricting untrusted software from accessing certain system functions and resources when running in the ‘Normal World’. TrustZone allows a single processor to be partitioned to create two ‘virtual processors’, one for handling typically small but critical security functions, and one for general-purpose processing. Although only one of the virtual cores can run at any given time, there is a very small overhead of just a few clock cycles to switch between the secure and normal modes, managed by the TrustZone hardware and aided by commercial and open-source software, to deliver a seamless symmetric multicore processing solution.

In the Zynq-7000 platform the benefits of a virtual core are extended further by the presence of two physical cores. A multicore platform is much more capable of addressing complex systems, allowing a symmetric multi-processing (SMP) solution to run secure and normal software on one physical core, and another (real-time) operating system to run on the

Dave Beal is Senior Product Marketing Manager at Xilinx – www.xilinx.com

Electronic Engineering Times Europe June 2013 www.electronics-eetimes.com
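The two-world partition the article describes, as an added illustration that is not code from the article, from Xilinx or from ARM: a small C model in which one virtual core is either in the Secure World or the Normal World, memory regions carry a secure attribute, Secure World software has full access, Normal World software is refused access to secure-tagged regions, and every refusal is recorded so a defender can see untrusted code probing protected resources. The memory map, region names, addresses and the fixed four-cycle switch cost are constructed assumptions for the model, not the Zynq-7000 address map or measured TrustZone figures.

```c
/* Added example: a model of the TrustZone Secure/Normal World partition.
 * Not ARM or Xilinx code; addresses, sizes and the switch cost are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum world { SECURE_WORLD = 0, NORMAL_WORLD = 1 };

struct region {
    const char *name;
    uint32_t base, size;
    int secure;            /* 1 = reachable only from the Secure World */
};

/* Constructed memory map (illustrative, not the real Zynq-7000 map). */
static const struct region MAP[] = {
    { "OCM (secure, 256KB)", 0x00000000, 256 * 1024, 1 },
    { "DDR (normal)",        0x10000000, 0x10000000, 0 },
    { "Key slot (secure)",   0xF0000000, 0x1000,     1 },
};
#define NREGIONS (sizeof MAP / sizeof MAP[0])

struct core {
    enum world state;
    unsigned switches;     /* monitor-mediated world changes */
    unsigned cycles;       /* cycles spent switching worlds */
    unsigned denied;       /* Normal World accesses refused */
    char last_denial[96];  /* most recent refusal, for the audit trail */
};
#define SWITCH_COST_CYCLES 4   /* assumption: small fixed cost per switch */

static void core_init(struct core *c) {
    memset(c, 0, sizeof *c);
    c->state = SECURE_WORLD;   /* reset lands in the Secure World, like secure boot */
}

static const struct region *lookup(uint32_t addr) {
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= MAP[i].base && addr - MAP[i].base < MAP[i].size)
            return &MAP[i];
    return NULL;
}

/* Models the hardware check: returns 1 if the access is allowed.
 * Secure World sees everything; Normal World sees only non-secure regions. */
static int access_ok(struct core *c, uint32_t addr) {
    const struct region *r = lookup(addr);
    if (!r) return 0;                              /* unmapped: fault */
    if (c->state == SECURE_WORLD || !r->secure) return 1;
    c->denied++;
    snprintf(c->last_denial, sizeof c->last_denial,
             "normal-world access to %s at 0x%08x refused",
             r->name, (unsigned)addr);
    return 0;
}

/* Monitor call: the only path that changes world. Returns the new state. */
static enum world monitor_switch(struct core *c, enum world target) {
    if (c->state != target) {
        c->state = target;
        c->switches++;
        c->cycles += SWITCH_COST_CYCLES;
    }
    return c->state;
}

/* Scenario: secure boot provisions a key, hands over to the Normal World,
 * which then tries to read the key and the OCM directly. Returns the
 * number of refused accesses. */
static unsigned run_scenario(struct core *c) {
    core_init(c);
    access_ok(c, 0xF0000000);            /* secure boot writes the key: allowed */
    monitor_switch(c, NORMAL_WORLD);     /* hand over to the general-purpose OS */
    access_ok(c, 0x10001000);            /* DDR: allowed */
    access_ok(c, 0xF0000000);            /* key slot: refused and logged */
    access_ok(c, 0x00001000);            /* OCM: refused and logged */
    monitor_switch(c, SECURE_WORLD);     /* a secure service request */
    access_ok(c, 0xF0000000);            /* allowed again in the Secure World */
    return c->denied;
}

int main(void) {
    struct core c;
    unsigned d = run_scenario(&c);
    printf("denied=%u switches=%u switch_cycles=%u\nlast: %s\n",
           d, c.switches, c.cycles, c.last_denial);
    return 0;
}
```

The denial counter and `last_denial` string are the part worth keeping in a real design: the hardware refusal alone protects the resource, but recording who was refused, and from which address, is what turns a silent fault into a detectable event.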

