8 hours 10 minutes
Hi, I'm Matthew Clark. This is lessened 4.3 Foundations of trust. Part three in this lesson will look at a hardware based root of trust, including external ships, integrated ships, the bus architecture, er, an extended security services.
Then we're gonna look at different levels of security.
They could be added to integrated chips. So let's get started.
Let's begin our discussion by examining a silicone based hardware root of trust. There, Really. Two categories of processors that will discuss the first category are fixed function processors, and these are more like state machines. They're small, simple devices meant to perform very limited functions
very, very well,
and they could provide cryptographic services such as encryption and decryption and key management.
But it's going to do a certain thing a certain way, and that's just what it does.
The second category are programmable processors. This is the category that will spend most of our time discussing in these lessons.
He's built a root of trust around the CPU, and it could either be a dedicated, secure microprocessor or a system on a chip.
Unlike a state machine, it is up datable and provides robust functionality, depending on the chip functionality programming and resource is
let's talk about CPU bus architecture. ER,
we have two different types. We're gonna talk about external and integrated.
An external or discrete are dedicated hardware which combined a secure processor with a normal processor.
These air to external chips that communicate over the bus and requires architecture considerations to protect the chips and the communications on external TPM is a good example of this.
Integrated are part of a system This combined security components with processors on a system on a chip
and temper resistance is usually provided by the system on a chip,
and it could be a dedicated security processor such as an HSM or dice
hardware. Roots of trust provides security services such as identification, authentication, confidentiality, integrity and measurement,
as well as extended security services such as encryption and security certificate storage, signing and hashing
authorization verification, reporting and secure updates as well.
Common capabilities of the harbor root of trust include a layered security which combines controls such as defense in depth protected storage, secure communications and physical security, and implements security domains, which separate trusted from untrusted,
and this is commonly referred to as a trusted execution environment or a T E.
They're generally resistant to attack both from anti tamper physical properties or protected, such as tamper resistance found in the epoch sing the CPU or ball grid array and tamper detection such as secure boot.
They're generally resistant default injection attacks, side channel resistance, information gathering attacks, passive timing attacks.
This drawing depicts AH, hardware root of trust that's external,
an external roots of trust or standalone ships, which are integrated with other microprocessors.
This provides security services to chips that wouldn't otherwise have, UM,
which is a good thing. But the communication channel between the security chip and the general purpose chip is subject to exploitation.
It is more preferred to have an integrated ship.
Integrated chips give you the ability to customize security according to device requirements. You could design security proportional to the risk. For example, if you needed just a little security, you might consider options such as a ball grid array, which provides physical security as a method to solder the silicon
to the PCB. They're printed circuit board
or including one time programmable memory memory that cannot be altered after programming. With this level of security, you could inject identity and firmware into the device and not worry about it being changed later on.
But every choice you make in regards to security adds cost and complexity,
and you should start the project project off always with the risk assessment and make your security choices based off of that assessment based on the requirements.
As a matter of full disclosure, I don't take credit for putting all these functions together in this way of low, medium and high security. Originally, Bruce saw all this presented, I think, in a webinar, um, many moons ago, and I took great notes for internal use and have used it internally. But I didn't write the source down because I never considered I'd be teaching a class
search the last three months for that webinar on the notes, and I can't find it anywhere. It's like it's disappeared. So whoever created this stuff for organized these things in this way. Great job. I wish I knew who you were, so I could give you credit. But this isn't me. This is someone else in the next few slides, will just kind of I'll present what I what I found
in the course of my job.
This simplistic drawing represents the lowest level security that you might expect on a system on a chip. And quite frankly, you're never going to design a system on chip with just these few items or even in this particular way that I'm going to show you.
Really. What I'm trying to do is just show the how security components can be organized and how you can increase the level of security on a system on the chip
as you have different requirements.
So something that's not shown here. RJ tags on DWhite, your common hardware interfaces that provides your computer with a way to communicate directly with the chips on the board.
And it's originally developed in the mid eighties to test printed circuit boards. But today J tags are generally used for debugging.
Another component that you could at this layer would be a one time programmable fuse, so burning a fuse is an irreversible process. Once a fuses Barnes, you can't un burn it
if you burn a fuse and you could prevent the J tax from being used. That's the point of it, which sets the device in a secure state because the threat Actor cannot then use that fuse to enable device debugging.
So when the devices being developed, it's common for the J tag test access ports or taps to be open. And generally the tap is fused off by the chip of supplier as part of its manufacturing process.
But if the tap is left open, then the OM will need to secure it.
This trawling represents a medium level security that you might expect and would include things like Secure boot, which ensures the device boots from a secure state. We're gonna go much deeper into this in a following lesson
Memory protection unit. This prevents a process from accessing memory that has been allocated to it,
separating data between processing tasks and protecting vital data. By allowing memory regions to be defined as read only
generally, the memory protection unit needs to be programmed and enable before use.
And if the unit is not enabled, the memory system behavior is the same as though no memory protection unit is present.
True random number generator thes random numbers are integral to cryptographic processes. It's used in challenge responses and nuances.
The true random number generator ensures that random numbers just can't be predicted
of security. Bug is another one. It adds authentication so that Onley authorized users can use debug.
It protects G tec access, and you are That's universal asynchronous receiver and transmitter. It's a lot of words
on Does Air used for serial device communication, such as Rs 2 32
which takes us to our higher level of security and would include things such as Advanced Crypto, which adds asymmetric or public key cryptography.
You'll need a key vault to go along with that replaced the store keys,
trusted execution environment, A T, partitions the system and implements isolation, and we're gonna go into that in detail. The next lesson.
Hardware obfuscation, obfuscation means hiding something. So modifying the hardware to hide functionality. Uh, the idea is that if you can't see something, that it makes it difficult to reverse engineering
an anti tamper, which detects in Tampa ships have been tampered with so you could take appropriate action. Um, it may make the product non operational or may enter a safe mode. It may display a message on the product screen saying Take it to the nearest authorized dealer or may destroy the keys
Well that's it for this lesson. We covered hardware based root of trust. Specifically, we looked at internal and integrated chips, bus architecture, er, extended security services, and we discussed high medium and low security of integrated chips.