Secure boot
The secure boot feature of the processor's internal boot ROM ensures that the processor only executes authenticated code. This is achieved by digitally signing the firmware. A signature provides integrity (an attacker cannot modify the firmware without invalidating the signature) and authenticity (the firmware comes from the holder of the signing key). The process is shown in the figure below. In simple terms, once the firmware is ready it is digitally signed with the private key, and the signature and the certificate carrying the public key are attached to the firmware image. On the device, the boot ROM verifies the signature at load time using the public key. Usually a hash of the public key, rather than the key itself, is stored in the device's one-time programmable (OTP) memory. During verification, the public key embedded in the certificate is hashed and the result is compared against the hash stored in OTP; only if the two match is the key trusted and the signature over the firmware checked. This is what stops an attacker from simply attaching a certificate for a key of their own.
Find more about secure boot in [1] and [2].
Figure: Firmware signing and verification
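To make the flow concrete, here is an added example (written for this page, not code from any vendor's boot ROM) that simulates it in Python. It substitutes a hash-based Lamport one-time signature for the RSA or ECDSA signature a real boot ROM checks, and attaches the raw public key in place of a certificate, so that it runs with the standard library alone; the steps (sign with the private key, attach signature and key, compare the key's hash with the OTP value, verify the signature) are the ones described above. Keys, the firmware image and the OTP contents are constructed inline.

```python
"""Simulated secure-boot signature check (added example, not code from the
original page or a real boot ROM). A Lamport one-time signature over
SHA-256 replaces RSA/ECDSA, and the raw public key replaces the
certificate, so only the standard library is needed. Keys, firmware and
OTP contents below are constructed for illustration."""
import hashlib
import os

N_BITS = 256  # one secret pair per bit of the SHA-256 firmware digest


def digest_bits(firmware: bytes) -> list:
    """SHA-256 digest of the firmware as a list of 256 bits, MSB first."""
    d = int.from_bytes(hashlib.sha256(firmware).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def keygen():
    """Lamport keypair: 256 pairs of random 32-byte secrets; the public key is
    the pair-wise SHA-256 hashes of those secrets."""
    private = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
              for a, b in private]
    return private, public


def sign(firmware: bytes, private) -> list:
    """Signing server: reveal secret[i][bit_i] for each digest bit.
    A Lamport key must sign exactly one image."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(firmware))]


def verify(firmware: bytes, signature, public) -> bool:
    """Hash each revealed secret and compare with the matching public-key half."""
    if len(signature) != N_BITS:
        return False
    return all(hashlib.sha256(signature[i]).digest() == public[i][bit]
               for i, bit in enumerate(digest_bits(firmware)))


def pubkey_hash(public) -> bytes:
    """The value burned into OTP: a hash of the public key, not the key itself."""
    return hashlib.sha256(b"".join(a + b for a, b in public)).digest()


def build_image(firmware: bytes, private, public) -> dict:
    """Release step: firmware with its signature and public key attached."""
    return {"firmware": firmware, "signature": sign(firmware, private),
            "pubkey": public}


def boot_rom_check(image: dict, otp_pubkey_hash: bytes) -> bool:
    """Boot ROM: trust the attached key only if its hash matches OTP, then
    verify the signature over the firmware with that key."""
    if pubkey_hash(image["pubkey"]) != otp_pubkey_hash:
        return False  # not the key provisioned at manufacture
    return verify(image["firmware"], image["signature"], image["pubkey"])


def demo() -> tuple:
    """Three boot attempts: genuine image, modified firmware with the original
    signature, and modified firmware re-signed with an attacker's own key."""
    priv, pub = keygen()
    otp = pubkey_hash(pub)                                # provisioned at manufacture
    genuine = build_image(b"constructed firmware v1.0", priv, pub)
    modified = dict(genuine, firmware=genuine["firmware"] + b"\x90")
    atk_priv, atk_pub = keygen()
    resigned = build_image(modified["firmware"], atk_priv, atk_pub)
    return (boot_rom_check(genuine, otp),
            boot_rom_check(modified, otp),
            boot_rom_check(resigned, otp))                # (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The third scenario is the one the OTP hash exists for: an attacker who modifies the firmware can also sign it with a key of their own, and only the comparison against the hash burned into OTP stops that key from being accepted. A Lamport key must never sign two different images; a production scheme uses a reusable signature algorithm and usually adds anti-rollback versioning, which this example does not cover.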
Tamper detection circuitry
A tamper event can trigger immediate erasure of sensitive data held in tamper-protected memory. It may also put the processor into a failure state in which the operations it can perform are limited. An external battery is often used to keep the tamper circuitry active when the primary power supply fails or is removed, so that an attacker cannot simply cut power before opening the device. Tamper detection can be categorized into two types: internal and external.
- Internal tamper
This is the monitoring of properties internal to the chip, such as supply voltage, temperature and the RTC clock, for anomalies. The stability and reliability of the system are questionable when these properties are outside their intended operating ranges, and deliberately pushing them out of range (voltage or clock glitching) is a common way of inducing faults, which is why such excursions are treated as tamper events.
- External tamper
This is provided through a chip input pin: the tamper circuitry compares the signal received on the pin with the expected signal, and a tamper is triggered when the two differ. External tamper can be used to detect physical tampering such as opening a device enclosure, for example with a switch or conductive trace in the lid wired to the pin. External tamper can be further categorized into two: passive and active.
- Passive tamper
The expected signal is fixed, that is, the input pin is expected to stay at a constant level (0 or 1). A passive loop can be defeated by an attacker who ties the pin to the expected level before breaking the loop.
- Active tamper
The expected signal varies with time. An active tamper output pin generates a waveform that is fed back through the protected path to the active tamper input pin, and the tamper circuitry compares the received signal against the waveform it generated. Because the attacker would have to reproduce the waveform, a static short does not defeat it.
- Shield (mesh) tamper
Another type of tamper detection monitors an on-chip ultra-fine metal mesh, also known as a shield, for cuts or shorts. This is usually used to prevent microprobing of on-chip non-volatile secure memory. Find more about secure shields in [3] and [4].
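The difference between passive and active external tamper is easiest to see against the attack it is meant to stop. The following added example (a simulation written for this page, not vendor code) models a loop through the enclosure lid, a passive detector and an active detector, and mounts the same attack on each: probe the input pin, short it to the level observed, then open the lid. It assumes an open loop reads high through a pull-up, and uses a 16-bit LFSR as a stand-in for the waveform generator; a real part derives the pattern from its random number generator so that it cannot be predicted.

```python
"""Passive vs. active external tamper detection, simulated (added example,
not code from the original page). The loop models a trace or lid switch
connecting the tamper output pin to the tamper input pin. Assumptions:
an open loop reads 1 through a pull-up, and a maximal-length 16-bit LFSR
stands in for the active waveform generator (never more than 16 equal bits
in a row, so a static short is caught within 17 ticks)."""


class Loop:
    """Conductive path from the tamper output pin to the tamper input pin."""

    def __init__(self):
        self.intact = True
        self.forced_level = None        # attacker's static short, if any

    def carry(self, driven_level: int) -> int:
        """Level seen at the input pin when driven_level is put on the output pin."""
        if self.forced_level is not None:
            return self.forced_level
        if self.intact:
            return driven_level
        return 1                        # open loop: pull-up reads high (assumption)


class PassiveTamper:
    EXPECTED = 0                        # the closed loop is expected to hold the pin low

    def __init__(self, loop: Loop):
        self.loop = loop
        self.tripped = False

    def level_on_pin(self) -> int:
        """What an attacker probing the input pin sees before acting."""
        return self.EXPECTED

    def tick(self) -> bool:
        if self.loop.carry(self.EXPECTED) != self.EXPECTED:
            self.tripped = True
        return self.tripped


class ActiveTamper:
    """Drives a changing bit pattern out and expects the same pattern back."""

    def __init__(self, loop: Loop, seed: int = 0xACE1):
        self.loop = loop
        self.tripped = False
        self.state = seed & 0xFFFF      # Fibonacci LFSR, taps 16,14,13,11 (stand-in for RNG)

    def _next_bit(self) -> int:
        out = self.state & 1
        fb = (self.state ^ (self.state >> 2) ^ (self.state >> 3) ^ (self.state >> 5)) & 1
        self.state = (self.state >> 1) | (fb << 15)
        return out

    def level_on_pin(self) -> int:
        return self.state & 1           # the level about to be driven onto the loop

    def tick(self) -> bool:
        driven = self._next_bit()
        if self.loop.carry(driven) != driven:
            self.tripped = True
        return self.tripped


def attack(detector_cls, short_first: bool = True, ticks_after: int = 32) -> bool:
    """Run normally, optionally short the input pin to the level observed,
    then open the enclosure. Returns whether the detector tripped."""
    loop = Loop()
    det = detector_cls(loop)
    for _ in range(8):
        det.tick()                      # lid closed, loop intact: no tamper
    if short_first:
        loop.forced_level = det.level_on_pin()
    loop.intact = False                 # lid opened, loop broken
    for _ in range(ticks_after):
        det.tick()
    return det.tripped


if __name__ == "__main__":
    print("passive, plain open :", attack(PassiveTamper, short_first=False))  # True
    print("passive, short first:", attack(PassiveTamper))                     # False
    print("active, short first :", attack(ActiveTamper))                      # True
```

Both detectors catch a plain lid opening; only the active one catches the short-then-open attack, because the forced level can match a changing waveform for at most a few ticks. The LFSR makes the run length bound exact for this simulation; with an unpredictable pattern the attacker also cannot pre-compute and inject the waveform instead of a static level.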
Tamper protected on-chip secure memory
Secure memory is used for storing sensitive information, either long-term (e.g. device keys) or short-term (e.g. session keys, payment card data) depending on its type. It is usually a limited amount of battery-backed non-volatile secure memory, ranging from a few hundred bits to a few kilobytes, supplemented with volatile secure memory of typically a few kilobytes. Its contents are rapidly erased in the event of a tamper.
As stated in the tamper detection section, the non-volatile memory can be tamper protected with an on-chip ultra-fine mesh to prevent microprobing.
Secure real-time clock (RTC), monotonic counters and watchdogs
RTCs are used for system time keeping; a trustworthy time source is also what checks of certificate validity periods and time-limited credentials depend on. Monotonic counters are either decrement-only or increment-only counters. They are useful for applications that require a counter that never repeats a previous value, and are often used for preventing replay and rollback attacks.
Watchdog timers are available in both secure and non-secure processors. They are often used to recover from processor malfunctions. Bounding the CPU time available to a piece of code is another use, where the watchdog serves as a security measure against unnecessary and potentially harmful or untrusted code running indefinitely.
RTCs and monotonic counters consume very little power and are battery backed so that they retain their values across power cycles; they are often tamper protected as well, since an attacker who can reset either one defeats the protections built on it.
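How a monotonic counter prevents replay is clearest as a two-party exchange. The following added example (written for this page, not code from any device) has a host send HMAC-authenticated commands that each carry a counter value, and a device that accepts a command only if its counter is strictly greater than the value held in its increment-only counter. The shared key, the message format and the command strings are constructed for illustration; a real device would hold the key in tamper-protected memory and the counter in the battery-backed block described above.

```python
"""Replay protection with a monotonic counter, simulated (added example,
not code from the original page). Message format (constructed):
8-byte big-endian counter || payload || HMAC-SHA256 tag over the rest."""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"       # assumption: provisioned into both parties
TAG_LEN = 32


class MonotonicCounter:
    """Increment-only: the value can move forward but never be written back."""

    def __init__(self, value: int = 0):
        self._v = value

    @property
    def value(self) -> int:
        return self._v

    def advance_to(self, new: int) -> None:
        if new <= self._v:
            raise ValueError("monotonic counter cannot go backwards")
        self._v = new


def make_command(counter: int, payload: bytes) -> bytes:
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


class Device:
    def __init__(self):
        self.counter = MonotonicCounter()   # battery-backed in a real part
        self.executed = []

    def receive(self, msg: bytes) -> str:
        if len(msg) < 8 + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        # authenticity first: an unauthenticated message must not touch the counter
        if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
            return "bad mac"
        ctr = struct.unpack(">Q", body[:8])[0]
        if ctr <= self.counter.value:
            return "replay"             # seen before, or older than the last accepted
        # commit the counter before acting so a crash cannot reopen the window
        self.counter.advance_to(ctr)
        self.executed.append(body[8:])
        return "ok"


class Host:
    def __init__(self):
        self.next = 1                   # must itself be persisted across host reboots

    def send(self, payload: bytes) -> bytes:
        msg = make_command(self.next, payload)
        self.next += 1
        return msg


def demo() -> list:
    """Genuine command, the same bytes replayed, a fresh command, and a forged tag."""
    host, dev = Host(), Device()
    captured = host.send(b"unlock")
    results = [dev.receive(captured),             # ok
               dev.receive(captured),             # replay
               dev.receive(host.send(b"lock"))]   # ok
    forged = captured[:-TAG_LEN] + b"\x00" * TAG_LEN
    results.append(dev.receive(forged))           # bad mac
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'ok', 'bad mac']
```

Two details matter in practice. The MAC is checked before the counter so that unauthenticated traffic cannot advance it (a denial-of-service vector otherwise), and the counter is committed before the command is executed so that a reset in between cannot make the device accept the same message twice. Gaps in the sequence are accepted, which is what lets the host keep working after commands are lost in transit.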
Memory encryption, bus encryption and memory integrity checkers
Memory and bus encryption can be used to further strengthen the security of data exchanged between the CPU and external memory by providing confidentiality; when an authenticated encryption mode or a separate MAC is used, it also provides authenticity, so that modified or replayed memory contents are detected rather than silently executed. Integrity checkers validate the integrity of memory regions at run time, typically by periodically recomputing a digest or MAC over each region and comparing it with a stored reference.
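The run-time integrity check is simple enough to show in full. The following added example (written for this page, not a description of any chip's checker) seals a block of memory by computing a keyed digest per 64-byte block, then re-checks it after a single-bit flip and after an authorised rewrite. A keyed digest (HMAC-SHA256) rather than a plain hash is used on the assumption that an attacker who can write memory could otherwise also write a matching hash; the block index is folded into each tag so a block cannot be moved to another address together with its tag. Memory contents and key are constructed.

```python
"""Run-time memory integrity checker, simulated (added example, not code
from the original page). Memory is split into BLOCK-byte blocks, each with
an HMAC-SHA256 tag over (block index || contents). The key and memory are
constructed for illustration."""
import hashlib
import hmac

BLOCK = 64


class IntegrityChecker:
    def __init__(self, key: bytes, memory: bytearray):
        self.key = key
        self.mem = memory
        self.tags = [self._tag(i) for i in range(self.nblocks())]   # seal

    def nblocks(self) -> int:
        return (len(self.mem) + BLOCK - 1) // BLOCK

    def _tag(self, i: int) -> bytes:
        chunk = bytes(self.mem[i * BLOCK:(i + 1) * BLOCK])
        # index binding: the same contents at a different address get a different tag
        return hmac.new(self.key, i.to_bytes(4, "big") + chunk, hashlib.sha256).digest()

    def check(self) -> list:
        """Indices of blocks whose contents no longer match their sealed tag."""
        return [i for i in range(self.nblocks())
                if not hmac.compare_digest(self.tags[i], self._tag(i))]

    def reseal(self, i: int) -> None:
        """Legitimate write path: recompute the tag after an authorised update."""
        self.tags[i] = self._tag(i)


def demo() -> tuple:
    key = b"constructed-integrity-key"
    mem = bytearray(range(256))                 # 4 blocks, constructed contents
    chk = IntegrityChecker(key, mem)
    clean = chk.check()                         # []
    mem[70] ^= 0x01                             # single-bit flip inside block 1
    flipped = chk.check()                       # [1]
    chk.reseal(1)                               # an authorised update would do this
    resealed = chk.check()                      # []
    return clean, flipped, resealed


if __name__ == "__main__":
    print(demo())   # ([], [1], [])
```

In hardware the same idea runs continuously in the memory controller path rather than on a timer, and the reference tags themselves must live where the attacker cannot write them; keeping them in external memory alongside the data they protect would defeat the purpose.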
NIST compliant true and pseudo random number generators
Any process that requires randomness can draw on these random numbers; they are often used for generating cryptographically secure keys, nonces and padding. A common configuration is the construction of a NIST SP 800-90C compliant RBG (random bit generator) from a NIST SP 800-90B compliant entropy source (the true random number generator) feeding a NIST SP 800-90A compliant DRBG (deterministic random bit generator, the pseudo-random part). The DRBG stretches the limited entropy into arbitrary amounts of output and must be reseeded from the entropy source before its reseed interval is exhausted.