Securing IoT devices throughout their lifecycle is gaining more attention as the risks and penalties of compromise increase rapidly. To support this development, Arm has released TrustZone security extensions for Cortex-M: the Armv8-M architecture. TrustZone enables separation of processes and isolation of critical resources and brings the necessary hardware support for this to M-class CPU-based IoT devices. Let's take a look at how SRAM PUF, enabled through software, is a powerful addition to the security features offered by TrustZone.
In an earlier blog we discussed how an SoC that is designed using Platform Security Architecture (PSA) guidelines can benefit from a strong physical root of trust that is immutable and intrinsic to the device. In this case, SRAM PUF (Physical Unclonable Function) provides the trust and root-key anchor for the device security. The main advantages of this approach are:
Fundamentally, the approach uses the fact that every chip is unique, resulting in device-specific behavior of SRAM memory during power-up. This provides a device-unique pattern, or “silicon fingerprint”, that is impossible to clone or predict, and serves as a basis for secure key generation and storage. Please refer to the Intrinsic ID website for more information.
TrustZone components such as TZMA, TZPC and TZASC provide a basis to build a TEE, which is used to separate processes and prevent unauthorized access to resources such as crypto engines, protected memory regions, etc. Since this essentially constitutes a barrier between security domains, some security concerns can be only partially addressed. In particular, protecting secrets such as root keys typically relies on storing these in a secure flash region. It is well known that this protection has its limits, since physical attacks have been reported that allow the read-out of even protected flash.
In a recent blog, the Role of Physical Security in IoT, the growing need to address these physical attack threats is explained. As the “easier,” software-level attacks are becoming harder by virtue of protection mechanisms such as TrustZone, attackers will naturally look for other ways to compromise a system including physical attacks. Furthermore, while these physical attacks were once the exclusive domain of advanced hackers, technology advancements will inevitably result in more advanced, and more broadly available, tools over time.
The good news is that SRAM PUF technology can address these concerns. SRAM PUF can be implemented in two ways: via hardware (RTL design-in) or via software.
A hardware implementation is a good option when architecting a new chip. By integrating RTL and instantiating an SRAM, a secure storage capability is added that can be used to handle sensitive key material and feed it directly into a crypto engine. Good examples of recently announced products that integrate both SRAM PUF and TrustZone are the LPC55S6x and i.MXRT600.
When the design is already fixed, or silicon already exists, a software implementation is a feasible approach. This implementation makes use of a region of an existing SRAM structure that is dedicated to the PUF through TrustZone mechanisms. This is interesting if you think about it: by embedding a software library into the boot image, every chip is able to extract its own unique secret root key using the exact same code. Since the software code itself contains no secrets, it is sufficient to protect this code from modification – typically part of the secure boot flow. The software itself lives in the secure world and can be called from the normal, non-secure world, but the root key and secrets that are generated stay within the secure world.
Several products have been announced recently using this type of integration, including a Tyrion IIoT Gateway device and Nexell IoT device for medical and automotive.
At the 2018 TechCon event Intrinsic ID partnered with Nuvoton to demonstrate a software implementation on the M2351, and more recently we ported the PUF software to the MUSCA-A development platform. Expect to see more information on this in this community and at upcoming Arm events.
Regarding a software implementation, the picture below gives a high-level overview of the concepts discussed. The SRAM PUF software is part of the secure world, typically protected by secure boot. It has access to an SRAM region to “store” – or, more precisely, extract – its secrets as required. The normal world can access the PUF functionality through a controlled interface that prevents direct access to secret keys.
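To make the software flow above concrete (the boot-time extraction of a device-unique key from an SRAM region, and the non-secure-callable interface that uses the key without revealing it), here is an added example. It is not Intrinsic ID's or Arm's code and is not the library described in the post; it models a textbook SRAM PUF with a code-offset fuzzy extractor (5x repetition code, public helper data) and simulates the SRAM power-up pattern with a seeded PRNG, since real silicon is not available offline. All names, the noise model (flip every n-th bit) and the FNV-1a stand-in for a key derivation function are assumptions; a production design would use a proper error-correcting code, a real KDF and TrustZone-enforced memory isolation instead of file-scope statics.

```c
/* Added example: simplified software SRAM PUF model with a secure-world gateway.
 * Not the code of Intrinsic ID, Arm or any product named in the post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_BITS   64                    /* root key length in bits */
#define REP        5                     /* repetition factor: majority vote corrects 2 flips per group */
#define PUF_BYTES  (KEY_BITS * REP / 8)  /* 40 bytes of SRAM dedicated to the PUF */

static int  get_bit(const uint8_t *b, size_t i) { return (b[i / 8] >> (i % 8)) & 1; }
static void set_bit(uint8_t *b, size_t i, int v) {
    if (v) b[i / 8] |= (uint8_t)(1u << (i % 8));
    else   b[i / 8] &= (uint8_t)~(1u << (i % 8));
}

/* Stand-in for a chip's power-up SRAM pattern: a PRNG seeded per chip (assumption).
 * On real silicon this is a read of uninitialised SRAM after power-on. */
void sram_powerup_pattern(uint64_t chip_seed, uint8_t out[PUF_BYTES]) {
    uint64_t s = chip_seed;
    for (size_t i = 0; i < PUF_BYTES; i++) {
        s = s * 6364136223846793005ULL + 1442695040888963407ULL;
        out[i] = (uint8_t)(s >> 56);
    }
}

/* Constructed noise model: flip every `stride`-th bit. Real SRAM PUFs show a
 * few percent up to roughly 15% of bits differing between power-ups. */
void flip_bits(uint8_t *buf, size_t nbits, size_t stride) {
    for (size_t i = 0; i < nbits; i += stride) set_bit(buf, i, !get_bit(buf, i));
}

/* FNV-1a 64-bit: a labelled stand-in for a real KDF such as HKDF. */
static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Enrollment (once, in a trusted setting): encode the key bits with the
 * repetition code and XOR with the pattern. The helper data is public; without
 * this chip's own pattern it reveals nothing usable about the key. */
void puf_enroll(const uint8_t pattern[PUF_BYTES], const uint8_t key[KEY_BITS / 8],
                uint8_t helper[PUF_BYTES]) {
    uint8_t code[PUF_BYTES];
    memset(code, 0, sizeof code);
    for (size_t i = 0; i < KEY_BITS; i++)
        for (size_t r = 0; r < REP; r++) set_bit(code, i * REP + r, get_bit(key, i));
    for (size_t i = 0; i < PUF_BYTES; i++) helper[i] = pattern[i] ^ code[i];
}

/* Reconstruction (every boot): noisy pattern XOR helper = codeword XOR noise;
 * a majority vote per group of REP bits removes up to 2 flips per group. */
void puf_reconstruct(const uint8_t noisy[PUF_BYTES], const uint8_t helper[PUF_BYTES],
                     uint8_t key[KEY_BITS / 8]) {
    memset(key, 0, KEY_BITS / 8);
    for (size_t i = 0; i < KEY_BITS; i++) {
        int ones = 0;
        for (size_t r = 0; r < REP; r++) {
            size_t b = i * REP + r;
            ones += get_bit(noisy, b) ^ get_bit(helper, b);
        }
        set_bit(key, i, ones > REP / 2);
    }
}

/* Returns 1 if the key survives the given noise stride on the enrolling chip. */
int puf_roundtrip_ok(uint64_t chip_seed, size_t stride) {
    static const uint8_t enrolled[KEY_BITS / 8] = {0xDE,0xAD,0xBE,0xEF,0x01,0x23,0x45,0x67};
    uint8_t pattern[PUF_BYTES], helper[PUF_BYTES], rebuilt[KEY_BITS / 8];
    sram_powerup_pattern(chip_seed, pattern);
    puf_enroll(pattern, enrolled, helper);
    flip_bits(pattern, KEY_BITS * REP, stride);      /* a later, noisy power-up */
    puf_reconstruct(pattern, helper, rebuilt);
    return memcmp(rebuilt, enrolled, sizeof enrolled) == 0;
}

/* Returns 1 if chip B, given chip A's helper data, reconstructs chip A's key
 * (it should not: the helper data only works together with A's own pattern). */
int puf_cross_chip_same(uint64_t seed_a, uint64_t seed_b) {
    static const uint8_t enrolled[KEY_BITS / 8] = {0xDE,0xAD,0xBE,0xEF,0x01,0x23,0x45,0x67};
    uint8_t pat_a[PUF_BYTES], pat_b[PUF_BYTES], helper[PUF_BYTES], key_b[KEY_BITS / 8];
    sram_powerup_pattern(seed_a, pat_a);
    sram_powerup_pattern(seed_b, pat_b);
    puf_enroll(pat_a, enrolled, helper);
    puf_reconstruct(pat_b, helper, key_b);
    return memcmp(key_b, enrolled, sizeof enrolled) == 0;
}

/* ---- "secure world" (modelled here as file-scope state; TrustZone isolates it on hardware) ---- */
static uint8_t s_root_key[KEY_BITS / 8];
static int     s_key_ready = 0;

/* Run from the secure boot flow: rebuild the root key from SRAM. It never leaves this file. */
void secure_boot_derive_root(const uint8_t noisy[PUF_BYTES], const uint8_t helper[PUF_BYTES]) {
    uint8_t k[KEY_BITS / 8];
    puf_reconstruct(noisy, helper, k);
    uint64_t d = fnv1a(k, sizeof k, 14695981039346656037ULL);   /* stand-in KDF step */
    memcpy(s_root_key, &d, sizeof s_root_key);
    memset(k, 0, sizeof k);
    s_key_ready = 1;
}

/* Non-secure-callable API: returns a keyed tag over caller data, never the key.
 * Fails closed (-1) if the key has not been reconstructed. */
int ns_api_keyed_tag(const uint8_t *msg, size_t len, uint64_t *tag) {
    if (!s_key_ready) return -1;
    uint64_t h = fnv1a(s_root_key, sizeof s_root_key, 14695981039346656037ULL);
    *tag = fnv1a(msg, len, h);
    return 0;
}

int main(void) {
    printf("same chip, 1 in 7 bits flipped: %s\n", puf_roundtrip_ok(0x1234, 7) ? "key recovered" : "FAILED");
    printf("same chip, 1 in 2 bits flipped: %s\n", puf_roundtrip_ok(0x1234, 2) ? "key recovered" : "FAILED (beyond code capacity)");
    printf("other chip with same helper data: %s\n", puf_cross_chip_same(0x1234, 0x5678) ? "SAME key" : "different key");
    return 0;
}
```

Two points the model makes visible: the helper data and the code can be public, because the secret is the chip's pattern, and the error-correction capacity (here 2 of 5 bits per group) bounds how much power-up noise the design tolerates, so a too-noisy readout yields a wrong key rather than the enrolled one. A real deployment also needs secure boot to guarantee the integrity of this code path, as the post describes.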
SRAM PUF can be used as a TrustZone-complementary component to protect the root credentials. It is possible to do this either in hardware by integrating RTL IP, or in software by integrating the software code in the boot flow.
When implementing SRAM PUF in software, integrity of the software code needs to be safeguarded. The TrustZone architecture provides the necessary hooks to protect the software, separation and secure boot mechanism. This offers a cost-effective way to harden the device against current and future threats. Most importantly, it enables deployment on pre-existing silicon.
Simply put, TrustZone protects the integrity of the SRAM PUF software via secure boot, and in turn, the SRAM PUF software provides strong root key storage without the need to store secrets in flash or fuses.
Very informative on the advantages of using SRAM PUF in combination with TrustZone.