ARM Security Technology Building a Secure System using ...

More documents

Recommendations

Info

System Security 2.1 System security System designs for embedded devices are complicated, including multiple independent processor cores, secondary bus masters such as DMA engines, and large numbers of memory and peripheral bus slaves. In addition to these functional components there is typically a parallel system infrastructure that provides invasive and non-invasive debug capabilities, as well as component boundary scan and Built-In-Self-Test (BIST) facilities. Each of these subsystems in the platform has to be designed and integrated in such a way that it works with the security solution, rather than developing each sub-system independently of the security requirements. If the threat model for a device indicates that it needs to protect against shack attacks, there is no point securing only the functional part of the system. An attacker with unrestricted access to a debug port can bypass many of the functional protections that may exist. This section aims to look at some of the security architectures that have historically been available on the market, and where they have strengths and weaknesses. GSM Modem ARM1156 DSP Memory Controller DRAM Memory Controller Flash 3G Modem Cortex-R4 DSP DMA DMA Level 3 Cache AXI Bus Boot ROM Trace Port Debug Access Port Media System Main Processor AudioDE Mali200 AXI Bus Debug Bus Cortex-A8 L2 Cache Interrupt Controller Clock Ctrl. AXI to APB Bridge Watchdog Timers Display Controller ADC / DAC KMI Trace JTAG + Boundary Scan Display Aerial Keypad Figure 2-1 : A simplified schematic of a typical cellular handset SoC design 2-2 Copyright © 2005-2009 ARM Limited. All rights reserved. PRD29-GENC-009492C Non-Confidential Unrestricted Access SRAM RTC
2.1.1 External hardware security module System Security The classic security solution for embedded applications is the inclusion of a dedicated hardware security module, or trusted element, that is outside of the main SoC. For example, a SIM card in a mobile handset, or a conditional access smartcard in a set-top box. Advantages The external security devices encapsulate the assets inside a physical device designed for robust security. The use of a completely separate design and manufacturing flow allows use of techniques and silicon processes that can give high levels of tamper resistance and physical security. The smartcard manufacture and personalization processes have frequently been formally certified through approved evaluation schemes. This makes them suitable for use in use cases that need a high degree of security assurance, such as credit card and debit card payment schemes. Disadvantages The hardware techniques and processes used for smartcards are impractical for standard SoC designs, as they would add significant effort to the design process and compromise the area, power efficiency and performance of the device. The manufacturing methods that give the physical security also force a lower processor performance, in the region of 5-20 Mhz, and small quantities of RAM within the device. These design characteristics restrict the possible use cases which can be deployed on a smartcard to relatively static programs which can be run from non-volatile memory, and which do not need continuous high-bandwidth traffic across the security perimeter. Another issue with smartcards is that they only provide a processing and secure storage function; they have no direct access to any of the user-interfaces of the parent device. A smartcard is reliant on software running outside of its security perimeter to provide these facilities, and consequently cannot protect all of the assets of interest. For example, a user’s entry of a Personal Identification Number (PIN) must be managed by the less secure software outside of the smartcard, making it vulnerable to attack. The commercial disadvantages of smartcards can be a more significant obstacle than the technical ones. Providing a smartcard alongside the main SoC is expensive, and is consequently uneconomic for most assets because they are not valuable enough. PRD29-GENC-009492C Copyright © 2005-2009 ARM Limited. All rights reserved. 2-3 Unrestricted Access Non-Confidential
Page 1 and 2: ARM Security Technology Building a
Page 3 and 4: Product Status This document is an
Page 5 and 6: Contents ARM Security Technology Pr
Page 7 and 8: Preface This preface introduces the
Page 9 and 10: Using this document This document i
Page 11 and 12: Feedback Feedback on this document
Page 13 and 14: Chapter 1 Introduction The chapter
Page 15 and 16: 1.1.2 Limitations of security solut
Page 17 and 18: Introduction ARM TrustZone technolo
Page 19 and 20: Introduction Security requirements
Page 21 and 22: 1.3.3 How are devices attacked? Int
Page 23 and 24: Remote attacker Introduction The cl
Page 25: Chapter 2 System Security The chapt
Page 29 and 30: 2.1.3 Software virtualization Syste
Page 31 and 32: 2.2 TrustZone hardware security 2.2
Page 33 and 34: Chapter 3 TrustZone Hardware Archit
Page 35 and 36: TrustZone Hardware Architecture Whe
Page 37 and 38: 3.2.3 Memory aliasing TrustZone Har
Page 39 and 40: TrustZone Hardware Architecture The
Page 41 and 42: Example TrustZone Hardware Architec
Page 43 and 44: 3.3.3 Secure interrupts TrustZone H
Page 45 and 46: 3.3.4 Secure processor configuratio
Page 47 and 48: TrustZone Hardware Architecture Any
Page 49 and 50: 3.4 Debug architecture 3.4.1 Proces
Page 51 and 52: TrustZone Hardware Architecture If
Page 53 and 54: Chapter 4 TrustZone Hardware Librar
Page 55 and 56: TrustZone Hardware Library These br
Page 57 and 58: 4.1.3 PrimeCell DMA Controller - PL
Page 59 and 60: TrustZone Hardware Library general
Page 61 and 62: Interesting features related to Tru
Page 63 and 64: 4.3 Reuse of AMBA2 AHB IP 4.3.1 Reu
Page 65 and 66: Chapter 5 TrustZone Software Archit
Page 67 and 68: Secure operating system TrustZone S
Page 69 and 70: 5.2 Booting a secure system 5.2.1 B
Page 71 and 72: Chain of trust TrustZone Software A
Page 73 and 74: 5.3 Monitor mode software 5.3.1 Con
Page 75 and 76: 5.3.3 Interrupt latency impact Trus
Page 77 and 78:
5.4 Secure software and multiproces
Page 79 and 80:
TrustZone Software Architecture Not
Page 81 and 82:
5.5.1 API availability TrustZone So
Page 83 and 84:
Chapter 6 TrustZone System Design T
Page 85 and 86:
6.2 Example use cases 6.2.1 Content
Page 87 and 88:
6.2.2 Mobile Payment TrustZone Syst
Page 89 and 90:
Assets TrustZone System Design The
Page 91 and 92:
6.3 Gadget2008 specification 6.3.1
Page 93 and 94:
TrustZone System Design is a return
Page 95 and 96:
Memory requirements 6.3.3 Mobile pa
Page 97 and 98:
Modem Cortex-R4 DMA (PL330) TZASC (
Page 99 and 100:
Chapter 7 Design Checklists The cha
Page 101 and 102:
7.2 Hardware design checklist Desig
Page 103 and 104:
7.3 Software design checklist 7.3.1
Page 105 and 106:
Glossary The items in this glossary
Page 107 and 108:
(2) The trusted virtual processor i
show all

ARM Security Technology Building a Secure System using ...

Create successful ePaper yourself

Delete template?

Save as template?