



# Overview of Secure Embedded Processing in QorIQ Platforms FTF-SNT-F1234

AUG.2015





External Use

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, the Energy Efficient Solutions logo, Kinetis, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Qorivva, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid and Xtrinsic are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. Airfast, BeeKit, BeeStack, CoreNet, Flexis, Layerscape, MXC, Platform in a Package, QUICC Engine, SMARTMOS, Tower, TurboLink and UMEMS are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © 2015 Freescale Semiconductor, Inc.

# Agenda

- What is Secure Embedded Processing?
- Trusted Platforms
  - QorIQ Trust Architecture
  - ARM<sup>®</sup> TrustZone<sup>®</sup>
- Secure Data Transport
  - Security Protocols
  - Security Acceleration
  - Drivers, APIs, and Stacks



#### **Embedded Processing in the Internet of Tomorrow**



- Internet of Things End Points
- Software Defined Network Infrastructure
- Cloud Data Centers










# **Trusted Platform and Secure Data Transport**

#### **Trusted Platform**

- Secure Boot
- Secure Debug
- Secure Storage
- Tamper Detection
- Virtualization/Containerization

Protects against:

- Theft of user & 3rd party data
- Theft of functionality
- Theft of uniqueness (cloning)

#### Secure Data Transport

- MACSEC
- PDCP
- IPsec
- SSL/TLS
- SRTP

Protects against:

- Masquerading
- Eavesdropping
- Data Manipulation
- Replay




#### **QorIQ Security Features**



## **Trusted Platform**

- Freescale's Definition
  - A system which does what its stakeholders expect it to do, resisting attackers with both remote and physical access, else it fails safe
- Freescale Trust Architecture
  - SoCs provide OEM-controlled silicon features which simplify the development of trustworthy systems
  - The Trust Architecture is an opt in scheme, with OEM controlled tradeoffs in cryptographic strength, debug visibility, sensitivity of tamper detection, and anti-cloning mitigation



#### **Generic Trust Architecture SoC**





# **Trust Architecture Key Components**

- Secure Boot
  - A staged secure boot and chain of trust of authenticated software
- Security Fuse Processor (SFP)
  - Use the values burned into the fuses to enforce security policy in pre-boot phase, and to securely pass provisioned persistent secrets to other hardware blocks when the system is in a trusted/secure state
- Chain of Trust
  - Boot script contains information about the next level of images, e.g. Linux, dtb, etc.
- RTIC
  - Maintenance of the trusted environment during runtime
- Tamper Detection
  - Ability to define system-level, physical security policies and report violations to the security monitor
- SECMON
  - SOC's central reporting point for security-relevant events such as the success or failure of boot software validation and the detection of potential security compromises
- BLOB
  - A cryptographic data structure which provides both confidentiality and integrity protection
- Secure debug controller
  - Debug Port Challenge and Response setting (DCV and DRV)



#### Secure Boot: Verifying Code Before Execution





#### **ARM Operational Modes**







# Trust Architecture + ARM TrustZone


Trust Arch provides a secure perimeter for trusted software



TrustZone provides an inner keep for especially trusted software



#### **Trust Architecture Generations & Features**

| Feature                                   | Trust 1.0                                                                                                    | Trust 1.1                                                                                                                      | Trust 2.0                                                                                                             |
|-------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| Devices                                   | P4080, P1010, BSC913x                                                                                        | P204x, P3041, P50xx                                                                                                            | C29x, T4240, T2080, T1040, B4                                                                                         |
| Secure Boot                               | Yes                                                                                                          | Yes                                                                                                                            | Yes                                                                                                                   |
| HW Acceleration<br>of Secure Boot         | No                                                                                                           | No                                                                                                                             | Yes. Only 'E' devices support secure boot                                                                             |
| Alternate Image                           | No                                                                                                           | No                                                                                                                             | Yes, failure of primary image leads to validation attempt for alternate image                                         |
| Key List & Key<br>Revocation              | No                                                                                                           | No                                                                                                                             | Yes, SRKH is hash of a list of up to 4 public keys; up to 3 can be revoked with fuses                                 |
| Blobs based on<br>Master Key              | Yes, only Master Key option is OTPMK.                                                                        | Yes, Master Key can be either OTPMK or ZMK. ZMK not available in BSC913x.                                                      | Yes, Master Key can be either OTPMK or ZMK. ZMK not available in B4                                                   |
| Ephemeral Key<br>Encryption Keys          | Yes                                                                                                          | Yes                                                                                                                            | Yes                                                                                                                   |
| Secure Debug<br>Controller                | Yes                                                                                                          | Yes                                                                                                                            | Yes                                                                                                                   |
| Security Monitor<br>High Power<br>Section | Yes, including security<br>state tracking and<br>HW_Sec_Vio inputs from<br>RTIC, SDC, SFP, &<br>TMP_DETECT_B | Yes, including security state tracking and<br>HW_Sec_Vio inputs from RTIC, SDC,<br>SFP, TMP_DETECT_B, and SecMon<br>LP section | Yes, including security state tracking and HW_Sec_Vio inputs from RTIC, SDC, SFP, TMP_DETECT_B, and SecMon LP section |



#### **Trust Architecture Generations & Features Continued**

| Feature                                  | Trust 1.0                                                                         | Trust 1.1                                                                                                         | Trust 2.0                                                                                                                                                         |
|------------------------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Security Monitor<br>Low Power<br>Section | No                                                                                | Yes, including ZMK, and HW_Sec_Vio<br>detection from Power Glitch,<br>LP_TMP_DETECT_B. Not present in<br>BSC913x. | Yes, including ZMK, 4 GPRs, and<br>HW_Sec_Vio detection from Power Glitch,<br>LP_TMP_DETECT_B, and Monotonic<br>Counter Roll-Over. Not present in T1040<br>or B4. |
| Monotonic<br>Counters                    | No                                                                                | No                                                                                                                | 1 (Not present in T1040 or B4)                                                                                                                                    |
| CPU Memory<br>Access Control             | Power ISA MMU w/HV<br>(HV level not available in<br>P1010)                        | Power ISA MMU w/HV<br>(HV level not available in BSC913x)                                                         | Power ISA MMU w/HV<br>(HV level not available in C29x)                                                                                                            |
| IO Memory<br>Access Control              | Platform MMU (PAMU) in<br>P4080. CCSR Access<br>Control and PCIe ATMU in<br>P1010 | Platform MMU (PAMU) in QorIQ.<br>CCSR Access Control and PCIe ATMU<br>in BSC913x.                                 | Platform MMU (PAMU) in QorIQ.<br>CCSR Access Control and PCIe ATMU in<br>C29x.                                                                                    |




#### **Trust Architecture Generations & Features Continued**

| Feature                                | Trust 2.0                                                                                                                                                            | Trust 2.1                                                                                                                          | Trust 3.0                                                                                                                          |
|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Devices                                | C29x, T4240, T2080, T1040, B4 | LS102xA, LS1043A | LS208xA, LS1088A |
| Secure Boot                            | Yes                                                                                                                                                                  | Yes                                                                                                                                | Yes                                                                                                                                |
| HW Acceleration of<br>Secure Boot      | Yes. Only 'E' devices support<br>secure boot.                                                                                                                        | Yes. Only 'E' devices support secure boot.                                                                                         | Yes. Only 'E' devices support secure boot.                                                                                         |
| Alternate Image                        | Yes, failure of primary image leads to validation attempt for alternate image.                                                                                       | Yes, failure of primary image leads to validation attempt for alternate image.                                                     | Yes, failure of primary image leads to validation attempt for alternate image.                                                     |
| Key List & Key<br>Revocation           | Yes, SRKH is hash of a list of up to<br>4 public keys, where up to 3 can<br>be revoked with fuses.                                                                   | Yes, SRKH is hash of a list of up to<br>8 public keys, where up to 7 can be<br>revoked with fuses.                                 | Yes, SRKH is hash of a list of up to<br>8 public keys, where up to 7 can be<br>revoked with fuses.                                 |
| Blobs based on<br>Master Key           | Yes, Master Key can be either<br>OTPMK or ZMK. ZMK not<br>available in B4. | Yes, Master Key can be either<br>OTPMK or ZMK. | Yes, Master Key can be either<br>OTPMK or ZMK. |
| Ephemeral Key<br>Encryption Keys       | Yes                                                                                                                                                                  | Yes                                                                                                                                | Yes                                                                                                                                |
| Secure Debug<br>Controller             | Yes                                                                                                                                                                  | Yes, plus TrustZone 'Secure World' additional protections                                                                          | Yes, plus TrustZone 'Secure World' additional protections                                                                          |
| Security Monitor<br>High Power Section | Yes, including security state<br>tracking and HW_Sec_Vio inputs<br>from RTIC, SDC, SFP,<br>TMP_DETECT_B, and SecMon<br>LP section.                                   | Yes, including security state<br>tracking and HW_Sec_Vio inputs<br>from RTIC, SDC, SFP,<br>TMP_DETECT_B, and SecMon LP<br>section. | Yes, including security state<br>tracking and HW_Sec_Vio inputs<br>from RTIC, SDC, SFP,<br>TMP_DETECT_B, and SecMon LP<br>section. |
| Security Monitor<br>Low Power Section  | Yes, including ZMK, 4 GPRs, and<br>HW_Sec_Vio detection from<br>Power Glitch,<br>LP_TMP_DETECT_B, and<br>Monotonic Counter Roll-Over. Not<br>present in T1040 or B4. | Yes, including ZMK, 4 GPRs, and<br>HW_Sec_Vio detection from Power<br>Glitch, LP_TMP_DETECT_B, and<br>Monotonic Counter Roll-Over. | Yes, including ZMK, 4 GPRs, and<br>HW_Sec_Vio detection from Power<br>Glitch, LP_TMP_DETECT_B, and<br>Monotonic Counter Roll-Over. |



#### **Trust Architecture Generations & Features Continued**

| Feature                                | Trust 2.0                                                                      | Trust 2.1                                   | Trust 3.0                                                                    |
|----------------------------------------|--------------------------------------------------------------------------------|---------------------------------------------|------------------------------------------------------------------------------|
| Monotonic Counters                     | 1 (Not present in T1040 or B4)                                                 | 1                                           | 1                                                                            |
| CPU Memory Access<br>Control           | Power ISA MMU w/HV<br>(HV level not available in C29x)                         | ARM ISA MMU w/HV and<br>TrustZone           | ARM ISA MMU w/HV and<br>TrustZone                                            |
| IO Memory Access<br>Control            | Platform MMU (PAMU) in QorIQ.<br>CCSR Access Control and PCIe<br>ATMU in C29x. | Platform MMU (SMMU) in QorIQ<br>Layerscape. | Platform MMU (SMMU) in QorIQ<br>Layerscape, improved ICID<br>scheme in DPAA2 |
| Hardware Key Pair (aka<br>Trusted Mfg) | No                                                                             | Yes                                         | Yes                                                                          |



## **Major Enhancements and Their Use**

| Enhancement                            | First Appears | Benefit                                                                                                                                                                                 | Impact when used                                                                                                              |
|----------------------------------------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| Zeroizable Master<br>Key               | Trust 1.1     | OEM can elevate the consequences of a security violation.                                                                                                                               | Requires battery back-up of portion of<br>SoC (SecMon LP section), additional<br>configuration registers and<br>LP_TMP_DETECT |
| HW Acceleration of<br>Secure Boot      | Trust 2.0     | Makes secure boot time closer to non-secure boot time                                                                                                                                   | Trust only available in 'E' devices                                                                                           |
| Alternate Image                        | Trust 2.0     | Adds resiliency to the secure boot process                                                                                                                                              | Requires signing of 2 images, additional PBI commands                                                                         |
| Key Revocation                         | Trust 2.0     | Permanently revoke flawed images<br>which were signed with a super root<br>key.                                                                                                         | Need to manage more pub/pri keys<br>Need to develop key revocation images                                                     |
| Monotonic Counter                      | Trust 2.0     | Prevent 'roll back' to a flawed image without revoking a super root key                                                                                                                 | Requires battery back-up of portion of<br>SoC (SecMon LP section), need to include<br>anti-rollback check in chain of trust   |
| Hardware Key Pair<br>(aka Trusted Mfg) | Trust 2.1     | More intrinsic method of<br>provisioning a device public/private<br>key                                                                                                                 | Requires additional steps to generate key<br>pair, export pub key. Requires database<br>of IDs + public keys.                 |
| ARM TrustZone                          | Trust 2.1     | Creates secure container (Secure<br>World) where trusted applications<br>can perform tasks on behalf of Non-Secure<br>World applications. 3rd<br>party software offerings. | Must still use Trust Arch to validate<br>TrustZone software. Additional images to<br>sign.                                    |
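
A simplified model of the boot-time checks implied by the Key Revocation, Monotonic Counter and Alternate Image rows above, added here as an illustration and not Freescale code. The fuse and header layouts, the use of SHA-256 over length-prefixed keys, and all names are assumptions; signature verification with the selected key is not modeled.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Fuses:                 # hypothetical model of OEM-provisioned state
    srkh: bytes              # hash of the complete public key list
    revoked_mask: int        # assumed layout: bit i set => key i is revoked
    min_version: int         # monotonic counter value, the anti-rollback floor

@dataclass(frozen=True)
class Image:                 # hypothetical signed-image header fields
    name: str
    key_list: tuple          # public keys carried with the image (bytes each)
    key_index: int           # which key in the list signed this image
    version: int

def srk_hash(key_list):
    """Hash the key list; length prefixes keep the encoding unambiguous."""
    h = hashlib.sha256()     # assumption: the page does not name the hash
    for key in key_list:
        h.update(len(key).to_bytes(4, "big") + key)
    return h.digest()

def check_policy(img, fuses, max_keys=4):
    """Return 'ok' or the reason the image must be rejected."""
    if not 1 <= len(img.key_list) <= max_keys:
        return "bad key list length"
    if not hmac.compare_digest(srk_hash(img.key_list), fuses.srkh):
        return "key list does not match SRKH"
    if not 0 <= img.key_index < len(img.key_list):
        return "key index out of range"
    if (fuses.revoked_mask >> img.key_index) & 1:
        return "signing key revoked"
    if img.version < fuses.min_version:
        return "rollback: version below monotonic counter"
    # Signature verification with key_list[key_index] is a separate step,
    # not modeled here.
    return "ok"

def select_boot_image(primary, alternate, fuses):
    """Try the primary image, then the alternate; return (name, log)."""
    log = []
    for img in (primary, alternate):
        verdict = check_policy(img, fuses)
        log.append((img.name, verdict))
        if verdict == "ok":
            return img.name, log
    return None, log         # neither image validated: fail safe, no boot

# Constructed sample data (placeholder byte strings, not real keys).
KEYS = tuple(b"constructed-pubkey-%d" % i for i in range(4))
FUSES = Fuses(srkh=srk_hash(KEYS), revoked_mask=0b0001, min_version=5)
PRIMARY = Image("primary", KEYS, key_index=0, version=7)      # key 0 is revoked
ALTERNATE = Image("alternate", KEYS, key_index=1, version=5)
ROLLED_BACK = Image("old", KEYS, key_index=1, version=4)      # below the counter
UNLISTED = Image("unlisted", (b"unlisted-key",), key_index=0, version=9)

if __name__ == "__main__":
    print(select_boot_image(PRIMARY, ALTERNATE, FUSES))
    print(check_policy(ROLLED_BACK, FUSES), "|", check_policy(UNLISTED, FUSES))
```

Because the fused hash covers the whole list, swapping, reordering or truncating the key list fails the SRKH comparison before the revocation mask is ever consulted.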



#### **User Datagram Protection 101**

#### SSL/TLS



#### **IPsec ESP TUNNEL MODE**





## SEC 5.0 – As Featured in QorIQ T4240 Processor

- (1) Public Key Hardware Accelerator (PKHA)
  - RSA and Diffie-Hellman (to 4096b)
  - Elliptic curve cryptography (1024b)
  - Supports Run Time Equalization
- (1) Random Number Generators (RNG4)
  - NIST Certified
- (4) Snow 3G Hardware Accelerators (STHA) (~12Gbps)
  - Implements Snow 3.0 Keystream Generator
  - f8 encryption per ETSI/SAGE 128-UEA2 (and 128-EEA1)
  - f9 authentication per ETSI/SAGE 128-UIA2 (and 128-EIA1)
- (4) ZUC Hardware Accelerators (ZHA) (~10Gbps)
  - Implements ZUC Keystream Generator (per spec v1.5)
  - Authentication per ETSI/SAGE 128-EIA3 (spec v 1.5)
  - Encryption per ETSI/SAGE 128-EEA3 (spec v 1.5)
- (2) ARC Four Hardware Accelerators (AFHA)
  - Compatible with RC4 algorithm (~7.5Gbps)
- (8) Kasumi F8/F9 Hardware Accelerators (KFHA)
  - F8, F9 as required for 3GPP (~20Gbps)
  - A5/3 for GSM and EDGE, GEA-3 for GPRS
- (8) Message Digest Hardware Accelerators (MDHA)
  - SHA-1, SHA-2 256,384,512-bit digests (~40Gbps)
  - MD5 128-bit digest
  - HMAC with all algorithms
- (8) Advanced Encryption Standard Accelerators (AESA)
  - Key lengths of 128-, 192-, and 256-bit (~40Gbps)
  - ECB, CBC, CTR, CCM, GCM, CMAC, XCBC, OFB, CFB, and XTS
  - Supports LTE 128-EEA2 / 128-EIA2
- (8) Data Encryption Standard Accelerators (DESA)
  - DES (~40Gbps), 3DES (2K, 3K) ~20Gbps
  - ECB, CBC, OFB modes
- (8) CRC Unit
  - CRC32, CRC32C, 802.16e OFDMA CRC (~48Gbps)

Header & Trailer off-load for the following Security Protocols:

- IPSec, SSL/TLS, 3G RLC, PDCP, SRTP, 802.11i, 802.16e, 802.1ae





## **Benefits of SEC Architecture**

Centralized engine (SEC) with protocol offload, single-pass encryption and authentication (i.e., AES-HMAC-SHA-2).

CPUs can perform other tasks while SEC processes packets. Many packets can be processed with CPU periodically gathering results.



Per-CPU low-level accelerators/special instructions. No protocol acceleration, non-crypto operations blocked during 2-pass processing.





P4080, T2080, & T4240 IPsec



P4080 data is measured, T4240 64, 390, & 1442B points measured. Other data points extrapolated.



### **Secure Handshaking**






# Shaking Hands with a Cloud

- Can a cloud of commodity hardware systems service all these handshakes?
  - Yes, at ~10 handshakes/sec/watt (2048b)
  - Yes, at high risk of keys being exposed
  - Criminal organizations are selling SSL keys for as low as \$1,000
- Hardware Security Modules (HSMs) can address these deficiencies
  - Provide accelerated cryptographic services within a hardened boundary
    - >200 handshakes/sec/watt (2048b)
  - Protect and manage provisioned keys; keys cleared if HSM tampered



#### **C293 Crypto Coprocessor Performance Benefits**



## SEC RTA, Kernel and User-space Drivers



- Freescale provides drivers for both Linux<sup>®</sup> kernel and user-space
  - Use various means like Job-ring, QMan and PEX to access the SEC engine
- Freescale provides a SEC RTA library for bare-metal or RTOS environments
  - SEC RTA library re-used across environments



### Freescale Has World Class Support....and MORE

Global Technical Information Center Design & Support Resource

Networking Applications Team Depth of Expertise & Knowledge

Design With Freescale, Freescale Technology Forum Training

#### **Networking Software and Services Group**

- Commercial Solutions
- Engineering Services
- Guaranteed Performance
- Service Level Agreement Support...and MORE
- Visit Pedestal 415 in the Technology Lab








www.Freescale.com
