Cloud native EDA tools & pre-optimized hardware platforms
By Angela Raucher, Product Line Manager, ARC EM Processors
Today’s Internet of Things (IoT) edge devices require the ability to protect data being transmitted and stored throughout the network as well as prevent the connected device and network from evolving threats. Designers must now determine how to implement the required security functions into the system-on-chip (SoC) without comprising the power and size constraints of the overall design. This article discusses how designers can incorporate common security functions required in IoT edge devices while reducing area and energy consumption. It will also provide techniques that prevent system tampering and IP theft.
Cryptographic functions are critical to securing data at rest and in motion for connected devices. Popular standards for encryption and hashing, such as AES and SHA-2 are computationally intensive, creating a challenge for designers targeting IoT edge devices. There are three main options for implementing cryptographic functions and each has tradeoffs that should be considered when architecting an IoT system.
It is important to note that it is not required to use only one implementation in a system. A combination of one or more of the options can be used seamlessly on an ARC EM processor-based platform. As an example, using a dedicated AES engine with ARC CryptoPack acceleration for SHA-2 and proprietary Elliptic Curve Cryptography (ECC) software algorithms may be the most optimized solution for the IoT device.
Using the SHA-256 algorithm as an example, Figure 1 represents the performance and size trade-offs of the three options discussed in this section.
Figure 1: Relative performance for a common hash algorithm based on different implementation options
Beyond using cryptography functions to secure data transmitted and stored in IoT edge devices, there are other requirements to protect the device or platform itself. The protection ranges from detecting physical tampering and enabling countermeasures to sandboxing non-trusted applications to protect software from malware. Platform security typically starts with hardware and software Roots of Trust components that are inherently trusted. Building on that trusted starting point, a processor can securely boot and then load and verify application software before starting to execute it.
One way to create a Root of Trust is to add a dedicated security processor with complete separation of memory to perform these functions. However, this is not always feasible due to SoC area and power constraints. This method also requires a form of communication between processors that ensures security such as an additional shared isolated memory or a dedicated interface between CPUs.
Another option is to create a trusted execution environment on a single, ultra-low power core. This option reduces system cost and energy consumption by sharing the same processor and memory for performing both security functions and other system tasks. This option requires that the processor support multiple privilege levels of access control, a bus state signal denoting whether the processor is in a secure mode, and a memory protection unit that can allocate and protect memory regions based on the privilege level. An example of a trusted execution environment on an ultra-low power core is Synopsys SecureShield™ technology for ARC processors.
Although protecting the platform from attacks that can take down the IoT edge device and network is very important, there is also concern about protecting proprietary software from IP theft. It is important to consider these factors when choosing a processor solution for the SoC. Synopsys’ Enhanced Security Package for ARC EM processors with integrated SecureShield technology also incorporates tamper detection features and provides ability to encrypt and decrypt instructions in a way that they are never accessible to a potential IP thief. Additionally, the secure MPU that is part of SecureShield technology is enhanced with a per region memory encryption feature. Figure 2 provides examples of how the ARC EM processor with Enhanced Security Package protects against attacks and IP theft. Since the ARC EM processor is ideally suited for IoT edge applications, the security functionality can be added with less than 10% additional gate count and minimal impact to energy consumption.
Figure 2: Potential attacks on an IoT processor and prevention methods
When creating a chip for IoT applications, designers and architects must address the growing security requirements with minimal impact on area and power consumption. It is important to select a processor solution that can scale with evolving requirements and address common security concerns.
The ARC EM family of processors offers scalability and options that can future-proof devices for IoT markets and help create a secure, tamper-resistant environment with an ultra-low power core.