Trusted Design In FPGAsTrusted Design In FPGAs
Steve TrimbergerSteve TrimbergerXilinx Research LabsXilinx Research Labs
3
VulnerabilitiesVulnerabilitiesDuring base array design and manufactureDuring base array design and manufacture Same as custom device design and manufactureSame as custom device design and manufacture Do you trust your suppliers?Do you trust your suppliers? But FPGA application functionality isBut FPGA application functionality is
not exposednot exposedDuring application designDuring application design Same as custom device designSame as custom device design Do you trust your tools and libraries?Do you trust your tools and libraries?
During deploymentDuring deployment Same as softwareSame as software Bitstream piracyBitstream piracy Loading malicious bitstreamLoading malicious bitstream Do you trust your customers?Do you trust your customers?
4
The IC Manufacturing FlowThe IC Manufacturing Flow
Concerns:Concerns: Theft of the designTheft of the design OverbuildsOverbuilds Tampering withTampering with
the designthe designChallenges: securing Challenges: securing the design the design Through all phasesThrough all phases For all partiesFor all parties For months ofFor months of
elapsed timeelapsed time
Design
Mask making
Wafer fabrication
Sort (test)
Packaging
Final test
5
FPGA FlowFPGA FlowSensitive algorithm is in the Sensitive algorithm is in the programming.programming.It is not exposed through the It is not exposed through the manufacturing process.manufacturing process.It can be loaded into the It can be loaded into the device at a trusted facility.device at a trusted facility.The “secret sauce” never The “secret sauce” never leaves your basement in the leaves your basement in the clear.clear.The IC manufacturing The IC manufacturing problem evaporates, but we problem evaporates, but we must still secure the design must still secure the design in the field.in the field.
Add Secret Bitstream
Generic FPGAs
Secure Facility
Non-Secure Manfacturing Facility
Non-Secure Environment
6
The Hostile Field EnvironmentThe Hostile Field Environment
The attacker has physical access to the FPGA The attacker has physical access to the FPGA in the end systemin the end system The attacker can observe the bitstreamThe attacker can observe the bitstream The attacker can tamper with the bitstream as The attacker can tamper with the bitstream as
it is being loadedit is being loaded The attacker can observe the operation of the The attacker can observe the operation of the
configured deviceconfigured deviceThe attacker is a commercial entityThe attacker is a commercial entity Resources limited by potential gainResources limited by potential gain
7
Xilinx Bitstream Security GoalsXilinx Bitstream Security GoalsWhat we intended to do:What we intended to do: Prevent unauthorized copyPrevent unauthorized copy Prevent reverse engineeringPrevent reverse engineering ““Prevent ” means “Make it expensive”Prevent ” means “Make it expensive”
What we didn’t intend to do:What we didn’t intend to do: Enable a cores businessEnable a cores business Restrict access to the FPGARestrict access to the FPGA Prevent malicious damagePrevent malicious damage
What were our worries?What were our worries? Security holesSecurity holes TestingTesting
8
Bitstream Security MethodsBitstream Security Methods
Plan A: program once, ship without external Plan A: program once, ship without external configuration storageconfiguration storage Battery backupBattery backup
Plan B: Bitstream Encryption (since Virtex-II)Plan B: Bitstream Encryption (since Virtex-II) Virtex-II and Virtex-II Pro: 3DESVirtex-II and Virtex-II Pro: 3DES Virtex-4, Virtex-5: AES256Virtex-4, Virtex-5: AES256 Keys erased if tamperedKeys erased if tampered
Battery backupBattery backup HW enforced restrictionsHW enforced restrictions
9
The Silicon View: Hardware-The Silicon View: Hardware-Enforced RestrictionsEnforced Restrictions
No readback if encryption used. No readback if encryption used. No partial configuration if encryption used. No partial configuration if encryption used. Decrypted configuration must be alone inside the FPGADecrypted configuration must be alone inside the FPGA
No warm re-configuration if encryption used.No warm re-configuration if encryption used. Configuration cleared before and afterConfiguration cleared before and after
encrypted bitstreams.encrypted bitstreams.
An attempt to access keys clears the keys and An attempt to access keys clears the keys and configuration data.configuration data.Data integrity check of decrypted data assures no Data integrity check of decrypted data assures no modification of encrypted bitstreams.modification of encrypted bitstreams.The decryptor is The decryptor is notnot available for encrypting or available for encrypting or decrypting user’s data after configurationdecrypting user’s data after configuration
10
Check Designs in the FieldCheck Designs in the Field
Manage self-Manage self-reconfigurationreconfigurationIntrospectionIntrospection Read back Read back
configuration configuration internallyinternally
Check configuration Check configuration against ECC bitsagainst ECC bits
Fix configuration Fix configuration errorserrors
ICAP – Internal Configuration Access PortICAP – Internal Configuration Access PortICAP
11
Trust Verification for FPGA Design Trust Verification for FPGA Design ToolsTools
Compare extracted Compare extracted netlist with expected netlist with expected netlistnetlist Network comparisonNetwork comparison Formal verificationFormal verification
Detects tool “defects”Detects tool “defects”Detects bad librariesDetects bad libraries
Design
Synthesis, Place and
Route
Extract netlist Compare
Merge IP Libraries
12
Trust of the Base Array is EasierTrust of the Base Array is Easier
The secret part of the design is not in others’ The secret part of the design is not in others’ hands for months during manufacture.hands for months during manufacture.An attacker does not know which devicesAn attacker does not know which devicesto attack.to attack. Most (nearly all) FPGAs will not be used inMost (nearly all) FPGAs will not be used in
sensitive applications.sensitive applications. Large numbers can be (destructively) tested.Large numbers can be (destructively) tested. Statistical assurance has better statistics.Statistical assurance has better statistics.
Thorough checking, if needed, can be focusedThorough checking, if needed, can be focusedon the security logic.on the security logic.
13
Concluding RemarksConcluding RemarksKey observation: FPGA programming does Key observation: FPGA programming does not go through the IC manufacturing process.not go through the IC manufacturing process.FPGAs change design trust in the field fromFPGAs change design trust in the field froma physical security issue to an information a physical security issue to an information security issue.security issue.Known solutions to the informationKnown solutions to the informationsecurity problem have been applied tosecurity problem have been applied toFPGA bitstreams.FPGA bitstreams.