
Confidential © 2017 Arm Limited

Trusted Firmware M

Trusted Boot

Tamas Ban

Linaro 2018

Arm

Non-Confidential © Arm 2018

Agenda

•  Concept of trusted boot
•  Bootloader in TF-M
•  Firmware upgrade
•  Alternatives for upgrade
•  Alternatives for crypto
•  Plans
•  Q&A


What is trusted environment?

An integrated execution environment (HW + SW) which can protect valuable assets against extraction:

•  Sensitive user data
•  Crypto keys
•  Firmware itself, etc.

[Figure: layers of the trusted environment: Boot, Hardware, Exec. Env., Trusted Env.]


Introduction to trusted bootloader concept

What?
SW whose aim is to verify the origin and integrity of other SW components which run on the target system.
•  Bootloader runs as soon as system is released from reset, prior to any other SW. In case of successful authentication it passes execution to the runtime firmware.

Why?
One wants to ensure that only a certain set of SW, without any external modification, can run on a particular device.
•  Device contains sensitive assets which could be extracted with the usage of malicious SW.

How?
Device contains immutable SW and data, which can be used for authentication:
•  Integrity of SW:
   –  Checking hash value
•  Origin of SW:
   –  Checking digital signature


Considerations at selection of bootloader

Secure boot requirements

PSA spec defines boot and firmware update requirements:
•  Support for firmware upgrade
•  Support for chain-of-trust
•  Support for NIST or NSA approved cryptographic algorithms: SHA2, RSA, ECDSA, HMAC, KDF
•  Etc.

Device constraints

Device constraints mandate `yet-another` bootloader:
•  Usually less than 1 MB flash memory for code
•  Usually less than 256 KB RAM for data
•  Usage of cryptographic accelerator HW component
•  Computing power
•  No MMU, no memory virtualization
•  Power failure awareness
•  Etc.


Bootloader in TF-M

MCUBoot is utilized to act as BL2 in TF-M:
•  Open source project with Apache 2.0 licensing
•  Low memory footprint; designed for 32-bit microcontrollers
•  Running from flash (currently XIP)
•  Several secure boot features are supported for firmware authentication: SHA256, RSA-2048, (ECDSA)
•  Usage of 3rd party libraries for cryptographic operations: mbedTLS, (TinyCrypt)
•  Firmware update with image swapping
•  Power failure resistant upgrade
•  Fallback mechanism to stable version


First bootloader release

MCUBoot integrated within TF-M repository:
•  Customized to be OS agnostic
•  Currently SHA256 and RSA-2048 are supported
•  SPE and NSPE are concatenated to a single binary blob
•  Hash and digital signature tooling and runtime check

Software Upgrade prototype as proof of concept:
•  Emulating flash interface and behaviour over code SRAM

System constraints:
•  No support for image size that does not fit in available RAM
•  CoT reduced to verify SPE and NSPE in the same go


Chain of trust

[Figure: chain of trust]
Immutable BL1 code
  holds: hash of BL2 image; SIP/OEM Root of Trust Public Key (ROTPK)
  -> Check integrity of BL2 image (hash)
  -> Check signature of BL2 image (ROTPK); use CA public key if supporting certificate revocation
BL2 image
  holds: OEM/Developer Public Key(s); public image signing keys can be rotated
  -> Check signature of SPE image (public key)
  -> Check signature of NSPE image (public key(s))


Boot process

Stage | PSA (not mandatory)                              | TF-M
BL1   | Immutable boot code in ROM: Verify, Load, Start  | TBD
BL2   | Boot code in eFlash: Verify, Load, Start         | MCUBoot: Verify combined hash and signature; Start SPE and NSPE
SPE   | Secure runtime firmware: Verify, Load, Start     | Core, SPM, Secure services
NSPE  | RTOS & Application                               | RTOS & Application


Basic operation and memory layout


Image swapping

•  Code linked to Slot_0 memory space
•  Divided into rounds
•  Scratch-sized data is moved in one go
•  Status info saved after each round
•  Power failure safe

[Figure: Active image (Slot_0), New image (Slot_1) and Scratch area, each split into Sector_0, Sector_1, Sector_2, Sector_3 ... Sector_N. Steps of one round, shown for Sector_0 and Sector_1:]
1.) Erase scratch
2.) Copy Slot_1 to scratch
3.) Erase Slot_1
4.) Copy Slot_1 to scratch
5.) Erase Slot_0
6.) Copy scratch to Slot_0
Save swap status info
[End state of the round: Slot_0 holds Slot_1_Sector_0, Slot_1_Sector_1; Slot_1 holds Slot_0_Sector_0, Slot_0_Sector_1]
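An added Python model of the swap round above, written for this page and not taken from MCUBoot or TF-M: three sectors per slot, one scratch sector, and an operation budget that cuts the swap short to simulate power loss. It assumes step 4 copies the Slot_0 sector into Slot_1 (the end state the diagram shows) and that the (sector, step) status is persisted after every operation, not only after every round, which is what lets the next boot resume safely.

```python
"""Model of the slide's scratch-based image swap (added example, not MCUBoot's
code). Assumed: the swap status (sector, step) is persisted after every step,
so BL2 can resume an interrupted swap on the next boot."""

SECTORS = 3
ERASED = b"\xff" * 4            # an erased sector (constructed, 4-byte sectors)


class Flash:
    def __init__(self, old_image, new_image):
        self.slot0 = list(old_image)   # Slot_0: active image, one entry per sector
        self.slot1 = list(new_image)   # Slot_1: new image
        self.scratch = ERASED          # scratch area, one sector
        self.status = (0, 0)           # swap status info: (sector, next step)

    def swap(self, budget=None):
        """Run or resume the swap. 'budget' = flash ops before a simulated
        power failure; returns True once the whole swap has completed."""
        sector, step = self.status
        while sector < SECTORS:
            while step < 6:
                if budget is not None:
                    if budget == 0:
                        return False       # power lost; status already persisted
                    budget -= 1
                self._op(sector, step)
                step += 1
                self.status = (sector, step)   # status info written after each op
            sector, step = sector + 1, 0
            self.status = (sector, step)       # round finished
        return True

    def _op(self, s, step):
        if step == 0: self.scratch = ERASED              # 1.) Erase scratch
        elif step == 1: self.scratch = self.slot1[s]     # 2.) Copy Slot_1 to scratch
        elif step == 2: self.slot1[s] = ERASED           # 3.) Erase Slot_1
        elif step == 3: self.slot1[s] = self.slot0[s]    # 4.) Copy Slot_0 to Slot_1
        elif step == 4: self.slot0[s] = ERASED           # 5.) Erase Slot_0
        else: self.slot0[s] = self.scratch               # 6.) Copy scratch to Slot_0


def swap_with_power_failure(fail_after):
    """Lose power after 'fail_after' ops, then resume as BL2 does on the next
    boot. Returns (slot0, slot1). Images are constructed: old0.., new0.."""
    old = [f"old{i}".encode() for i in range(SECTORS)]
    new = [f"new{i}".encode() for i in range(SECTORS)]
    flash = Flash(old, new)
    flash.swap(budget=fail_after)     # interrupted (or completed) first boot
    flash.swap()                      # next boot: finalize the aborted swap
    return flash.slot0, flash.slot1
```

Whatever the point of interruption, the resumed swap ends with the new image in Slot_0 and the old one in Slot_1; without the persisted step the restart would re-copy an already erased sector.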


Firmware upgrade

•  Upgrade is a task of runtime FW
•  Potentially split between NSPE and SPE
•  XIP images


Image fallback

•  Store previous image
•  Health-check new image with BIST
•  Self confirmation
•  Reboot in case of failure
•  Revert back to stable image
•  Set rollback after confirmation


Design constraints

Header size - VTOR alignment:
•  Device dependent: 512-1024 bytes
•  Image slot's layout must be aligned

Scratch area size:
•  Flash memory wear-out
•  At least as large as the largest block size

Real image size smaller than image slot:
•  Image header, TLV, swap status info, etc.

No recovery option, if both images are faulty


Common threats

Threat                              | Mitigation                          | Implemented
Malicious firmware sent to device   | Signed firmware images              | Yes
Downgrade to old vulnerable version | Version or fallback counters check  | Not yet*
Persistent malware (rootkits)       | Immutable boot code and data (BL1)  | Not yet
Remote bricking of the device       | Backup image                        | Yes
Attacker gets signing key           | Key revocation support              | Not yet*

*: Planned to be addressed in 2018


Alternatives to image swapping

Position independent code
Pros:
•  Reduced P/E cycle leads to longer lifetime
•  Reduced BL complexity and code footprint
•  Reduced boot-up time (no swapping)
Cons:
•  Might lead to bigger firmware code footprint
•  Some compiler switches are not compatible with PIC code
•  Some C lib (Microlib) cannot be compiled to be PIC
•  Other constraints when compiling code to be PIC

Dual image build
Pros:
•  Reduced P/E cycle leads to longer lifetime
•  Reduced BL complexity and code footprint
•  Reduced boot-up time (no swapping)
Cons:
•  More complex build process
•  Extra logic in update client


Alternatives to image swapping

Execute from RAM
Pros:
•  Reduced P/E cycle leads to longer lifetime
•  Faster firmware execution
•  Reduced BL complexity and code footprint
Cons:
•  Usually infeasible: less RAM than ROM

Off-chip storage
Pros:
•  Reduced P/E cycle leads to longer lifetime
•  Reduced BL complexity and code footprint
Cons:
•  Might be a security risk: when to verify signature?
•  Might require image encryption, increased code footprint (include AES) and boot-up time


Alternatives to image swapping

Overwrite
Pros:
•  Reduced P/E cycle leads to longer lifetime
•  No need for scratch space
•  Reduced BL complexity and code footprint
Cons:
•  Risk of bricking the device because no revert possible


MCUBoot as PIC code

Experiment to compile PIC code:
•  RO and RW position independent (--ropi, --rwpi)
•  Vector table and IRQ handlers must be in RAM
•  IRQ handling unavailable until vectors and handlers relocated to RAM
•  Image size increased:
   –  29 KB -> 38 KB; more std. C lib was compiled-in
•  Limitations on source code:
   –  Constant pointer cannot be used
   –  CMSE armclang flag is not compatible with ROPI
   –  Microlib cannot be compiled to be position independent


Comparison of crypto algorithms

RSA
•  Big key size: up to 15 KB
•  128 bit level of security: RSA-3072
•  ROM size (mbedTLS): ~14 KB
•  RAM usage (mbedTLS): ~7 KB
•  Key generation: slower
•  Signature generation: slower
•  Signature verification time: faster

ECC
•  Small key size: up to 512 bits
•  128 bit level of security: ECC-256
•  ROM size (mbedTLS):
•  RAM usage (mbedTLS): ~13 KB
•  Key generation: faster
•  Signature generation: faster
•  Signature verification: slower

Moving from RSA to ECC


"Speed up asymmetric crypto"

Signature verification with RSA or ECC is time consuming. Symmetric crypto can spare clock cycles. Replace asym. crypto with symmetric: HMAC, CMAC, etc.:

•  Previously verified images (upgrade time) can get a MAC, generated based on Hardware Unique Key (HUK)
•  At boot time this MAC is verified instead of original signature
•  Boot time can be significantly reduced

[Figure: flow] Download new firmware -> Verify signature -> Deploy in flash -> Generate MAC -> Save to flash -> Reset device -> Bootloader checks MAC
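The flow above as an added Python model, not TF-M's or MCUBoot's code: the asymmetric check is passed in as verify_signature and is assumed to be supplied by the platform, while the HUK, the KDF label and the image bytes are constructed values. It also shows the two boot-time failures the MAC is meant to catch: a modified image, and flash contents cloned onto another device whose HUK differs.

```python
"""Added model of the 'speed up asymmetric crypto' flow (not TF-M code): the
signature is verified once at upgrade time, the image then gets a MAC keyed
from the Hardware Unique Key, and at boot only that MAC is checked."""
import hashlib
import hmac

HUK = bytes(range(32))          # constructed stand-in for the device's HUK
KDF_LABEL = b"boot-image-mac"   # assumed key-derivation label


def derive_mac_key(huk):
    """HMAC-based KDF so the raw HUK is never used directly as a MAC key."""
    return hmac.new(huk, KDF_LABEL, hashlib.sha256).digest()


def image_mac(huk, header, image):
    """MAC over header and image, so neither can be altered in flash unnoticed."""
    return hmac.new(derive_mac_key(huk), header + image, hashlib.sha256).digest()


def deploy(huk, header, image, signature, verify_signature):
    """Upgrade-time path: verify signature, deploy, generate MAC, save to flash.
    verify_signature(header, image, signature) -> bool is the platform's
    RSA/ECDSA check; it is assumed, not implemented, here."""
    if not verify_signature(header, image, signature):
        raise ValueError("image rejected: bad signature")
    return {"header": header, "image": image, "mac": image_mac(huk, header, image)}


def boot_check(huk, slot):
    """Boot-time path: the bootloader checks only the MAC, in constant time."""
    expected = image_mac(huk, slot["header"], slot["image"])
    return hmac.compare_digest(expected, slot["mac"])


def demo():
    """Constructed image, and a hash used as a stand-in 'signature' purely to
    exercise deploy() (a real system verifies RSA/ECDSA here). Returns boot
    results for: as deployed; one image bit flipped; flash cloned onto a
    device with a different HUK."""
    header, image = b"HDR\x01", b"SPE+NSPE firmware blob"
    sig = hashlib.sha256(header + image).digest()
    verify = lambda h, i, s: hmac.compare_digest(hashlib.sha256(h + i).digest(), s)
    slot = deploy(HUK, header, image, sig, verify)
    tampered = dict(slot, image=image[:-1] + bytes([image[-1] ^ 0x01]))
    cloned = boot_check(bytes(32), slot)      # same flash contents, other device
    return boot_check(HUK, slot), boot_check(HUK, tampered), cloned
```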


Alternatives for crypto libraries

HW accelerator:
•  Improved performance / reduced code footprint

CryptoCell-312:
•  Symmetric and asymmetric crypto
•  Runtime library: use mbedTLS API
•  Boot library:
   –  Signature verification
   –  X509 certificate parsing
   –  Image verification and optional decryption
•  Asset provisioning to OTP memory
•  Rollback counters


Bootloader plans

PSA compliance:
•  Anti-rollback protection
•  Create interface between SPE and bootloaders
•  Add support of multiple chains of trust and possibly certificates

Explore possibilities to make BL2 updatable
Integrate crypto HW accelerator (CC312) with BL2


How to get involved

TF-A and TF-M master code bases:
•  https://git.trustedfirmware.org/

TF-M Team @ Connect HKG18:
•  Abhishek Pandit
•  Ashutosh Singh
•  Tamas Ban
•  Miklos Balint

Get in touch:
•  Come round LITE hacking room between 3-4pm Wednesday
•  Schedule a meeting via hkg18.pathable.com

More info on developer.arm.com


Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos! 감사합니다 धन्यवाद


Supported platforms

MCUBoot with TF-M can run on:
•  In simulator environment (FVP) on PC
•  MPS2 development board with AN521 (Castor) FPGA image
•  MPS2 development board with AN519 (M23) FPGA image
•  Musca_A porting is in progress


[Figure: flash memory layout]
0x0000...  BL2 - Bootloader (currently not updatable)
SLOT_0 - Active image: Header, Secure firmware, Non-secure firmware, TLV (SHA, DS)
SLOT_1 - Placeholder for new image: Header, Secure firmware, Non-secure firmware, TLV (SHA, DS)
Trailer (swap status)
0xXXXX...  Scratch area (used during image swapping)


[Figure: BL2 bootloader flow chart]
CPU released from reset -> BL2 - Bootloader started -> Initialize phase
-> Is there aborted swap? yes: Finalize aborted swap; no: continue
-> Is new SW in SLOT_1? no: Pass execution to SPE in SLOT_0
   yes: Authenticate SW in SLOT_1 -> Valid SW? no: Erase SLOT_1
        yes: Swap images between SLOT_0 and SLOT_1 -> Finalize image status info -> Pass execution to SPE in SLOT_0


[Figure: firmware update flow]
Runtime firmware: NSPE - Update Client; SPE - Trusted Update Function, Firmware Storage Server (Keys, NV counters)
Local storage: BL2 - Bootloader, Slot_0 - Active image, Slot_1 - New image
1. Download from remote server: firmware, manifest
2. Authentication: send manifest
3. Provision new image
4. Reboot
5. Authenticate and swap images, start image in slot_0


[Figure: image fallback sequence; each state lists Slot_0 / Slot_1]
Old image / New image -> Reboot -> New image / Old image
  Test NOK -> Reboot -> Old image / New image (reverted)
  Test OK -> Confirm -> New image / Old image -> Set rollback
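An added model, not TF-M code, of the fallback sequence from the Image fallback slide and the figure above, combined with the anti-rollback NV counter listed under bootloader plans; the slot states, the "rejected" marking that stops a failed image being retried, and the rule that confirming a version raises the counter are assumptions of this example.

```python
"""Added model: image fallback sequence plus anti-rollback NV counter (not TF-M code)."""


class Device:
    def __init__(self, active_version, nv_counter=0):
        self.slot0 = {"version": active_version, "state": "confirmed"}  # active image
        self.slot1 = None                                                # new image
        self.nv_counter = nv_counter   # lowest version still allowed to boot
        self.log = []

    def provision(self, version):
        """Runtime FW stores the signature-verified new image in Slot_1."""
        self.slot1 = {"version": version, "state": "pending"}

    def reboot(self):
        """BL2 on reset: revert an unconfirmed test image, or swap in a pending one."""
        if self.slot0["state"] == "testing":            # reset without confirmation
            self.slot0, self.slot1 = self.slot1, self.slot0
            self.slot1["state"] = "rejected"            # not retried automatically
            self.log.append("revert")
        elif self.slot1 and self.slot1["state"] == "pending":
            if self.slot1["version"] < self.nv_counter:
                self.slot1["state"] = "rejected"        # downgrade refused
                self.log.append("rollback rejected")
            else:
                self.slot0, self.slot1 = self.slot1, self.slot0   # image swapping
                self.slot0["state"] = "testing"
                self.log.append("swap, test boot")
        return self.slot0["version"]                    # version now running

    def run_bist(self, healthy):
        """Runtime self-test of a test image: confirm it, or reboot to fall back."""
        if self.slot0["state"] != "testing":
            return "nothing to confirm"
        if not healthy:
            self.reboot()                               # reboot in case of failure
            return "reverted"
        self.slot0["state"] = "confirmed"               # self confirmation
        self.nv_counter = max(self.nv_counter, self.slot0["version"])  # set rollback
        self.log.append("test OK, confirm")
        return "confirmed"


def scenario():
    """Constructed run: v4 fails BIST and is reverted, v4 is retried and confirmed, then v2 is refused."""
    d = Device(active_version=3, nv_counter=3)
    d.provision(4); d.reboot(); d.run_bist(healthy=False)
    d.provision(4); d.reboot(); d.run_bist(healthy=True)
    d.provision(2); d.reboot()
    return d.slot0["version"], d.nv_counter, d.log
```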