Verification in the age of Integration
10/14/2015
Integration
Agenda
• The changing nature of design at Intel
• Easy problems
• Hard problems
• Prospects
Market segmentation
SoC methodology
Shared ingredients
Bay Trail SoC
[Block diagram of the Bay Trail SoC: Power Management Controller; two Silvermont modules, each with two Silvermont Cores and a Shared 1M L2$; Imaging DSP; Intel HD Gfx; Video Decoder; Display Controller; Silvermont System Agent with two LPDDR3/DDR3L Controllers (1x64b each) to DRAM; Primary Switching Fabric; GPIO Controller; Legacy; Security Engine; Low Power IO Controller; Storage Hub with SDIO 3.0, SD 3.0 and eMMC 4.1 Controllers; USB3 OTG xHCI; Audio Engine. External interfaces: MPI-CSI, MPI-DSI, HDMI 1.4, DP 1.2, eDP 1.3, I2S, USB HSIC, USB2, USB3, USB3 OTG, eMMC, SD Card, SDIO, PWM, I2C, HS UART, SPI, GPIO, SMBUS, LPC, Boot ROM; pin groups labelled DDR, GPIO + Legacy, Display, Audio, USB]
Development with shared IPs
[Figure: shared "IPs" (ingredients: CPU, Gfx, Img, Wireless, Chassis, each in generations n and n+1) feed each product's timeline: RTL development (0) → Integration / Firmware development (2) → Product (3)]
Formal verification today
• Primary focus is on units within IPs
– Does this multiplier multiply?
– Does this decoder decode?
– etc
[Figure: the "IPs" (ingredients: CPU, Gfx, Img, Wireless, Chassis; generations n and n+1) highlighted in the development picture]
Integration validation
• Simulation and emulation dominate
• Little/no use of formal – but opportunities exist
[Figure: the product timeline (RTL development (0) → Integration / Firmware development (2) → Product (3)) highlighted in the development picture]
Cost of a bug vs time found
[Figure: the development picture (IP ingredients CPU, Gfx, Img, Wireless, Chassis feeding RTL development → Integration / Firmware development → Product) with the cost of a bug rising along the timeline, roughly $10^3 → $10^6 → $10^9 the later it is found]
Agenda
• The changing nature of design at Intel
• Easy problems
– Interface protocol compliance
– Control/status register (CSR) verification
– Connectivity verification
• Hard problems
• Prospects
Bay Trail SoC
[Bay Trail SoC block diagram, repeated]
Interface protocol compliance
• Each IP has several interfaces:
– Mainband
– DFx: test, debug, …
[Figure: UART IP block with Tx and Rx, clk and rst# pins and an OCP interface]
Interface compliance
• Given:
– IP block
– Protocol configuration: data width, burst size, feature inclusion, …
• Verify:
– Interface well-formedness: signals, naming conventions
– Legality of configuration
– Adherence to protocol rules
Interface compliance
• Standard protocols
– Commercial bus functional models and checkers support simulation
– Some EDA vendor support for formal (e.g. Jasper IPKs)
• Proprietary protocols
– Writing and maintaining high quality formal compliance checkers is very labor intensive
– Need synthesis of formal compliance checkers (and simulation testbench, …) from declarative protocol specifications
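The three checks on the previous slide (well-formedness, legality of configuration, adherence to protocol rules) and the idea of deriving the checker from a declarative specification, as an added Python example that is not from the talk and not an Intel protocol: the valid/ready handshake, its two rules, the list of legal data widths and the two traces are all constructed for illustration. The rule table is the "specification"; the trace checker is mechanically derived from it.

```python
"""Compliance checker derived from a declarative rule table (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cycle:
    """One sampled clock cycle of a constructed valid/ready streaming interface."""
    valid: int
    ready: int
    data: int


# Declarative protocol rules: (name, predicate(previous_cycle, current_cycle)).
# Each predicate is a two-cycle temporal property; the checker below is the
# generic machinery that runs whatever rules the table contains.
RULES = [
    # Once valid is asserted it must stay asserted until ready completes the transfer.
    ("no_valid_retraction",
     lambda p, c: p is None or not (p.valid and not p.ready) or bool(c.valid)),
    # Data must not change while the transfer is stalled (valid && !ready).
    ("data_stable_while_stalled",
     lambda p, c: p is None or not (p.valid and not p.ready) or c.data == p.data),
]

LEGAL_WIDTHS = (8, 16, 32, 64)   # constructed: the widths this protocol configuration allows


def check_config(data_width: int, burst_size: int, max_burst: int = 16) -> list[str]:
    """Legality of the protocol configuration."""
    problems = []
    if data_width not in LEGAL_WIDTHS:
        problems.append(f"illegal data width {data_width}")
    if not 1 <= burst_size <= max_burst:
        problems.append(f"burst size {burst_size} outside 1..{max_burst}")
    return problems


def check_interface(ports: dict[str, int], data_width: int) -> list[str]:
    """Interface well-formedness: required signals present with the configured widths."""
    required = {"valid": 1, "ready": 1, "data": data_width}
    problems = []
    for name, width in required.items():
        if name not in ports:
            problems.append(f"missing signal {name}")
        elif ports[name] != width:
            problems.append(f"{name} is {ports[name]} bits, expected {width}")
    return problems


def check_trace(trace: list[Cycle]) -> list[tuple[int, str]]:
    """Adherence to protocol rules: run every rule over consecutive cycle pairs.

    Returns (cycle index, rule name) for each violation found.
    """
    violations = []
    prev: Optional[Cycle] = None
    for i, cur in enumerate(trace):
        for name, rule in RULES:
            if not rule(prev, cur):
                violations.append((i, name))
        prev = cur
    return violations


# Constructed traces: a compliant stalled transfer, and one that drops valid
# (and changes data) in the middle of a stall.
GOOD_TRACE = [Cycle(1, 0, 0xA5), Cycle(1, 0, 0xA5), Cycle(1, 1, 0xA5), Cycle(0, 0, 0)]
BAD_TRACE = [Cycle(1, 0, 0xA5), Cycle(0, 0, 0x00), Cycle(1, 1, 0x5A)]

if __name__ == "__main__":
    print(check_config(32, 4), check_config(12, 4))
    print(check_trace(GOOD_TRACE))
    print(check_trace(BAD_TRACE))
```

Because the rules are data rather than code, the same table can drive a simulation monitor, a formal property file or documentation, which is the point of the "synthesis from declarative specifications" bullet.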
Control/status register verification
• IPs configured and controlled via CSRs
• CSRs are memory or IO mapped for access by BIOS, driver, …
[Figure: the UART IP (Tx, Rx, clk, rst#, OCP) with its CSRs RBR/THR, IER, IIR, LCR, MCR, LSR, MSR, SCR, shown next to the SystemRDL register specification and its C view:]

```c
#define UART_BASE 0x03F8
enum {
    UART_RBR = UART_BASE + 0,
    UART_THR = UART_BASE + 0,
    UART_IER = UART_BASE + 1,
    UART_IIR = UART_BASE + 2,
    UART_LCR = UART_BASE + 3,
    UART_MCR = UART_BASE + 4,
    UART_LSR = UART_BASE + 5,
    UART_MSR = UART_BASE + 6,
    UART_SCR = UART_BASE + 7,
};
```

SystemRDL
CSR verification
• Given:
– IP block
– Register specification (e.g. SystemRDL)
• Verify:
– Address mapping
– Correct cold reset values
– Data integrity
– Read only/write only
– Lock bits behavior
CSR verification
• Simulation is standard approach today
• Continuous regressions required due to periodic IP drops and register spec churn
• Formal tools appearing: Cadence Jasper, OneSpin
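The five CSR checks listed two slides back (address mapping, cold reset values, data integrity, read-only behaviour, lock bits), as an added Python example that is not from the talk and not a SystemRDL tool: a small register specification is modelled as data, a behavioural device model is driven through reset/write/read, and every check is run against it. The register map, reset values, the sticky lock bit and the device model (including its optional `nolock` bug, which makes the lock ineffective) are all constructed for illustration.

```python
"""CSR compliance checks against a behavioural register model (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RegField:
    reg: str
    name: str
    lsb: int
    width: int
    access: str          # "RW", "RO", or "RW1S" (write-1-to-set, sticky: a lock bit)
    reset: int
    locked_by: str = ""  # "REG.FIELD" of the lock bit that freezes this field

    @property
    def mask(self) -> int:
        return ((1 << self.width) - 1) << self.lsb


# Constructed register map: three 8-bit registers at byte offsets.
OFFSETS = {"CTRL": 0x0, "STATUS": 0x1, "KEYSEL": 0x2}
SPEC = [
    RegField("CTRL", "ENABLE", 0, 1, "RW", 0),
    RegField("CTRL", "LOCK", 7, 1, "RW1S", 0),                 # once set, stays set
    RegField("STATUS", "READY", 0, 1, "RO", 1),
    RegField("KEYSEL", "SLOT", 0, 4, "RW", 0x3, locked_by="CTRL.LOCK"),
]


class Device:
    """Behavioural model under test. bug='nolock' models a lock that does nothing."""

    def __init__(self, bug: str = ""):
        self.bug = bug
        self.reset()

    def reset(self) -> None:
        self.regs = {r: 0 for r in OFFSETS}
        for f in SPEC:
            self.regs[f.reg] |= (f.reset << f.lsb) & f.mask

    def _name(self, addr: int) -> str:
        return next(r for r, o in OFFSETS.items() if o == addr)

    def _bit(self, ref: str) -> int:
        reg, fld = ref.split(".")
        f = next(x for x in SPEC if x.reg == reg and x.name == fld)
        return (self.regs[reg] & f.mask) >> f.lsb

    def read(self, addr: int) -> int:
        return self.regs[self._name(addr)]

    def write(self, addr: int, value: int) -> None:
        name = self._name(addr)
        new = self.regs[name]
        for f in SPEC:
            if f.reg != name or f.access == "RO":
                continue
            if f.locked_by and self.bug != "nolock" and self._bit(f.locked_by):
                continue                                  # field frozen by its lock
            bits = value & f.mask
            new = new | bits if f.access == "RW1S" else (new & ~f.mask) | bits
        self.regs[name] = new & 0xFF


def check_csrs(dev: Device) -> list[str]:
    """Run the CSR checks; an empty list means the model matches the spec."""
    viol = []
    dev.reset()
    for reg, off in OFFSETS.items():                      # correct cold reset values
        exp = sum(f.reset << f.lsb for f in SPEC if f.reg == reg)
        if dev.read(off) != exp:
            viol.append(f"{reg}: reset value {dev.read(off):#x} != {exp:#x}")
    for f in SPEC:
        dev.reset()
        off = OFFSETS[f.reg]
        before = dev.read(off)
        others = {r: dev.read(o) for r, o in OFFSETS.items() if r != f.reg}
        dev.write(off, before ^ f.mask)                   # flip every bit of the field
        after = dev.read(off)
        if f.access == "RO" and after != before:          # read only
            viol.append(f"{f.reg}.{f.name}: RO field changed on write")
        if f.access == "RW" and (after & f.mask) != ((before ^ f.mask) & f.mask):
            viol.append(f"{f.reg}.{f.name}: RW field did not hold written value")
        if any(dev.read(OFFSETS[r]) != v for r, v in others.items()):   # address mapping
            viol.append(f"{f.reg}.{f.name}: write aliased into another register")
        if f.locked_by:                                   # lock bit behaviour
            dev.reset()
            lreg, lfld = f.locked_by.split(".")
            lock = next(x for x in SPEC if x.reg == lreg and x.name == lfld)
            dev.write(OFFSETS[lreg], lock.mask)           # set the lock
            held = dev.read(off)
            dev.write(off, held ^ f.mask)
            if dev.read(off) != held:
                viol.append(f"{f.reg}.{f.name}: writable while {f.locked_by} set")
            dev.write(OFFSETS[lreg], 0)                   # lock must be sticky
            if not dev.read(OFFSETS[lreg]) & lock.mask:
                viol.append(f"{f.locked_by}: lock cleared by software write")
    return viol


if __name__ == "__main__":
    print(check_csrs(Device()), check_csrs(Device(bug="nolock")))
```

The lock check is the security-relevant one: a lock bit that can be cleared, or that does not actually freeze the fields it guards, is exactly the kind of CSR defect that a functional write/read-back regression never notices, because every access "works".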
Scaling challenge of “easy” problems
• This is an IP:
• Dozens of interfaces, 1000s of pins
• Complex protocols
• Hundreds/thousands of CSRs, some buried deep
[Figure: the Silvermont module, two Silvermont Cores with a Shared 1M L2$, is one such IP]
Connectivity verification
[Bay Trail SoC block diagram, repeated, annotated with Obs, JTAG and dbg connections]
Connectivity verification
• Given
– Fullchip model including pins
– Connectivity specification (spreadsheet)
• Verify
– Power & ground planes connected
– Clocks & resets connected with correct polarity
– Fabrics connected to IPs
– Mux networks correct: GPIOs
– DFx infrastructure connected: observability, debug, JTAG, misc test, …
• Scaling is the biggest challenge
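The "connected with correct polarity" check above, as an added Python example that is not from the talk: a spreadsheet-style list of expected (source, destination, inverted?) connections is checked against a netlist by walking from each source through buffer and inverter cells and tracking the inversion parity that arrives at the destination. The netlist, the cell types and the specification rows are constructed; one clock is wired through an inverter by mistake and one destination is left unconnected, so both failure kinds appear in the output.

```python
"""Connectivity and polarity check over a constructed netlist."""
from __future__ import annotations
from collections import deque

# Constructed fullchip netlist: cell -> (type, input net, output net).
# BUF preserves polarity, INV flips it. Top-level pins are plain nets.
NETLIST = {
    "u_rst_buf":  ("BUF", "pad_rst_n", "rst_n_top"),
    "u_rst_inv":  ("INV", "rst_n_top", "rst_core"),      # core wants active-high reset
    "u_rst_buf2": ("BUF", "rst_n_top", "rst_n_fabric"),  # fabric wants active-low reset
    "u_clk_buf":  ("BUF", "pad_clk", "clk_fabric"),
    "u_clk_inv":  ("INV", "pad_clk", "clk_core"),        # constructed wiring mistake
}

# Connectivity specification rows: (source pin, destination pin, inverted?).
SPEC = [
    ("pad_rst_n", "rst_core", True),
    ("pad_rst_n", "rst_n_fabric", False),
    ("pad_clk", "clk_fabric", False),
    ("pad_clk", "clk_core", False),
    ("pad_clk", "clk_dsp", False),     # constructed: nothing drives clk_dsp
]


def reachable_polarities(src: str, netlist=NETLIST) -> dict[str, set[bool]]:
    """BFS from src; map every reachable net to the set of inversion parities seen.

    A set with two members means the net is reached with both polarities, which
    is itself a design error (reconvergent paths disagreeing on polarity).
    """
    seen: dict[str, set[bool]] = {src: {False}}
    queue = deque([(src, False)])
    while queue:
        net, inv = queue.popleft()
        for ctype, cin, cout in netlist.values():
            if cin != net:
                continue
            new_inv = inv ^ (ctype == "INV")
            if new_inv not in seen.setdefault(cout, set()):
                seen[cout].add(new_inv)
                queue.append((cout, new_inv))
    return seen


def check_connectivity(spec=SPEC, netlist=NETLIST) -> list[str]:
    """One message per spec row that is unconnected or arrives with the wrong polarity."""
    problems = []
    for src, dst, inverted in spec:
        pol = reachable_polarities(src, netlist).get(dst)
        if pol is None:
            problems.append(f"{src} -> {dst}: not connected")
        elif pol != {inverted}:
            problems.append(f"{src} -> {dst}: polarity mismatch (expected inverted={inverted})")
    return problems


if __name__ == "__main__":
    for line in check_connectivity():
        print(line)
```

On a real design the netlist has thousands of pins and the BFS is repeated per row, which is the "scaling is the biggest challenge" bullet; the per-source closure can be cached so each source pin is traversed once no matter how many rows reference it.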
Agenda
• The changing nature of design at Intel
• Easy problems
• Hard problems
– Networks on chip
– Security verification
– Power management
• Prospects
Networks on chip
[Bay Trail SoC block diagram, repeated]
NoC verification
• Given
– NoC RTL
– Behavior/constraints at network endpoints
– Maybe: additional info like topology, queue sizes
• Verify
– Message integrity
– Deadlock freedom, livelock freedom
– QoS: latency, throughput
NoC verification
• Usually validated in fullchip simulation or emulation
– Difficult to hit all important scenarios, corner cases
• Academic traction on formal modeling and verification at architecture level, but no commercial formal tools yet
• Even with verified architecture, establishing RTL correctness extremely difficult
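The "deadlock freedom" property from the NoC verification slide, checked at the architecture level as the talk describes academic work doing, as an added Python example that is not from the talk: a routing function is deadlock-free if its channel dependency graph is acyclic (the Dally and Seitz argument), so the example enumerates every source/destination route, records each "holds channel c1 while requesting c2" pair as a graph edge, and runs a cycle search. The two topologies are constructed: a 2-D mesh with XY dimension-order routing (acyclic) and a unidirectional ring with minimal routing and no virtual channels (cyclic).

```python
"""Channel-dependency-graph deadlock check for constructed NoC topologies."""
from __future__ import annotations
from itertools import product


def xy_route(src, dst):
    """Channels ((from_node, to_node) pairs) visited by XY routing on a 2-D mesh."""
    x, y = src
    path = []
    while x != dst[0]:                 # travel in X first ...
        nx = x + (1 if dst[0] > x else -1)
        path.append(((x, y), (nx, y)))
        x = nx
    while y != dst[1]:                 # ... then in Y
        ny = y + (1 if dst[1] > y else -1)
        path.append(((x, y), (x, ny)))
        y = ny
    return path


def ring_route(src, dst, n):
    """Channels visited on a unidirectional ring of n nodes (always clockwise)."""
    path, cur = [], src
    while cur != dst:
        nxt = (cur + 1) % n
        path.append((cur, nxt))
        cur = nxt
    return path


def channel_dependency_graph(routes):
    """Edge c1 -> c2 whenever some route occupies c1 while waiting for c2."""
    cdg = {}
    for path in routes:
        for c1, c2 in zip(path, path[1:]):
            cdg.setdefault(c1, set()).add(c2)
            cdg.setdefault(c2, set())
    return cdg


def has_cycle(graph) -> bool:
    """Iterative DFS with white/grey/black colouring; True if any back edge exists."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {v: WHITE for v in graph}
    for root in graph:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(graph[root]))]
        while stack:
            v, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:
                colour[v] = BLACK
                stack.pop()
            elif colour[nxt] == GREY:      # reached a vertex still on the DFS path
                return True
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, iter(graph[nxt])))
    return False


def mesh_is_deadlock_free(width: int, height: int) -> bool:
    nodes = list(product(range(width), range(height)))
    routes = [xy_route(s, d) for s in nodes for d in nodes if s != d]
    return not has_cycle(channel_dependency_graph(routes))


def ring_is_deadlock_free(n: int) -> bool:
    routes = [ring_route(s, d, n) for s in range(n) for d in range(n) if s != d]
    return not has_cycle(channel_dependency_graph(routes))


if __name__ == "__main__":
    print("3x3 mesh, XY routing:", mesh_is_deadlock_free(3, 3))
    print("4-node ring, no VCs: ", ring_is_deadlock_free(4))
```

The check is over the routing function and topology only; as the slide says, showing that the RTL actually implements that routing function (and does not add dependencies through shared buffers or arbitration) is the separate, much harder step.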
Security verification
• CIA: confidentiality, integrity, availability
– Focus today is on C and I
• Most effective method is careful manual review by devious experts
• Some formal tools for static security path verification
– Specify location of secrets and potential attack points
– Tool seeks to sensitize a path between adversary and secret
Use case: content protection
[Bay Trail SoC block diagram, repeated]
Security verification
• Given:
– CSR specification
– IP behaviors
– Use case flows: content protection, FW authentication, Intel® SGX
– Threat model
• Verify:
– C: secret not revealed to adversary
– I: secret not tampered by adversary
– [A: secret available to authorized user]
• Analysis must comprehend
– dynamic nature of the computation,
– the changing locations of secrets,
– role and privilege of each participating IP,
– evolution of access permissions
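The C and I checks above, carried out the way the last bullet demands (per phase of a use-case flow, with the secret's location and the access permissions both changing), as an added Python example that is not from the talk and not a model of how any Intel tool works. The agents, the three-phase content-protection-style flow and the rule that access is transitive (an agent that can read X can read whatever X can read) are constructed assumptions; the third phase opens a debug path while the secret is still in the decoder, which is the kind of finding such an analysis exists to surface.

```python
"""Phase-aware secret-flow check over a constructed SoC access model."""
from __future__ import annotations

# Constructed threat model: agents the adversary is assumed to control.
ADVERSARY = {"host_sw", "debug_port"}

# Constructed use-case flow. Each phase records where the secret currently
# lives and which directed accesses (actor -> target) are enabled in that phase.
PHASES = [
    {"name": "provision",
     "secret_at": {"security_engine"},
     "can_read": {("decoder", "security_engine")},
     "can_write": {("host_sw", "decoder")}},            # host programs the decoder
    {"name": "decode",
     "secret_at": {"security_engine", "decoder"},
     "can_read": {("display", "decoder")},
     "can_write": set()},
    {"name": "debug_enabled",                           # debug opened while key still present
     "secret_at": {"decoder"},
     "can_read": {("debug_port", "fabric"), ("fabric", "decoder")},
     "can_write": set()},
]


def reach(start: set, edges: set) -> set:
    """Transitive closure over `edges` (actor -> target) from the agents in `start`."""
    seen = set(start)
    frontier = list(start)
    while frontier:
        actor = frontier.pop()
        for src, dst in edges:
            if src == actor and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen


def check_flow(phases=PHASES, adversary=ADVERSARY) -> list[str]:
    """Return one finding per (phase, property, IP); empty means the flow is clean."""
    findings = []
    for ph in phases:
        # C: anything the adversary can (transitively) read must not hold the secret.
        readable = reach(adversary, ph["can_read"]) - adversary
        for ip in sorted(readable & ph["secret_at"]):
            findings.append(f"{ph['name']}: C violated, {ip} readable by adversary")
        # I: anything the adversary can (transitively) write must not hold the secret.
        writable = reach(adversary, ph["can_write"]) - adversary
        for ip in sorted(writable & ph["secret_at"]):
            findings.append(f"{ph['name']}: I violated, {ip} writable by adversary")
    return findings


if __name__ == "__main__":
    for line in check_flow():
        print(line)
```

A single static picture of the design would miss this: in the provision phase the host may legitimately write the decoder, and in the decode phase the decoder legitimately holds the key. Only the combination of a later permission change with the secret's current location produces the violation, which is why the slide insists the analysis track both over the flow.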
Power management
• Techniques
– Clock gating
– Dynamic voltage and frequency scaling (DVFS)
– C-states: core active, idle, various levels of powerdown
– Various system level power states
• Intricate fullchip protocols orchestrate the transitions
Power state transition
[Bay Trail SoC block diagram, repeated, annotated with MWAIT (the instruction with which a core requests entry to an idle C-state)]
Power management
• Verified in emulation or on silicon
• Formal tools to check local power management measures vs power intent (UPF)
– Clock domain crossings, level shifters
– Isolation cells
– Clock and power gating
Power management
• Really need to verify:
– Power dependencies: e.g. core power-up requires fabric power-up
– Flow synchronization: e.g. two cores on one PLL
– Each IP remains inside its operating envelope
– Timely response to thermal emergency and other urgent events
– Stability?
– Time scales are microseconds or milliseconds
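The first two "really need to verify" items (a power dependency such as core power-up requiring fabric power-up, and flow synchronisation such as two cores sharing one PLL), as an added Python example that is not from the talk: a tiny power-management model (one fabric, two cores, one shared PLL) is explored exhaustively by breadth-first search over every interleaving of requests, and the properties are checked on every reachable state and transition rather than on a handful of simulated sequences. The model, its guards and its two properties are constructed; with the guards disabled the search reports both violations, which stands in for a controller that lets a core power up before the fabric or retunes the PLL under a running core.

```python
"""Exhaustive state exploration of a constructed power-management model."""
from __future__ import annotations
from collections import deque

OFF, ON = 0, 1
FREQS = (1, 2)      # constructed PLL settings shared by both cores


def initial_state():
    # (fabric, core0, core1, pll_freq)
    return (OFF, OFF, OFF, FREQS[0])


def successors(state, guarded: bool = True):
    """All single-step transitions. guarded=False drops the controller's dependency checks."""
    fabric, c0, c1, freq = state
    cores = [c0, c1]
    out = [(ON, c0, c1, freq)]                               # fabric power-up
    if not guarded or (c0 == OFF and c1 == OFF):
        out.append((OFF, c0, c1, freq))                      # fabric power-down
    for i in range(2):
        if not guarded or fabric == ON:                      # core i power-up
            up = cores.copy()
            up[i] = ON
            out.append((fabric, up[0], up[1], freq))
        down = cores.copy()                                  # core i power-down
        down[i] = OFF
        out.append((fabric, down[0], down[1], freq))
    for nf in FREQS:                                         # PLL retune
        if nf != freq and (not guarded or (c0 == OFF and c1 == OFF)):
            out.append((fabric, c0, c1, nf))
    return out


def explore(guarded: bool = True):
    """BFS over the reachable state space.

    Returns (number of reachable states, sorted list of distinct property violations).
    """
    start = initial_state()
    seen = {start}
    queue = deque([start])
    violations = set()
    while queue:
        s = queue.popleft()
        for t in successors(s, guarded):
            # Flow synchronisation: the shared PLL may only change while both cores are off.
            if (s[1] == ON or s[2] == ON) and t[3] != s[3]:
                violations.add("PLL retuned while a core was active")
            # Power dependency: a powered core requires a powered fabric.
            if (t[1] == ON or t[2] == ON) and t[0] == OFF:
                violations.add("core powered while fabric down")
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), sorted(violations)


if __name__ == "__main__":
    print("guarded:  ", explore(True))
    print("unguarded:", explore(False))
```

The state count is what makes this approach hit the wall on a real SoC: every IP with its own power states multiplies the space, which is why the slides list power management among the hard problems and why the real need is for abstract models and refinement rather than flat enumeration.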
Agenda
• The changing nature of design at Intel
• Easy problems
• Hard problems
– NoC verification
– Security verification
– Power management
• Prospects
Looking ahead
• New verification problems, new opportunities
• Need a verification approach that
– Supports executable specs and models
– Enables abstract modeling and refinement
– Scales to address system complexity
– Addresses HW, SW, protocols, concurrency
Thank you!