Microsemi has built an FPGA-based Secure Boot Reference Design for embedded microprocessors. It uses the security features integrated in its SmartFusion2 SoC FPGAs to securely boot any application processor in an embedded system and to ensure that the processor's code can be trusted during execution. Applications running on the securely booted processor can then extend that trust to their own system and to other connected systems.
Microsemi's reference design implements a "chain of trust": at each stage of the boot process, up to the top application layer, the next boot phase is validated by the already-trusted code of the previous phase before any further code is allowed to execute.
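To make the chain-of-trust idea concrete, here is an added illustration (not code from Microsemi's reference design) of verified boot as a hash chain: a simulated root of trust, standing in for the digest kept in the SmartFusion2's on-chip eNVM, holds only the digest of the first stage; each stage is measured and compared before it "runs", and a running stage carries the expected digest of its successor. The image layout, the stage names and the `secure_boot` helper are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Toy stage-image layout (assumption for this example):
#   magic(4) | name_len(2, little-endian) | name | sha256 of next stage (32 bytes)
# The final stage carries 32 zero bytes in the "next" field.
MAGIC = b"STG1"
DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_stage(name: bytes, next_digest: bytes) -> bytes:
    """Pack one boot stage together with the digest it vouches for."""
    assert len(next_digest) == DIGEST_LEN
    return MAGIC + struct.pack("<H", len(name)) + name + next_digest


def parse_stage(image: bytes) -> Tuple[bytes, bytes]:
    """Return (stage name, expected digest of the next stage)."""
    if not image.startswith(MAGIC):
        raise ValueError("bad magic")
    (name_len,) = struct.unpack_from("<H", image, 4)
    name = image[6:6 + name_len]
    next_digest = image[6 + name_len:6 + name_len + DIGEST_LEN]
    if len(name) != name_len or len(next_digest) != DIGEST_LEN:
        raise ValueError("truncated stage image")
    return name, next_digest


def build_chain(names: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Build images last-to-first so each one can embed its successor's digest.
    Returns the ordered images and the root digest (of the first stage), which a
    real design would burn into protected on-chip storage."""
    images: List[bytes] = []
    next_digest = bytes(DIGEST_LEN)
    for name in reversed(names):
        image = build_stage(name, next_digest)
        images.insert(0, image)
        next_digest = sha256(image)
    return images, next_digest


def secure_boot(root_digest: bytes, images: List[bytes]) -> Tuple[List[str], Optional[str]]:
    """Walk the chain: a stage only runs if its digest matches what the previously
    trusted stage (or the root of trust) says it must be. Returns the names of the
    stages that were allowed to run and the reason the chain stopped, if it did."""
    executed: List[str] = []
    expected = root_digest
    for image in images:
        # Constant-time compare, so the check itself does not leak via timing.
        if not hmac.compare_digest(sha256(image), expected):
            return executed, "digest mismatch at stage %d" % len(executed)
        name, expected = parse_stage(image)   # trusted stage hands over the next digest
        executed.append(name.decode())
    return executed, None


if __name__ == "__main__":
    images, root = build_chain([b"eNVM boot code", b"SPI-flash bootloader", b"application"])
    print(secure_boot(root, images))
    bad = list(images)
    bad[1] = bad[1][:10] + bytes([bad[1][10] ^ 0x01]) + bad[1][11:]  # flip one bit in stage 1
    print(secure_boot(root, bad))
```

Flipping a single bit in the second-stage image stops the boot at that stage: the first stage still runs because its digest matched the root, but it refuses to hand control to an image whose digest differs from the one it carries, and the application stage never executes. The same structure applies whether the per-stage check is a plain digest, as here, or a signature verified with a key held in the FPGA.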
The SmartFusion2 SoC FPGA incorporates a number of security features, including on-chip oscillators, hardware accelerators for cryptographic services, secure key storage, a true random number generator, on-chip boot-code storage in secure embedded flash memory (eNVM), and at-speed serial peripheral interface (SPI) flash emulation so that an external processor can be securely booted without a speed penalty. Microsemi also claims stronger design security than other FPGAs, including differential power analysis (DPA)-resistant anti-tamper countermeasures that use technology licensed from Cryptography Research (CRI).
The reference design also includes a public instance of Microsemi's WhiteboxCRYPTO product, which allows a symmetric encryption key to be transported and used in an environment where it would otherwise be exposed in plaintext, by combining complex algebraic decomposition of the key with strong obfuscation.
The company says that its techniques (diagram, above) have the property that the key is "never present in static or runtime memory. Rather, the key becomes an inert collection of data that is useless without the uniquely generated whitebox algorithm that knows how to use that data to achieve the same output as the classical crypto counterpart."
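The simplest form of the idea quoted above is partial evaluation: the key bytes are folded into lookup tables at generation time, so the runtime code holds only tables plus a key-independent algorithm and never a key. The toy cipher below is an added illustration written for this article, not WhiteboxCRYPTO's algebraic decomposition or obfuscation, and the S-box, round structure and block size are assumptions. It also shows the caveat a practitioner should keep in mind: unprotected tables can be inverted to recover the key, which is exactly why commercial whitebox products add encodings and obfuscation on top of the tables.

```python
from typing import List

BLOCK = 4    # bytes per block (toy size, an assumption)
ROUNDS = 3   # round keys are ROUNDS * BLOCK bytes

# Fixed, key-independent byte permutation. An affine map with an odd multiplier is
# invertible; it is a toy S-box, not a cryptographically strong one.
SBOX = [(x * 167 + 13) & 0xFF for x in range(256)]
INV_SBOX = [0] * 256
for _x in range(256):
    INV_SBOX[SBOX[_x]] = _x

Tables = List[List[List[int]]]   # tables[round][byte_index][input_byte]


def mix(state: List[int]) -> List[int]:
    """Key-independent diffusion step: rotate the block bytes left by one."""
    return state[1:] + state[:1]


def classical_encrypt(block: bytes, key: bytes) -> bytes:
    """Reference cipher: the key is XORed in at runtime, so it sits in memory."""
    assert len(block) == BLOCK and len(key) == ROUNDS * BLOCK
    state = list(block)
    for r in range(ROUNDS):
        state = [SBOX[state[i] ^ key[r * BLOCK + i]] for i in range(BLOCK)]
        state = mix(state)
    return bytes(state)


def generate_whitebox(key: bytes) -> Tables:
    """Partial evaluation: precompute T[r][i][x] = S[x ^ k[r][i]] for every input byte.
    The tables are the 'inert data'; no key byte is stored anywhere in them directly."""
    assert len(key) == ROUNDS * BLOCK
    return [[[SBOX[x ^ key[r * BLOCK + i]] for x in range(256)]
             for i in range(BLOCK)] for r in range(ROUNDS)]


def whitebox_encrypt(block: bytes, tables: Tables) -> bytes:
    """Same output as classical_encrypt, but the runtime never touches a key."""
    assert len(block) == BLOCK
    state = list(block)
    for r in range(ROUNDS):
        state = [tables[r][i][state[i]] for i in range(BLOCK)]
        state = mix(state)
    return bytes(state)


def extract_key_from_naive_tables(tables: Tables) -> bytes:
    """The caveat: with no encoding around the tables, T[0] = S[0 ^ k] = S[k],
    so a single inverse S-box lookup per table recovers every key byte."""
    return bytes(INV_SBOX[tables[r][i][0]] for r in range(ROUNDS) for i in range(BLOCK))


if __name__ == "__main__":
    key = bytes(range(1, ROUNDS * BLOCK + 1))      # constructed demo key
    tables = generate_whitebox(key)
    print(whitebox_encrypt(b"boot", tables) == classical_encrypt(b"boot", key))
    print(extract_key_from_naive_tables(tables) == key)
```

The two encryptors agree on every input while only the classical one ever holds the key, which is the property the quote describes. The last function is the reason that property alone is not a security guarantee: a whitebox implementation is only as strong as the encodings and obfuscation that prevent an attacker from undoing the decomposition.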
A graphical user interface (GUI) tool lets users encrypt their application code before programming it into SPI flash; the host processor then decrypts the code for execution. Encryption protects the confidentiality of that code, while the chain-of-trust validation described above is what ensures the processor only executes authenticated code. A complete user's guide assists developers in adding secure-boot capabilities to their embedded systems.
Comparing SmartFusion2 with other FPGAs that have 5 Gbps SERDES and fewer than 150k logic elements (LEs), Microsemi says its devices' high level of integration gives the lowest total system cost versus competing FPGAs, while improving reliability, significantly reducing power and systematically protecting customers' design IP.
The company is presenting the design as part of a general security offering aimed at solving trusted computing challenges. The company asserts that, “Very few processors today can be booted securely and therefore are untrusted, and yet threats have never been greater, especially as the industry embeds processors into increasingly critical applications… Microsemi’s reference design can protect these systems and applications at the most basic level, reducing user risk and limiting exposure by ensuring that all system processors are executing authenticated code.”