Trusted Design In FPGAs Steve Trimberger Xilinx Research Labs
2 Vulnerabilities During base array design and manufacture Same as custom device design and manufacture Same as custom device design and manufacture Do you trust your suppliers? Do you trust your suppliers? But FPGA application functionality is not exposed But FPGA application functionality is not exposed During application design Same as custom device design Same as custom device design Do you trust your tools and libraries? Do you trust your tools and libraries? During deployment Same as software Same as software Bitstream piracy Bitstream piracy Loading malicious bitstream Loading malicious bitstream Do you trust your customers? Do you trust your customers?
3 The IC Manufacturing Flow Concerns: Theft of the design Theft of the design Overbuilds Overbuilds Tampering with the design Tampering with the design Challenges: securing the design Through all phases Through all phases For all parties For all parties For months of elapsed time For months of elapsed time Design Mask making Wafer fabrication Sort (test) Packaging Final test
4 FPGA Flow Sensitive algorithm is in the programming. It is not exposed through the manufacturing process. It can be loaded into the device at a trusted facility. The “secret sauce” never leaves your basement in the clear. The IC manufacturing problem evaporates, but we must still secure the design in the field. Add Secret Bitstream Generic FPGAs Secure Facility Non-Secure Manfacturing Facility Non-Secure Environment
5 The Hostile Field Environment The attacker has physical access to the FPGA in the end system The attacker can observe the bitstream The attacker can observe the bitstream The attacker can tamper with the bitstream as it is being loaded The attacker can tamper with the bitstream as it is being loaded The attacker can observe the operation of the configured device The attacker can observe the operation of the configured device The attacker is a commercial entity Resources limited by potential gain Resources limited by potential gain
6 Xilinx Bitstream Security Goals What we intended to do: Prevent unauthorized copy Prevent unauthorized copy Prevent reverse engineering Prevent reverse engineering “Prevent ” means “Make it expensive” “Prevent ” means “Make it expensive” What we didn’t intend to do: Enable a cores business Enable a cores business Restrict access to the FPGA Restrict access to the FPGA Prevent malicious damage Prevent malicious damage What were our worries? Security holes Security holes Testing Testing
7 Bitstream Security Methods Plan A: program once, ship without external configuration storage Battery backup Battery backup Plan B: Bitstream Encryption (since Virtex-II) Virtex-II and Virtex-II Pro: 3DES Virtex-II and Virtex-II Pro: 3DES Virtex-4, Virtex-5: AES256 Virtex-4, Virtex-5: AES256 Keys erased if tampered Keys erased if tampered Battery backup Battery backup HW enforced restrictions HW enforced restrictions
8 The Silicon View: Hardware-Enforced Restrictions No readback if encryption used. No partial configuration if encryption used. Decrypted configuration must be alone inside the FPGA Decrypted configuration must be alone inside the FPGA No warm re-configuration if encryption used. Configuration cleared before and after encrypted bitstreams. An attempt to access keys clears the keys and configuration data. Data integrity check of decrypted data assures no modification of encrypted bitstreams. The decryptor is not available for encrypting or decrypting user’s data after configuration
9 Check Designs in the Field Manage self- reconfiguration Introspection Read back configuration internally Read back configuration internally Check configuration against ECC bits Check configuration against ECC bits Fix configuration errors Fix configuration errors ICAP – Internal Configuration Access Port ICAP
10 Trust Verification for FPGA Design Tools Compare extracted netlist with expected netlist Network comparison Network comparison Formal verification Formal verification Detects tool “defects” Detects bad libraries Design Synthesis, Place and Route Extract netlist Compare Merge IP Libraries
11 Trust of the Base Array is Easier The secret part of the design is not in others’ hands for months during manufacture. An attacker does not know which devices to attack. Most (nearly all) FPGAs will not be used in sensitive applications. Most (nearly all) FPGAs will not be used in sensitive applications. Large numbers can be (destructively) tested. Large numbers can be (destructively) tested. Statistical assurance has better statistics. Statistical assurance has better statistics. Thorough checking, if needed, can be focused on the security logic.
12 Concluding Remarks Key observation: FPGA programming does not go through the IC manufacturing process. FPGAs change design trust in the field from a physical security issue to an information security issue. Known solutions to the information security problem have been applied to FPGA bitstreams.