Creating a Trusted Platform for Embedded Security-critical Applications

Military Embedded Systems

Published in Military Embedded Systems
By Richard Jaenicke of Green Hills Software and Steve Edwards of Curtiss-Wright


Security-critical applications, such as cross-domain solutions (CDS), require a secure, trusted platform on which to execute, spanning software, firmware, and hardware. The lowest layer that the application interacts with directly is a trusted operating system (OS). Trust in the OS is dependent on two factors: its robustness from a security perspective, and assurance that the OS was both loaded and configured correctly and never tampered with. OS trust also depends partly on trusted pre-OS functionality, such as secure boot firmware that executes before the OS.

The security robustness of computer hardware and software platforms is often specified by evaluation to the “Common Criteria for Information Technology Security Evaluation” (ISO/IEC 15408). Typically, Common Criteria targets of evaluation (TOE) are evaluated against a government-defined protection profile that includes both functional and assurance requirements. Evaluations can be done to different levels of depth and rigor, called Evaluation Assurance Levels (EAL), with EAL1 being the least rigorous and EAL7 being the most rigorous. Alternatively, a certain level of trust can be achieved through safety certifications. Although safety certifications provide a level of assurance for integrity and availability, they generally do not directly address confidentiality or other trust mechanisms.


Examples of trusted hardware and software solutions

Curtiss-Wright’s CHAMP-XD1S 3U VPX digital signal processing (DSP) module features an Intel Xeon D processor, an AMD Zynq UltraScale+ MPSoC FPGA, and a flash-based Microsemi SmartFusion2 FPGA to provide a secure processor board designed for high-performance embedded computing (HPEC). The module’s FPGA and software security features with TrustedCOTS Enhanced Trusted Boot capabilities, including an FPGA-based Root of Security to protect against malicious cyberattacks, probing, and reverse-engineering. The CHAMP-XD1S uses a TPM 2.0 security chip to support Intel TXT secure boot technology. The board also uses a PUF in the Zynq UltraScale+ MPSoC to generate the encryption key used to authenticate the boot code. That authentication can be used as the RoT to extend trust to other portions of the system. The SmartFusion 2 FPGA provides health and management functions and can integrate additional security functions.

Read the full article.