Three Ways Power Architecture SBCs Deliver Trust Architecture – and Security to Boot
January 05, 2018 | BY: Mike Slonosky
Cyber security is increasingly top of mind in the defense industry, and understandably so considering today’s technological advancements in intelligence, surveillance and mission control systems that capture and rely on large volumes of classified data. And, beyond protecting critical systems from cyberattacks, there are a variety of threats to embedded computing systems to be concerned with, such as anti-tamper and safety-critical computing. Trusted computing is the umbrella term for hardware, software, algorithms and any other design components of embedded computing systems that address these modern dangers.
Trusted hardware is a key component in any trusted computing solution, and must be designed with several layers of security considerations. In the case of single board computers (SBCs), for example, these layers include a Trusted Platform Module to keep keys secure, embedded hardware virtualization security, trusted I/O and network encryption ability.
But the very first stage in the secure chain of trust at the SBC level requires the ability to perform a trusted boot from a trusted boot code. Here we take a deeper look at the components of a trusted architecture that can be implemented on a Power Architecture processor, specifically around the boot process.
Security Fuse Processor
Using provisioned values, a Power Architecture processor’s Security Fuse Processor (SFP) enforces security policy in the pre-boot phase and securely passes provisioned keys and other secret values to other hardware blocks when the system is in a Trusted/Secure state. This includes secret values such as a device-specific One Time Programmable Master Key (OTPMK), a hash of the Super Root Key (the Public Key used for signature verification) and a debug Challenge/Response value (to prevent illegal snooping). With an embedded fuse processor, it is also virtually impossible to snoop the secret keys, adding additional security to avoid compromise.
Internal Boot ROM
The internal boot ROM contains code known as the ISBC (Internal Secure Boot Code), which is responsible for establishing the root of trust. The ISBC is unmodifiable and contained in an internal ROM to ensure that the code cannot be modified by an attacker. The ISBC is deliberately simple and its only responsibility is to validate a signature over the next code to execute.
NXP processors like the P4080 and T2080 can be configured to perform an optional Secure Boot, which is the process of determining whether the system’s image is trusted using instructions executed from the internal boot ROM. Secure Boot prevents the processor from running arbitrary code, attackers from extracting sensitive values and any modification of security and other device configurations.
Many Curtiss-Wright SBCs leverage these attributes of NXP Power Architecture processors, such as the P4080 and T2080, to provide the trusted hardware base for assured computer solutions. Designed to deliver non-throttling performance and information assurance, Curtiss-Wright SBCs add the unique values of Power Architecture processors to even severely SWaP-constrained platforms. And, Curtiss-Wright supports the long life cycle of rugged embedded and military/aerospace programs by offering new generations of SBCs with backwards pin-compatibility to allow easy system upgrades from older products.