Building comprehensive hardware security
OEMs are interested in developing hardware security that addresses a number of security threats including data theft, data corruption, equipment hijacking, cloning and design theft. Moreover, security threats are no longer confined to systems in active use.
Attackers target components anywhere in the product lifecycle, from initial component manufacturing and shipment to a contract manufacturer, to system integration and on through its entire operating life. Accordingly, OEMs need a robust security solution that protects hardware from these threats across every stage of a system’s lifecycle.
How can OEMs address this problem? They must establish one or more hardware root-of-trust (RoT) devices as the platform that provides the cryptographic capabilities securing their systems. These include data encryption, data authentication, firmware authentication, system authentication and code/configuration encryption.
A RoT device is the first link in a chain-of-trust that protects the entire system. Once designers have identified the first trusted device (usually a PLD, FPGA or MCU), it can serve as the foundation that enables the cryptographic functions required to secure system hardware. RoT devices must contain the hardware necessary to verify their own configuration and should be the first digital devices to boot at power up and the last to shut down at power off.
What kind of security architecture do system designers need when both the number and the sophistication of threats are constantly rising? First and foremost, any solution must be robust enough to protect against new and existing threats to firmware. To help designers measure the capability of their solution, the National Institute of Standards and Technology (NIST) recently defined a new uniform security mechanism. The NIST SP 800-193 Platform Firmware Resilience (PFR) guidelines were designed to comprehensively ensure that a RoT is established for all system firmware.
Developers of the new specification were driven by three guiding principles:
- Protection: protects non-volatile firmware memory through access control
- Detection: cryptographically detects malicious code and prevents booting from it
- Recovery: in case of corruption, the system recovers to the latest trusted, known-good firmware
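The three PFR principles combined into one boot-time flow, as an added Python example that is not code from the whitepaper or from any vendor's RoT product. It assumes a two-slot flash layout (active and recovery), uses an HMAC as a stand-in for the asymmetric manifest signature a real RoT would verify, and all keys and images are constructed:

```python
import hashlib
import hmac

# Constructed sample data (not real): an immutable RoT key, a known-good
# firmware image, and a copy of it that has been altered in flash.
ROT_KEY = b"constructed-rot-key-not-a-real-secret"
GOLDEN_IMAGE = b"firmware v1.0 (known-good)"
TAMPERED_IMAGE = GOLDEN_IMAGE + b"\x90\x90"

def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def sign_manifest(digest: str, key: bytes = ROT_KEY) -> str:
    # HMAC stands in for the asymmetric signature a real RoT would verify.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

class RootOfTrust:
    def __init__(self, active, recovery, manifest, key=ROT_KEY):
        self.slots = {"active": bytes(active), "recovery": bytes(recovery)}
        self.manifest = manifest          # (expected digest, signature)
        self.key = key
        self.write_enabled = False        # Protection: RoT gates flash writes
        self.log = []

    def write_flash(self, slot: str, data: bytes) -> bool:
        # Protection: a write reaches flash only while the RoT has enabled it.
        if not self.write_enabled:
            self.log.append(f"blocked unauthorised write to {slot}")
            return False
        self.slots[slot] = bytes(data)
        return True

    def boot(self):
        digest, sig = self.manifest
        # Detection 1: the manifest itself must be authentic.
        if not hmac.compare_digest(sign_manifest(digest, self.key), sig):
            self.log.append("manifest signature invalid; halting")
            return None
        # Detection 2: the active image must match the signed measurement.
        if measure(self.slots["active"]) == digest:
            self.log.append("active image verified; booting")
            return self.slots["active"]
        # Recovery: restore active from the recovery slot and re-verify it.
        self.log.append("active image mismatch; recovering")
        self.write_enabled = True
        self.write_flash("active", self.slots["recovery"])
        self.write_enabled = False
        if measure(self.slots["active"]) == digest:
            return self.slots["active"]
        self.log.append("recovery image also untrusted; halting")
        return None
```

A tampered active slot is restored from the recovery slot and booted only after re-verification, while a forged manifest or an untrusted recovery image halts the boot instead of falling through.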
Download the whitepaper to read more.