
A Security Embedded System Base on TCM and FPGA

Huaqiang Huang, Department of Software Engineering, South China University of Technology, Guangzhou, China, 08280614@163.com
Chen Hu, Department of Software Engineering, South China University of Technology, Guangzhou, China, chenhu@scut.edu.cn
Jianhua He, Computer Science and Engineering, South China University of Technology, Guangzhou, China, zunoka@foxmail.com

978-1-4244-4520-2/09/$25.00 ©2009 IEEE

Abstract: Embedded systems are becoming more and more pervasive, while security problems severely undermine their credibility. This paper presents a security solution for embedded systems called TFSES (Security Embedded System based on TCM and FPGA). In this solution a security FPGA checks the integrity of the instructions and data held in the flash chip before the embedded processor is allowed to run. The result of the integrity check is sent to the TCM chip. If the result indicates that the content of the flash chip has been modified, the TCM refuses to provide trusted computing services invoked from the embedded processor.

Keywords: Security Embedded System, Security FPGA, TPM

I. INTRODUCTION

With the development of computer and telecommunication technology, and especially the ubiquitous spread of the Internet, embedded systems have become more and more popular. The embedded systems field is growing rapidly, with devices such as cellular phones, PDAs, smart cards and digital music players permeating society. These devices are so portable and convenient that people prefer to carry their crucial information, such as bank account passwords and telephone numbers, on them. As embedded devices are increasingly integrated into personal and commercial infrastructures, security becomes a paramount issue. However, traditional software protection mechanisms cannot protect embedded systems adequately: an attacker can bypass software-only protection easily. Because embedded systems are resource-constrained, their defenses are weak, and an adversary can readily reach the physical layer and take full control of the whole operating system. The security design of embedded systems is therefore very important.

The security of embedded systems cannot be solved at a single security abstraction layer; it is a system problem spanning multiple abstraction levels [1]. We must be concerned not only with protecting the system software but also with defending the system hardware. Achieving a faultless safeguard takes more effort and energy, but the embedded device market is extremely cost-sensitive, so a compromise must be made between security, cost and performance.

In this article we introduce TFSES, a low-cost, high-performance hardware platform for embedded system security based on TCM and FPGA technology. This security platform incorporates mechanisms to protect the integrity and privacy of applications against physical attacks as well as software attacks, so physically secure systems can be built on TFSES.

The paper is organized as follows. Section II introduces related solutions. Section III elaborates our proposed architecture, and Section IV deals with the experiment and the benefits of the architecture. Finally, in Section V we conclude and suggest further research.

II. RELATED SOLUTIONS

A. Aegis, a single-chip secure processor

Aegis is an application-specific core for system security. Figure 1 illustrates the model built upon Aegis [4]. Aegis integrates a security kernel, encryption and integrity verification into a single processor. Anything that wants to access the system must first pass integrity verification and then present, to the encryption module, a password that can only be created from the PUF secret. Only after these two strict checks can data be accepted by the security kernel, and every piece of information that communicates with the system is subject to this rule. Although the stringent rule makes Aegis almost fully secure, it is complicated and wastes a lot of time.

Figure 1 Aegis secure computing model (integrity verification, encryption and the security kernel on the processor chip, keyed by the PUF secret; registers, cache and untrusted memory; an untrusted operating system and malicious applications as software attacks; physical attacks on memory and on peripherals such as keyboard, sound and display card)

Aegis protects not only against software attacks but also against physical tampering, because all critical components are gathered on one chip. It contains a PUF (physical unclonable function) built from ring oscillators, which guarantees that the chip cannot be physically imitated. The integrity verification (IV) and memory encryption (ME) techniques of Aegis are devised
for off-chip memory protection, and they are the crucial means of detecting intrusion in the software defense. Four different system modes, standard (STD), tamper-evident (TE), private tamper-resistant (PTR) and suspended secure processing (SSP), make the security system flexible and efficient at ensuring the integrity of program state and guaranteeing private regions.

Aegis is good at security protection. However, it requires secure components to be integrated into a traditional processor, which is a complex and costly project. Adding hardware mechanisms to the processor increases core size and cost, which severely constrains the widespread application of Aegis. Aegis must be redesigned and refabricated whenever its encryption is updated, which fits the scalability and flexibility needs of embedded systems badly. Anything that wants to access the system must first be encrypted, then decrypted for authentication and encrypted again at the end; this wastes a lot of time and degrades the performance of Aegis badly.

B. TrustZone, a dual-virtual-CPU system

TrustZone is a dual-virtual processor designed by ARM specifically for embedded system security. Compared with the conventional approach of two separate cores providing security through isolation, TrustZone combines the two cores into one: there is only a single physical processor, but the running software sees the TrustZone processor as two separate virtual processors.

As figure 2 shows, TrustZone provides security through isolation, as the two-CPU approach does. One core supports two operating worlds, the Secure World and the Normal World. Support is provided by a memory management unit holding two separate states, a CPU cache that separates Secure World and Normal World data, and the banking of critical registers [5].

Figure 2 TrustZone processor (one TrustZone CPU with a Normal World and a Secure World; the Secure World accesses all memory and peripherals at the speed of a Normal World access, while secure memory and peripherals block all Normal World accesses and are isolated)

Integrating two CPUs in one core lets TrustZone cost less and perform better than traditional separate processors. Isolating execution into a Normal World and a Secure World efficiently keeps the system away from malicious attacks. TrustZone also provides a monitor mode, which provides hypervisor-like functionality and stitches together the transitions between the secure and non-secure systems, so it requires little change to the normal system and adapts well to the real world.

Compared with Aegis, TrustZone is devised for more flexibility and scalability. The performance of TrustZone is better than that of Aegis thanks to its monitor mode, which validates only the secure data. However, TrustZone still has to spend much on the integrity of the dual-virtual processor, and because it is fabricated as an ASIC, its trusted computing module cannot be updated conveniently.

Embedded systems are cost-sensitive whereas security is expensive, so a secure embedded system must strike an appropriate compromise between security, cost and performance. Taking that compromise into account, we propose a secure, high-performance, scalable and low-cost secure embedded system called TFSES.

III. TFSES ARCHITECTURE

A. TFSES whole system

As figure 3 shows, TFSES contains two modules: the FPGA Controller and the TCM. The FPGA Controller sits between the embedded system processor and the BootROM.

Figure 3 TFSES whole system (the embedded system processor connects over the bus to the FPGA Controller, which connects over the bus to the BootROM; the FPGA Controller and the TCM, grouped as TFSES on the SoC, communicate over UART)

BootROM security is the root of trusted computing. When the embedded system powers on, the processor is first suspended, and the FPGA Controller reads the content of the BootROM and checks its integrity. The result is sent to the TCM chip in encrypted form. According to this result, the TCM decides whether or not to provide trusted computing services invoked by the application software that subsequently runs on the embedded processor.

TFSES differs greatly from special secure processors such as Aegis and TrustZone, which bundle a general processor and a security module together. TFSES is devised as a bridge connecting the embedded system processor and the BootROM. This solution can support various popular embedded processors, such as DSP, ARM and 8051, and it is transparent to software, so it is convenient to apply to conventional embedded systems.

B. TFSES Trust-Blocks

TCM Architecture

TCM (Trust Computing Module) chips always include a RISC processor, DES, internal flash and a Random Number Generator, as shown in figure 4. In our system we use a
commercial TCM designed by ZTEIC Corporation. DES is used for encryption and decryption and uses the same algorithm and key as the FPGA. (DES's 56-bit key is too short by current standards; nothing in the protocol depends on DES specifically, so a modern block cipher can take its place.) The Random Number Generator generates a random number that is encrypted by DES and sent to the other party; the peer DES accepts the random number and must send back the same number.

Figure 4 TCM architecture

FPGA Architecture

The FPGA is a crucial component of the TFSES embedded system. As figure 5 shows, our design selects a non-volatile secure FPGA that carries an In-System Flash.

Figure 5 FPGA architecture (SHA-1 and DES, each fed by a 32-bit PFIFO; the Flash Controller for the External Flash; S2P and P2S converters; the In-System Flash; and a UART)

The FPGA also holds DES, SHA-1, PFIFO, SFIFO and UART blocks, that is, both serial and parallel FIFOs. This DES is the counterpart of the TCM's DES. The use of SHA-1 in TFSES is another advantage: traditional verification of a message compares it byte by byte against the authentic copy, and if the data are very large this wastes so much time that performance is severely constrained. SHA (Secure Hash Algorithm) scans the message rapidly to produce a 160-bit number that is used to verify whether the message has been tampered with. SHA-1 is the best established of the existing SHA hash functions and is the one employed in TFSES. (SHA-1 is no longer recommended for new designs; the same structure works unchanged with SHA-256.) A FIFO (First In First Out) is a data buffer for transferring messages. Because the TCM and the In-System Flash use serial transmission, TFSES needs an SFIFO (serial FIFO); it also needs a PFIFO (parallel FIFO) for DES, the flash controller and SHA. S2P is a bridge from serial data to parallel data, and P2S is the reverse.

Security of Trust-Block

When an FPGA and a flash chip are manufactured, the factory presses a unique ID into each. The FPGA's ID is called Device DNA and the flash's is its Factory ID. Since every FPGA has its own ID, the TFSES system key is generated from this unique ID, which keeps the FPGA from being counterfeited. Combining the flash Factory ID into the key makes the security stronger still. As figure 6 shows, we read the Device DNA and the flash Factory ID at the beginning and then encrypt them together with a special security algorithm. The algorithm is designed by the customer and is known to no one but the customer. The key produced by the security algorithm therefore not only validates the authenticity of the FPGA but also makes it very difficult for an attacker to decipher the core. Note that both IDs can be read by anyone who holds the board through the devices' ID interfaces, so the secrecy of the key rests entirely on the secrecy of the customer's algorithm; a standard keyed derivation that mixes the two IDs with a customer-held secret gives the same per-device binding without relying on an unpublished algorithm.

Figure 6 Key generation

The value of the In-System Flash lies not only in its Factory ID but also in its Protection and Lockdown features. As figure 7 shows, the Protection feature provides the ability to selectively write-protect individual In-System Flash memory sectors, and the Lockdown function permanently locks a selected memory region, essentially converting the flash into read-only ROM: once a region is locked down it cannot be erased or modified. TFSES stores exactly the key, DES, SHA and the other important bitstream code in this In-System Flash, which provides a robust, cost-effective solution that helps prevent reverse engineering, cloning and overbuilding.

Figure 7 In-system flash

The TCM module can be a commercial product, a special trusted computing chip that resists attack very well. We inject the unique key into the TCM initially; this key then guarantees the TCM's authenticity. Communication security is assured by the Random Number Generator.
C. Operation of the System

System operation has three phases: the Configuration Phase, the Root-Trust Phase and the Application-Trust Phase.

Configuration Phase

Before the TFSES system is run, its security must first be configured. As figure 8 shows:

Figure 8 Configuring the TFSES

1) Read out the FPGA's Device DNA and the flash Factory ID, then encrypt them with the self-devised security algorithm to generate a key K.
2) Download the key into the TCM and into the protected memory of the In-System Flash. Download the scanning address (Faddr) and length (Flength) of the external flash that delimit the validation area of the BootROM.
3) The flash controller reads the data in the validation area of the external flash and transfers it to the SHA unit.
4) Finally, SHA calculates the hash value C0 of the data, which is the sole criterion for judging the integrity of the external flash, and C0 is transferred to the TCM via the PC.

Root-Trust Phase

After the TFSES system has been configured, the embedded system can be started. The first task is to ensure the integrity of the system kernel, as figure 9 shows.

Figure 9 Running the TFSES (FPGA: In-System Flash, Flash Controller, SHA-1, DES, S2P, P2S and UART, on the bus between the embedded system and the bootloader flash; TCM: Random Number Generator and DES, connected to the FPGA over UART)

1) When the system powers up, the FPGA suspends the embedded system processor and locks the internal flash.
2) DES fetches the key, Faddr and Flength from the internal protected flash.
3) The flash controller reads the external flash data in the validation area and feeds it into SHA to calculate the hash value C.
4) The TCM sends a random number R, encrypted by its DES under the key, to the FPGA's DES.
5) The FPGA's DES decrypts the random number R.
6) DES encrypts R and C together under the same key as the TCM's and sends the encrypted data back to the TCM.
7) The TCM decrypts the received data to recover R and C, and then checks whether R is the same value it just sent and whether C equals C0. If both match, TFSES boots up; otherwise TFSES is shut down or certain secure services are refused.

Application-Trust Phase

Once the root is trustworthy, we can also provide OS application protection. As figure 10 shows, the TCM Driver is the foundation of the secure application.

Figure 10 TFSES OS application
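As an added example (not code from the paper), the following Python models the key generation of Section III.B and the Configuration and Root-Trust phases above, then runs the three attack cases reported in Section IV (patched flash, substituted FPGA, replayed answer). Two substitutions are assumptions of this example: the customer's secret key-combining algorithm and the DES encryption of R and C are both replaced by HMAC-SHA1 from the Python standard library, so R travels in the clear and the FPGA's answer carries a keyed tag, which also gives the TCM integrity on the answer (plain DES encryption gives none). The Device DNA and Factory ID widths, the flash image and all class and function names are likewise constructed for the example.

```python
import hashlib
import hmac
import secrets

# ---------------- Configuration phase (offline, via the PC) ----------------

def derive_key(device_dna: bytes, factory_id: bytes, customer_secret: bytes) -> bytes:
    """Key K from the FPGA Device DNA and the flash Factory ID.

    The paper keeps the combining algorithm itself secret. Here the algorithm is
    HMAC-SHA1 (an assumed substitution) and the secrecy lives in customer_secret,
    because both IDs can be read by anyone who holds the board."""
    return hmac.new(customer_secret, device_dna + factory_id, hashlib.sha1).digest()


def bootrom_digest(flash: bytes, faddr: int, flength: int) -> bytes:
    """160-bit SHA-1 of the validation area [Faddr, Faddr + Flength) of external flash."""
    return hashlib.sha1(flash[faddr:faddr + flength]).digest()


# ---------------- Trust blocks --------------------------------------------

class TCM:
    """Holds K and the reference hash C0 from configuration; issues R and judges C."""

    def __init__(self, key: bytes, c0: bytes) -> None:
        self._key, self._c0 = key, c0
        self._pending = None      # the R currently outstanding, if any

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)   # R: a fresh 64-bit nonce (width assumed)
        return self._pending

    def verify(self, r: bytes, c: bytes, tag: bytes) -> bool:
        """Accept only if R is the one just issued, C equals C0 and the tag proves K."""
        expected = hmac.new(self._key, r + c, hashlib.sha1).digest()
        ok = (self._pending is not None
              and hmac.compare_digest(r, self._pending)
              and hmac.compare_digest(c, self._c0)
              and hmac.compare_digest(tag, expected))
        self._pending = None      # one-shot: a recorded answer cannot be replayed
        return ok


class FPGAController:
    """Bridge between processor and BootROM. K, Faddr and Flength would live in the
    locked In-System Flash; here they are plain attributes."""

    def __init__(self, key: bytes, faddr: int, flength: int) -> None:
        self._key, self._faddr, self._flength = key, faddr, flength

    def respond(self, flash: bytes, r: bytes) -> tuple:
        c = bootrom_digest(flash, self._faddr, self._flength)       # root-trust step 3
        tag = hmac.new(self._key, r + c, hashlib.sha1).digest()     # step 6 (keyed answer)
        return r, c, tag


def root_trust_boot(tcm: TCM, fpga: FPGAController, flash: bytes) -> bool:
    """Power-on sequence: the processor stays suspended until this returns True."""
    r = tcm.challenge()                         # step 4
    return tcm.verify(*fpga.respond(flash, r))  # steps 5-7


# ---------------- Scenarios from Section IV (all values constructed) -------

DEVICE_DNA = bytes.fromhex("01a3c5e7092b4d")      # 57-bit Device DNA padded to 7 bytes (assumed)
FACTORY_ID = bytes.fromhex("1f2e3d4c5b6a7988")    # flash Factory ID, 8 bytes (assumed)
CUSTOMER_SECRET = b"tfses-customer-secret"        # never stored on the board
FADDR, FLENGTH = 0, 256                           # validation area: first 256 bytes


def build_board() -> tuple:
    """Provision a TCM and an FPGA controller for one constructed flash image."""
    bootloader = b"\xea\x00\x00\x0e" * 64                 # stand-in for the bootloader
    flash = bootloader + b"\xff" * 768                    # 1 KiB external flash image
    key = derive_key(DEVICE_DNA, FACTORY_ID, CUSTOMER_SECRET)
    c0 = bootrom_digest(flash, FADDR, FLENGTH)            # configuration step 4
    return TCM(key, c0), FPGAController(key, FADDR, FLENGTH), flash


def run_scenarios() -> dict:
    tcm, fpga, flash = build_board()
    results = {"genuine": root_trust_boot(tcm, fpga, flash)}

    # Attack 1: one byte of the bootloader patched in external flash.
    patched = bytearray(flash)
    patched[16] ^= 0x01
    results["modified_flash"] = root_trust_boot(tcm, fpga, bytes(patched))

    # Attack 2: the FPGA swapped for one with another Device DNA, hence another K.
    clone_key = derive_key(bytes.fromhex("ffeeddccbbaa99"), FACTORY_ID, CUSTOMER_SECRET)
    results["replaced_fpga"] = root_trust_boot(tcm, FPGAController(clone_key, FADDR, FLENGTH), flash)

    # Attack 3: a recorded good answer replayed at the next power-on.
    recorded = fpga.respond(flash, tcm.challenge())
    tcm.verify(*recorded)                   # genuine boot, consumes that R
    tcm.challenge()                         # next power-on issues a new R
    results["replayed_answer"] = tcm.verify(*recorded)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Run as a script to print the four results: the genuine board yields True and each attack False. The fresh R issued at every power-on, and discarded once judged, is what step 7 relies on; without it a recorded (R, C) answer from a good boot could be replayed past a patched flash.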
IV. EXPERIMENT AND BENEFIT

In our experiment, TFSES was built on a Xilinx Spartan-3AN FPGA and a ZTEIC Z3-TCM. The embedded system under test is an UP-TECH S3C2410 board. As figure 11 shows, we insert TFSES between the S3C2410 and the flash. When the system powers on, the security FPGA first cuts off the S3C2410's external clock. Once TFSES has been configured, whether we modify the external flash, substitute another FPGA or forge the TCM, TFSES always detects the attack. After the integrity of the external flash has been authenticated, we release the clock. The S3C2410 allows 120 ns for the first instruction to arrive from the flash; reading the bootloader out of the flash needs only 90 ns, and the signal from the S3C2410 to the flash costs 10 ns each way, 20 ns in total. That leaves a 10 ns margin, enough for the communication to pass through the Spartan-3AN FPGA.

TFSES gives good protection to the trust root of embedded systems: the TCM guarantees the integrity of the bootloader, the key derived from the unique IDs prevents TFSES from being counterfeited, and the In-System Flash not only protects the hardware from tampering but also stores secret information.
Figure 11 Experiment environment (the Spartan-3AN sits between the S3C2410 and the flash on the nRESET, EXTCLK, ADDR, nGCS[0], OE, nCE and DATA lines and talks to the Z3-TCM over UART)

TFSES provides a flexible solution that adapts to the embedded application thanks to the reconfigurable nature of the FPGA. The FPGA also makes TFSES fast, because the entire trusted computing module is realized in hardware.

TFSES costs less. The proposed architecture can be implemented with commercially available devices that are designed to be low-cost and low-power. The advantage of TFSES, however, lies not in these high-performance devices but in the idea of combining them into a good secure solution for embedded systems.

V. CONCLUSIONS AND FUTURE RESEARCH

Embedded systems are so resource-restricted, and security so expensive, that an appropriate balance must be struck between security, cost and performance. TFSES has sufficient security, low cost and high performance. The apparatus can be inserted into an embedded system, hardly requires any change to that system, and is easy to update. TFSES can be applied broadly in embedded security systems.

Keeping the TCM separate from the FPGA may introduce insecurity, and TFSES focuses mainly on root-trust integrity and cares less about OS application security. In the future we plan to integrate the TCM into the FPGA, put more effort into software application security, and let TFSES take care of the whole system.

ACKNOWLEDGMENT

This work was performed under the auspices of the Guangdong Laboratory of Fundamental Software and Application Constructions. We acknowledge the support of the Science and Technology Planning Project of Guangdong Province (2006B80407001 and 2008A010100011-03).

REFERENCES

[1] D. D. Hwang, P. Schaumont, K. Tiri, "Securing Embedded Systems," IEEE Security & Privacy, 2006, pp. 40-49.
[2] Najwa Aaraj, Anand Raghunathan, Srivaths Ravi, Niraj K. Jha, "Energy and Execution Time Analysis of a Software-based Trusted Platform Module," Proceedings of the Conference on Design, Automation and Test in Europe, IEEE, 2007, pp. 1128-1133.
[3] Ted Huffmire, Brett Brotherton, Timothy Sherwood, "Managing Security in FPGA-Based Embedded Systems," IEEE Design & Test of Computers, 2008, pp. 590-598.
[4] G. Edward Suh, Charles W. O'Donnell, Srinivas Devadas, "Aegis: A Single-Chip Secure Processor," IEEE Design & Test of Computers, 2007, pp. 570-580.
[5] Peter Wilson, Alexandre Frey, Tom Mihm, Danny Kershaw, Tiago Alves, "Implementing Embedded Security on Dual-Virtual-CPU Systems," IEEE Design & Test of Computers, 2007, pp. 582-591.
[6] Benjamin Glas, Alexander Klimm, Oliver Sander, Klaus Müller-Glaser, Jürgen Becker, "A System Architecture for Reconfigurable Trusted Platforms," Design, Automation and Test in Europe, IEEE, 2008, pp. 541-544.
[7] Tom Milum, "Protecting Critical Data," IEEE Design & Test of Computers, 2007, p. 592.
[8] Steve Trimberger, "Security in SRAM FPGAs," IEEE Design & Test of Computers, 2007, p. 581.
[9] Xilinx, Inc., "Spartan-3AN FPGA In-System Flash User Guide," v2.0, www.xilinx.com, 2008.
[10] Samsung, Inc., "S3C2410X 32-Bit RISC Microprocessor User's Manual," v1.2, www.samsung.com, 2003.