MultiZone® IoT Firmware
The quick and safe way to build secure IoT
applications with any RISC-V processor
Cesare Garlati – Hex Five Security
Sandro Pinto – Hex Five Security
MultiZone is a registered trademark of Hex Five Security, Inc. – Patent pending US 16450826, PCT US1938774
Cortex-M and TrustZone are registered trademarks of Arm Limited
Building Secure IoT Devices Is Challenging
Resource-constrained MCUs (no MMU)
100s of KB of 3rd-party untrusted code base
No RISC-V specs for a TrustZone®-like TEE
▪ Market requirements
― Consumer products: high volume / low cost
― Battery operated: small processor / limited RAM & ROM
▪ Basic IoT requirements
― SW foundation: multitask RTOS, peripheral drivers, ...
― Connectivity libraries: tcp/ip, dhcp, dns, sntp, mqtt, ...
― Security libraries: TLS, ECC, PKI, RoT, TEE, ...
▪ Advanced IoT requirements
― New IoT regulations, access to commercial clouds, ...
― Secure boot, remote updates, OTA provisioning, ...
MultiZone® IoT Firmware
▪ Complete IoT stack that shields trusted applications from untrusted 3rd party libraries
▪ Provides secure access to any IoT cloud, secure boot, remote firmware updates, ...
▪ Works with any RISC-V processor: no need for proprietary TrustZone-like HW
▪ Rapid development: pre-integrated TEE, TCP/IP, TLS/ECC, FreeRTOS, GCC, Eclipse
▪ Built-in Trusted Execution Environment providing up to 4 separated HW/SW “worlds”
▪ Commercial open source license: no GPL contamination, no royalties, $$ per design
MultiZone® IoT Firmware Architecture (diagram)
The MultiZone Trusted Execution Environment (TEE) runs in ‘M’ mode on any RISC-V 32-bit or 64-bit core with the ‘U’ extension; PMP hardware enforces the boundaries between zones. Each zone runs in ‘U’ mode:
― Zone #1: TCP lib, TLS lib, MQTT lib, Ethernet driver
― Zone #2: RTOS or bare metal app, HW drivers
― Zone #3: RTOS or bare metal app, HW drivers
― Zone ...: RTOS or bare metal app, HW drivers
Use case: Secure access to commercial IoT clouds
❑ Customer needs MQTT, TLS, ECC, mutual authentication optimized for RISC-V devices
✓ MultiZone provides built-in secure connectivity to commercial cloud providers like AWS, Azure, etc.
❑ Customer is concerned about backdoors and lack of separation in 3rd party software
✓ MultiZone provides four separated execution environments, hardware enforced, software defined
❑ Customer can’t afford the time, cost and technology risk of a complete system redesign
✓ MultiZone can retrofit existing hardware and software, works out-of-the-box, and is available now
Use case: Remote firmware updates
❑ Product must comply with new IoT regulation requiring remote firmware updates (OTA)
✓ MultiZone provides high-grade security OTA updates via the open standard MQTT and TLS protocols
❑ Customer is concerned about the time, cost, and security risk of developing a DIY solution
✓ MultiZone is commercial-grade, available immediately, and built from the ground up for security
❑ Customer is concerned about the vendor lock-in inherent in commercial cloud services
✓ MultiZone remote firmware updates work with any commercial or private IoT cloud
Use case: Real-time monitoring and device management
❑ Customer needs real-time monitoring, remote updates, and device management
✓ MultiZone provides secure bidirectional access to/from the device via the standard MQTT protocol
❑ Customer can’t absorb the recurring cost of commercial web services – i.e. AWS, Azure
✓ MultiZone works with public and private clouds – i.e. OEM-owned PKI and backend infrastructure
❑ Project economics can’t justify the addition of expensive IoT modules to the BOM
✓ MultiZone can retrofit existing hardware, no need to redesign for additional 3rd party IoT modules
MultiZone® Reference Application – Live Demo
▪ Download and build the MultiZone Eclipse project
▪ Flash the MultiZone Firmware to the ARTY FPGA board
▪ Connect to a public or private IoT cloud
▪ Remotely deploy individual applications
▪ Remotely control the operations of a small robotic arm
▪ Connect a local terminal to assess security and separation
Demo diagram: the device reaches the cloud (private: MQTT broker; commercial: AWS, ...) over MQTT with TLS ECC; a local terminal is attached via UART and the robotic arm via GPIO.
How To Get Started
Hardware
▪ Artix-7 35T FPGA Evaluation Kit http://www.xilinx.com/products/boards-and-kits/arty.html
▪ Olimex debug head ARM-USB-TINY-H http://www.olimex.com/Products/ARM/JTAG/ARM-USB-TINY-H/
▪ OWI Robot (optional) http://owirobot.com/robotic-arm-edge/
Software
▪ Eclipse IDE CDT http://www.eclipse.org/cdt/
▪ Hex Five X300 SoC bitstream http://github.com/hex-five/multizone-fpga
▪ MultiZone Firmware https://github.com/hex-five/multizone-iot-firmware
Documentation
▪ https://github.com/hex-five/multizone-iot-firmware/blob/master/manual.pdf
MultiZone Security
MultiZone Security is the quick and safe way to add security and separation to billions of IoT
devices. MultiZone can retrofit existing hardware. If you don’t have TrustZone, or if you require finer
granularity than one trusted area, you can take advantage of high security separation without the
need for a redesign – see http://hex-five.com
MultiZone® IoT Firmware – Data Sheet
(For each stack component: features, size, license)
Reference Hardware
▪ Digilent ARTY7 35T FPGA
▪ Hex Five X300 SoC IP
▪ RISC-V core RV32ACIMU, 4-way i-cache, 65MHz
▪ Ethernet: Xilinx EthernetLite Ethernet core
License: Apache 2.0 license – permissive, commercial use ok
IDE & Toolchain
▪ Eclipse IDE + openOCD debug
▪ GNU GCC, GDB, …
▪ GCC multi-lib rv32, rv32e, rv64, GDB, openOCD
▪ Hex Five pre-built GCC binaries (optional)
▪ Hex Five pre-built OpenOCD binaries (optional)
License: GNU General Public License version 3
TCP/IP library
▪ LWIP 2.1.1
▪ Hex Five security extensions
▪ IP, ICMP, UDP, TCP, ARP, DHCP, DNS, SNTP, MQTT
▪ Lightweight single-threaded execution
▪ Fully integrated with the SSL stack
Size: 40KB ROM, 16KB RAM
License: Modified BSD – permissive, commercial use ok
SSL library
▪ mbed TLS 2.23.0
▪ Hex Five secure configuration
▪ TLSv1.2, Cipher TLS_AES_128_GCM_SHA256
▪ ECC: prime256v1, Private Key NIST CURVE: P-256
▪ Mutual authentication, cert expiration verification, TLS large fragment
Size: 64KB ROM, 32KB RAM
License: Apache 2.0 license – permissive, commercial use ok
Real Time OS (optional)
▪ FreeRTOS 10.3.0
▪ Hex Five integration with TEE
▪ Secure unprivileged execution of kernel, tasks, and interrupt handlers
▪ No memory shared with TCP/IP and SSL library code
▪ No memory shared with other applications running in separate zones
Size: 32KB ROM, 16KB RAM
License: MIT open source license – permissive, commercial use ok
Trusted Execution Environment
▪ MultiZone Security TEE 2.0
▪ RISC-V secure DMA extension
▪ RISC-V shared PLIC extension
▪ 4 separated Trusted Execution Environments (zones) enforced via PMP
▪ 8 memory-mapped resources per zone – i.e. ram, rom, i/o, uart, gpio, eth, …
▪ Secure inter-zone messaging – no shared memory, no buffers, no stack, etc.
▪ Protected user-mode interrupt handlers mapped to zones – plic / clint
Size: 4KB ROM, 4KB RAM
License: Free for evaluation, commercial license priced per design – perpetual, no royalties, no GPL contamination
Minimal Attack Surface (compare with TrustZone Secure Firmware): 4KB RAM, 4KB ROM
MultiZone Security TEE Feature List
▪ Formally verifiable: TCB ~2KB, minimal attack surface, no dynamic data structures like stack, heap, and buffers. TCB equivalent to less than 10,000 lines of code – assuming a 10^-4 defects per line of code ratio.
▪ Zero trust: completely self-contained runtime, no dependencies on libraries and other runtime components including the C runtime, linker scripts, and kernel-mode drivers.
▪ Sealed runtime: pre-built, driven by statically defined user-defined policies; it doesn’t require or even expose to the developer any interface other than the policy configuration file itself.
▪ Isolation of executable code (text segments) to ensure that user programs run in unprivileged mode so that they can’t compromise the overall system integrity – including drivers and IRQ handlers.
▪ Isolation of data (data segments) and memory-mapped peripherals (typically I/O) via a hardware unit that prevents access outside statically defined security boundaries.
▪ Isolation of interrupts so that interrupt handlers are mapped to the respective zone context and executed at a reduced level of privilege, unable to compromise the isolation model.
▪ Isolation of hardware components including all cores, bus masters, DMA, interrupt controllers, and caches in heterogeneous systems where deterministic and OOO cores come together in a single SoC.
▪ Pre-emptive temporal separation mechanism to ensure that no single thread can cause a denial of service by indefinitely holding processing cycles. This is a must for safety-critical applications.
▪ Secure inter-zone communications infrastructure to allow inter-zone data transfers without relying on shared memory resources such as buffers, stack, and heap.
▪ Secure inter-processor communications infrastructure to allow zones running on the secure core(s) to send/receive data to/from other low-criticality/non-secure cores – i.e. protected split buffers.
▪ Soft timer facility to multiplex the underlying single hardware timer and make it available to each zone independently from the others.
▪ Wait for interrupt functionality to allow transparent support for system suspend and low-power states. This is a must for battery-operated devices and low-latency deterministic applications.
▪ Trap & Emulate functionality for secure execution of privileged instructions. Allows porting of existing application code originally designed to operate in a single unprotected memory space.
▪ Secure boot: 2-stage boot loader to verify the integrity and authenticity of runtime and policies. Should boot the whole system to configure and lock separation policies for all hardware components.
▪ Toolchain extension: cross-platform command line fully integrated with toolchain and IDE, to combine and configure the zone binaries and to produce the signed firmware image for the secure boot of the system.
▪ Open source API to expose runtime micro-services such as messaging and process scheduling. Optional helper wrappers to reduce system call overhead. Free and open permissive license.
MultiZone TEE Vs Arm TrustZone
Patent pending US 16450826, PCT US1938774 - Configuring, Enforcing, And Monitoring Separation Of Trusted Execution Environments.
Arm and TrustZone are registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
TrustZone: Two Domains Hardcoded in Silicon (diagram)
Cortex-M23/M33 with TZ-M HW (NS bit, SAU/IDAU, MPC on memory and peripherals); U-Thread mode / P-Thread mode. Normal World: OS, Apps. Secure World: Arm Trusted Firmware-M, Trusted Apps.
MultiZone: Multiple Domains Defined In Software (diagram)
RISC-V 32-bit or 64-bit with PMP HW guarding memory and peripherals. MultiZone TEE in Machine mode; zones in User Mode: Zone #1 OS and Apps, Zone #2 Trusted OS and Trusted Apps, Zone #3 App, Zone #4 App.
Use case: Fit new functionality into limited RAM and ROM
❑ Customer is struggling to fit large 3rd party libraries into limited RAM and ROM
✓ MultiZone is lightweight and built from the ground up for resource-constrained MCUs – 4KB RAM, 4KB ROM
❑ Product economics don’t justify a platform upgrade and hardware redesign
✓ MultiZone can retrofit existing MCUs – no need for hardware redesign
❑ Product economics don’t justify a platform upgrade and firmware redesign
✓ MultiZone runs unmodified binaries – no need for software redesign
Use case: Permissive open source software (no GPL)
❑ Product needs security libraries – i.e. TLS, ECC
✓ MultiZone includes pre-integrated open source libraries providing TLS 1.2, ECC, MQTT, ...
❑ Customer IP can’t risk “GPL contamination”
✓ MultiZone is GPL free. Its open source components are distributed under permissive licensing
❑ Customer can’t afford expensive commercial libraries
✓ MultiZone commercial license is conveniently priced per design – perpetual, no royalties ever
Use case: Multitenant applications
❑ Customer needs the equivalent of an App Store to provision and run 3rd party IoT services
✓ MultiZone provides up to 4+ physically separated application environments – no interference
❑ The device must run physically separated, remotely deployed, untrusted 3rd party applications
✓ MultiZone provides remote deployment of individual apps via MQTT / TLS / ECC protocols
❑ Customer can’t afford the cost and security risk of multicore, MMU-based, Linux-capable hardware
✓ MultiZone works with the lightweight PMP built into RISC-V MCUs – no need for Linux & multi-core CPUs
Use case: Safety-critical applications
❑ Product must comply with safety-critical regulations – i.e. medical devices, automotive
✓ MultiZone guarantees non-interference and spatial and temporal separation of programs
❑ Customer needs to shield critical functionality from 100s of KB of untrusted 3rd party sw
✓ MultiZone provides high-grade security and separation for up to 8 execution environments
❑ Customer is looking for low-cost alternatives to proprietary RTOS and hypervisors
✓ MultiZone offers a simple, convenient license priced per customer’s design – no royalties
Use case: RISC-V alternative to a TrustZone design
❑ Product needs a mechanism to separate critical functionality from untrusted software
✓ MultiZone provides hardware-enforced separation via Physical Memory Protection (PMP)
❑ Functional requirements mandate finer granularity than one “secure world”
✓ MultiZone provides 4+ “secure worlds” to separate multiple 3rd party components
❑ Customer is concerned about the time, cost, and technology risk of a complete system redesign
✓ MultiZone can retrofit standard RISC-V hardware and software. No system redesign is required.