DE102018000476A1 - SoC, which protects the intellectual property of a firmware while flashing through third parties - Google Patents

Abstract

A system-on-a-chip (SoC) is described which allows the firmware vendor to flash the firmware through a system integrator or any third party without the risk of having its firmware analyzed or more frequently than used by him. The invention uses a flash interface, which receives the firmware in asymmetric encrypted form. A SoC using the invention described herein has significant added value over conventional SoCs, as its use greatly simplifies collaboration between system integrator, firmware vendor, and any other third parties, eliminates unnecessary transportation costs, and makes secrecy agreements unnecessary.

Description

Technical field of the invention

A system-on-a-chip (SoC) is described which allows the firmware vendor to flash the firmware through a system integrator or any third party without the risk of having its firmware analyzed or more frequently than used by him.

The present invention relates to SoCs, that is to integrated circuits which contain not only a microprocessor but also the required memory in the same component. The invention describes how to extend a SoC such that the manufacturer of firmware for the SoC has the aforementioned characteristics.

A SoC using the invention described herein has significant added value over conventional SoCs because the invention allows the firmware manufacturer to control the use of its intellectual property much better than before. These advantages will be explained in detail below.

initial situation

A SoC is a programmable electronic system in which all parts essential to the function are contained in a single chip. The SoC itself usually represents only the part of a complex overall product. So that the SoC can fulfill its function in this entire product, it must be recorded with a firmware. The process of flashing (recording) with the firmware is a sub-process in the production of the entire product. In order to perform this process, a file containing the firmware is needed. This file can be analyzed for the purpose of theft of intellectual property, since it can be used to derive the machine program in a readable form. Furthermore, this file can be copied as often as you like. The firmware manufacturer therefore has no way to determine how often his product is actually used.

There are several ways to record a SoC with firmware. All have significant disadvantages. The first is to give the file with the firmware to the SoC manufacturer. This then delivers pre-recorded SoCs to the manufacturer of the complete product (system integrator). The disadvantage of this method is that the system integrator can only obtain the SoC directly from the SoC manufacturer. Furthermore, the firmware manufacturer must be confident that the SoC manufacturer takes all necessary measures to protect the firmware from unauthorized access by employees or third parties. In addition, not all SoC manufacturers offer this service at all. Furthermore, it is unclear with this method how to deal with already recorded SoCs when the firmware has to be updated.

The second possibility is that the firmware manufacturer provides the system integrator with a file with the firmware. This can then at the latest before the packaging of the entire product the SoC with the firmware record. This is usually done via a programming interface, which is located on the electronics together with the SoC. The system integrator can then send the file with the firmware to the SoC, which then copies the SoC into its program memory (usually Flash or FRAM). With this method, the firmware vendor must fully trust the system integrator. In particular, he must trust that he will not analyze or share the file with the firmware, and that the number of licenses used will not be incorrect.

The third possibility is that the system integrator supplies the electronics to the firmware manufacturer. This can then perform itself with the firmware via the programming interface. The electronics are then returned to the producer of the final product for final assembly and packaging. This method ensures that the file with the firmware remains under the sole control of the manufacturer of the firmware. He can thus ensure that the firmware does not reach third parties. In addition, the number of licenses can be determined. The disadvantage of this approach is that the electronics must be transported twice. As a rule, system integrators and firmware manufacturers are often far from each other, which makes this method very time-consuming and costly.

Only the third option is an attractive solution from the point of view of the firmware manufacturer. For the system integrator, however, it is very heavily burdened with disadvantages. What is needed are SoCs that can be flashed so that the firmware vendor can be sure that the system integrator has no way to parse or reuse the firmware. This would then be the benefits of the third option, without the need to send the hardware would be required.

Basic principle of the invention

So that each individual SoC can be recorded with an individual non-analyzable firmware file, the programming interface of the SoC equipped with an asymmetric encryption method. In an asymmetric encryption method, a different key is used for the encryption than for the decryption. The invention assumes that each individual SoC receives such a key pair from the SoC manufacturer. Only one of the keys, called a public key, can be read out via the programming interface. The other key, called a private key, remains locked in the SoC.

If a person or institution other than the firmware manufacturer wants to record a single SoC with the firmware, in the first step he reads out the public key via the SoC programming interface and then sends it to the firmware manufacturer. The firmware manufacturer then encrypts the firmware with the received public key. Subsequently, the so encrypted file of the person or institution is provided. This can then send the file again to the programming interface of the SoC. Since only this one SoC owns the private key, only this individual SoC is able to decrypt the sent file internally.

Description of the picture

The shows the basic procedure of flashing an individual SoC with a firmware. In step 1 The system integrator reads out the public key of the SoC and delivers it in step 2 to the firmware manufacturer. The firmware vendor creates an encrypted instance of its firmware with the received public key and delivers the encrypted file in step 3 to the system integrator. The system integrator directs the encrypted file in step 4 to the SoC on. The SoC is able to decrypt the received file and in unencrypted form in step by virtue of its private key known only to it 5 to copy into its program memory.

In the following, this abstract process will be described in detail by means of a concrete example. At the same time, some aspects of practical relevance are also addressed.

Specific embodiment

Furthermore, the invention is based on the SoC family LPC17xx the company NXP (LPC176x / 5x User Manual Rev. 4.1, 2016-12-19, chapter 32, https://www.nxp.com/docs/en/user-guide / UM10360.pdf) described in detail.

An LPC17xx has a bootloader, which is fixed by the manufacturer and can not be deleted or changed. This boot loader checks during the startup process, if a certain pin (P2.10) is logically zero. If this is the case and there was no watchdog reset, the boot loader initializes the serial interface 0 and waits for a connected remote station (host) to send the start symbol "?". If this symbol is received by the LPC17xx, it uses the start symbol to determine the baud rate of the host and sets its own baud rate accordingly. The SoC then sends the string "Synchronized" to the host. If the host is able to recognize this string without errors, it will in turn send back a "Synchronized" and a string with the crystal frequency, for example "10000" for 10 MHz. After successfully receiving the string, the SoC sends an "OK" and the SoC host connection is successfully established.

After the connection is established, the host can execute various commands called ISP commands. For example, by sending the string "E 0 26", the host can delete the flash sectors from 0 to 26. Subsequently, the host can describe the SoC sector by sector with a new firmware. It sends the command "P <SECTOR NUMBER> 1" to make the flash sector writable. Then it sends the data to be written to the RAM of the SoC with the help of the command "W <RAM-ADDRESS> <BYTE-NUMBER>" followed by the UU-encoded bytes and checksums. After the data have been copied to RAM for the sector, they are transferred to Flash using the command "C <FLASH-ADDRESS> <RAM-ADDRESS> <BYTE-NUMBER>". This sequence is repeated for all other flash sectors to be written until all firmware has been written to the SoC.

With the method just described, you can flexibly copy any data into the internal Flash of the SoC. At the same time, this approach requires little complexity from the boot loader. The drawback, as described, is that the person sending the data to the SoC can also read, interpret, copy and pass it on. In order to prevent this, the invention in this embodiment uses two encryption methods, namely the asymmetric RSA and the symmetric AES (Advanced Encryption Standard). Furthermore, the invention adds three new ISP commands. This is only possible by the manufacturer of the SoC, as only this can make changes to the boot loader of the SoC.

The first ISP command "K" sends the public RSA key <RSA-KEY-PUB> of the key pair stored in the chip to the host. With the second command "S <AES-KEY-ENC>", the host can deliver an AES key <AES-KEY-ENC> encoded with the public RSA key <RSA-KEY-PUB> to the SoC. The third command "Z <RAM-ADDRESSE> <BYTE-NUMBER>" is the AES-encrypted counterpart to the "W" command, which was previously explained.

In the example of the LPC17xx of the company NXP it would be necessary that each individual SoC receives a unique and individual RSA key <RSA-KEY>. This can be created with OpenSSL (www.openssl.org) through "openssl genrsa -out <RSA-KEY> 4096". From this private key, the public key <RSA-KEY-PUB> can be derived by "openssl rsa -in <RSA-KEY> -out-form PEM -pubout -out <RSA-KEY-PUB>". Subsequently, both keys must be written firmly into a ROM of the SoC by the SoC manufacturer. Alternatively, only the private key <RSA-KEY> can be stored. In this case, however, the SoC bootloader must contain a public key generation program from a private key.

The workflow for flashing an encrypted firmware is as follows: First, the system integrator connects to the SoC and reads the public key <RSA-KEY-PUB> with the ISP command "K". This public key is then forwarded to the firmware vendor. The firmware manufacturer first generates an AES key, for example with "openssl rand -base64 192 -out <AES-KEY>". He then encrypts this AES key with the public RSA key he received from the system integrator. The command is "openssl rsautl -encrypt -inkey <RSA-KEY-PUB> -pubin -in <AES-KEY> -out <AES-KEY-ENC>". In the next step, he encrypts the data for each flash sector to be written separately with the AES key <AES-KEY>. This is done with "openssl enc -aes-256-cbc -salt -in <SEC-X> -out <SEC-X-ENC> -pass file: <AES-KEY>". After this has been done, the system integrator receives the encrypted AES key <AES-KEY-ENC> as well as the encrypted <SEC-X-ENC> flash sectors as a single file. The AES key <AES-KEY>, which was used by the firmware manufacturer for encryption, keeps it secret from the system integrator.

The system integrator then sends the encrypted AES key to the SoC with "S <AES-KEY-ENC>". The SoC internally decrypts the encrypted AES key by using the private RSA key known only to it and stores the decrypted AES key to a non-readable RAM memory location. The system integrator then sends the encrypted sector data <SEC-X-ENC> to the SoC with the ISP command "Z". The SoC can decrypt them with the AES key and write the unencrypted data into the flash sector when the ISP command "C" is sent.

For the mechanism described here to be insensitive to side channel attacks, various precautions must still be taken by the SoC manufacturer. For example, the SoC manufacturer must ensure on the hardware side that the private key <RSA-KEY> can under no circumstances be read out by a firmware. Otherwise, the system integrator could write a special firmware with the sole purpose of issuing the private key. With this he could then decrypt the encrypted firmware of the firmware manufacturer outside the SoCs. Furthermore, it must be ensured by the SoC manufacturer that when using the new ISP commands "S" and "Z" immediately all possibilities are eliminated, with which the contents of the RAM and the flash could be read. Only after a reset and a complete deletion of the Flashes should this be possible again.

Claims (1)

SoC, characterized in that during flashing an interface of the SoCs is used, which receives the firmware in a coding, which can only be interpreted by a single individual SoC, but not by the executor of the flash or other SoCs same design.

Images