The technology of the disclosure relates generally to a secure boot process and associated hardware elements.
Recent hardware and firmware exploits of cloud computing assets have exposed the vulnerability of the boot process of a computer or server to persistent and undetectable malware. These vulnerabilities manifest at various points in the boot process and exploit various ports used for testing and debug early in the implementation. Accordingly, the security of a chip, processor or central processing unit (CPU) has become an important part of device and cloud security.
In conventional implementations, a boot process begins with a launch of a basic input/output system (BIOS) which can serve as a miniature operating system. The beginnings of the boot process can allow for various interventions via hardware to test, debug, update, or read various fundamental hardware and firmware elements of the chip. These hardware interventions include scans of the integrity of the hardware and circuitry via the Joint Test Action Group (JTAG) protocol. The hardware and firmware can be debugged and analyzed via various debug ports. Depending on the size and sophistication of the chip, the available hardware access may vary. In many cases regardless of implementation, these testing and debug capabilities leave the chip vulnerable to attack.
More recently, chip suppliers have attempted to harden chips against attack by permanently disabling the test and debug ports of production chips so that at no part of the boot process are these ports accessible. Alternatively, the access to these ports at boot may rely on authentication certificates being delivered at certain points in the boot process. The permanent disabling, however, prevents an assessment of hardware failures for returned chips, and the authentication certificate access modes are still subject to attack. Furthermore, full debug capability needs to be available to process a returned merchandise authorization (RMA) for a chip returned for defects. Accordingly, a boot security process is needed that enables hardware disabling of test and debug access but also enables later analysis for RMA processes.
The following presents a simplified summary in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the disclosed subject matter. It is intended to neither identify key nor critical elements of the disclosure nor delineate the scope thereof. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
In an example implementation, an apparatus for computer security at power-on may have at least two one-time programmable (OTP) indicators including a first programmed OTP indicator, a bootstrap controller component that controls at least two boot-time switches, and a read only memory storing at least one instruction. The bootstrap controller component may calculate an operating state based on the at least two one-time programmable indicators. The bootstrap controller component enables or disables an execution of the at least one instruction based on the operating state.
The at least two one-time programmable indicators of the apparatus may be grouped into at least a first subset and a second subset, and the first subset may be programmed and the second subset may be available for one-time programming. The first programmed OTP indicator may be programmed to enable the bootstrap controller component to receive voltage first (initialize) at power-on for entering a boot process. The second subset of the at least two one-time programmable indicators may include returned merchandise authorization (RMA) state indicators and security state indicators. The RMA state indicators and the security state indicators may control, via first logic gates, access to debug ports and test access ports for a returned merchandise authorization (RMA) process.
The bootstrap controller component may disable the execution of the at least one instruction (e.g., JTAG port authorization) based on the operating state, where the operating state is indicated by the at least two one-time programmable indicators. The at least two one-time programmable indicators may be connected to logic gates, the logic gates may be arranged such that a first programming of a first one-time programmable indicator of the at least two one-time programmable indicators is read by the bootstrap controller component as a first state (e.g., security operating state) of the operating state and a second programming of a second one-time programmable indicator of the at least two one-time programmable indicators is read by the bootstrap controller component as a second state (e.g., RMA state) of the operating state, and a third programming of a third one-time programmable indicator of the at least two one-time programmable indicators is read by the bootstrap controller component as the first state, the third programming being after the second programming. The at least two one-time programmable indicators may be electronic fuses or the like.
In an example implementation, the apparatus may include an interface to one or more test access ports, and a second one-time programmable indicator of the at least two one-time programmable indicators enables or disables the interface to the one or more test access ports. Furthermore, the execution of the at least one instruction of the read only memory may verify at least one certificate for authenticating firmware code, or may provide at least one certificate for authenticating firmware code or for overriding the debug state.
In an example implementation, a method for ensuring computer security at power-on may include reading at least two one-time programmable (OTP) indicators including a first programmed OTP indicator, determining an operating state for a bootstrap controller component based on the at least two one-time programmable indicators, and executing at least one instruction based on the operating state (e.g., security state or RMA state), where the at least one instruction is stored in read-only memory (ROM). The at least two one-time programmable indicators may be grouped into at least a first subset and a second subset, the first subset being programmed and the second subset being available for one-time programming. The at least one instruction stored in ROM may be firmware, and the at least one instruction may be signed or authenticated by one or more certificates. The at least one instruction may be executed on the bootstrap controller component to initiate the boot process.
The following description and the annexed drawings set forth in detail certain illustrative aspects of the subject disclosure. These aspects are indicative, however, of but a few of the various ways in which the principles of various disclosed aspects can be employed and the disclosure is intended to include all such aspects and their equivalents. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings.
The disclosure herein is described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the subject innovation. It may be evident, however, that various disclosed aspects can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the subject innovation.
The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any implementation described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term “implementation” does not require that all implementations include the discussed feature, advantage, or mode of operation.
The terminology used herein describes particular implementations only and should not be construed to limit any implementations disclosed herein. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Those skilled in the art will further understand that the terms “comprises,” “comprising,” “includes,” and/or “including,” as used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Various components as described herein may be implemented as application specific integrated circuits (ASICs), programmable gate arrays (e.g., FPGAs), firmware, hardware, software, or a combination thereof. Further, various aspects and/or embodiments may be described in terms of sequences of actions to be performed by, for example, elements of a computing device. Those skilled in the art will recognize that various actions described herein can be performed by specific circuits (e.g., an application specific integrated circuit (ASIC)), by program instructions being executed by one or more processors, or by a combination of both. Additionally, these sequences of actions described herein can be considered to be embodied entirely within any form of non-transitory computer-readable medium having stored thereon a corresponding set of computer instructions that upon execution would cause an associated processor to perform the functionality described herein. Thus, the various aspects described herein may be embodied in a number of different forms, all of which have been contemplated to be within the scope of the claimed subject matter. In addition, for each of the aspects described herein, the corresponding form of any such aspects may be described herein as, for example, “logic configured to”, “instructions that when executed perform”, “computer instructions to” and/or other structural components configured to perform the described action.
Those of skill in the art will further appreciate that the various illustrative logical blocks, components, agents, IPs, modules, circuits, and algorithms described in connection with the aspects disclosed herein may be implemented as electronic hardware, instructions stored in memory or in another computer readable medium and executed by a processor or other processing device, or combinations of both. Memory disclosed herein may be any type and size of memory and may be configured to store any type of information desired. To clearly illustrate this interchangeability, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. How such functionality is implemented depends upon the particular application, design choices, and/or design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The various illustrative logical blocks, processors, controllers, components, agents, IPs, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed with a processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices (e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration).
The aspects disclosed herein may be embodied in hardware and in instructions that are stored in hardware, and may reside, for example, in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of computer readable medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a remote station. In the alternative, the processor and the storage medium may reside as discrete components in a remote station, base station, or server.
In
The PMpro processor (or sub-processor) 123 may perform the power management for the SoC 100 and may connect to one or more voltage regulators (VR) that provide power to the SoC 100. The PMpro processor 123 may receive voltage readings, power readings, and/or thermal readings and may generate control signals (e.g., dynamic voltage and frequency scaling (DVFS)) to be sent to the voltage regulators. The PMpro processor 123 may also report power conditions and throttling to an operating system or hypervisor running on the SoC 100. The PMpro processor 123 may provide the power for boot and may have specific power throttling and specific power connections for boot power to the system control processor (SCP) 120 and/or the SMpro processor 124. The PMpro processor 123 may receive power-on control signals, voltage ramp signals, and other power control from the system control processor 120 and/or the SMpro processor 124 during boot up as hardware and firmware become activated on the SoC 100. These power-up processes and power sequencing may be automatic or may be linked to events occurring at or detected by the SMpro processor 124 and/or the PMpro processor 123.
The SMpro processor (or sub-processor) 124 may include a bootstrap controller 390 (as will be illustrated with respect to
In
The SMpro processor 124 may connect to one or more off-chip systems as well via ports 204 and/or may connect to off-chip systems via the I/O connections 122. The SMpro processor 124 may include on-board ROM 220 (or EPROM) and a trust management module (TMM) 210. The TMM 210 may operate as hardware or firmware or a combination thereof. The shared memory 121 may be on-board RAM or secured RAM which can be trusted by the TMM 210 after an integrity check or certificate check. Indeed, the components of the SoC 100 may be divided into trusted components and non-trusted components, where the trusted components may be verified by certificates in the case of software components, or are pure hardware components so that at boot the TMM 210 may ensure that the boot process is secure.
In
The bootstrap controller 390 may include hardware switches 310 which may be embodied as logic gates (e.g., OR, XOR, NOR, AND, NAND), semiconductor switches, checksum functions, and other control logic in silicon. These hardware switches 310 may be the first components on the SoC 100 to be powered on apart from (or after) the PMpro processor 123. The hardware switches 310 may read efuses 311 which may operate as immutable ROM and/or hardware-coded values. The hardware switches 310 may determine whether access to the JTAG ports 370 should be granted or denied. That is, hardware switches 310 may enable or disable the SoC JTAG ports and firmware 12, the PMpro JTAG ports and firmware 13, and the SMpro JTAG ports and firmware 14 of the SoC 100. The hardware switches 310 together with efuses 311 may control access (i.e., enable/disable) to debug ports and debug reads of ROM 330 and may embed parameters that define an operating state of the TMM 210 upon boot.
The TMM 210 may access various types of memory based on the security risk and stage of the boot. For instance, before security processes are activated the TMM 210 may operate based on immutable ROM, efuses 311, and ROM 330. Once more advanced operations are running to check the validity of code and provide software-level security measures, the TMM 210 may then access RAM 340 or EEPROM 350 for boot functions. The TMM 210 may also output authentication failure flags or indicators and/or boot failure indicators to the baseboard management controller off-chip in the event that errors occur. The efuses 311 may provide the necessary instructions for failover or secure boot options that enable external re-programming of the EEPROM 350 to correct errors. Upon a successful authentication and power-on of the hardware switches 310, the bootstrap controller 390 or hardware switches 310 may output a particular boot state that is based on the efuses 311. The TMM 210 may use/read this boot state to enable or disable functions and may operate different ROM/EEPROM/RAM code/instructions based on the boot state.
In
The execution of appropriate immutable code or instructions in ROM at 440 may be based on the defined state from 430 and access JTAG processes 450 in ROM or RMA processes 460 in ROM or secure state processes 470 in ROM. An operating state defined by the efuses 311 and efuse inputs 410 may be processed by activation logic within the bootstrap controller 390 such that the appropriate immutable code is executed at 440. In addition, based on the efuse inputs 410, if a secure state is defined, then one or more secure state parameters may be read from the efuse inputs 410 together with the state so as to customize the secure state. The JTAG processes 450 or RMA processes 460 or secure state processes 470 need not be exclusive of each other based on the defined state at 440. Instead, the defined state at 440 may indicate that JTAG processes 450 and secure state processes 470 may be activated or executed, for example.
After the execution of the appropriate ROM and/or EPROM instructions based on the defined secure state of the secure state processes 470, the bootstrap controller 390 may begin execution of the BIOS in RAM at 480 so that secure/trusted portions of the rest of the SoC 100 may be booted up. The BIOS may be executed in shared memory 121 of the system control processor 120 or the on-board RAM of the SMpro processor 124. The power-up sequence and execution sequence of
In
In particular, the JTAG logic gates 520 may compare an input operating state with a certificate and/or enable logic for that operating state and as a result may enable or disable test access ports 507 of the SoC 100. The SoC debug logic gates 530 may compare an input operating state with a certificate and/or enable logic for that operating state and as a result may enable or disable chip RMA ports 509 of the SoC 100. For example, an RMA state output by efuses and logic gates 510 may activate or enable test access ports 507 and RMA ports 509. A secure state output by efuses and logic gates 510 may activate or enable specific ROM instructions via ROM enable 503 after processing by the activation logic gates 540.
In
The efuses for the hardware indicators 502 and TMM enable 505 may be secured so that only the manufacturer has the capability or authorization to set or “blow” the indicators and thus change the operating state between SEC and RMA or vice versa. For example, authorization certificates may be required by the boot process (or by the operating system at a later point) in order to sign or authorize the alteration of the efuses illustrated in
In
In
The disclosed hardware indicators 502 allow a chip manufacturer to repeatedly switch between a secure state and an RMA state. The TMM enable flag 505 also provides additional state setting for the manufacturing security conditions of the JTAG and debug ports of the SoC 100. An additional flag may enable/disable JTAG and/or debug ports in a secure state. This additional flag (which could be implemented much like the TMM enable 505 line is implemented in
If the SoC 100 or other processor is a field or prototype test article, then the JTAG disable 605 may not occur so that the platform developer may test functionality and integrity of the chip while in a test state that operates like a secure state with JTAG functionality. Then the JTAG disable 605 may be set after testing by the manufacturer or by the platform developer.
After the testing is complete and any additional JTAG enable has been disabled, when the boot strap controller applies voltage to the efuses and logic gates for defining the operating state, a secure state 606 will be defined that is secured by hardware blocks on exploitable test and debug functionality. The secure state 606 may have different variations which are adjustable via TMM indicators 609 which may include hardware indicators 502. Once in the secure state 606, a manufacturer or user with the correct authorization certificate and/or hardware may blow or program an RMA indicator of the hardware indicators 502 to increment RMA 607 (i.e., may blow the next-available RMA indicator as described with respect to
The alternating or reciprocal nature of the switches between secure state 606 and RMA state 608 is based on the ordered and alternating increment or one-time programming (OTP) of RMA indicators and SEC indicators of hardware indicators 502. If RMA indicators are incremented twice or SEC indicators are incremented twice, then the bootstrap controller 390 may indicate an invalid state and may output a boot fail flag or fail over into a failsafe mode. Such an invalid state may indicate tampering or unauthorized programming of the OTP indicators. The alternating nature of the state is defined by the XOR logic of the efuses and logic gates 510.
In
The manufacturer may then re-ship the processor after one-time programming an SEC indicator. So long as the interleaved indicators connected to the logic gates of the bootstrap controller 390 are programmed in order, the processor will boot into a secure state whenever a SEC indicator is not zero (indicates 1 or TRUE) at the most recently programmed set (pair) of SEC/RMA indicators and no corresponding RMA indicator in the set is also TRUE or non-zero. Likewise, the processor will boot into an RMA state whenever an RMA indicator is not zero at the most recently programmed set (pair) of SEC/RMA indicators.
The invalid state is whenever an RMA indicator has been blown without the SEC indicator of the same pair also being blown or programmed. That is, in this implementation, if an RMA state is to be valid based on a one-time programming of the RMA indicator, then the SEC indicator of the pair must already be blown. This hardware state control illustrated in
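The interleaved SEC/RMA indicator scheme (ordered programming, alternation between secure and RMA states, the invalid state on a skipped or repeated indicator, and the resulting gating of test access and RMA ports) can be checked against a small simulation. The following is an added example written for this page, not code or an actual fuse map from the disclosure: the pair layout `(SEC_i, RMA_i)`, the `jtag_disable` flag standing in for the separate JTAG-disable line, the treatment of a still-unprogrammed part, and the port policy table are all assumptions chosen to match the behaviour described above.

```python
from enum import Enum


class OperatingState(Enum):
    UNPROGRAMMED = "unprogrammed"  # no SEC/RMA indicator blown yet (assumed)
    SECURE = "secure"
    RMA = "rma"
    INVALID = "invalid"            # out-of-order programming: possible tampering


def decode_state(pairs):
    """Decode the operating state from interleaved (SEC, RMA) OTP pairs.

    pairs[i] = (sec_i, rma_i), each bit 0 or 1, intended programming order
    SEC_0, RMA_0, SEC_1, RMA_1, ...  The most recently programmed pair is the
    highest-indexed pair with any bit blown; every pair below it must be fully
    blown, otherwise an indicator was incremented twice (a pair was skipped).
    """
    programmed = [i for i, (sec, rma) in enumerate(pairs) if sec or rma]
    if not programmed:
        return OperatingState.UNPROGRAMMED
    last = programmed[-1]
    if any(pairs[i] != (1, 1) for i in range(last)):
        return OperatingState.INVALID   # skipped pair: SEC or RMA blown twice in a row
    sec, rma = pairs[last]
    if rma and not sec:
        return OperatingState.INVALID   # RMA blown without SEC of the same pair
    if sec and not rma:
        return OperatingState.SECURE
    return OperatingState.RMA           # both blown: RMA follows SEC inside the pair


def xor_chain_state(pairs):
    """Equivalent view of the XOR logic across the chain: with in-order
    programming, an odd number of blown bits means SECURE and a non-zero even
    number means RMA. Only meaningful when decode_state() is not INVALID."""
    blown = sum(sec + rma for sec, rma in pairs)
    if blown == 0:
        return OperatingState.UNPROGRAMMED
    return OperatingState.SECURE if blown % 2 else OperatingState.RMA


def blow(pairs, index, which):
    """One-time program a single indicator in place: a bit only goes 0 -> 1."""
    sec, rma = pairs[index]
    if which == "SEC":
        if sec:
            raise ValueError(f"SEC_{index} already programmed")
        pairs[index] = (1, rma)
    elif which == "RMA":
        if rma:
            raise ValueError(f"RMA_{index} already programmed")
        pairs[index] = (sec, 1)
    else:
        raise ValueError("indicator must be 'SEC' or 'RMA'")
    return pairs


def port_access(state, jtag_disable):
    """Boot-time switch outputs for a decoded state (assumed policy table):
    RMA opens test access and RMA ports, INVALID raises the boot-fail flag,
    SECURE keeps RMA ports closed and gates JTAG on the JTAG-disable flag.
    An unprogrammed test article is treated like SECURE here (assumption)."""
    if state is OperatingState.INVALID:
        return {"test_access_ports": False, "rma_ports": False, "boot_fail": True}
    if state is OperatingState.RMA:
        return {"test_access_ports": True, "rma_ports": True, "boot_fail": False}
    return {"test_access_ports": not jtag_disable, "rma_ports": False,
            "boot_fail": False}


def boot_sequence(pairs, jtag_disable):
    """What the bootstrap controller does at power-on: read OTP bits, decode
    the operating state, drive the switches."""
    state = decode_state(pairs)
    return state, port_access(state, jtag_disable)


def lifecycle_demo():
    """Constructed walk-through: ship secure, return for RMA, re-ship secure,
    then an out-of-order RMA_2 programming that skips pair 1."""
    pairs = [(0, 0)] * 4
    trace = []
    blow(pairs, 0, "SEC"); trace.append(decode_state(pairs))   # SECURE
    blow(pairs, 0, "RMA"); trace.append(decode_state(pairs))   # RMA
    blow(pairs, 1, "SEC"); trace.append(decode_state(pairs))   # SECURE
    blow(pairs, 2, "RMA"); trace.append(decode_state(pairs))   # INVALID
    return trace


if __name__ == "__main__":
    for state in lifecycle_demo():
        print(state.value, port_access(state, jtag_disable=True))
```

The decode is deliberately stricter than a plain parity count: `xor_chain_state` reproduces the alternation for correctly ordered fuses, but only `decode_state` distinguishes a chip whose RMA indicator was blown without its SEC partner, which is the case the text flags as tampering and routes to the boot-fail flag rather than to either normal state.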
It is also noted that the operational steps described in any of the exemplary aspects herein are described to provide examples and discussion. The operations described may be performed in numerous different sequences other than the illustrated sequences. Furthermore, operations described in a single operational step may actually be performed in a number of different steps. Additionally, one or more operational steps discussed in the exemplary aspects may be combined. It is to be understood that the operational steps illustrated in the flowchart diagrams may be subject to numerous different modifications as will be readily apparent to one of skill in the art. Those of skill in the art will also understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations. Thus, the disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.