Ellipsys Trust Framework™ for ADI Lockbox

Introduction to the Ellipsys™ Trust Framework [1] for ADI Blackfin® Lockbox™ Devices

Mike Borza – CTO, Elliptic Technologies Inc.

This article introduces the Standard Edition of the Lockbox implementation of the Ellipsys Trust Framework™ (ETF™), a set of development and manufacturing tools for creating trusted execution environments. A previous article introduced the general concepts and features of the Ellipsys Trust Framework; interested readers can refer to that article for more information [2]. A trusted execution environment is one means to help achieve trustworthiness in embedded devices. In this context, trustworthiness is a statement that the device is in a state and behaves as programmed by its manufacturer.

Overview

This article discusses some uses of the Ellipsys Trust Framework™ (ETF™) with Analog Devices Blackfin Processors incorporating Lockbox Secure Technology. ETF allows OEMs to maintain control of products over their entire life-cycle, including:

• securing out-sourced manufacturing against unauthorized production runs, legitimate product stolen from inventory, and other abuses in the manufacturing flow
• securing products against reverse engineering and cloning
• securing the execution environment against unauthorized programs
• the ability to permanently disable products at end of life

Sidebar: Creating trust and trustworthiness in devices begins early in the design process and figures in aspects of manufacturing, service and maintenance processes through their entire lifetime, even up to their eventual end of life. Ellipsys Trust Framework for Lockbox makes it easy for OEMs to take advantage of the security features built into Blackfin Processors that incorporate Lockbox security features.

Many devices store and process credit card and banking information, health records, service subscriptions and similar data on behalf of their owners that must be protected to prevent their misuse against their rightful owners.
And of course producers of music, movies, TV programs and all other kinds of intellectual property are often interested in preserving the value of their work by protecting it from widespread free distribution while allowing their authorized users easy access to content.

The Ellipsys Trust Framework™ (ETF™) addresses these problems and more through a proven, flexible set of products that work together to enable trust in the manufacturing, distribution and operation of electronic products. Three principal products form the core of the Framework. Ellipsys-SB for Lockbox is a secure bootstrap subsystem for processor-based devices that provides cryptographic protection and authentication of code installed and running on those devices. The Ellipsys-CA for Lockbox product provides manufacturing support for code signing, services provisioning and secure installation of cryptographic keys and unique device identities in the manufacturing flow. For applications that require carefully controlled access to installed keys, identities and cryptographic operations, Ellipsys-VSM for Lockbox is an optional product that provides a software-friendly virtual security module – essentially a software smartcard – that allows the embedding and binding of a virtually unlimited number of keys in embedded system environments.

[1] Ellipsys, Ellipsys Trust Framework and ETF are trademarks of Elliptic Technologies Inc. Blackfin and Lockbox are trademarks of Analog Devices Inc.
[2] The whitepaper "Manufacturing Trust: Enabling Embedded Device Trustworthiness Using the Ellipsys Trust Framework" is available on the Elliptic Technologies website at http://www.elliptictech.com/middleware_trust.php.

v1.0 1007 © Copyright 2010 Elliptic Technologies Inc., all rights reserved
Used together as part of a manufacturing flow and system design, ETF enables a vast array of protections of the system and its users, including:

• Creation of trusted software execution environments that trace their origin to authorized sources. OEMs are afforded great flexibility in their ability to authorize third party providers, and to separate and distinguish classes of systems or providers in order to manage different product flows built on the same infrastructure, for example to provide or enable different features in products built on the same platform according to manufacturer-specified criteria. Full secure update functionality is supported, allowing software upgrades and bug fixes to be distributed via both networked and off-line distribution channels.
• Creation of devices that contain unique, unforgeable identities and cryptographic keys that are permanently bound to the individual devices they are installed in. Manufacturing tools and techniques are provided to allow the secure installation of these data even using the untrusted outsource manufacturing flows that are so common these days.
• Tamper-proof firmware installations that prevent the system from booting if unauthorized changes are made to the protected software environment.
• IP protection that uses encrypted firmware to protect against disassembly of valuable intellectual property in the form of algorithms and data represented in code in Flash memory images.

Glossary
ASIC – Application-specific integrated circuit
CA – Certification authority
ECC – Elliptic curve cryptography
ETF™ – Ellipsys Trust Framework™
IP – Intellectual property
OTP – One-time programmable memory
PKI – Public key infrastructure
ROM – Read-only memory
SoC – System-on-chip
VPN – Virtual private network
VSM – Virtual security module
The Enhanced Edition of ETF for Lockbox extends these capabilities by adding features for:

• Anti-cloning and loss-prevention in manufacturing, to protect against unauthorized production of devices or the use of devices taken off the manufacturing floor or from inventory without authorization.
• Application support for services' and users' identities, cryptographic keys and data that are bound to the platform using tamper-proof operating system facilities. Both credentials created within the manufacturer's provisioning infrastructure and credentials created in third party or public infrastructures are supported.
• Anti-counterfeiting that provides mutual cryptographic authentication of cooperating subsystems in a larger system or network, to prevent participation of, or disruption caused by, counterfeit or unauthorized devices in the system.

The remainder of this paper provides an overview of the Ellipsys Trust Framework components and examples of how those work together in actual systems.

Figure 1: Trusted execution environment with optional simple IP protection in Lockbox devices. Authentication and decryption keys are stored in on-chip OTP memory, while application code is stored in inexpensive unprotected Flash memory. Code executes out of internal memory during operation.

Trusted execution environment

The most basic application for the Ellipsys Trust Framework is establishment of a trusted execution environment. This guarantees that the application executing on the Blackfin processor is the same one supplied by the OEM and that it has not been tampered with or otherwise compromised after release and installation in a Blackfin system. As part of the firmware release engineering process, the application code is signed and bound together with the Ellipsys-SB secure bootstrap code.
At each restart of the processor, the code is cryptographically authenticated using the Lockbox authentication process, discussed further below. Ellipsys-SB authenticates and loads the main application environment and any extra components (e.g. optional features or 3rd party applications) installed. The use of Ellipsys-SB allows the application environment to be as large as the physical memory supported by the Blackfin processor, independent of the size of the internal RAM working memories. Following successful authentication, control is transferred to the entry point of the OEM application environment. Devices that fail to authenticate correctly can be configured by the OEM to terminate execution in an error state, or to attempt to boot an authenticated backup application. Access to these features is almost completely transparent to OEMs and the OEM application environment.

Protecting embedded intellectual property

OEMs that use Blackfin processors often have significant investments in intellectual property in the form of firmware algorithms, either directly or through the use of licensed 3rd party libraries. Blackfin processors with Lockbox provide the means to protect these proprietary algorithms by encrypting the firmware installed on the system. Elliptic's Lockbox implementation of ETF allows OEMs to apply the optional code encryption features of Lockbox using keys embedded during manufacturing and accessible only during bootstrap. This case is typical of many small embedded systems in which encrypted firmware is installed in an unprotected Flash memory. This keeps the product inexpensive to manufacture, allows high-volume production techniques, and leaves the option of having the Flash memories programmed by either the memory supplier or the contract assembler during board manufacturing.
Encryption keys used to decrypt the firmware are programmed into secure OTP memory in the Blackfin during manufacturing. The Enhanced Edition of ETF for Lockbox provides an option to split programming of the keys among several stages of manufacturing, which means that the entire key is never in the possession of any one person or company outside of the OEM. This provides an extra level of protection: the key is stored inside Lockbox, and the entire key used to protect the OEM's IP is never assembled in one place in a way that is accessible to anyone who might wish to use it to examine or copy the OEM's code. This feature is important in IP protection applications, because if just one copy of the software decryption key is cracked, all of the OEM's IP protected by that key becomes known.

Ellipsys-CA provides the necessary code signing, system image formatting and encryption capabilities to produce code images for these products. The firmware encryption keys are stored internally in Ellipsys-CA, providing a secure repository for the all-important keys that protect the OEM's IP. Extensions to the basic product protect against manufacturing over-builds being distributed as genuine, authorized product, as well as against firmware cloning and installation in knock-off system designs.

Ellipsys Trust Framework system components

The Ellipsys Trust Framework provides the capability to bootstrap embedded devices from an untrusted state into a trusted software environment, to authenticate software updates and third-party software, and to distinguish among products built by different OEMs on top of ETF components. The ETF includes manufacturing infrastructure tools that OEMs can use to meet the needs of high volume globalized manufacturing and distribution operations in terms of:

• Distributed applications development operations including in-house, supply-chain and independent third party developers.
• Support for development of multiple products and product lines using a common suite of manufacturing infrastructure tools.
• High speed/high volume manufacturing support for key and identity credential injection in embedded devices that can be deployed on the manufacturing line or remotely via secure virtual private network.
• Direct support for distributed manufacturing that allows operation of multiple parallel key and credential injection systems while maintaining full traceability and accountability of authorizations.

Figure 2: Typical complete ETF implementation.

A basic system built on the Ellipsys Trust Framework is shown in Figure 2. The heart of the framework is the Ellipsys-SB Secure Bootstrap system. This is a firmware component installed on the embedded device that takes control of the system at every reset. Ellipsys-SB performs system initialization, functional validation checks, and finally cryptographic authentication and integrity tests of the main system firmware images, which are typically an embedded operating system or application environment for the platform.

Cryptographic signatures and identity credentials are crucial to the validation of firmware in Ellipsys-SB operation. Likewise, the same needs often exist in the applications environment loaded by Ellipsys-SB. Ellipsys-CA is a secure workstation-based application designed to meet these needs in both manufacturing environments and beyond, encompassing the operation of services, networks and integrated higher-level systems. At its most basic level Ellipsys-CA provides a certification authority, a code signing and encryption application, a key and credential injection application, and a firmware image formatting application.
Finally, for secure environments that need it, Ellipsys-VSM is a cryptographic service provider and key management module that runs in the application environment to use keys installed in the platform's secure OTP memory during manufacturing. Platform keys and certificates are used in identification and authentication protocols, to bind and protect foreign keys and credentials to the platform that they are installed in, and to provide general cryptographic functions for applications running on the platform. These components are described further in the sections that follow.

Figure 3: Ellipsys-SB operation in Lockbox processors.

Ellipsys-SB

Ellipsys-SB is a scalable bootstrap system that works together with the Lockbox initialization state machine to bring the system to a known, trusted execution state, as shown in Figure 3. In the Lockbox implementation of Ellipsys-SB the standard Phase 0 bootstrap process is replaced by the built-in Lockbox Secure Entry mode. Ellipsys-SB implements Phase 1 and Phase 2 of the standard Ellipsys-SB bootstrap process. The bootstrap process proceeds through its initialization phases as follows:

• In Secure Entry mode a minimal trusted firmware module takes control of the processor at each reset. Phase 1 code is authenticated using a bare elliptic curve cryptography (ECC) public key. If authentication is successful, the system transitions to Secure Mode to execute Ellipsys-SB Phase 1. If unsuccessful, the system simply reverts to open mode.
• Phase 1 is a firmware component that includes a full processor initialization procedure to ready the processor for the application environment. Depending on the system designer's objectives for the system, Phase 1 may include the entire application environment, or may simply be an initial software environment suitable to start execution of a full application environment later. Phase 1 uses a certificate-based PKI with ECC certificates to authenticate Phase 2 firmware components when these are present. Phase 1 validates the certificate chain on these components for traceability to a trusted root certificate, and loads and transfers control of the system to this software if it authenticates successfully. Phase 1 is also where code decryption of loadable software is implemented, if this optional feature is included in the system. If application access to secret keys stored in OTP memory is provided in the system design, Phase 1 code sets up the conditions for access to these memory regions. Phase 1 code is generally stored unencrypted in Flash memory external to the processor. It can be upgraded using tools provided as part of the Ellipsys-SB product to allow for future software or firmware upgrades and bug fix releases. Code upgrades are cryptographically authenticated prior to installation, and the new code must pass the same startup authentication checks as the original factory firmware did.
• Phase 2 is the OEM application environment, defined completely by the OEM's firmware engineering team. If system control is transferred to it by Phase 1, it is guaranteed to have passed authentication that assures that it originated from the OEM and that it was unmodified from the version that was received from that provider. Phase 2 code can be encrypted when stored in Flash. Decryption of Phase 2 code is automatic during Phase 1 execution. If Phase 2 resides entirely in on-chip RAM within the Blackfin, it is well protected from simple attempts to reverse engineer it.

Smaller system designs may have all of their firmware originating with the OEM engineering team, with little need for field upgrades or third party applications support. Larger systems are often designed for an ecosystem of software providers that may include a mix of OEM software, authorized software suppliers, and independent third party software providers.
These are ideally suited to Ellipsys-SB implementations. Typically, the system OEM provides the basic operating system and applications environment, while authorized suppliers and/or independent third party suppliers provide additional functionality and applications. Software that requires authorization to execute on the platform can be signed using Ellipsys-CA and installed in authenticated Flash memory images if desired. In the Lockbox implementation of Ellipsys-SB, separate Ellipsys-CA instances can sign different parts of the overall application environment, while still allowing full traceability of the origin of a firmware component and verification that it was authorized by the system OEM. Provided with Ellipsys-SB is a set of developer's tools to implement secure firmware update applications as part of the system application environment, configure firmware to be ready for signing and installation in nonvolatile memory on the product, and test and debug Ellipsys-SB environments.

Ellipsys-CA

Ellipsys-CA for Lockbox integrates with firmware engineering tools such as ADI's Visual DSP development environment to supply the following functions:

• Generation and management of keys and certificates for installation in embedded devices, applications and systems;
• Creation of signed certificates, software and data using certificate-based digital signatures in its own PKI owned by the OEM;
• Formatting firmware and data images for installation and use in Ellipsys-SB for Lockbox subsystems;
• Secure creation and management of keys to be injected into secure OTP memories of Lockbox systems.
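The Secure Entry, Phase 1 and Phase 2 authentication steps described in the Ellipsys-SB section, together with the ability of separate Ellipsys-CA instances to sign different components while every signature still traces to the OEM root, modelled as an added example that is not Elliptic's code, image format or key hierarchy. Hash-based Lamport one-time signatures stand in for the ECC signatures Lockbox uses so that the block runs on Python's standard library alone; the image layout (PKI root key appended to the Phase 1 image), the role names and the status strings are this example's own assumptions.

```python
import hashlib
import os

H = lambda data: hashlib.sha256(data).digest()
PK_LEN = 256 * 64  # serialised Lamport public key: 256 pairs of 32-byte hashes

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def sign(sk, msg):  # reveals one preimage per digest bit, so each key signs ONCE
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)

def parse_pk(raw):
    return [(raw[i:i + 32], raw[i + 32:i + 64]) for i in range(0, PK_LEN, 64)]

def build_release(root_sk, phase1_code, phase2_code):
    """OEM side (the Ellipsys-CA role): sign Phase 1 with the bare root key,
    embed the PKI root key in Phase 1, and certify a separate Phase 2 signer."""
    pki_sk, pki_pk = keygen()          # PKI root, e.g. firmware-engineering CA
    app_sk, app_pk = keygen()          # Phase 2 signer, e.g. a second Ellipsys-CA
    phase1_image = phase1_code + pk_bytes(pki_pk)
    phase1_sig = sign(root_sk, phase1_image)
    app_cert = (app_pk, sign(pki_sk, pk_bytes(app_pk)))   # subject key + issuer sig
    phase2_sig = sign(app_sk, phase2_code)
    return phase1_image, phase1_sig, app_cert, phase2_sig

def secure_boot(otp_root_pk, phase1_image, phase1_sig, app_cert, phase2_image, phase2_sig):
    """Device side: Secure Entry -> Phase 1 -> Phase 2, as in Figure 3."""
    # Secure Entry: the bare public key in OTP authenticates Phase 1; on failure
    # the device reverts to open mode and nothing further is trusted.
    if not verify(otp_root_pk, phase1_image, phase1_sig):
        return "OPEN_MODE"
    # Phase 1: the trusted PKI root travels inside the authenticated image, so
    # only a root-approved Phase 1 decides who may sign Phase 2 components.
    pki_root_pk = parse_pk(phase1_image[-PK_LEN:])
    signer_pk, issuer_sig = app_cert
    if not verify(pki_root_pk, pk_bytes(signer_pk), issuer_sig):
        return "ERROR_STATE"          # certificate does not chain to the OEM root
    if not verify(signer_pk, phase2_image, phase2_sig):
        return "ERROR_STATE"          # application image modified after signing
    return "PHASE2_RUNNING"

# Constructed demo data: ROOT_PK is what manufacturing would burn into OTP
root_sk, ROOT_PK = keygen()
P1, P2 = b"phase1: init + chain verifier", b"phase2: OEM application environment"
RELEASE = build_release(root_sk, P1, P2)

def demo():
    p1_img, p1_sig, cert, p2_sig = RELEASE
    good = secure_boot(ROOT_PK, p1_img, p1_sig, cert, P2, p2_sig)
    tampered = secure_boot(ROOT_PK, p1_img, p1_sig, cert, P2 + b"\x90", p2_sig)
    bad_phase1 = secure_boot(ROOT_PK, p1_img + b"\x00", p1_sig, cert, P2, p2_sig)
    rogue_sk, rogue_pk = keygen()     # a signer the OEM never certified
    rogue = secure_boot(ROOT_PK, p1_img, p1_sig, (rogue_pk, cert[1]), P2, sign(rogue_sk, P2))
    return good, tampered, bad_phase1, rogue
```

The four `demo()` outcomes correspond to a clean boot, a modified Phase 2 image, a modified Phase 1 image (open mode, since the OTP root key rejects it), and a Phase 2 image signed by a key without an OEM-issued certificate.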
It has a broad range of features that support deployment across a variety of product development and manufacturing flows, including:

• Support for multiple copies of authorized signing tools traceable to the same OEM PKI root key, to distinguish between different authorized code signers (for example, separate Ellipsys-CAs for firmware engineering, manufacturing and sustaining engineering).
• Applications for code signing, code encryption, system image building, key generation and manufacturing key injection, certificate creation and signing, and more.
• Policy-based certificates that support application enforcement of certificate usage policies, for example restrictions on which certificates may be used to sign code vs. credentials, distinctions between what OEM-signed code may do vs. manufacturer code, and so on.
• Foreign key and credential import capabilities.
• Simple role-based authorization of users to permit or rescind authority to operate in specified roles within the CA. For example, code signing authority may be restricted to users in the QA organization.
• Full transaction logging with access controls on logs.
• Configurable key and certificate escrows that securely store data created by the Ellipsys-CA.
• Optional multi-site replication and database consolidation to provide error tolerance and recovery capabilities in large system deployments.
• Remote operation and connectivity capability via secure VPN connections to support manufacturing applications and distributed operation of a collection of Ellipsys-CAs.

Ellipsys-VSM

Ellipsys-VSM is an optional product that provides a software API to a protected cryptographic subsystem that stores and uses keys on behalf of programs that interface to it.
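The keyblob binding that the Ellipsys-VSM feature list below describes, as an added example that is not Elliptic's code or keyblob format: a foreign key is wrapped under a device-unique platform key from OTP, the wrapped blob can sit in unprotected Flash, and only the device that bound it can use it. The wrap construction here (an HMAC-SHA256 keystream plus an HMAC tag) is this example's own stand-in for the product's AES-based encryption, chosen so the block runs with the standard library; the class, method names and OTP key values are assumptions.

```python
import hashlib
import hmac
import os

def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

class VirtualSecurityModule:
    """Model of keyblob binding: foreign keys leave the module only wrapped
    under a device-unique platform key that itself never leaves OTP."""

    def __init__(self, otp_platform_key):
        # Separate wrap and MAC keys derived from the per-device OTP key.
        self._enc = _prf(otp_platform_key, b"keyblob-enc")
        self._mac = _prf(otp_platform_key, b"keyblob-mac")

    def _keystream(self, nonce, n):
        out = b""
        for ctr in range((n + 31) // 32):
            out += _prf(self._enc, nonce + ctr.to_bytes(4, "big"))
        return out[:n]

    def import_key(self, foreign_key):
        """Bind a foreign key: returns a keyblob safe to store in plain Flash."""
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(foreign_key, self._keystream(nonce, len(foreign_key))))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        # Constant-time tag check before any decryption: a blob bound to another
        # device, or modified while in storage, is rejected here.
        if not hmac.compare_digest(tag, hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("keyblob not bound to this device or corrupted")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def hmac_with_blob(self, blob, data):
        """Use the bound key on the caller's behalf; the plaintext key stays inside."""
        return hmac.new(self._unwrap(blob), data, hashlib.sha256).hexdigest()

# Constructed demo: two devices with different per-device OTP platform keys
DEVICE_A = VirtualSecurityModule(bytes.fromhex("11" * 32))
DEVICE_B = VirtualSecurityModule(bytes.fromhex("22" * 32))
SERVICE_KEY = bytes.fromhex("a0" * 16)   # e.g. a service key delivered to device A

def demo():
    blob = DEVICE_A.import_key(SERVICE_KEY)
    mac_a = DEVICE_A.hmac_with_blob(blob, b"hello")
    results = {"same_device": mac_a == hmac.new(SERVICE_KEY, b"hello", hashlib.sha256).hexdigest()}
    for label, dev, b in (("other_device", DEVICE_B, blob),
                          ("tampered", DEVICE_A, blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])):
        try:
            dev.hmac_with_blob(b, b"hello")
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```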
Main features of Ellipsys-VSM include:

• Support for a wide range of public key and symmetric cryptography algorithms and operations, including RSA and elliptic curve asymmetric algorithms, AES, DES and RC4 symmetric ciphers, SHA-1 and MD5 digests, and HMAC message authentication;
• High level interfaces for combination operations such as public key signature generation and verification;
• X.509 certificate support for credentials;
• Support for secure use of unique-per-device keys stored in secure OTP memory, to protect those keys from attempts to recover them during operation of the device;
• Support for foreign key import, secure storage and permanent binding of foreign keys to the platform. Foreign keys are imported and bound to the platform by encrypting them into a “keyblob” using the embedded platform key. Protected keyblobs may be exported from the VSM and stored in plaintext in unprotected storage without fear of compromise, either within or outside of the module they are bound to. Once bound, keyblobs may only be used on the device that they are bound to.

Typical applications for Ellipsys-VSM include incorporation in solutions that address the robustness requirements for DRM and conditional access schemes, closed networks or systems in which the authenticity of participants is required, and systems meeting high security standards such as FIPS 140 validation. Consult Elliptic Technologies for availability of Ellipsys-VSM in particular Blackfin variants and RTOS environments.

Concluding Remarks

Ellipsys Trust Framework for Lockbox provides a comprehensive set of solutions to the range of requirements that OEMs using ADI Blackfin processors with Lockbox Secure Technology have, both for operational security in end-use applications and for protection of their embedded intellectual property and the integrity of their supply chain.
For more information, see Elliptic's website at http://elliptictech.com/middleware_ETF_Lockbox.php, or contact us at:

62 Steacie Drive, Suite 201
Ottawa, Ontario, Canada
+1-613-254-5456
or by email at info@elliptictech.com