
COVER FEATURE: SUPPLY-CHAIN SECURITY FOR CYBERINFRASTRUCTURE

A Platform Solution for Secure Supply-Chain and Chip Life-Cycle Management

Joseph P. Skudlarek, Tom Katsioulas, and Michael Chen, Mentor Graphics

Computer, published by the IEEE Computer Society, August 2016. 0018-9162/16/$33.00 © 2016 IEEE

Fragmentation of the system-on-chip supply chain has introduced many vulnerabilities in electronic devices. A proposed platform solution lets supply-chain participants authenticate, track, provision, and analyze their products during the entire chip life cycle through a single root of trust in the form of unique chip IDs.

Globalization and outsourcing have introduced numerous vulnerabilities in electronic devices, including counterfeit integrated circuits (ICs), by fragmenting the system-on-chip (SoC) supply chain throughout the life cycle of design, manufacture, distribution, and field use. The number of vulnerabilities is expected to dramatically increase as billions of devices with SoCs, many provided by untrusted foundries, connect to the Internet of Things.

Silicon supply-chain security is an industry-wide issue that requires a holistic approach and collaboration among IC suppliers, foundries, assembly and test houses, contract manufacturers, and electronic device distributors. We propose a platform solution that combines hardware, software, and protocols to let supply-chain participants authenticate, track, provision, and analyze chips during the entire life cycle. By providing end-to-end security with a reliable root of trust, it could significantly mitigate supply-chain vulnerabilities.

PLATFORM OVERVIEW

Our proposed platform enables connection of SoCs to a secure server, tracks them at each step in the supply chain, and securely provisions them in the field. This lets IC suppliers minimize counterfeit components as well as offer new value-added services during the SoC life cycle that were not possible before. It also provides better visibility of the SoC life cycle and DNA from design to birth to proliferation to decommissioning.

[Figure 1 is a diagram; only its labels survive: chip supplier hardware (security controller, I/O ports, chip DNA); untrusted supply chain (ATE, assembly, PCB, middlemen, agents); secure server (protocols, appliances, chip IDs, life-cycle and supply-chain info, activity logs); big-data analytics applications; field use and surrounding environment.]

FIGURE 1. Platform overview. The security controller embedded on each chip connects to a secure server and supports the protocols that enable enrollment, authentication, tracking, and in-field provisioning. Each chip has a unique ID and DNA—helper data and a unique key to protect select data in transit—making every server connection with a chip distinct from that of every other chip. In addition to the on-chip hardware, the platform includes appliances and agents: at-server validation and configuration mechanisms and associated middleware that run on the supply chain's untrusted sites. ATE: automated test equipment; PCB: printed circuit board.

Figure 1 shows a simplified view of the platform in which there is a single security controller embedded on a chip. The controller supports the protocols that enable chip enrollment, authentication, tracking, and in-field provisioning. Enrollment registers the chip with the secure server. Authentication verifies that the chip is known to the system—that is, the chip has been enrolled and has a sound history. Tracking establishes the chip's provenance; it certifies that the authentic chip has a detailed chain of custody. Provisioning enables and disables individual chip features including intellectual property (IP) blocks and I/O or debug ports. One variation of provisioning is "metering," whereby portions of the design or the full SoC can be provisioned to expire either based on chip status in the supply chain or how often the chip checks in with the server.

A key feature of the platform is use of a physically unclonable function (PUF) to provide each chip with its own unique ID and a unique key to protect select data in transit to the chip. Every server connection with a chip is distinct from that of every other chip, so compromising one chip's unique key does not compromise other chips.

The secure protocols not only utilize the hardware and software provided, but also specify the participation of the chip author and the chip manager that controls the secure server. The chip manager incorporates its own business logic and models to authorize the enrollment, authentication, tracking, and provisioning of individual chips.

In addition to the on-chip hardware, the platform includes the corresponding at-server validation and configuration mechanisms and associated middleware that runs on the untrusted sites of the supply chain—noted in Figure 1 as appliances and agents, respectively. In other words, it comes with the two self-validating ends of the protocol and a software development toolkit (SDK) to help make the connection between them. The SDK includes middleware for the agents (both at-fab and in-field) as well as for the secure server.

HARDWARE OPERATIONS

The platform uniquely identifies and reliably authenticates each chip. It then tracks the chip and creates an audit trail that establishes its provenance. In addition, selected chip functions, including debug modes and I/O ports, can be enabled or disabled in the field after manufacturing in a secure way based on the chip's unique ID.

A one-time operation gathers enrollment data from the manufactured chip and stores it in a secure server, usually soon after wafer testing. This data consists of the chip's ID and DNA—protected helper data and the chip key—and is subsequently used to reliably identify the chip and to enable authentication and provisioning.

Authentication reliably demonstrates to the secure server that the chip is indeed the one it claims to be. This operation relies on a conventional challenge–response protocol that uses the protected chip key to encrypt the challenge and response, and a cipher-based message authentication code (MAC) to ensure the integrity of the data exchanged. The multicycle authentication protocol ensures that the chip is at the other end of the connection.

The secure server uses the chip's unique key to transmit the chip's current configuration of enabled and disabled features, which are based on the chip's unique ID. This configuration update, or provisioning, can be carried out in the field.

At important stages in the supply chain the chip connects to the secure server. The server authenticates the chip at each stage and records that event, establishing a reliable audit trail for the chip's progress and providing proof of provenance.

SECURITY CONTROLLER AND OTHER ON-CHIP RESOURCES

As Figure 2 shows, the security controller interfaces to the outside world via Joint Test Action Group (JTAG) or other I/O ports and executes our protocols utilizing low-level cryptographic primitives. These primitives are used to generate pseudorandom values and MACs and to decrypt protected values.

[Figure 2 is a diagram; only its labels survive: security controller with interface ports (JTAG, other I/O), cryptographic primitives and cipher-based MAC, SRAM PUF, nonvolatile memory, protocol engine, fingerprint ID, public chip ID, provisioning/authorization/metering codes, and life-cycle control; third-party IP blocks (CPU, IP2, IP3, memory) shown as enabled or disabled by the configuration register.]

FIGURE 2. Embedded security controller functionality and features. A key feature is a physically unclonable function (PUF), based on static RAM (SRAM) cells, that provides each chip with its own unique ID and DNA. JTAG: Joint Test Action Group; MAC: Message Authentication Code.

A logical configuration register stores the enable/disable state of provisioned subsystems and ensures that a given chip configuration controls any third-party IP. As Figure 3 shows, a provisioning bit sequence is loaded into the configuration register, and each IP reads its portion of the register to control its provisioned features.

Design goals

In developing the hardware, we had several design goals. To maximize detection of possible counterfeit chips, it is necessary to minimize the trust required of various supply-chain contributors. Our solution limits required trust to the design house, which adds our hardware to its chip, and the chip manager, which provides a secure server that connects to the chip with our protocols. In general, we do not rely on secure channels or reliable intermediaries for security because we authenticate the packets that are transmitted between the chip and server and encrypt sensitive information.

To provide strong protection at modest cost, we avoid the more expensive public-key cryptosystems like Rivest–Shamir–Adleman (RSA) or elliptic curve cryptography (ECC); instead, we use industry-standard symmetric encryption like Rijndael, the superset of the Advanced Encryption Standard (AES), between agent and chip, coupled with PUF-provided secrets. We also sought to keep costs low by not requiring a secure channel. Moreover, we leverage existing chip infrastructure and design-flow methodologies; for example, our initial hardware communications mechanism uses a JTAG interconnect and the existing design [text continues on a page not included here]

[Fragment from a column not included here: "... cells, provides part of the secret key ..."]

Figure 3 (message sequence between Chip, Agent, and Server):

Agent: start provisioning
Chip -> Agent: [ID, nonce1]
Agent -> Server: [ID, nonce1]
Server: use ID to look up chip info
Server -> Agent: [PHD, MacCode, nonce2, MAC(nonce1, nonce2)]
Agent -> Chip: [PHD, MacCode, nonce2, MAC(nonce1, nonce2)]
Chip: use the protected helper data (PHD) to recover the PUF; convert MacCode to MacKey; verify MAC to verify the server
Chip -> Agent: [MAC(nonce2, nonce1)]
Agent -> Server: [MAC(nonce2, nonce1)]
Server: verify MAC to verify the chip
Server -> Agent: [ProvCode, MAC(msg)]
Agent -> Chip: [ProvCode, MAC(msg)]
Chip: verify MAC; store ProvCode

FIGURE 3. Simplified provisioning protocol used to enable or disable chip features. A provisioning bit sequence is loaded into the logical configuration register, and each third-party IP reads its portion of the register to control its provisioned features.
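The Figure 3 exchange, as an added example that is not part of the paper or of Mentor Graphics' implementation: chip, untrusted agent, and server each play their role, with HMAC-SHA256 standing in for the cipher-based MAC and an XOR mask standing in for PUF helper data (both assumptions; the paper's encryption of the challenge and response and the PUF error correction are omitted). The class and function names and all sample values are constructed, and the agent is modelled as a bare relay so that a cloned chip without the PUF secret, or a ProvCode altered in transit, is rejected.

```python
import hmac, hashlib, secrets

# Constructed sample values (not from the paper): one chip's raw SRAM PUF response and
# the helper data (PHD) captured at enrollment. PHD here only masks the PUF response.
CHIP_ID = b"CHIP-0001"
PUF_RESPONSE = hashlib.sha256(b"constructed-sram-puf-sample").digest()
PHD = hashlib.sha256(b"constructed-helper-data").digest()

def mac(key, *parts):  # HMAC-SHA256 stands in for the paper's cipher-based MAC (assumption)
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
def mac_key(puf, phd, mac_code):  # recover the PUF secret via PHD, then MacCode -> MacKey
    return mac(bytes(a ^ b for a, b in zip(puf, phd)), mac_code)

class Chip:
    def __init__(self, chip_id, puf):
        self.chip_id, self.puf, self.prov_code = chip_id, puf, None
    def start(self):                                   # Chip -> Agent: [ID, nonce1]
        self.nonce1 = secrets.token_bytes(16)
        return self.chip_id, self.nonce1
    def auth_server(self, phd, mac_code, nonce2, tag): # Agent -> Chip: [PHD, MacCode, nonce2, MAC(nonce1, nonce2)]
        self.key = mac_key(self.puf, phd, mac_code)
        if not hmac.compare_digest(tag, mac(self.key, self.nonce1, nonce2)):
            return None                                # server failed to prove it holds MacKey
        return mac(self.key, nonce2, self.nonce1)      # Chip -> Agent: [MAC(nonce2, nonce1)]
    def provision(self, prov_code, tag):               # Agent -> Chip: [ProvCode, MAC(msg)]
        if hmac.compare_digest(tag, mac(self.key, prov_code)):
            self.prov_code = prov_code                 # loaded into the configuration register
        return self.prov_code == prov_code

class Server:
    def __init__(self):
        self.db = {}  # enrollment records: ID -> (PHD, MacCode, MacKey, ProvCode)
    def enroll(self, chip_id, puf, phd, prov_code):    # one-time step, soon after wafer test
        mac_code = secrets.token_bytes(16)
        self.db[chip_id] = (phd, mac_code, mac_key(puf, phd, mac_code), prov_code)
    def challenge(self, chip_id, nonce1):              # Server -> Agent: [PHD, MacCode, nonce2, MAC(nonce1, nonce2)]
        phd, mac_code, key, _ = self.db[chip_id]       # "use ID to look up chip info"
        self.pending = (chip_id, nonce1, secrets.token_bytes(16))
        return phd, mac_code, self.pending[2], mac(key, nonce1, self.pending[2])
    def verify_chip(self, proof):                      # Server -> Agent: [ProvCode, MAC(msg)], or None
        chip_id, nonce1, nonce2 = self.pending
        _, _, key, prov_code = self.db[chip_id]
        ok = hmac.compare_digest(proof, mac(key, nonce2, nonce1))
        return (prov_code, mac(key, prov_code)) if ok else None

def run_provisioning(chip, server):
    """Untrusted agent role: relay the messages of Figure 3 and report whether ProvCode landed."""
    chip_id, nonce1 = chip.start()
    proof = chip.auth_server(*server.challenge(chip_id, nonce1))
    resp = server.verify_chip(proof) if proof is not None else None
    return resp is not None and chip.provision(*resp)
```

Because the server's record holds only PHD and the derived MacKey, a counterfeit chip that lacks the enrolled PUF response cannot derive MacKey and the server's first MAC already fails on the chip side.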