Detect, Protect, and Recover with Mach-NX Secure Control FPGAs
Posted 12/08/2020 by PJ Chiang
If you’ve been longing for the ability to protect your system firmware and provide secure boot capability with a NIST PFR compliant design that you can develop quickly and easily, then I’m about to make you very happy indeed.
Without wanting to boast, I should perhaps start by noting that Lattice has carved out a leadership position when it comes to implementing control functions in the servers used in data centers. The flash-based configuration of Mach FPGAs provides “instant-on” capabilities that allow them to be the platform’s first-on, last-off devices. In fact, Mach FPGAs have an attach rate of over 80 percent on current shipping server platforms.
Unfortunately, we live in a highly connected world that is subject to cyberattack from myriad sources. Cybersecurity has developed into an “arms race” in which hackers and other nefarious players are constantly trying to gain access and take control of systems in order to steal data and intellectual property, destroy data and crash systems, or pressure companies, institutions, and individuals to pay ransoms. One can only imagine how the manager of a factory would feel to receive a message saying something like, “We’ve cracked your security. We have control of your servers. Unless you transfer a bitcoin ransom in the next 24 hours, we will shut down your production and wipe all your files.”
It’s no longer sufficient to attempt to “bolt-on” security solutions “after the fact.” Instead, it has become mission-critical and safety-critical for security to be implemented and maintained at the lowest possible levels of the system in the form of a hardware root of trust (HRoT). In order to address this requirement, Lattice first introduced the MachXO3D™ family of FPGAs, which augment traditional Mach control capabilities with a wide variety of security features, including an Immutable Security Engine that offers pre-verified cryptographic functions such as ECDSA, ECIES, AES, SHA, HMAC, TRNG, Unique Secure ID, and public/private key generation.
The Mach-NX family is the third FPGA family based on the Lattice Nexus™ FPGA development platform that Lattice released earlier this year. In order of release, these families are as follows:
- CrossLink™-NX: Video bridging and processing for a wide range of imaging, machine vision, and artificial intelligence (AI) applications.
- Certus™-NX: General-purpose FPGAs suited for a wide variety of applications.
- Mach™-NX: Next-generation hardware security for programmable system control.
As defined by NIST SP 800-193, platform firmware resiliency (PFR) involves protection, detection, and recovery. Protection includes protecting the platform’s firmware and critical data from corruption and ensuring the authenticity and integrity of any firmware updates. Detection includes cryptographically detecting corrupted platform firmware and critical data, both when the system is first powered on and following any in-system updates. Recovery includes initiating a trusted recovery process and restoring any corrupted platform firmware and critical data to its previous value.
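The protect, detect, and recover flow described above, as an added sketch that is not Lattice code or part of the original post. HMAC-SHA384 under a constructed key stands in for the signature check, and the `Flash` class, the function names, and the sample images are hypothetical.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA384 under a key held by the root of trust stands in for
# the signature check. Key and images are constructed sample values.
ROT_KEY = b"constructed-demo-key"

def sign_manifest(image: bytes, key: bytes = ROT_KEY) -> dict:
    """Manifest = SHA-384 digest of the image plus a tag over that digest."""
    digest = hashlib.sha384(image).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha384).hexdigest()
    return {"digest": digest, "tag": tag}

def is_authentic(image: bytes, manifest: dict, key: bytes = ROT_KEY) -> bool:
    """Detection: the tag must verify and the image must match the digest."""
    expected = hmac.new(key, manifest["digest"].encode(), hashlib.sha384).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False
    actual = hashlib.sha384(image).hexdigest()
    return hmac.compare_digest(actual, manifest["digest"])

class Flash:
    """Hypothetical layout: an active region and a protected recovery copy."""
    def __init__(self, image: bytes, manifest: dict):
        self.active = (image, manifest)
        self.recovery = (image, manifest)

def apply_update(flash: Flash, image: bytes, manifest: dict) -> bool:
    """Protection: only an authenticated update reaches the active region."""
    if not is_authentic(image, manifest):
        return False
    flash.active = (image, manifest)
    return True

def boot_check(flash: Flash) -> str:
    """Power-on detection, then recovery from the protected copy if needed."""
    if is_authentic(*flash.active):
        return "boot"
    if not is_authentic(*flash.recovery):
        return "halt"  # no trusted image left to restore
    flash.active = flash.recovery
    return "recovered"

if __name__ == "__main__":
    v1 = b"firmware v1 (constructed)"
    flash = Flash(v1, sign_manifest(v1))
    flash.active = (v1 + b"\x00implant", flash.active[1])  # simulated corruption
    print(boot_check(flash), flash.active[0] == v1)
```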
Mach-NX devices fully address PFR requirements. The combination of Mach-NX programmable logic, a 384-bit crypto engine, and a secure dual-boot configuration block provides flexibility during design implementation and enables secure updates after the system has been deployed.
The Mach-NX family is processor agnostic and supports processors from all the major vendors, including Intel, AMD, and ARM. At the time of this writing, most PFR implementations use 256-bit encryption, decryption, public/private key generation, and so forth. Next-generation platforms will use 384-bit crypto-engines. The Mach-NX FPGAs support both 256-bit and 384-bit cryptographic applications, meeting requirements both today and in the future.
Mach-NX devices are equipped with a state-of-the-art hard RISC-V processor core, which can be used to configure and control all of the security features. In turn, the Lattice Propel™ graphical design environment can be used to quickly and easily configure and program the RISC-V subsystem.
This configuration includes the number of PFR Channels, the number of SPI memories, the number of monitors, the assignment of GPIO pins to be used by the processor or the programmable fabric, and so forth. Propel also provides design templates that make it easy to start software development and it includes an Eclipse-based IDE and compiler to build the system and package all of the hardware and software files.
Using Mach-NX FPGAs to control and secure systems results in dynamic, real-time, end-to-end coverage that addresses PFR protection, detection, and recovery from the instant the system is powered up to the moment it is powered down again.
In the case of power-up protection, in addition to authenticating its own firmware, the Mach-NX can monitor and authenticate the firmware associated with each of the other devices typically found in a system. This authentication is typically 2X to 6X faster than implementations based on other FPGAs, MCUs, or board management controllers (BMCs). Your knee-jerk reaction may be that the difference between 5 seconds and 10 to 30 seconds is no big deal, but this difference becomes extremely substantial in the case of equipment needing to achieve 99.999% (5 nines) uptime where only 5 minutes of downtime is allowable each year.
Building secure systems from the ground up is expensive, time-consuming, resource-intensive, and involves a substantial amount of compliance testing and certification. Mach-NX devices implement cutting-edge security features in hardware that is based on pre-certified IP building blocks that already meet robust standards and protocol compliance requirements.
Another aspect of security we should at least touch on here is that of the supply chain, which commences with the component supplier and includes system developers, system integrators, manufacturers, distributors, and dealers. There are attack points throughout the supply chain where a system can be hacked with the possibility of compromised firmware being uploaded. In order to address this, each Mach-NX device is equipped with a unique, hard-coded ID. Furthermore, the Lattice SupplyGuard™ service provides customers with factory-locked devices that can only be programmed using a configuration bitstream that has been developed, signed, and encrypted by the intended customer.
Although I’ve concentrated on “Big Iron” servers in the data centers forming the heart of the cloud in this blog, there is increasing interest in deploying PFR across multiple markets, including communications, industrial, and automotive, all the way to client computers and edge devices. This means that every developer is going to be faced with the problem of addressing security concerns in the not-so-distant future. If (when) you find yourself in this position, we are ready to help.