Self-authenticating secure boot for FPGAs

2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) Pub Date : 2018-04-01 DOI:10.1109/HST.2018.8383919

Goutham Pocklassery, Wenjie Che, F. Saqib, Matthew Areno, J. Plusquellic

{"title":"Self-authenticating secure boot for FPGAs","authors":"Goutham Pocklassery, Wenjie Che, F. Saqib, Matthew Areno, J. Plusquellic","doi":"10.1109/HST.2018.8383919","DOIUrl":null,"url":null,"abstract":"Secure boot within an FPGA environment is traditionally implemented using hardwired embedded cryptographic primitives and NVM-based keys, whereby an encrypted bitstream is decrypted as it is loaded from an external storage medium, e.g., Flash memory. A novel technique is proposed in this paper that self-authenticates an unencrypted FPGA configuration bitstream loaded into the FPGA during startup. The power-on process of an FPGA loads an unencrypted bitstream into the programmable logic portion which embeds the self-authenticating PUF architecture. Challenges are applied to the components of the PUF engine both as a means of generating a key and performing self-authentication. Any modifications made to the PUF architecture results in key generation failure, and failure of subsequent stages of the secure boot process. The generated key is used in the second stage of the boot process to decrypt the programmable logic portion of the design as well as components of the software, e.g., Linux operating system and applications, that run on the processor side of the FPGA.","PeriodicalId":6574,"journal":{"name":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"65 1","pages":"221-226"},"PeriodicalIF":0.0000,"publicationDate":"2018-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2018.8383919","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Secure boot within an FPGA environment is traditionally implemented using hardwired embedded cryptographic primitives and NVM-based keys, whereby an encrypted bitstream is decrypted as it is loaded from an external storage medium, e.g., Flash memory. A novel technique is proposed in this paper that self-authenticates an unencrypted FPGA configuration bitstream loaded into the FPGA during startup. The power-on process of an FPGA loads an unencrypted bitstream into the programmable logic portion which embeds the self-authenticating PUF architecture. Challenges are applied to the components of the PUF engine both as a means of generating a key and performing self-authentication. Any modifications made to the PUF architecture results in key generation failure, and failure of subsequent stages of the secure boot process. The generated key is used in the second stage of the boot process to decrypt the programmable logic portion of the design as well as components of the software, e.g., Linux operating system and applications, that run on the processor side of the FPGA.

查看原文本刊更多论文

fpga的自认证安全引导

FPGA环境中的安全引导传统上是使用硬连接的嵌入式加密原语和基于nvm的密钥来实现的，其中加密的比特流在从外部存储介质(例如闪存)加载时被解密。本文提出了一种新技术，对FPGA启动时加载的未加密FPGA配置比特流进行自我认证。FPGA的上电过程将未加密的比特流加载到可编程逻辑部分，该部分嵌入了自认证PUF架构。挑战应用于PUF引擎的组件，既作为生成密钥的手段，也作为执行自我身份验证的手段。对PUF体系结构所做的任何修改都会导致密钥生成失败，以及安全引导过程的后续阶段失败。生成的密钥在启动过程的第二阶段用于解密设计的可编程逻辑部分以及软件组件，例如，Linux操作系统和应用程序，在FPGA的处理器端运行。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

自引率

0.00%

发文量