On the Integration of Physically Unclonable Functions into ARM TrustZone Security Technology

As Internet of Things (IoT) devices are increasingly used in industry and become further integrated into our daily lives the security of such devices is of paramount concern. Ensuring that the large amount of information that these devices collect is protected and only accessible to authenticated users is a critical requirement of the industry. One potentially inexpensive way to improve device security utilises a Physically Unclonable Function (PUF) to generate a unique random response per device. This random response can be generated in such a way that it can be regenerated reliably and repeatably allowing the response to be considered a signature for each device. This signature could then be used for authentication or key generation purposes, improving trust in IoT devices. The advantage of a PUF based system is that the response does not need to be stored in nonvolatile memory as it is regenerated on demand, hardening the system against physical attacks. With SoC FPGAs being inexpensive and widely available there is potential for their use in both industrial and consumer applications as an additional layer of hardware security. In this paper we investigate and implement a Trusted Execution Environment (TEE) based around a PUF solely implemented in the FPGA fabric on a Xilinx Zynq-7000 SoC FPGA. The PUF response is used to seed a generic entropy maximisation function or Pseudorandom Number Generator (PRNG) with a system controller capable of encrypting data to be useful only to the device. This system interacts with a software platform running in the ARM TrustZone on the ARM Cortex core in the SoC, which handles requests between user programs and the FPGA. The proposed PUF-based security module can generate unique random keys able to pass all NIST tests and protects against physical attacks on buses and nonvolatile memories. These improvements are achieved at a cost of fewer than half the resources on the Zynq-7000 SoC FPGA.