This study presents a method to perform secure partial reconfiguration of SRAM FPGAs by exploiting a configuration controller that enables the FPGA to dynamically reconfigure itself. The implementation includes a self-reconfiguring platform with an embedded processor core, allowing for partial reconfiguration of IP cores with encrypted data. Results show improved performance and security compared to traditional methods.
SECURE-PARTIAL RECONFIGURATION OF FPGAs
MSc. Fisnik KRAJA
Computer Engineering Department, Faculty Of Information Technology, Polytechnic University of Tirana, Albania

Topics Covered
• INTRODUCTION
• THE IMPLEMENTATION
• SOFTWARE ARCHITECTURE
• THE EXPERIMENT
• RESULTS
• CONCLUSIONS

Introduction
• SRAM FPGAs are configured by loading configuration data into an internal memory.
• The necessity of configuration makes it easier for attackers to
  • clone,
  • reverse engineer, or
  • tamper with the configuration bit-stream.
• Bit-stream encryption is the most effective and practical solution to improve the security of FPGAs.
• But it is not possible to use partial reconfiguration when the device is configured with an encrypted bit-stream.

The Solution that we give is…
• A method to
  • perform a secure partial reconfiguration and
  • improve the security of SRAM FPGAs
• by exploiting a configuration controller that
  • enables an FPGA to dynamically reconfigure itself
  • under the control of an embedded processor core.

Major components of the proposed scheme:
• PowerPC – Hard Processor Core
• MicroBlaze – Soft Processor Core

Major components of the proposed scheme: The embedded processor in the configuration controller is able to partially reconfigure portions of an application system with encrypted IP cores.
The Implementation (1)
• Self-reconfiguration is an advanced form of configuration in which
  • specific circuits on the FPGA are used to control the partial reconfiguration of a subset of the FPGA resources while
  • the rest of the device maintains correct operation.
• A self-reconfiguring platform allows an application to get reconfiguration data from an I/O interface such as a remote network or an external memory.
• In general, the design of an embedded processor system needs:
  • hardware components,
  • a memory map, and
  • a software application.

The Implementation (2)
• The application running on the embedded processor allows the processor to
  • read the partial bit-stream from an external memory,
  • authenticate the signed partial bit-stream,
  • decrypt the encrypted partial bit-stream, and
  • dynamically reconfigure part of the FPGA.
• The HWICAP module, used for reconfiguration, is also controlled through software, which facilitates reconfiguration.
• EDK (Embedded Development Kit) automatically creates the memory map of the system.

Hardware Internal Configuration Access Port
The HWICAP is used for reconfiguration. It enables the microprocessor to read and write the FPGA configuration memory, as well as to load partial bit-streams from system memory through the ICAP port.
• PLB (Processor Local Bus)
• OPB (On-chip Peripheral Bus)

Software Architecture
• The program running on the processor core uses
  • some basic standard C libraries,
  • VHDL code and
  • device drivers,
  since there is no operating system between the software and the hardware platform.
• The software performs the following tasks:
  • Authentication. Verifying the signed partial bit-stream against the stored MAC value.
  • Decryption. Decrypting the encrypted partial bit-stream using the stored key.
  • Configuration. Partially reconfiguring the other active system on the FPGA using the decrypted partial bit-stream.

The Main Self-Reconfiguring Advantage
• Increase of flexibility.
• The designer is able
  • to partition the application according to the necessary security level,
  • to choose the suitable algorithms for the authentication and decryption, and
  • to upgrade the algorithms without any change in the implemented design.

Experiment Methodology
To generate a partial bit-stream we had to implement a partially reconfigurable design consisting of:
• Static Sub-system.
  • The self-reconfiguring system was considered to be the static module of the design.
• Reconfigurable Sub-system.
  • An additional system was implemented in the form of a microcontroller as the target of partial reconfiguration.

The Scenario for the experiment
• The self-reconfiguring system
  • reads an authenticated and encrypted partial bit-stream stored in an external memory,
  • authenticates and decrypts it, and
  • sends it to ICAP to change the reconfigurable system.
• The secret key is stored in the program running on the self-reconfiguring platforms, even though other cases, such as providing the key as a password, are also possible.

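The authenticate, decrypt, configure sequence from the Software Architecture and Scenario slides, modelled on a host as an added example (not the presenter's bare-metal C program). Assumptions: the MAC is HMAC-SHA256 computed over the encrypted bit-stream, separate MAC and decryption keys are used, the cipher is a SHA-256 counter keystream standing in for whatever algorithm the designer selects, and `FakeIcap` is a hypothetical substitute for the HWICAP driver.

```python
import hashlib
import hmac

MAC_KEY = b"constructed-mac-key"  # constructed sample key (assumption)
ENC_KEY = b"constructed-enc-key"  # constructed sample key (assumption)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (not the page's algorithm)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class FakeIcap:
    """Hypothetical stand-in for the HWICAP driver: records what is written."""
    def __init__(self):
        self.written = []

    def write(self, frame_data: bytes) -> None:
        self.written.append(frame_data)


def secure_reconfigure(encrypted: bytes, stored_mac: bytes, icap: FakeIcap) -> bool:
    # 1. Authentication: recompute the MAC and compare in constant time.
    computed = hmac.new(MAC_KEY, encrypted, hashlib.sha256).digest()
    if not hmac.compare_digest(computed, stored_mac):
        return False  # rejected before decryption; ICAP is never touched
    # 2. Decryption with the stored key.
    plain = keystream_xor(ENC_KEY, encrypted)
    # 3. Configuration: only authenticated, decrypted data reaches ICAP.
    icap.write(plain)
    return True


# Constructed sample data: a fake partial bit-stream, encrypted and MACed offline.
PARTIAL = bytes(range(64)) + b"constructed partial bit-stream"
ENCRYPTED = keystream_xor(ENC_KEY, PARTIAL)
STORED_MAC = hmac.new(MAC_KEY, ENCRYPTED, hashlib.sha256).digest()

if __name__ == "__main__":
    good, bad = FakeIcap(), FakeIcap()
    print(secure_reconfigure(ENCRYPTED, STORED_MAC, good), good.written == [PARTIAL])
    tampered = bytes([ENCRYPTED[0] ^ 1]) + ENCRYPTED[1:]
    print(secure_reconfigure(tampered, STORED_MAC, bad), bad.written)
```
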
Results
• The PowerPC system performed faster in both the authentication and decryption phases of the application.
  • The better performance of the PowerPC system could be due to the fact that its instruction set executes most of the instructions in a single cycle.
• On the other hand, the MicroBlaze system gives better performance when working with the HWICAP module and therefore achieves a higher throughput for configuration.
  • The reason might be the presence of the extra PLB bus and PLB to OPB bridge in the PowerPC system.
• The device utilization is close for both systems.

Conclusions
• This self-reconfiguring platform was realized for both hard and soft embedded processor cores.
  • The differences between them are not large.
• A program was developed to demonstrate that the FPGA can be reconfigured with an encrypted partial bit-stream stored in an external memory, using software cores for authentication and decryption.
• A partial bit-stream has been generated using the module-based flow, targeting an active system placed in the FPGA beside the self-reconfiguring platform.
• A partially reconfigurable design was created to demonstrate the advantages and problems of this flow.

Thank You! For The Attention! Maybe You Have Questions?! fkraja@fie.upt.al