Affiliation:
1. Department of Computer and Network Engineering, The University of Electro-Communications (UEC), Tokyo 182-8585, Japan
2. Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology (HCMUT), 268 Ly Thuong Kiet St., Dist. 10, Ho Chi Minh City 740050, Vietnam
Abstract
The Trusted Execution Environment (TEE) is designed to establish a safe environment that prevents the execution of unauthenticated programs. At its core, a TEE relies on a continuous verification process of hashing, signing, and verifying. Such a process is called the Chain-of-Trust, and it is derived from the Root-of-Trust (RoT). Typically, the RoT is pre-programmed, hard-coded, or embedded in hardware, where it is produced locally and checked before booting. The TEE employs various cryptographic processes throughout the boot process to verify the authenticity of the bootloader. It also validates other sensitive data and applications, such as software connected to the operating system. A TEE is a self-contained environment and should not serve as the RoT or handle secure boot operations itself. Therefore, the issue of implementing hardware for the RoT has become a challenge that requires further investigation and advancement. The main objective of this proposal is to introduce a secured RISC-V-based System-on-Chip (SoC) architecture capable of securely booting a TEE using a versatile boot program while maintaining complete isolation from the TEE processors. The suggested design has many cryptographic accelerators essential for the secure boot procedure. Furthermore, a separate 32-bit MicroController Unit (MCU) is concealed from the TEE side. This MCU manages sensitive information, such as the root key, and critical operations such as the Zero Stage BootLoader (ZSBL) and the key generation program. Once the RoT is integrated into the isolated sub-system, it becomes completely unavailable from the TEE side by any method, even after booting. Besides providing a secured boot flow, the system is integrated with essential crypto-cores supporting Transport Layer Security (TLS) 1.3. The chip is finally fabricated using the Complementary Metal–Oxide–Semiconductor (CMOS) 180 nm process.
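The Chain-of-Trust the abstract describes (hash, sign, verify, rooted in a key the TEE side can never read) modelled in software, as an added example that is not the paper's own code or design: the `RootOfTrust` class stands in for the hidden MCU, HMAC-SHA256 is an assumed stand-in for the SoC's asymmetric signature accelerator, and the stage names and images are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    next_digest: bytes  # link() of the following stage, b"" for the last one
    tag: bytes = b""    # RoT signature over this stage's link(); first stage only

class RootOfTrust:
    """Stands in for the hidden MCU: it holds the root key and answers verify()
    requests but never hands the key out. HMAC-SHA256 is an assumed stand-in
    for the SoC's asymmetric signature accelerator."""
    def __init__(self, root_key: bytes) -> None:
        self.__root_key = root_key
    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.__root_key, data, hashlib.sha256).digest()
    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), tag)

def link(image: bytes, next_digest: bytes) -> bytes:
    """Measurement of a stage: its code plus its commitment to the next stage."""
    return hashlib.sha256(image + next_digest).digest()

def build_chain(rot: RootOfTrust, images: list) -> list:
    """Provisioning: link stages back to front so each commits to its successor,
    then have the RoT sign only the first link."""
    stages, nxt = [], b""
    for name, image in reversed(images):   # images: [(name, bytes), ...]
        stages.insert(0, Stage(name, image, nxt))
        nxt = link(image, nxt)
    first = stages[0]
    stages[0] = Stage(first.name, first.image, first.next_digest, rot.sign(nxt))
    return stages

def boot(rot: RootOfTrust, stages: list) -> list:
    """ZSBL-side walk: the RoT authenticates the first stage, then each verified
    stage vouches for the next. Returns the names of stages allowed to run."""
    first = stages[0]
    if not rot.verify(link(first.image, first.next_digest), first.tag):
        return []
    booted, expected = [first.name], first.next_digest
    for stage in stages[1:]:
        if not hmac.compare_digest(link(stage.image, stage.next_digest), expected):
            break
        booted.append(stage.name)
        expected = stage.next_digest
    return booted
```

A modified image anywhere in the chain stops the boot at that stage, and a chain relinked under a different key is rejected at the first link because only the isolated RoT can produce the signature.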