1、The Practical Use Cases of the RISC-V IOPMP Andes SoCs Rapid-k ModelAugust 24,2023Dr.Paul Shan-�������Chyun KuAndes TechnologySpeaker:Dr.Paul Shan-Chyun KuExperience:The Chair of IOPMP Task Gro��������up(2022-)The Vice-chair of TEE TG(2021-2022)Deputy Technical Director,Andes TechTaking RISC-V Mainstream3A Typical
2、 PlatformInterconnect-1RISC-V CPUAddr,Len,R/W/XDMA,NIC,orDisplay CTLRD�������SP/GPUAddr,Len,R/W/XAddr,Len,R/Winterconnect-2devicesdevicesdevicesFlash memorySRAM/DRAMCrypto EngineAddr,Len,R/Wregionregionregionregionregionregiondevicesdevi���cesPMPTaking RISC-V Mainstream4Subject to change without noticeCopyrig
3、ht 2021 ��������Andes TechnologyVulnerability and Threat RISC-V CPUs transa������ctions are checked by PMP/ePMP:By Where,How,and Which to access The other I/O agents:DSP,GPU,DMA,NIC,LCDC Transactions from them are NOT CHECKED vulnerability!A malicious SW that can control the I/O agents to access anywhere becomes
4、the threat.EX:an attack asks the I/O agent to read the sensitive asset without PMP/ePMPs check and store it to its own legal space.IOPMP is the tool to mitigate the such a t����hreat.The IOPMP task group under the RISC-V international is working on the architecture spec.Taking RISC-V Mainstream5A Platfo
5、rm with IOPMPsInterconnect-1 w/SIDCPUSIDAddr,Len,R/W/XDMA,or OtherI/O AgentDSP/GPUSIDAddr,Len,R/W/XSIDAddr,Len,R/Winterconnect-2 w/o SIDIOPMP-3devicesdevicesdevicesIOPMP-2FlashIOPMP-1SRAM/DRAM������entries entries entries Crypto EngineSIDAddr,Len,R/WSIDSIDSIDregionregionregionregionregionregionCTRLCTRLCTR
6、LPMPTaking RISC-V Mainstream6Crypto Engine Read Privat KeyInterconnect w/SIDSID=0Addr,Len,R/W/XDMAGPUSID=1Addr,Len,R/W/XSID=3Addr,Len,R/Winterconnect-2 w/o SIDIO�������PMP-3devicesKey(RoT)devicesIOPMP-2FlashIOPMP-1SRAM/DRAMCrypto EngineSID=2Addr,Len,R/WSIDSIDSIDregionregionregionregionregionregionCTRLCTRLC
7、TRLCPUPMPTaking RISC-V Mainstream7Crypto Engine Read Privat KeyInterconnect w/SIDSID=0Addr,Len,R/W/XDMAGPUSID=1Addr,Len,R/W/XSID=3Addr,Len,R/Winterconnect-2 w/o SIDIOPMP-3devicesKey(RoT)devicesIOPMP-2FlashIOPMP-1SRA��������M/DRAMSID=2,Key(RoT),RCrypto EngineSID=2Addr,Len,R/WSIDSIDSIDregionregionregionregion
8、regionregionCTRLCTRLCTRLCPUPMPAndes IoT Platform with IOPMPLCD CTLRDMA CTLR 0I2CUART 0/1RTCGPIOPWM/PITQSPI1WDTAXI/AHB Bus MatrixPLICInterrupt RequestsCPU Core Initiator targetQSPI0Rapid-k IOPMPTRNGRoot-of-trustI/O agentTarget deviceSecurity-relate������d IPdata local memory(DLM)MMIO BridgeIOPMP CTLRFlas����h
9、CTLR flash deviceIdempotent deviceNICMMIO checkerDMA CTLR 1instruction local memory(ILM)PMPCrypto EngineIO agentsAndes IoT Platform with IOPMPLCD CTLRDMA CTLR 0I2CUART������� 0/1RTCGPIOPWM/PITQSPI1WDTAXI/AHB Bus MatrixPLICInterrupt RequestsCPU Core Initiator targetQSPI0IOPMPRapid-k IOPMPTRNGRoot-of-trustI/
10、O agentTarget deviceSecurity-related IPdata local memo�������ry(DLM)MMIO BridgeIOPMP CTLRFlash CTLR flash deviceIdempotent deviceNICMMIO checkerDMA CTLR 1instruction local memory(ILM)PMPCrypto EngineIO agentsAndes IoT Platform with IOPMPLCD CTLRDMA CTLR 0I2CUART 0/1RTCGPIOPWM/PITQSPI1WDTAXI/AHB Bus MatrixP
11、LICInterrupt RequestsCPU Core Initiator targetQSPI0IOPM������PRapid-k IOPMPTRNGRoot-of-trustI/O agentTarget deviceSecurity-related IPdata local memory(DLM)MMIO BridgeIOPMP CTLRFlash CTLR flash deviceIdempotent devic�����eNICMMIO checkerDMA CTLR 1instruction local memory(ILM)PMPCrypto EngineIOPMPIO agentsAndes
12、IoT Platform with IOPMPLCD CTLRDMA CTLR 0I2CUART 0/1RTCGPIOPWM/PITQSPI1WDTAXI/AHB Bus MatrixPLICInterrupt RequestsCPU Core Initiator targetQSPI0IOPMPRapid-k IOPMPTRNGRoot-of-trustI/O agentTarget deviceSecurity-related IPdata local memory(DLM)MMIO BridgeIOPMP CTLRFlash CTLR flash dev������iceIdempotent dev
13、iceNICMMIO checkerDMA CTLR 1instruction local memory(ILM)PMP?Crypto EngineIOPMPIO agentsTaking RISC-V Mainstream12Subject to change without noticeCopyright 2021 Andes Technology.����IOPMP Rapid-k ModelPrioritized PMP-like entriesm MD (m x k)entriesIOPMP Entry Arrayan entry=memory region,R/WMD 0MD m-1k���� e
14、ntriesk entriesSID 010.1MD 1MD m-2SID n-1Taking RISC-V Mainstr������eam13Subject to change without noticeCopyright 2021 Andes Technology.IOPMP Rapid-k ModelPrioritized PMP-like entriesm MD (m x k)entriesIOPMP Entry Arrayan entry=memory region,R/WMD 0MD m-1k entriesk entriesSID 001.10SID s10.1MD 1MD m-2SID
15、 n-1Taking RISC-V Mainstream14Why Rapid-k Model Why the rapid-k mode������l?Moderately complex:It has the bitma����p mapping from a SID to its associated MDs,but No table mapping from a MD to its entries.Compare to the full model:The full model is more flexible to manage MDs and their entries.The rapid-k mode
16、l has simpler design,s������horter the latency and/or fewer cycles to fetch entries.Compare to the compact and isolation model:The two models do not support shared MD,so more entries would be needed.Taking RISC-V Mainstre����am15Config the Rapid-k Model How many SID?A SID per I/O agent and/or per channel?How
17、to pick up k?Strongly depends on your application;rule of thumb:Average number of entries per MD:612 k=416 How many MDs?Total number of entries used by all SIDs in the runtime.Any SID switch between different memory regio������ns and permissions in a high frequency?Switc��������h SID-to-MD mapping instead of upda
18、ting entries contentsTaking RISC-V Mainstream16Concluding Remarks Introduc������ed the IOPMP rapid-k model Explained why the rapid-k model in Andes IoT Platform Analyzed the factors for configuring the rapid-k modelThank You17The practical use cases of the RISC-V IOPMP-Exemplary Usage Model Channing Tang,
19、Dr.|2023 China RISC-V S�����ummit/2023-08Speaker:Dr.Channing Tang Vice chair of the RISC-V IOPMP TG.Senior HW Architect with Nvidia,she is focuses on the hardware architecture and design of security system.Threats from and to the SoC System1.Unauthorized access from external initiators,e.g.,power uContro
20、ller,to the RISC-V sub-system local IO devices2.Unauthorized access from sub-system to SoC IO devices 3.Spoofing to the protected memory regions,e.g.,boot time data v.s.,runtime dataExternal Threats to the Secure Sub-SystemThreat ModelingWhat should������� be protected and Who wants to attackSoC System Mem
21、ory FabricRI������SC-V Sub-SystemSoC System Control FabricTimerSensorMain MemoryNon Volatile MemoryVideo Protected Memory2.1.3.Boot TimeRunTimePoweruControllerMem Enc/DecuControllerVideo uControllerEncrypted MemoryThreat ModelingWhat should be protected and Who wants to attackInternal Threat to the Secure
22、 Sub-SystemThreats Internally in the Sub-system1.Access Isolation to local memories among different devices 2.Access Isolation to loca��������l devices among different runtimesRISCV HartsRISCV HartsDMACrypto-EnginesInterrupt ControllerTimerMailboxLocal Memory FabricROMITCMDTCMTo System MemoryL������ocal Control F
23、abricTo System ControlTo System Memory FabricTo System Control FabricRISC-V based Sub-SystemFrom System Control Fabric1.2.Position of the IOPMP in SystemHow to Integrate the IOP����MP to the SystemTwo IOPMP Instances for each RISC-V based Sub-SystemAn IOPMP for Control Plane Access controls for RISC-V h
24、arts to local and System IO devices Access controls for local initiator peripherals,e.g.,DMA,to local and system IO devices.An IOPMP for Data Plane Access controls for local initiator peripherals to local memories Access controls f���or local initiator peripherals to global memories RISC-V harts access
25、ing memories can be protected by PMPs.SID Config RegistersRISC-V based Sub-SystemPMPRISC-V Hart(s��������)Other Local InitiatorsLocal Control FabricSystem Control Fab������ricLocal Data FabricSystem Data FabricSID ConfigSID ConfigControl Bus IOPMPData Bus IOPMPIOPMP Model and ParametersIOPMP Full Model is Adopted
26、 Flexible SW can determine�������� the number of entries belongs to each MD.����Less fragmentation on IOPMP entries Rapid-K or Dynamic-K model although is easier for HW implementation but may end up with entries not used or insufficient in certain MDs.Typical IOPMP Parameters Used in Different Sub-Systems Secur
27、ity Critical Configuration:Security critical requirement Frequent SW context swi������tch 12 SID(s)per SW context:a SID can be assigned to multiple HW initiators.Light Configuration:Bare metal usage model Limited access to system memory and system control fabric HW initiator to SID mapping are semi-static
28、(programmed once during boot time)#of SW contexts#of HW initiators#of SID(s)#of MD(s)#of entriesSecurity Critical Configuration896=64256Light Configuration1248481616Setting up IOPMP rules st������age by stage:Boot Loader Using highest prioritized entries and set lock Block any runtime from acce
29、ssing critical sections,e.g.,key registers and ROM.Minimal rules for Secure Monitor to run�������� Secure Monitor Common I�����OPMP rules that needed for each RTIOPMP Usage ModelExample for Security Critical ConfigurationsBoot LoaderDerive Boot-time and Runtime KeysLoad and Authenticate FWSecure MonitorRuntime S
30、WInitialize Secure MonitorInitialize RT#0Initialize RT#1Initialize RT#nSetup IOPMP Rules:1.Key Protection;2.Secure Monitor Rules.Lock the rulesSetup per Runtime IOPMP RulesIOPMP Usage ModelExample with Security Cri�������tical ConfigurationsBootITCMDTCMMemory SpaceMMIO SpaceBo�������otLoaderSecure MonitorSM DataR
31、WRT#0RT#1Ext MemCFG RegistersR,WM-mode:SID0Sub-M:SID1 SID2 SID3 SID4 SID4RT#2 SID4RT#nSM CodeROMBoot Key RegsRT#0R����T#0RWExt.Reg.Grp0Ext.Reg.Grp1R,WR,WR,WRWRWRWRWRWRT#1 Sub-system Assumption:Multi-hart RISC-V sub-system Multiple RunTimes(RT)Each RT is allocated with 12 SIDs Security critical Boot Load
32、er Can access the entire address space Secure Monitor Has no access to the Boot protected space and TCM region containing SM code.Has r/w access to the rest of the address space.RTs Only has access to each own memory region Only has access������ to limit IO spaceIOPMP Usage ModelExample with Security Crit
33、ical ConfigurationsnRWnRWnRWRWEntry01234067D-Bus IOPMPC-Bus IOPMPMD0MD1MD2MD0MD1BootITCMDTCMMemory SpaceMMIO SpaceSM DataExt MemCFG,Mailbox RegistersSM CodeROMBoot Key RegsRT#0RT#0Ext.Reg.Grp0Ext.Reg.Grp1RWRWRWRW5678RWRWRWRWRW910RW��������R0RWRWRWRWMD3MD4MD5MD2MD386364 Denylist region set at boot time,to en
34、sure privileged runtime SW cannot override:Uses the most prioritized MDs and entriesSet the regions to nR/nWCorresponding MDs and������ Entries are sticky locked.IOPMP Usage ModelExample with Security Critical ConfigurationsRWRWnRWnRWnRWRWEntry01234067D-Bus IOPMPC-Bu�������s IOPMPMD0MD1MD2MD0MD1BootITCMDTCMMemor
35、y SpaceM�����MIO SpaceSM DataExt MemCFG,Mailbox RegistersSM CodeROMBoot Key RegsRT#0RT#0Ext.Reg.Grp0Ext.������Reg.Grp1RWRWRWRW5678RWRWRWRWRW910RWR0RWRWRWRWMD3MD4MD5MD2MD386364 RTs do not share SID/MD/Entries if all rules can fit in the IOPMP,e.g.,RT#0 and RT#1 rules are configured once by the SM.IOPMP Usage Mo
36、delExample with Security Critical ConfigurationsR,WR,WRWRWRWRWnRWnRWnRWRWEntry01234������067D-Bus IOPMPC-Bus IOPMPMD0MD1MD2MD0MD1BootITCMDTCMMemory SpaceMMIO SpaceSM DataExt MemCFG,Mailbox RegistersSM CodeROMBoot Key RegsRT#0RT#0Ext.Reg.Grp0Ext.Reg.Grp1RWRWRWRW5678RWRWRWRWRW910RWR0RWRWRWRWMD3MD4MD5MD2MD38
37、6364 RT#2 RT#n will share some SID/MD/EntriesRT#2 RT#n has similar SWRT#2 RT#n may not run concurrently,depending on#of hartsMay only update MD5 for context switch among RT#2RT#nAcknowledgementI wish to ac�����knowledge the contribution of colleagues from NVIDIAHW Team:Andy Ma,Howard Zhang,Xin Lv,Y������udi LiuSW Team:Alon Shenfield,Marko Mitic,Yitian Chen
sgpjbg002
工作日 8:30 - 17:30
报告分类
