Beyond using cryptographic functions to secure data transmitted and stored by IoT edge devices, there are other requirements for protecting the device or platform itself. That protection ranges from detecting physical tampering and triggering countermeasures to sandboxing untrusted applications so that malware cannot compromise the rest of the software. Platform security typically starts with hardware and software Root of Trust components that are trusted by design rather than verified at run time. Building on that trusted starting point, a processor can boot securely and then load and verify application software before it begins executing it.
One way to create a Root of Trust is to add a dedicated security processor with its own, completely separate memory to perform these functions. However, this is not always feasible given SoC area and power constraints. This approach also requires a secure communication path between the two processors, such as an additional isolated shared memory or a dedicated interface between the CPUs, which adds further area and design effort.
Another option is to create a trusted execution environment on a single, ultra-low-power core. This option reduces system cost and energy consumption by sharing the same processor and memory between security functions and the other system tasks. It requires that the processor support multiple privilege levels for access control, a bus-state signal that indicates whether the processor is currently in secure mode, and a memory protection unit that can allocate memory regions and restrict access to each of them according to the privilege level. An example of a trusted execution environment on an ultra-low-power core is Synopsys SecureShield™ technology for ARC processors.
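The two mechanisms described above, verifying an image against a Root of Trust before executing it and then confining the application with a privilege-based MPU, are modeled together in the following added example. This is illustrative code written for this page, not Synopsys or ARC code, and it makes several assumptions: the Root of Trust holds a symmetric boot key (here a constant standing in for a value fused into OTP), images are authenticated with HMAC-SHA256 rather than a public-key signature, the image header layout is invented, and the MPU is a software model whose region table and address map are constructed for the example.

```python
"""Secure-boot-style image verification plus a privilege-based MPU model.

Added example, not Synopsys/ARC code. Hypothetical assumptions:
  - the Root of Trust holds a symmetric boot key in OTP (a constant here)
  - images carry an HMAC-SHA256 tag instead of a public-key signature
  - the header layout and the address map are invented for illustration
"""
import hashlib
import hmac
import struct

# Constructed stand-in for a key fused into OTP; never a constant in real firmware.
ROOT_OF_TRUST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

MAGIC = b"IMG1"
HEADER_FMT = "<4sII"          # magic, version, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32
MAX_IMAGE_LEN = 256 * 1024    # size of the executable region the image is loaded into


def build_image(version: int, payload: bytes, key: bytes = ROOT_OF_TRUST_KEY) -> bytes:
    """Signing side (what a production line would do): header || payload || tag."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(blob: bytes, min_version: int, key: bytes = ROOT_OF_TRUST_KEY):
    """Return (ok, reason). Each field is validated before anything relies on it.

    Sizes and the length field are checked first so a malformed header cannot
    cause an out-of-bounds read; the tag is checked before the version so the
    anti-rollback floor is only ever compared against an authenticated value."""
    if len(blob) < HEADER_LEN + TAG_LEN or len(blob) > MAX_IMAGE_LEN:
        return False, "image size out of range"
    magic, version, length = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        return False, "bad magic"
    if length != len(blob) - HEADER_LEN - TAG_LEN:
        return False, "length field does not match image"
    signed, tag = blob[:HEADER_LEN + length], blob[HEADER_LEN + length:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return False, "authentication tag mismatch"
    if version < min_version:
        return False, "version below anti-rollback floor"
    return True, "ok"


class MemoryProtectionUnit:
    """Software model of a privilege-aware MPU.

    Regions are (base, size, needs_privilege, writable). An access that matches
    no region is denied, which is the safe default for a secure MPU."""

    def __init__(self):
        self.regions = []

    def add_region(self, base, size, needs_privilege, writable):
        if size <= 0 or size & (size - 1) or base % size:
            raise ValueError("region must be power-of-two sized and naturally aligned")
        for b, s, _, _ in self.regions:
            if base < b + s and b < base + size:
                raise ValueError("overlapping region")
        self.regions.append((base, size, needs_privilege, writable))

    def check(self, addr, privileged, write=False):
        """privileged mirrors the bus-state signal: True while in secure mode."""
        for base, size, needs_priv, writable in self.regions:
            if base <= addr < base + size:
                if needs_priv and not privileged:
                    return False
                if write and not writable:
                    return False
                return True
        return False


def boot(blob: bytes, min_version: int):
    """Root-of-Trust boot flow: verify, then lock down memory before the app runs."""
    ok, reason = verify_image(blob, min_version)
    if not ok:
        return False, reason
    mpu = MemoryProtectionUnit()                       # constructed address map
    mpu.add_region(0x0000_0000, 0x10000, needs_privilege=True, writable=False)   # boot ROM
    mpu.add_region(0x1000_0000, 0x1000, needs_privilege=True, writable=True)     # key store
    mpu.add_region(0x2000_0000, MAX_IMAGE_LEN, needs_privilege=False, writable=False)  # app code
    mpu.add_region(0x3000_0000, 0x10000, needs_privilege=False, writable=True)   # app RAM
    return True, mpu
```

The boot flow refuses to hand control to an image whose tag does not verify or whose version is below the stored floor, and it brings the MPU up so that unprivileged application code can execute from its own region but cannot read the key store or write its own code region. In a real device the key would come from OTP, the verification would normally be signature-based, and the region table would be programmed into hardware registers rather than a Python list.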
Although protecting the platform from attacks that can take down the IoT edge device and its network is very important, there is also the concern of protecting proprietary software from IP theft. Both factors should be weighed when choosing a processor solution for the SoC. Synopsys' Enhanced Security Package for ARC EM processors with integrated SecureShield technology also incorporates tamper detection features and provides the ability to encrypt and decrypt instructions such that plaintext code is never accessible to a potential IP thief. Additionally, the secure MPU that is part of SecureShield technology is extended with a per-region memory encryption feature. Figure 2 provides examples of how the ARC EM processor with the Enhanced Security Package protects against attacks and IP theft. Because the ARC EM processor is designed for IoT edge applications, Synopsys states that this security functionality can be added with less than 10% additional gate count and minimal impact on energy consumption.