Git-Mirrors/tillitis-key
1
0
Fork 0
mirror of https://github.com/tillitis/tillitis-key1.git synced 2024-10-01 01:45:38 -04:00
Code Issues Packages Projects Releases Wiki Activity

Doc: fix broken links, update system_description regarding data and

Browse Source 
address randomization and fix typos
This commit is contained in:
Daniel Jobson 2024-09-20 15:38:28 +02:00
parent cacc8c5207
commit 49686be355
No known key found for this signature in database
GPG Key ID: 3707A9DBF4BB8F1A
3 changed files with 32 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/quickstart.md
View File

@ -78,7 +78,7 @@ https://github.com/tillitis/tillitis-key1-apps#readme
To learn more about the concepts and workings of the firmware, see: To learn more about the concepts and workings of the firmware, see:
[system_description/system_description.md](system_description/system_description.md) [system_description/system_description.md](system_description/system_description.md)
and [system_description/software.md](system_description/software.md). and [hw/application_fpga/fw/README.md](hw/application_fpga/fw/README.md).
## Device personalization - setting Unique Device Secret (UDS) ## Device personalization - setting Unique Device Secret (UDS)

65
doc/system_description/system_description.md
View File

@ -59,7 +59,7 @@ The derivation can also be combined with a User Supplied Secret
(USS). This means that keys derived are both based on something the user (USS). This means that keys derived are both based on something the user
has - the specific device, and something the user knows (the USS). And has - the specific device, and something the user knows (the USS). And
the derived can be trusted because of the measurement being used the derived can be trusted because of the measurement being used
by the derivation, thereby verifying the intergrity of the application. by the derivation, thereby verifying the integrity of the application.
### Execution monitor ### Execution monitor
@ -103,7 +103,7 @@ The TKey hardware includes a simple form of RAM memory protection. The
purpose of the RAM memory protection is to make it somewhat harder and purpose of the RAM memory protection is to make it somewhat harder and
more time consuming to extract application assets by dumping the RAM more time consuming to extract application assets by dumping the RAM
contents from a TKey device. The memory protection is not based on contents from a TKey device. The memory protection is not based on
encryption and should not be confused with real encryption. But the encryption and should not be confused with real encryption. The
protection is randomised between power cycles. The randomisation protection is randomised between power cycles. The randomisation
should make it infeasible to improve asset extraction by observing should make it infeasible to improve asset extraction by observing
multiple memory dumps from the same TKey device. The attack should multiple memory dumps from the same TKey device. The attack should
@ -111,50 +111,43 @@ also not directly scale to multiple TKey devices.
The memory protection is based on two separate mechanisms: The memory protection is based on two separate mechanisms:
1. Address Space Layout Randomisation (ASLR) 1. Address randomisation
2. Adress dependent data scrambling 2. Address dependent data randomization
The ASLR is implemented by XORing the CPU address with the contents of The address randomization is implemented by XORing the CPU address
the ADDR\_RAM\_ASLR register in the tk1 core. The result is used as the with the contents of the ADDR\_RAM\_ADDR\_RAND register in the tk1
RAM address core. The result is used as the RAM address
The data scrambling is implemented by XORing the data written to the The data randomization is implemented by XORing the data written to the
RAM with the contents of the ADDR\_RAM\_SCRAMBLE register in the tk1 RAM with the contents of the ADDR\_RAM\_DATA\_RAND register in the tk1
core as well as XORing with the CPU address. This means that the same core as well as XORing with the CPU address. This means that the same
data written to two different addresses will be scrambled differently. data written to two different addresses will be scrambled differently.
The same pair or XOR operations is also performed on the data read out The same pair or XOR operations is also performed on the data read out
from the RAM. from the RAM.
The memory protection is setup by the firmware. Access to the memory The memory protection is setup by the firmware. Access to the memory
protection controls is disabled for applications. During boot the protection controls is disabled for applications. Before the memory
firmware perform the following steps to setup the memory protection: protecetion is enabled, the RAM is filled with randomised data using
Xorwow. So during boot the firmware perform the following steps to
setup the memory protection:
1. Write a random 32-bit value from the TRNG into the ADDR\_RAM\_ASLR 1. Get a random 32-bit value from the TRNG to use as data state for
register. Xorwow.
2. Write a random 32-bit value from the TRNG into the 2. Get a random 32-bit value from the TRNG to use as accumulator
ADDR\_RAM\_SCRAMBLE register. for Xorwow.
3. Get a random 32-bit value from the TRNG to use as data value. 3. Fill RAM with a random sequence of values by writing to all RAM
4. Get a random 32-bit value from the TRNG to use as accumulator addresses. For each address use Xorwow to generate a new state,
value. using the accumulator.
5. Fill the RAM with sequence of value by writing to all RAM addresses 4. Write a random 32-bit value from the TRNG into the
in sequence. For each address add the accumulator value to the ADDR\_RAM\_ADDR\_RAND register.
current data value. 5. Write a random 32-bit value from the TRNG into the
6. Write a new random 32-bit value from the TRNG into the ADDR\_RAM\_DATA\_RAND register.
ADDR\_RAM\_ASLR register. 6. Receive the application sent from the client and write it in
7. Write a new random 32-bit value from the TRNG into the
ADDR\_RAM\_SCRAMBLE register.
8. Receive the application sent from the client and write it in
sequence into RAM. sequence into RAM.
This means that the RAM is pre-filled with somewhat randomised data.
The application is then written into RAM using different ASLR and data
scrambling than what was used to pre-fill the memory. This should make
it harder to identify where in RAM the application was written, and
how the application was scrambled.
Future TKey devices may implement a more secure ASLR mechanism, and Future TKey devices may implement a more secure ASLR mechanism, and
use real encryption (for example PRINCE) for memory content use real encryption (for example PRINCE) for memory content
protection. From the application point of view such a change will protection. From the application point of view such a change will be
transparent. transparent.
## Assets ## Assets
@ -330,6 +323,6 @@ libraries etc. Roughly these can be divided into:
## References ## References
More detailed information about the software running on the device More detailed information about the firmware running on the device can
(referred to firmware, SDK, and secure application), can be found in be found in the
the [software document](software.md). [hw/application_fpga/fw/README.md](hw/application_fpga/fw/README.md).

4
hw/application_fpga/core/tk1/README.md
View File

@ -133,7 +133,7 @@ bitstream. This allows us to generate these device unique FPGA
bitstreams without having to do a full FPGA build. bitstreams without having to do a full FPGA build.
### RAM memory protecion ### RAM memory protection
``` ```
ADDR_RAM_ADDR_RAND: 0x40 ADDR_RAM_ADDR_RAND: 0x40
@ -143,7 +143,7 @@ bitstreams without having to do a full FPGA build.
These write only registers control how the data in the RAM is These write only registers control how the data in the RAM is
randomized as a way of protecting the data. The randomization is randomized as a way of protecting the data. The randomization is
implemented using a pseudo random number generator with a state implemented using a pseudo random number generator with a state
initalized by a seed. initialized by a seed.
The ADDR_RAM_ADDR_RAND store the seed for how the addresses are The ADDR_RAM_ADDR_RAND store the seed for how the addresses are
randomized over the memory space. The ADDR_RAM_DATA_RAND store the randomized over the memory space. The ADDR_RAM_DATA_RAND store the