The Inside Secure Root-of-Trust solution provides the hardware trust anchor, the cryptographic functions, the key management and derivation services, the APIs and the off-chip tools needed to secure the SoC and the ecosystem it belongs to.
It provides the device with the capability to securely:
- be provisioned
- boot and manage software update
- execute software and applications
- control test and debug enablement
- protect data at rest
- authenticate and be authenticated
- protect against reverse-engineering and cloning
Two scalable engines
The Root-of-Trust Engine is the ideal component to create an embedded HSM for IoT, automotive, datacenter and governmental applications within an optimized silicon footprint and power envelope.
Root-of-Trust Engine and Programmable Root-of-Trust Engine
The Root-of-Trust Engine provides a rich set of symmetric, asymmetric, hashing and true random number generation (TRNG) services to the OS and applications running on the SoC. Its Secure Asset Store controls the use of keys and enforces authorization policies by identifying service requesters through a combination of hardware signaling and software identity. It gives developers peace of mind that secret data can never be visible to the OS or applications and that sensitive assets can never be extracted off-chip.
The Programmable Root-of-Trust Engine features a 32-bit RISC-V CPU and is delivered with its application development framework. It enables developers to extend or customize the Secure Asset Store or the cryptographic algorithms, or to implement a custom key ladder. Embedded in the SoC, it hosts the platform's most sensitive applications, such as the software update or provisioning components, and it secures communications with the cloud. The programmable engine can also authenticate the images and control the boot of the application CPUs to establish a chain of trust in the SoC.
Secure Boot and software update
The Inside Secure Root-of-Trust Secure Boot Toolkit provides developers with the essential components for securing the SoC boot sequence. The signing tool formats the executables and adds protection layers to ensure their integrity, authenticity and confidentiality, ultimately generating the protected images. Developers integrate the Boot Library into the SoC boot loader, optionally adding anti-cloning and anti-rollback protections.
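The signing-tool / boot-library split described above, as an added example that is not the toolkit's code or image format: a constructed header carries an anti-rollback version and a length, an HMAC-SHA256 under a device-bound key stands in for the toolkit's signature scheme (an assumption so the example runs with the standard library only), and the boot side refuses truncated, tampered, cloned or downgraded images before any payload byte is used.

```python
import hashlib
import hmac
import struct

# Constructed image layout (assumed, not the toolkit's): magic, format version,
# anti-rollback version, payload length, then payload, then a 32-byte tag.
MAGIC = b"RTIM"
HDR = ">4sIII"
TAG_LEN = 32


def device_key(root_key: bytes, device_id: bytes) -> bytes:
    """Anti-cloning stand-in: derive the image key from a root key and the
    device's unique identifier, so an image bound to one device fails on another."""
    return hmac.new(root_key, b"image-auth" + device_id, hashlib.sha256).digest()


def sign_image(payload: bytes, rollback_version: int, key: bytes) -> bytes:
    """Signing-tool side: build the protected image (header + payload + tag)."""
    header = struct.pack(HDR, MAGIC, 1, rollback_version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, key: bytes, min_version: int):
    """Boot-library side: return (payload, version) or raise ValueError.
    Every check runs before the payload is handed to the application CPU."""
    hdr_len = struct.calcsize(HDR)
    if len(image) < hdr_len + TAG_LEN:
        raise ValueError("image truncated")
    magic, fmt, version, length = struct.unpack(HDR, image[:hdr_len])
    if magic != MAGIC or fmt != 1:
        raise ValueError("unknown image format")
    if len(image) != hdr_len + length + TAG_LEN:
        raise ValueError("length field does not match image size")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("image authentication failed")
    # Anti-rollback: the version field is only trusted once the tag has verified,
    # so an attacker cannot forge a high version on an old, vulnerable payload.
    if version < min_version:
        raise ValueError(f"rollback rejected: version {version} < {min_version}")
    return image[hdr_len:hdr_len + length], version
```

In a real boot chain the tag would be an asymmetric signature verified against a public key anchored in the Secure Asset Store, and `min_version` would come from a monotonic counter in one-time-programmable memory.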
Differentiate through security and reduce your time to market
Inside Secure Root-of-Trust Engine is the first FIPS 140-2 level 2 validated silicon IP (certificate #2272 – registered as VaultIP) that tightly combines a rich set of cryptographic services together with a Secure Asset Store within a clearly identifiable physical entity that minimizes the attack surface.
Inside Secure customers can apply for incremental revalidation of their chip. While full FIPS-140-2 Level 2 validation typically takes a year to achieve, revalidation using the initial validation as a base allows for process efficiencies by both the laboratory and NIST, and significantly reduces the time and cost.
Because consumer IoT, automotive, data center, smart metering and other applications all have different sets of requirements and one size does not fit all, the Inside Secure Root-of-Trust Engine is available in a wide range of configurations allowing for size, feature and performance trade-offs. For instance, ChaCha20 and Poly1305 support can be added on top of the commonly used AES and SHA-2 algorithms. Bus interfaces can also be interchanged for a smooth integration into the SoC architecture.
Provisioning and device lifecycle management
Securing devices requires SoCs to be provisioned with assets such as unique identifiers, keys or certificates. This can be achieved at various stages in the device lifecycle: during chip manufacturing, during device integration or in the field, and it may be a multi-step process.
The Inside Secure Root-of-Trust Engine provides built-in capabilities that facilitate the implementation of a secure provisioning scheme, with policies configurable according to the device lifecycle stage.
The Inside Secure Provisioning Platform allows Inside Secure to serve as an independent License Authority that provisions secret values into SoCs and modules. It also supports production-line certificate generation and tracking to ensure the integrity of the manufacturing and licensing process.
Beyond software attacks, connected devices may be subject to side channel attacks that exploit the power or electromagnetic signature generated by the cryptographic operations to extract key values. Furthermore, semi-invasive or invasive attacks can attempt to compromise the device behavior and secrets.
Inside Secure Circuit Camouflage Technology, also known as SypherMedia Library (SML), protects integrated circuits against reverse engineering and cloning. It keeps sensitive and strategic aspects of custom designs secret from competitors and counterfeiters by significantly raising the difficulty, and lowering the reliability, of reverse-engineering a circuit.
Figure: normal AND2 gate compared with a camouflaged AND2 gate.
The Inside Secure Root-of-Trust Engine optionally implements additional protection against these classes of attacks. Its protected cryptographic engines are equipped with proven countermeasures that defeat side channel attacks. The engine also optionally provides fault detection, together with a configurable fault manager that implements the response policies.