Paper 2017/625
How to Break Secure Boot on FPGA SoCs through Malicious Hardware
Nisha Jacob, Johann Heyszl, Andreas Zankl, Carsten Rolfes, and Georg Sigl
Abstract
Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.
Note: Camera ready version for CHES 2017
Metadata
- Available format(s)
- Publication info
- Published by the IACR in CHES 2017
- Keywords
- FPGA SoCssecure boothardware designoutsourcedthreat
- Contact author(s)
- nisha jacob @ aisec fraunhofer de
- History
- 2017-06-27: received
- Short URL
- https://ia.cr/2017/625
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2017/625, author = {Nisha Jacob and Johann Heyszl and Andreas Zankl and Carsten Rolfes and Georg Sigl}, title = {How to Break Secure Boot on {FPGA} {SoCs} through Malicious Hardware}, howpublished = {Cryptology {ePrint} Archive, Paper 2017/625}, year = {2017}, url = {https://eprint.iacr.org/2017/625} }