Cryptology ePrint Archive: Report 2017/625

How to Break Secure Boot on FPGA SoCs through Malicious Hardware

Nisha Jacob and Johann Heyszl and Andreas Zankl and Carsten Rolfes and Georg Sigl

Abstract: Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.

Category / Keywords: FPGA SoCs, secure boot, hardware design, outsourced, threat

Original Publication (in the same form): IACR-CHES-2017

Date: received 26 Jun 2017, last revised 27 Jun 2017

Contact author: nisha jacob at aisec fraunhofer de

Available format(s): PDF | BibTeX Citation

Note: Camera ready version for CHES 2017

Version: 20170627:194732 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]