# Zach Moolman

Tamara Silbergleit Lehman





# Why are we here?

To build micro-architecture systems where security is a first-class citizen.

Secure Memory in Hardware



Background

Multi discipline project NSF funded One of GHOST's goals is to operate securely through public 5G network



#### The problem

Using network – exposing your activities Data are encrypted – information can be derived Network controlled by adversary



Features

Activity shaping Sim swapping



Exposing your activities



Network device count at 6:58 am



Network device count at 12:40 pm



Hiding in Plain Sight

Weekend network activity look like weekday activity

NMF model changes the observed pattern of network activity

Tschimben, S., Bates, I., Curry, J. H., Gremban, K. D., & Siegel, A. (2023, October). Modeling and Generation of Realistic Network Activity. In MILCOM 2023-2023 7 IEEE Military Communications Conference (MILCOM) (pp. 761-766). IEEE.





# **GHOST Device Security** 0 (((III))) **Remotely Access** Require additional security

Isolation (TEE) -

Stolen

Confidentiality and Integrity -(Encryption)

# Trusted Execution Environments (TEEs)

# ✤What is a TEE?

- Isolation
- Privileged Software (OS)
- Attestation Hardware & Software
- Trust Chip/SoC Boundary

# Commercial TEEs

- Intel SGX Large TCB
- Arm TrustZone Two Worlds

**Untrusted Environment Enclave 3 Enclave 1 Enclave 2** Enclave Enclave Enclave Untrusted Untrusted App (UA) App App App App Software Trusted Trusted Trusted OS Runtime Runtime Runtime Security Monitor PMP PMP Enc OS UA UA Enc OS Enc Enc ••• Coren Core<sub>1</sub> Hardware System Bus NIC Other I/O Memory

Keystone

✤Dayeol Lee

Threat Model

Open Source

Custom TEE

Lee, D., Kohlbrenner, D., Shinde, S., Asanović, K., and Song, D. Keystone: Anopen framework for architecting trusted execution environments. In Proceedings of the Fifteenth European Conference on Computer Systems (2020), pp. 1–16.

### **RISC-V**

# Privileged Levels

- User
- Supervisory
- Reserved (Hypervisor)
- Machine
- Control Status Registers (CSR)
  - Physical Memory Protection (PMP)

#### Secure Memory

#### Isolation is not enough

- Confidentiality
  - Protect sensitive data
  - Counter-mode encryption
  - Encryption is parallelized with data requests
- ✤Data integrity
  - Active attacks
  - Bonsai Merkle trees



Our Work

Extending RISC-V

RocketChip SoC

Building Secure Memory

✤FPGA

Extra dimension



Extending RISC-VRocketChip SoCBuilding Secure MemoryFPGA

Extra dimension



### Extending SoC

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path

| Core 1                          |                   |
|---------------------------------|-------------------|
|                                 |                   |
| Bank 1                          | Bank 2<br>TL<br>2 |
| Memory Bus<br>Memory Controller |                   |
| memory controller               |                   |

### Extending SoC

# Confidentiality

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path



(1) Change the memory bus into a memory controller

Extending SoC

- Confidentiality
  - Memory Controller (MC)
  - Enable Encryption (ee)
  - PMPChecker
  - TileLink (TL)
  - Encryption Engine(EE)
  - Critical Path



- 1 Change the memory bus into a memory controller
- (2) Add encryption bit to design



PMP configure register format

# Extending SoC

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path



# Extending SoC

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path



# Extending SoC

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path



# Extending SoC

# Confidentiality

- Memory Controller (MC)
- Enable Encryption (ee)
- PMPChecker
- TileLink (TL)
- Encryption Engine(EE)
- Critical Path



- 1 Change the memory bus into a memory controller
- (2) Add encryption bit to design

#### pmpcfg L E A XWR 5 0

- PMP configure register format
- 3 PMPChecker fetch encryption bit
- 4 Update TileLink protocol to include encryption signal
- 5 Add encryption engine to memory controller
- 6 Add one LUT to critical path

Extending SoC **\***Integrity



| ePMP <sub>1</sub> | pmpaddr |
|-------------------|---------|
| ePMP <sub>2</sub> | asid    |
|                   | root    |
| $\backslash$      | key     |
| $\backslash$      | mode    |

Extending SoC **\***Integrity



Add ePMP registers to hold state of integrity tree with it respective PMP entry

| ePMP <sub>1</sub> | pmpaddr |
|-------------------|---------|
| ePMP <sub>2</sub> | asid    |
|                   | root    |
| $\backslash$      | key     |
| $\backslash$      | mode    |

(8) Update TileLink protocol to support new command

Extending SoC Integrity



| ePMP <sub>1</sub> | pmpaddr |
|-------------------|---------|
| ePMP <sub>2</sub> | asid    |
|                   | root    |
| $\backslash$      | key     |
| $\backslash$      | mode    |

- 8 Update TileLink protocol to support new command
- 9 CSRW instruction writes to pmpaddr and to ePMP control registers

Extending SoC **\***Integrity



| ePMP1             | pmpaddr |
|-------------------|---------|
| ePMP <sub>2</sub> | asid    |
|                   | root    |
| $\backslash$      | key     |
| $\backslash$      | mode    |

- 8 Update TileLink protocol to support new command
- CSRW instruction writes to pmpaddr and to ePMP control registers
- Add LUT to L2 Cache to either handle normal data request or forward request to Memory contorller

Extending SoC Integrity



| ePMP <sub>1</sub> | pmpaddr |
|-------------------|---------|
| ePMP <sub>2</sub> | asid    |
|                   | root    |
| $\backslash$      | key     |
| $\backslash$      | mode    |

- 8 Update TileLink protocol to support new command
- CSRW instruction writes to pmpaddr and to ePMP control registers
- Add LUT to L2 Cache to either handle normal data request or forward request to Memory contorller
- (1) Finally, updated memory controller to update the ePMP

#### Secure Memory Example

- ✤ On Reset ZSBL will load Keystone secure SM
- SM will configure pmpaddr and pmpcfg
- Modified Keystone that all enclave will set encryption bit
- ✤ On CSRW pmpaddr<sub>x</sub>
  - the execute stage will buffer address
  - the commit stage request is sent to MC
- On Write Load Store Unit(LSU) will invoke the PMPChecker
- ✤ Write is requested
- Assume write-through caches for this example
- Data is encrypted and integrity tree is updated
  - Up to this point data are **not** encrypted
- Encrypted data is sent to external memory
- SoC Boundary
- Caches



# **Continuing our Work**

- Complete our FPGA implementation
- Efficiency
  - Area and Power
  - Utilizing existing RISC-V primitives
  - Critical path has minimal changes