Difference between revisions of "Security"

From MILEDROPEDIA
== Introduction ==

Security of the Motorola Droid-family phones is based on three technologies:

* '''eFuse''' cells, blown once and permanently, used as monotonic counters and flags for security purposes
* '''M-Shield''' protection, a Texas Instruments solution for mobile handsets (comparable to SecureShield from Qualcomm)
* '''L3 firewall''' protection, which enforces mandatory access control between initiators and targets on the OMAP SoC interconnect
  
=== [[eFuse]] ===

'''Listing 1.''' Fuse blowing functions from mbmloader
<syntaxhighlight lang="asm" line>
ROM:870048AC                ; =============== S U B R O U T I N E =======================================
ROM:870048AC
ROM:870048AC                ; int __cdecl fuse_blow_BS_DIS()
ROM:870048AC                fuse_blow_BS_DIS
ROM:870048AC 000 10 B5                      PUSH    {R4,LR}
ROM:870048AE 008 10 24                      MOVS    R4, #0x10                   ; default result, overwritten below
ROM:870048B0 008 01 21                      MOVS    R1, #1                      ; value
ROM:870048B2 008 6E 20                      MOVS    R0, #SEC_BS_DIS             ; fuse_entry_number (0x6E)
ROM:870048B4 008 FF F7 70 FF                BL      fuse_blow_byte
ROM:870048B8 008 04 46                      MOV     R4, R0
ROM:870048BA 008 20 46                      MOV     R0, R4                      ; return fuse_blow_byte() result
ROM:870048BC 008 10 BD                      POP     {R4,PC}
ROM:870048BC                ; End of function fuse_blow_BS_DIS

ROM:870048E2                ; =============== S U B R O U T I N E =======================================
ROM:870048E2
ROM:870048E2                ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)
ROM:870048E2                fuse_blow_CUSTOM
ROM:870048E2 000 70 B5                      PUSH    {R4-R6,LR}
ROM:870048E4 010 04 46                      MOV     R4, R0                      ; fuse_entry_number
ROM:870048E6 010 0D 46                      MOV     R5, R1                      ; value
ROM:870048E8 010 10 26                      MOVS    R6, #0x10                   ; default result, overwritten below
ROM:870048EA 010 A9 B2                      UXTH    R1, R5                      ; value truncated to 16 bits
ROM:870048EC 010 20 46                      MOV     R0, R4                      ; fuse_entry_number
ROM:870048EE 010 FF F7 53 FF                BL      fuse_blow_byte
ROM:870048F2 010 06 46                      MOV     R6, R0
ROM:870048F4 010 30 46                      MOV     R0, R6                      ; return fuse_blow_byte() result
ROM:870048F6 010 70 BD                      POP     {R4-R6,PC}
ROM:870048F6                ; End of function fuse_blow_CUSTOM

ROM:870048F8                ; =============== S U B R O U T I N E =======================================
ROM:870048F8
ROM:870048F8                ; int __cdecl fuse_blow_PRODUCTION()
ROM:870048F8                fuse_blow_PRODUCTION
ROM:870048F8 000 10 B5                      PUSH    {R4,LR}
ROM:870048FA 008 10 24                      MOVS    R4, #0x10                   ; default result, overwritten below
ROM:870048FC 008 01 21                      MOVS    R1, #1                      ; value
ROM:870048FE 008 70 20                      MOVS    R0, #SEC_PROD               ; fuse_entry_number (0x70)
ROM:87004900 008 FF F7 4A FF                BL      fuse_blow_byte
ROM:87004904 008 04 46                      MOV     R4, R0
ROM:87004906 008 20 46                      MOV     R0, R4                      ; return fuse_blow_byte() result
ROM:87004908 008 10 BD                      POP     {R4,PC}
ROM:87004908                ; End of function fuse_blow_PRODUCTION

ROM:8700490A                ; =============== S U B R O U T I N E =======================================
ROM:8700490A
ROM:8700490A                ; int __cdecl fuse_blow_ENGINEERING()
ROM:8700490A                fuse_blow_ENGINEERING                               ; CODE XREF: main+20
ROM:8700490A 000 10 B5                      PUSH    {R4,LR}
ROM:8700490C 008 10 24                      MOVS    R4, #0x10                   ; default result, overwritten below
ROM:8700490E 008 01 21                      MOVS    R1, #1                      ; value
ROM:87004910 008 6F 20                      MOVS    R0, #SEC_ENG                ; fuse_entry_number (0x6F)
ROM:87004912 008 FF F7 41 FF                BL      fuse_blow_byte
ROM:87004916 008 04 46                      MOV     R4, R0
ROM:87004918 008 20 46                      MOV     R0, R4                      ; return fuse_blow_byte() result
ROM:8700491A 008 10 BD                      POP     {R4,PC}
ROM:8700491A                ; End of function fuse_blow_ENGINEERING
</syntaxhighlight>

'''Listing 2.''' Fuse reading functions from mbmloader
<syntaxhighlight lang="asm" line>
ROM:870046DA                ; =============== S U B R O U T I N E =======================================
ROM:870046DA
ROM:870046DA                ; int __cdecl fuse_read_byte(int fuse_entry_number)
ROM:870046DA                fuse_read_byte                                      ; CODE XREF: check_SMID+6
ROM:870046DA                                                                    ; fuse_read_BS_DIS+6 ...
ROM:870046DA 000 70 B5                      PUSH    {R4-R6,LR}
ROM:870046DC 010 04 46                      MOV     R4, R0                      ; fuse_entry_number
ROM:870046DE 010 9D 4D                      LDR     R5, =0xDEADBEEF             ; result sentinel, returned for unhandled entries
ROM:870046E0 010 A4 F1 65 00                SUB.W   R0, R4, #0x65               ; switch, 16 cases (entries 101..116)
ROM:870046E4 010 10 28                      CMP     R0, #0x10
ROM:870046E6 010 53 D2                      BCS     do_nothing                  ; default: entry outside 101..116
ROM:870046E6                                                                    ; jumptable 10006CE8 cases 102,103,107,109,114
ROM:870046E8 010 DF E8 00 F0                TBB.W   [PC,R0]                     ; switch jump
ROM:870046E8 010            ; ---------------------------------------------------------------------------
ROM:870046EC 010 08          jpt_10006CE8    DCB 8                               ; jump table for switch statement
ROM:870046ED 010 52                          DCB 0x52
ROM:870046EE 010 52                          DCB 0x52
ROM:870046EF 010 11                          DCB 0x11
ROM:870046F0 010 1A                          DCB 0x1A
ROM:870046F1 010 22                          DCB 0x22
ROM:870046F2 010 52                          DCB 0x52
ROM:870046F3 010 2A                          DCB 0x2A
ROM:870046F4 010 52                          DCB 0x52
ROM:870046F5 010 32                          DCB 0x32
ROM:870046F6 010 37                          DCB 0x37
ROM:870046F7 010 3D                          DCB 0x3D
ROM:870046F8 010 43                          DCB 0x43
ROM:870046F9 010 52                          DCB 0x52
ROM:870046FA 010 4D                          DCB 0x4D
ROM:870046FB 010 51                          DCB 0x51
ROM:870046FC                ; ---------------------------------------------------------------------------
ROM:870046FC 010 03 20                      MOVS    R0, #3                      ; case 101: fuse word 3
ROM:870046FE 010 FF F7 B5 FF                BL      fuse_read_word
ROM:87004702 010 06 12                      ASRS    R6, R0, #8                  ; bits 8..15
ROM:87004704 010 30 46                      MOV     R0, R6
ROM:87004706 010 FF F7 D6 FF                BL      count_1                     ; number of blown bits
ROM:8700470A 010 05 46                      MOV     R5, R0
ROM:8700470C 010 41 E0                      B       return
ROM:8700470E                ; ---------------------------------------------------------------------------
ROM:8700470E 010 03 20                      MOVS    R0, #3                      ; case 104: fuse word 3
ROM:87004710 010 FF F7 AC FF                BL      fuse_read_word
ROM:87004714 010 C6 B2                      UXTB    R6, R0                      ; bits 0..7
ROM:87004716 010 30 46                      MOV     R0, R6
ROM:87004718 010 FF F7 CD FF                BL      count_1                     ; number of blown bits
ROM:8700471C 010 05 46                      MOV     R5, R0
ROM:8700471E 010 38 E0                      B       return
ROM:87004720                ; ---------------------------------------------------------------------------
ROM:87004720 010 02 20                      MOVS    R0, #2                      ; case 105: fuse word 2
ROM:87004722 010 FF F7 A3 FF                BL      fuse_read_word
ROM:87004726 010 06 46                      MOV     R6, R0
ROM:87004728 010 FF F7 C5 FF                BL      count_1                     ; number of blown bits
ROM:8700472C 010 05 46                      MOV     R5, R0
ROM:8700472E 010 30 E0                      B       return
ROM:87004730                ; ---------------------------------------------------------------------------
ROM:87004730 010 01 20                      MOVS    R0, #1                      ; case 106: fuse word 1
ROM:87004732 010 FF F7 9B FF                BL      fuse_read_word
ROM:87004736 010 06 46                      MOV     R6, R0
ROM:87004738 010 FF F7 BD FF                BL      count_1                     ; number of blown bits
ROM:8700473C 010 05 46                      MOV     R5, R0
ROM:8700473E 010 28 E0                      B       return
ROM:87004740                ; ---------------------------------------------------------------------------
ROM:87004740 010 00 20                      MOVS    R0, #0                      ; case 108: fuse word 0
ROM:87004742 010 FF F7 93 FF                BL      fuse_read_word
ROM:87004746 010 06 46                      MOV     R6, R0
ROM:87004748 010 FF F7 B5 FF                BL      count_1                     ; number of blown bits
ROM:8700474C 010 05 46                      MOV     R5, R0
ROM:8700474E 010 20 E0                      B       return
ROM:87004750                ; ---------------------------------------------------------------------------
ROM:87004750 010 04 20                      MOVS    R0, #4                      ; case 110 (SEC_BS_DIS): fuse word 4
ROM:87004752 010 FF F7 8B FF                BL      fuse_read_word
ROM:87004756 010 C5 13                      ASRS    R5, R0, #0xF                ; bit 15
ROM:87004758 010 1B E0                      B       return
ROM:8700475A                ; ---------------------------------------------------------------------------
ROM:8700475A 010 04 20                      MOVS    R0, #4                      ; case 111 (SEC_ENG): fuse word 4
ROM:8700475C 010 FF F7 86 FF                BL      fuse_read_word
ROM:87004760 010 C0 F3 40 35                UBFX.W  R5, R0, #0xD, #1            ; bit 13
ROM:87004764 010 15 E0                      B       return
ROM:87004766                ; ---------------------------------------------------------------------------
ROM:87004766 010 04 20                      MOVS    R0, #4                      ; case 112 (SEC_PROD): fuse word 4
ROM:87004768 010 FF F7 80 FF                BL      fuse_read_word
ROM:8700476C 010 C0 F3 80 35                UBFX.W  R5, R0, #0xE, #1            ; bit 14
ROM:87004770 010 0F E0                      B       return
ROM:87004772                ; ---------------------------------------------------------------------------
ROM:87004772 010 04 20                      MOVS    R0, #4                      ; case 113: fuse word 4
ROM:87004774 010 FF F7 7A FF                BL      fuse_read_word
ROM:87004778 010 C0 F3 04 26                UBFX.W  R6, R0, #8, #5              ; bits 8..12
ROM:8700477C 010 30 46                      MOV     R0, R6
ROM:8700477E 010 FF F7 9A FF                BL      count_1                     ; number of blown bits
ROM:87004782 010 05 46                      MOV     R5, R0
ROM:87004784 010 05 E0                      B       return
ROM:87004786                ; ---------------------------------------------------------------------------
ROM:87004786 010 74 48                      LDR     R0, =0x480023B4             ; case 115: memory-mapped register, not a fuse
ROM:87004788 010 00 68                      LDR     R0, [R0]
ROM:8700478A 010 85 B2                      UXTH    R5, R0                      ; low 16 bits
ROM:8700478C 010 01 E0                      B       return
ROM:8700478E                ; ---------------------------------------------------------------------------
ROM:8700478E 010 00 BF                      NOP                                 ; case 116: nothing, sentinel is returned
ROM:87004790
ROM:87004790                do_nothing                                          ; CODE XREF: fuse_read_byte+C
ROM:87004790 010 00 BF                      NOP                                 ; default
ROM:87004790                                                                    ; jumptable 10006CE8 cases 102,103,107,109,114
ROM:87004792
ROM:87004792                return                                              ; CODE XREF: fuse_read_byte+32
ROM:87004792                                                                    ; fuse_read_byte+44 ...
ROM:87004792 010 00 BF                      NOP
ROM:87004794 010 28 46                      MOV     R0, R5                      ; result (or 0xDEADBEEF)
ROM:87004796 010 70 BD                      POP     {R4-R6,PC}
ROM:87004796                ; End of function fuse_read_byte

ROM:870048BE
ROM:870048BE                ; =============== S U B R O U T I N E =======================================
ROM:870048BE
ROM:870048BE                ; int __cdecl fuse_read_BS_DIS()
ROM:870048BE                fuse_read_BS_DIS                                    ; CODE XREF: check_BS_DIS+4
ROM:870048BE 000 10 B5                      PUSH    {R4,LR}
ROM:870048C0 008 10 24                      MOVS    R4, #0x10                   ; result if the fuse reads non-zero
ROM:870048C2 008 6E 20                      MOVS    R0, #SEC_BS_DIS             ; fuse_entry_number (0x6E)
ROM:870048C4 008 FF F7 09 FF                BL      fuse_read_byte
ROM:870048C8 008 00 B9                      CBNZ    R0, return                  ; any non-zero value counts as blown
ROM:870048CA 008 00 24                      MOVS    R4, #0
ROM:870048CC
ROM:870048CC                return                                              ; CODE XREF: fuse_read_BS_DIS+A
ROM:870048CC 008 20 46                      MOV     R0, R4
ROM:870048CE 008 10 BD                      POP     {R4,PC}
ROM:870048CE                ; End of function fuse_read_BS_DIS

ROM:870048D0
ROM:870048D0                ; =============== S U B R O U T I N E =======================================
ROM:870048D0
ROM:870048D0                ; int __cdecl fuse_read_SECVER(int entry_number)
ROM:870048D0                fuse_read_SECVER                                    ; CODE XREF: check_secure_version+14
ROM:870048D0 000 70 B5                      PUSH    {R4-R6,LR}
ROM:870048D2 010 04 46                      MOV     R4, R0                      ; entry_number
ROM:870048D4 010 00 25                      MOVS    R5, #0
ROM:870048D6 010 20 46                      MOV     R0, R4                      ; fuse_entry_number
ROM:870048D8 010 FF F7 FF FE                BL      fuse_read_byte
ROM:870048DC 010 05 46                      MOV     R5, R0
ROM:870048DE 010 28 46                      MOV     R0, R5                      ; counter value passed through
ROM:870048E0 010 70 BD                      POP     {R4-R6,PC}
ROM:870048E0                ; End of function fuse_read_SECVER
</syntaxhighlight>
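The dispatch in Listing 2 rebuilt in portable C, as an added example that is not code from mbmloader or from the page: it shows which fuse word and bit field each entry number maps to, why the counter-type entries go through a bit count (a blown fuse reads as 1 and never returns to 0, so the number of ones in a field is a counter that can only go up), and what the 0xDEADBEEF sentinel does to a caller that tests only for non-zero, as fuse_read_BS_DIS does. The entry numbers SEC_BS_DIS, SEC_ENG and SEC_PROD are the immediates 0x6E, 0x6F and 0x70 from the listings. Everything else is an assumption made for the example: the fuse contents are a constructed image that replaces the OMAP eFuse interface, fuse words are treated as 16 bits wide, count_1 is taken to be a population count, and fuse_flag_checked is not a function on the device.

```c
/* Added example: fuse_read_byte() from Listing 2 rebuilt in portable C, with a
 * constructed fuse image in place of the OMAP eFuse interface. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Entry numbers taken from the MOVS immediates in Listings 1 and 2. */
enum { SEC_BS_DIS = 0x6E, SEC_ENG = 0x6F, SEC_PROD = 0x70 };

/* Preloaded into R5 before the switch; returned for every entry the switch
 * does not handle (102, 103, 107, 109, 114, 116 and anything outside 101..116). */
#define FUSE_UNKNOWN 0xDEADBEEFu

#define FUSE_WORDS 5
static uint32_t g_fuse[FUSE_WORDS];     /* constructed image; 16 bits used per word (assumption) */
static uint32_t g_ctrl_480023B4;        /* constructed stand-in for the register at 0x480023B4 */

void fuse_load_image(const uint32_t words[FUSE_WORDS], uint32_t ctrl_reg)
{
    for (size_t i = 0; i < FUSE_WORDS; i++)
        g_fuse[i] = words[i] & 0xFFFFu;
    g_ctrl_480023B4 = ctrl_reg;
}

/* Constructed sample: two fuses blown in word 0, all of word 2, 3 and 5 in the
 * two halves of word 3, and bits 13..15 of word 4 (SEC_ENG, SEC_PROD, SEC_BS_DIS). */
void fuse_load_sample_image(void)
{
    static const uint32_t img[FUSE_WORDS] = { 0x0003u, 0x0000u, 0x00FFu, 0x1F07u, 0xE000u };
    fuse_load_image(img, 0x12345678u);
}

static uint32_t fuse_read_word(int idx) { return g_fuse[idx]; }

/* count_1 is not on the page; from its use it is taken to be a population
 * count (assumption). Blown bits only ever go from 0 to 1, so the count is a
 * monotonic counter: blowing one more fuse increments it. */
static uint32_t count_1(uint32_t v)
{
    uint32_t n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

uint32_t fuse_read_byte(int entry)
{
    uint32_t r = FUSE_UNKNOWN;
    switch (entry) {
    case 101: r = count_1(fuse_read_word(3) >> 8);            break; /* ASRS #8 */
    case 104: r = count_1(fuse_read_word(3) & 0xFFu);         break; /* UXTB */
    case 105: r = count_1(fuse_read_word(2));                 break;
    case 106: r = count_1(fuse_read_word(1));                 break;
    case 108: r = count_1(fuse_read_word(0));                 break;
    case 110: r = (fuse_read_word(4) >> 15) & 1u;             break; /* SEC_BS_DIS: ASRS #15 */
    case 111: r = (fuse_read_word(4) >> 13) & 1u;             break; /* SEC_ENG: UBFX bit 13 */
    case 112: r = (fuse_read_word(4) >> 14) & 1u;             break; /* SEC_PROD: UBFX bit 14 */
    case 113: r = count_1((fuse_read_word(4) >> 8) & 0x1Fu);  break; /* UBFX bits 8..12 */
    case 115: r = g_ctrl_480023B4 & 0xFFFFu;                  break; /* LDR [0x480023B4]; UXTH */
    default:                                                   break; /* sentinel stays */
    }
    return r;
}

/* fuse_read_BS_DIS(): anything non-zero is reported as 0x10. */
uint32_t fuse_read_BS_DIS(void) { return fuse_read_byte(SEC_BS_DIS) ? 0x10u : 0u; }

/* fuse_read_SECVER(): the counter value is passed through unchanged. */
uint32_t fuse_read_SECVER(int entry) { return fuse_read_byte(entry); }

/* The fuse_read_BS_DIS test applied to an arbitrary entry (added here, not on
 * the page) shows the pitfall: an unhandled entry yields the 0xDEADBEEF
 * sentinel, which a "non-zero means blown" check reports as blown. */
uint32_t fuse_flag_nonzero(int entry) { return fuse_read_byte(entry) ? 0x10u : 0u; }

/* Hypothetical safer check: -1 for an unknown entry, otherwise 0 or 1. */
int fuse_flag_checked(int entry)
{
    uint32_t v = fuse_read_byte(entry);
    if (v == FUSE_UNKNOWN) return -1;
    return v != 0;
}

int main(void)
{
    fuse_load_sample_image();
    printf("SECVER(101)=%u BS_DIS=0x%x ENG=%u PROD=%u entry102=0x%x checked(102)=%d\n",
           (unsigned)fuse_read_SECVER(101), (unsigned)fuse_read_BS_DIS(),
           (unsigned)fuse_read_byte(SEC_ENG), (unsigned)fuse_read_byte(SEC_PROD),
           (unsigned)fuse_read_byte(102), fuse_flag_checked(102));
    return 0;
}
```

With the sample image, entry 101 reads 5 and entry 104 reads 3 (five and three blown bits in the two halves of word 3), the three flag entries read 1, and entry 102 comes back as 0xDEADBEEF, which fuse_flag_nonzero reports as blown while fuse_flag_checked reports it as unknown.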

=== [[L3 firewall]] ===

=== [[M-Shield]] ===
  
 
M-Shield is an extended implementation of the Trusted Computing Group's MTM (Mobile Trusted Module), based on the MTM reference design and embedded into the OMAP chip. It also supports the ARM TrustZone technology. The MTM has its own ROM/RAM; on M-Shield it exists only as a software implementation, not as a separate chip (see the TrustZone specification). Both the Secure world and the Normal (non-secure) world run on the same core. From the Normal world the Secure world is entered with the '''SMC''' ARM instruction.

All information about the SMC module is on the [[Secure Monitor]] page.
  
==== OMAP3430 ====

'''Listing 3.''' Normal-world Secure Monitor Call wrapper on the OMAP3430 (ARM mode)
<syntaxhighlight lang="asm" line>
4001537C                ; =============== S U B R O U T I N E =======================================
4001537C
4001537C                ; running in ARM mode
4001537C                ; __int32 __cdecl security_monitor_call(__int32 ssid, __int32 proc_id, __int32 flag, __int32 params_addr)
4001537C                security_monitor_call                      ; CODE XREF: security_monitor_handler+8
4001537C 000 F0 5F 2D E9          STMFD   SP!, {R4-R12,LR}          ; save the caller's context across the world switch
40015380 028 FF 60 A0 E3          MOV     R6, #0xFF
40015384 028 00 C0 A0 E3          MOV     R12, #0                   ; R12 = 0: new service request
40015388 028 95 0F 07 EE          MCR     p15, 0, R0,c7,c5, 4       ; prefetch flush (ISB)
4001538C 028 9A 0F 07 EE          MCR     p15, 0, R0,c7,c10, 4      ; data synchronisation barrier (DSB)
40015390 028 71 00 60 E1          SMC     1                         ; enter the Secure Monitor
40015394 028 02 00 00 EA          B       service_end               ; normal return: service finished
40015398                ; ---------------------------------------------------------------------------
40015398 028 00 F0 20 E3          NOP                               ; re-entry path: monitor returned here after an IRQ
4001539C 028 FE C0 A0 E3          MOV     R12, #SMC_IRQ_END         ; R12 = 0xFE: resume the interrupted service
400153A0 028 71 00 60 E1          SMC     1
400153A4
400153A4                service_end                                ; CODE XREF: security_monitor_call+18
400153A4 028 F0 5F BD E8          LDMFD   SP!, {R4-R12,LR}
400153A8 000 1E FF 2F E1          BX      LR
400153A8                ; End of function security_monitor_call
</syntaxhighlight>

The wrapper has two exits from the first SMC. When the secure service completes, the monitor returns to the instruction after the SMC, which branches to service_end. If the monitor instead returns to the NOP that follows, the wrapper issues a second SMC with R12 = SMC_IRQ_END (0xFE), which lets the interrupted secure service resume. The two MCR instructions before the SMC flush the prefetch buffer and drain pending writes so the Secure world sees the parameters that were written before the call.
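The two return paths behind the SMC in Listing 3, modelled in portable C as an added example that is neither TI's code nor code from the page. The normal-world side mirrors security_monitor_call: R12 = 0 on the first SMC, then SMC with R12 = SMC_IRQ_END for as long as the monitor keeps coming back on the re-entry path. Only SMC_IRQ_END = 0xFE (the `FE C0 A0 E3` encoding) and the existence of the two paths come from the listing; the secure side here, a constructed counter service that a pending IRQ pre-empts after a configurable number of steps, the parameter-binding convention, and the rejection of an SMC_IRQ_END with nothing to resume are assumptions made for the model. The real Secure Monitor and ROM services are not on the page.

```c
/* Added example: a portable-C model of the two return paths behind the SMC in
 * Listing 3. The secure side is a constructed service standing in for the
 * Secure Monitor and ROM services, which are not on the page. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SMC_IRQ_END 0xFEu          /* MOV R12, #SMC_IRQ_END in the listing */

/* Where the monitor returns to in the normal world: the instruction after SMC
 * (B service_end, service finished) or the re-entry stub behind it
 * (NOP; MOV R12,#SMC_IRQ_END; SMC 1). */
enum smc_return { SMC_RET_DONE, SMC_RET_REENTER };

/* Constructed secure-side state. */
static struct {
    uint32_t ssid, proc_id, flag, params_addr;
    int      steps_left;
    uint32_t result;
    bool     active;               /* a service was interrupted and may be resumed */
} svc;
static int g_irq_after = -1;       /* pre-empt after this many steps per entry; -1 = never */
static int g_reentries;            /* how often the normal world had to issue SMC_IRQ_END */

void set_irq_every(int steps) { g_irq_after = steps; }
int  reentries(void)           { return g_reentries; }

/* Secure side (model). r12 == 0 starts a service; r12 == SMC_IRQ_END resumes
 * the interrupted one. Rejecting an IRQ_END with no interrupted service is
 * the model's own check, not something the listing shows. */
enum smc_return secure_monitor(uint32_t r0, uint32_t r1, uint32_t r2, uint32_t r3,
                               uint32_t r12, uint32_t *ret_r0)
{
    if (r12 == 0) {
        svc.ssid = r0; svc.proc_id = r1; svc.flag = r2; svc.params_addr = r3;
        svc.steps_left = 5; svc.result = 0; svc.active = true;
    } else if (r12 != SMC_IRQ_END || !svc.active) {
        *ret_r0 = 0xFFFFFFFFu;
        return SMC_RET_DONE;
    }
    int ran = 0;
    while (svc.steps_left > 0) {
        if (ran == g_irq_after)
            return SMC_RET_REENTER;           /* IRQ pending: hand the core back */
        svc.result += svc.ssid + svc.proc_id; /* constructed unit of work */
        svc.steps_left--;
        ran++;
    }
    svc.active = false;
    *ret_r0 = svc.result;
    return SMC_RET_DONE;
}

/* Normal side, mirroring security_monitor_call(): first SMC with R12 = 0;
 * while the monitor comes back on the re-entry path, re-issue SMC with
 * R12 = SMC_IRQ_END until the service completes. */
uint32_t security_monitor_call(uint32_t ssid, uint32_t proc_id, uint32_t flag, uint32_t params_addr)
{
    uint32_t r0 = 0, r12 = 0;
    g_reentries = 0;
    for (;;) {
        /* the real wrapper issues ISB and DSB (the two MCRs) before each SMC */
        if (secure_monitor(ssid, proc_id, flag, params_addr, r12, &r0) == SMC_RET_DONE)
            return r0;                         /* B service_end */
        g_reentries++;
        r12 = SMC_IRQ_END;                     /* MOV R12,#SMC_IRQ_END; SMC 1 */
    }
}

/* An SMC_IRQ_END issued with nothing to resume (model behaviour). */
uint32_t smc_irq_end_without_service(void)
{
    uint32_t r0 = 0;
    svc.active = false;
    secure_monitor(0, 0, 0, 0, SMC_IRQ_END, &r0);
    return r0;
}

int main(void)
{
    set_irq_every(2);
    uint32_t r = security_monitor_call(1, 2, 0, 0);
    printf("result=%u re-entries=%d\n", (unsigned)r, reentries());
    return 0;
}
```

With an IRQ every two steps, a five-step service completes with the same result as an uninterrupted run but needs two SMC_IRQ_END re-entries; the point of the model is that the normal world never sees partial results, it only sees which of the two paths the monitor returned on.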

The full TrustZone description is in the [[File:prd29-genc-009492c_trustzone_security_whitepaper.pdf|TrustZone white paper]].

In our target device, the native handset boot starts executing from an on-chip ROM, which in turn loads a signed bootloader and executes it on successful verification. The M-Shield architecture additionally includes on-chip RAM to be used by so-called protected applications. These can either persistently be present on an on-chip ROM, or be uploaded to on-chip RAM as signed binaries. The system implements a firewall/monitor entry point for executing these applications, and this firewall takes care of disabling or clearing all security-critical processor features (interrupts, DMA, VM) for the duration of the TrEE invocation. In this manner the system provides hardware-enforced isolation for the protected applications. The on-chip protected applications have access to a limited amount of persistent secret data (like a device-specific symmetric key) and to cryptographic accelerator primitives.

[http://www.trusted-logic.com/spip.php?rubrique6&from=15]

[[File:sheme.gif]]
[[File:2007_06-nokia-figure-2.gif]]
[[File:arch_1.jpg]]

A trusted execution environment able to host an MTM needs:

# ROM to store the program code, or a mechanism by which the integrity of code uploaded to the secure environment can be validated (code signing).
# a shielded location (secure RAM) for the loaded state, as well as for run-time data.
# an isolated execution environment (TrEE) for the program code with access to the shielded data location.
# a device-specific, persistent secret to seed the RTS. The confidentiality (access control) of the secret can e.g. be bound to the secure environment itself.
# a simple (I/O) library for use in the isolated environment, including cryptographic primitives and random number generation necessary for an MTM.

'''OMAP3430 on-chip memory'''

{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"
! Normal World
! Secure World
|-
| 32 KB on-chip ROM
| 64 KB on-chip Secure ROM
|-
| 32 KB on-chip SRAM
| 32 KB on-chip Secure SRAM
|}

== Definitions ==

{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"
! Abbreviation
! Meaning
|-
| '''AIK'''
| Attestation Identity Key
|-
| '''EK'''
| Endorsement Key
|-
| '''DAA'''
| Direct Anonymous Attestation
|-
| '''DRTM'''
| Dynamic Root of Trust for Measurement
|-
| '''MTM'''
| Mobile Trusted Module
|-
| '''RIM'''
| Reference Integrity Metric
|-
| '''RTE'''
| Root of Trust for Enforcement
|-
| '''RTR'''
| Root of Trust for Reporting
|-
| '''RTS'''
| Root of Trust for Storage
|-
| '''RTV'''
| Root of Trust for Verification
|-
| '''RVAI'''
| Root Verification Authority Information
|-
| '''SRK'''
| Storage Root Key, used to protect local data (e.g. other keys)
|}
  

== [[Secure Services]] ==

The OMAP3430 offers a number of secure services; see the [[Secure Services]] page.

=== MTM key and state structures ===

'''Listing 4''': Structure for the symmetric SRK
<syntaxhighlight lang="c" line>
// 128-bit key length
#define SRK_KEYLENGTH 16

typedef struct tdTPM_KEY_SRK {
  TPM_STRUCT_VER      ver;
  TPM_KEY_USAGE       keyUsage;
  TPM_KEY_FLAGS       keyFlags;
  TPM_AUTH_DATA_USAGE authDataUsage;
  TPM_KEY_PARMS       algorithmParms;
  TPM_SECRET          usageAuth;
  UINT32              PCRInfoSize;
  TPM_PCR_INFO        pcrInfo;
  BYTE                symKey[SRK_KEYLENGTH];  // symmetric SRK in place of the TPM's RSA SRK
} TPM_KEY_SRK;
// Size of TPM_KEY_SRK in bytes: 123
</syntaxhighlight>

'''Listing 5''': Structure for a loaded asymmetric key

<syntaxhighlight lang="c" line>
typedef struct tdTPM_KEY_LOADED {
  TPM_STRUCT_VER      ver;
  TPM_KEY_USAGE       keyUsage;
  TPM_KEY_FLAGS       keyFlags;
  TPM_AUTH_DATA_USAGE authDataUsage;
  TPM_KEY_PARMS       algorithmParms;
  UINT32              PCRInfoSize;
  TPM_PCR_INFO        pcrInfo;
  TPM_STORE_ASYMKEY   keyData;
} TPM_KEY_LOADED;
// Size of TPM_KEY_LOADED in bytes: 551
</syntaxhighlight>

'''Compressed structures'''

<syntaxhighlight lang="c" line>
typedef struct tdTPM_PCR_ATTRIBUTES {
  BOOL pcrReset;
} TPM_PCR_ATTRIBUTES;
// Size of TPM_PCR_ATTRIBUTES in bytes: 1

typedef struct tdTPM_PERMANENT_FLAGS {
  TPM_STRUCTURE_TAG tag;
  BOOL disable;
  BOOL FIPS;
  BOOL readSRKPub;
} TPM_PERMANENT_FLAGS;
// Size of TPM_PERMANENT_FLAGS in bytes: 5

typedef struct tdTPM_STCLEAR_FLAGS {
  TPM_STRUCTURE_TAG tag;
  BOOL deactivated;
} TPM_STCLEAR_FLAGS;
// Size of TPM_STCLEAR_FLAGS in bytes: 3

typedef struct tdTPM_STANY_FLAGS {
  TPM_STRUCTURE_TAG tag;
  BOOL postInitialise;
} TPM_STANY_FLAGS;
// Size of TPM_STANY_FLAGS in bytes: 3

#define TPM_SESSIONS 2
typedef struct tdTPM_STANY_DATA {
  TPM_STRUCTURE_TAG tag;
  TPM_SESSION_DATA sessions[TPM_SESSIONS];
} TPM_STANY_DATA;
// Size of TPM_STANY_DATA in bytes: 98

#define TPM_NUM_COUNTER 1
#define TPM_NUM_PCR 16

typedef struct tdTPM_PERMANENT_DATA {
  TPM_STRUCTURE_TAG tag;
  BYTE revMajor;
  BYTE revMinor;
  TPM_NONCE tpmProof;
  TPM_KEY srk;
  TPM_COUNTER_VALUE monotonicCounter[TPM_NUM_COUNTER];
  TPM_PCR_ATTRIBUTES pcrAttrib[TPM_NUM_PCR];
} TPM_PERMANENT_DATA;
// Size of TPM_PERMANENT_DATA in bytes: 173

typedef struct tdTPM_STCLEAR_DATA {
  TPM_STRUCTURE_TAG tag;
  TPM_COUNT_ID countID;
  TPM_PCRVALUE PCR[TPM_NUM_PCR];
} TPM_STCLEAR_DATA;
// Size of TPM_STCLEAR_DATA in bytes: 326
</syntaxhighlight>

Software emulators:
# MTM Emulator - http://mtm.nrsec.com/
# TrouSerS - http://trousers.sourceforge.net/ (http://sourceforge.net/projects/trousers/)
# TPM Emulator - http://tpm-emulator.berlios.de/

=== Useful literature ===

# '''Patent description''' with nice graphics [http://www.faqs.org/patents/app/20090320110]
# '''M-Shield description''' [http://droid-developers.org/files/m-shield/NRCTR2007015.pdf]
# '''MTM Specification''' [http://droid-developers.org/files/m-shield/87852F33-1D09-3519-AD0C0F141CC6B10D.pdf]
# '''Trusted Mobile Reference Architecture''' [http://droid-developers.org/files/m-shield/644597BE-1D09-3519-AD5ADDAFA0B539D2.pdf]
# '''MTM Use cases''' [http://droid-developers.org/files/m-shield/6443B207-1D09-3519-AD3180491A6DF1F5.pdf]

=== Other material (to be cleaned up) ===

 
+
Work history
+
Motorola June 2005 to the present
+
Senior Software Engineer
+
 
+
tags: c • stracore • tms320c55x+
+
How would you describe your time at Motorola?
+
 
+
    1. Implementation of Alternate Linear Output Equalizer (ALOE) for GSM handsets.
+
    Tools: Code Composer Studio (CCS), Freescale code warrior simulation tool.
+
    Language: TMS320C55x+ Algebraic Assembly, STARCORE ASSEMBLY
+
    Description: The ALOE algorithm is aimed at improving co-channel performance of the handset over the conventional GSM equalizers. The new algorithm gives 13 dB improvements over the conventional MLSE method.
+
    The implementation of this algorithm involved the coding in TMS320C55x+ Algebraic Assembly using CCS tool. And implementation is targeted to have lesser MIPS and better precision results. The algorithm testing is done with legacy starcore reference code.
+
 
+
    2. Implementation of G728 speech codec with FIXED POINT, 32/16 bit data paths.
+
    Tools: Freescale code warrior simulation tool.
+
    Language: C, STARCORE ASSEMBLY
+
    Description: The G728 speech codec adhering to the ITUT standards is implemented using fixed point 16 bit and 32 bit data paths. The 16 bit fixed point data path is bit complaint with ITUT standard provided testvectors.The work involved is implementation, integration and Testing of entire G728 codec of 32 bit and 16 bit precisions and analysis with fixed point arithmetic using C language. And then porting the C code to the STARCORE architecture and also porting to starcore assembly to meet the MIPS criterion. The code is implemented in C and then star core assembly coded to meet MIPS criterion.
+
 
+
    3. Development and Testing of Sync Detection, AFC, and sensitivity improvement algorithms.
+
    Tools: Matlab Freescale code warrior simulation tool.
+
    Language: C, STARCORE ASSEMBLY
+
    Description: The IDEN (similar to GSM) system has RF modem part which has Transmitter and Receiver. The Receiver is to demodulate the received Quad QAM data into in-Phase and Quadrature symbols, by applying sub channel demodulation, time synchronization, automatic frequency control, pilot interpolation and data decoding algorithms.
+
    The work involved implementation of AFC using the 1st order loop and synchronization using WLS algorithm and sensitivity improvement algorithm using 4-F Doppler mutipath fading modeling .The implementation of all these algorithms are on C, and STARCORE ASSEMBLY using the freescale code warrior tools....
+
   
+
 
+
OMAP3430 security hardware: RNG, DES/3DES (x2), SHA-1/MD5 (x2), AES (x2), fast PKA (SafeNet EIP-29), eFuse.

On-chip memory: 96 KB ROM, 64 KB SRAM.

'''M-Shield Hardware Security Technology''' (TI product description)

Integrated into TI's OMAP and OMAP-Vox platforms, M-Shield hardware security technology is a complete infrastructure for mobile platform robustness that includes:

* Hardware cryptographic accelerators and random number generator
* Public key infrastructure with secure on-chip keys (eFuse)
* Secure booting and flashing
* Secure access/restriction to all chip peripherals and memories
* Secure DMA transfers
* Hardware-based countermeasures against software attacks and cloning
* Secure protection of debug, trace, and test capabilities
* Hardware-reinforced secure execution and storage environment (Secure Environment) embedding:
** A Secure State Machine
** Secure RAM for sensitive authorized application execution and secure data storage
** Secure ROM with 100+ secure services accessible by authorized applications (Protected Applications)
** Secure storage mechanism

TI states that M-Shield hardware security technology is operating-system independent and not sensitive to software attacks, and that once available, ARM TrustZone hardware extensions will be incorporated and strengthened.

'''M-Shield Software Security Technology''' (TI product description)

M-Shield software security technology is the key software-based security element of OMAP platforms and OMAP-Vox devices, built on top of and strengthened by the M-Shield hardware technology. This software security encompasses:

* Secure signing and flashing tools
* IMEI and SIMlock protection software on OMAP-Vox devices
* Toolkits for development and signature of protected applications running in a secure environment
* Security Middleware Component with associated Protected Applications and SDKs
* Security packs to strengthen HLOS security

Additionally, the M-Shield Security Middleware Component (SMC, not to be confused with the SMC instruction above) provides sets of standard APIs that address fragmentation and porting complexity:

  
* Software reuse across platform generations, as APIs on current platforms can continue to be used
* SMC APIs are compatible with ARM TrustZone software APIs
** Applications can call specific secure services ported on SMC using the ARM TrustZone API
** Applications can use secure storage and standard PKCS#11 APIs for cryptography
** Native secure services can use standard PKCS#11 APIs
** Interpreted secure services can use GlobalPlatform GPD/STIP mobile profile standard APIs
* Applications developed on TI's M-Shield mobile security technology today will run binary compatible on devices incorporating an ARM core with TrustZone hardware extensions
* Services developed today using the ARM TrustZone software API will run on TI devices with M-Shield mobile security technology

Some information about eFuse use in OMAP: http://elinux.org/OMAP_Power_Management/SmartReflex

The whole Secure ROM solution is based on Synopsys products: http://www.synopsys.com/Tools/SLD/CapsuleModule/vp_ti_ss.pdf

Related patent: http://www.freepatentsonline.com/y2005/0228980.html

== [[Trust Zone]] ==

See the [[Trust Zone]] page for details.

[[Category:Security]]

Latest revision as of 20:36, 4 February 2012
