[Paper Reading] ShEF: Shielded Enclaves for Cloud FPGAs

Ugh, this is so damn hard to understand.

Remote attestation is a method by which a host (client) authenticates its hardware and software configuration to a remote host (server). The goal of remote attestation is to enable a remote system (challenger) to determine the level of trust in the integrity of the platform of another system (attestator). The architecture for remote attestation consists of two major components: an integrity measurement architecture and a remote attestation protocol.

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

A trusted computing base (TCB) refers to all of a computer system’s hardware, firmware and software components that combine to provide the system with a secure environment.

Problem: securing the FPGA-based accelerator

  • A purely cryptographic solution such as homomorphic encryption is expensive.
  • Traditional cryptographic libraries depend on a large trusted computing base (TCB) and are therefore exposed to potentially malicious employees.
  • CPU-based trusted execution environments (TEEs) such as SGX and TrustZone exist, but they are fixed in hardware while security methods such as cryptography keep evolving; different compute and communication patterns require different levels of protection; and SGX has had bugs.
  • A CPU-based TEE cannot be used on an FPGA.

Problems with existing TEEs for FPGAs

  • vulnerable to direct physical attacks
  • require fundamental hardware changes
  • address isolated challenges
  • rely on a CPU TEE

ShEF: hardware-based bespoke security and customizable acceleration.

Decoupled from the CPU TEE: neither the CPU TEE nor the software running on the CPU is trusted.

Customization ensures that each unique accelerator gets a suitable security mechanism, providing only the right levels of protection in order to save resources.

ShEF components:

  • ShEF boot process (centered on a software Security Kernel):

    • loads the accelerator onto the FPGA in a known and trusted state
    • attests that state
    • secures the ports
  • ShEF Shield:

    • communicates with the host software and protects data through customizable soft-logic engines.

Contributions:

  1. Identify the requirements of a cloud FPGA TEE

  2. Implement the first comprehensive and customizable TEE on cloud FPGAs

  3. Protocols that enable TEE building blocks, including secure boot and remote attestation

  4. Customizability

Conventional FPGA security mechanisms: load only signed bitstreams; encrypt bitstreams; prevent tampering with the FPGA.

The SPB (security processor block) can access an AES key and a public ECDSA/RSA key. The developer encrypts with the AES key or signs with the RSA private key, and the SPB decrypts or verifies accordingly. The SPB can also monitor for tampering.

A lack of asymmetric keys: other parties cannot use the FPGA's AES key, so an FPGA TEE must build its hardware root of trust and remote attestation protocol on top of the AES key.

Presence of an untrusted shell: In CPU, enclave can access secure hardware bypassing the untrusted OS. But in FPGA, the fabric is spatially shared with the untrusted Shell logic.

Lack of secure and flexible I/O: different accelerators have different off-chip I/O security requirements. Current work on FPGA security ignores the lack of secure I/O that results from the Shell, and does not give different accelerators different security mechanisms.


  • Four parties (note which keys are symmetric and which are asymmetric):

    • Manufacturer: Device Key (a symmetric AES key) and an asymmetric public/private Device Key pair (RSA)

      1. the private key is placed on the SPB, encrypted with the AES key
      2. the public Device Key is registered and published
    • IP Vendor: the accelerator's I/O connects to the ShEF Shield, which secures I/O and provides isolated execution. Holds a symmetric Bitstream Encryption Key and an **asymmetric** Shield Encryption Key.

      1. develops an IP
      2. embeds the Shield module carrying the private Shield Encryption Key, compiles the whole into a partial bitstream, then encrypts it with the Bitstream Encryption Key to obtain an encrypted partial bitstream

      The accelerator bitstream is the same for everyone; the Data Owner's Shield Encryption Key differs and is used for attestation

    • Data Owner:

      1. obtains an FPGA instance from the CSP

      2. the FPGA driver resets the FPGA (secure boot process)

        Note: the Security Kernel runs on a soft CPU

      3. SPB firmware boots the ShEF Security Kernel from external storage onto a dedicated Security Kernel Processor, i.e. the ShEF Security Kernel is loaded onto the Security Kernel Processor (a reserved hardened CPU on the FPGA, or a static bitstream containing a soft CPU)

      4. performs remote attestation with the Data Owner and IP Vendor: the FPGA device, SK and accelerator partial bitstream are shown to be authentic.

        • the CSP first uses the SK to load the Shell,
        • the SK receives the accelerator Bitstream Encryption Key from the IP Vendor, decrypts the accelerator and loads it onto the FPGA,
        • connecting it to the Shell interface via partial reconfiguration.
      5. the Data Owner generates a symmetric Data Encryption Key to encrypt sensitive input data, and encrypts the Data Encryption Key with the IP Vendor's public Shield Encryption Key to produce the Load Key. The Load Key delivers the Data Encryption Key to the ShEF Shield module.

      6. the Data Owner drives the accelerator through the ShEF host program on the untrusted host CPU.

        The host program passes the Load Key and the encrypted data to the FPGA; the ShEF Shield decrypts the Load Key with the private Shield Encryption Key to obtain the Data Encryption Key and then decrypts the data. Outputs are encrypted with the DEK and returned to the Data Owner.

secure boot

  • Security-enabling TEE building blocks: these complement the FPGA's current boot flow

    1. The BootROM decrypts the SPB firmware using the AES Device Key and hands off the boot process to it.

    2. secure boot

      $H(SecKrnl)$ is signed by $DeviceKey_{priv}$ together with the public half of the attestation key pair $AttestKey_{priv,pub}$.

      certificate: $\sigma_{SecKrnl} = Sign_{DeviceKey}(H(SecKrnl), AttestKey_{pub})$

      The Security Kernel's private memory stores $AttestKey_{priv,pub}$ and $\sigma_{SecKrnl}$.

    3. remote attestation

      • The Data Owner generates an ephemeral Data Encryption Key
      • The IP Vendor validates the authenticity of the FPGA device and bitstream
      • The Security Kernel receives the Bitstream Key required to load the accelerator


  • Secure Storage and I/O

    1. The IP Vendor provides the public Shield Encryption Key to the Data Owner

    2. The Data Owner generates a Data Encryption Key

      $LoadKey = Enc_{ShieldEncKey}(DataEncKey)$

      The Data Owner encrypts sensitive input data with the Data Encryption Key.

      The Load Key is sent to the FPGA Shield, which recovers the Data Encryption Key from it.

      Note: in the previous step the Security Kernel already received the Bitstream Key, decrypted the accelerator bitstream and thereby obtained the private Shield Encryption Key.
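The whole key flow in these notes (secure-boot measurement and certificate, the remote attestation check by the IP Vendor, and the Load Key wrapping of the Data Encryption Key) fits in one short model. The following is an added example written for these notes, not code from the ShEF paper or its artifact. Textbook RSA over constructed Mersenne primes stands in for the real RSA/ECDSA engine and all blobs (Security Kernel, bitstream, nonces) are constructed, so it runs on the Python standard library alone and is not secure; the function names (`secure_boot`, `sk_quote`, `vendor_verify`, `make_load_key`) are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Constructed primes (Mersenne primes plus 1000000007), one pair per party. Toy only.
DEVICE_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)   # Manufacturer's Device Key pair
ATTEST_PRIMES = ((1 << 31) - 1, (1 << 107) - 1)  # Security Kernel's Attest Key pair
SHIELD_PRIMES = ((1 << 127) - 1, 1000000007)     # IP Vendor's Shield Encryption Key


def rsa_keypair(p, q):
    """Textbook RSA: returns (public=(n, e), private=(n, d)). Not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(k for k in range(3, 1 << 20, 2) if gcd(k, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def measure(blob: bytes) -> int:
    """Integrity measurement H(x): SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def rsa_sign(priv, msg: int) -> int:
    n, d = priv
    return pow(msg % n, d, n)


def rsa_verify(pub, msg: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == msg % n


def _pub_bytes(pub) -> bytes:
    """Canonical serialisation of (n, e) so a public key can be hashed into a signature."""
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(4, "big")


# --- Secure boot (SPB firmware + Security Kernel) ----------------------------------
def secure_boot(device_priv, sec_krnl: bytes):
    """Measure the SK, derive its AttestKey pair, certify both with DeviceKey_priv."""
    attest_pub, attest_priv = rsa_keypair(*ATTEST_PRIMES)   # a real SK would generate a fresh pair
    h = measure(sec_krnl)
    # sigma_SecKrnl = Sign_DeviceKey(H(SecKrnl), AttestKey_pub)
    sigma = rsa_sign(device_priv, measure(h.to_bytes(32, "big") + _pub_bytes(attest_pub)))
    cert = {"h_seckrnl": h, "attest_pub": attest_pub, "sigma": sigma}
    return cert, attest_priv        # both stay in the Security Kernel's private memory


# --- Remote attestation (Security Kernel <-> IP Vendor) -----------------------------
def sk_quote(attest_priv, nonce: bytes, h_bitstream: int) -> int:
    """SK signs the verifier's nonce and the bitstream measurement with AttestKey_priv."""
    return rsa_sign(attest_priv, measure(nonce + h_bitstream.to_bytes(32, "big")))


def vendor_verify(device_pub, expected_h_seckrnl, cert, nonce, h_bitstream, quote) -> bool:
    """IP Vendor walks the chain: DeviceKey -> (H(SecKrnl), AttestKey_pub) -> quote."""
    if cert["h_seckrnl"] != expected_h_seckrnl:              # unknown or modified SK
        return False
    signed = measure(cert["h_seckrnl"].to_bytes(32, "big") + _pub_bytes(cert["attest_pub"]))
    if not rsa_verify(device_pub, signed, cert["sigma"]):    # not certified by a genuine device
        return False
    return rsa_verify(cert["attest_pub"], measure(nonce + h_bitstream.to_bytes(32, "big")), quote)


# --- Secure storage and I/O: Load Key ----------------------------------------------
def make_load_key(shield_pub, dek: int) -> int:
    """LoadKey = Enc_ShieldEncKey(DataEncKey), computed by the Data Owner."""
    n, e = shield_pub
    assert dek < n
    return pow(dek, e, n)


def shield_unwrap(shield_priv, load_key: int) -> int:
    """The Shield recovers DataEncKey with the private Shield Encryption Key."""
    n, d = shield_priv
    return pow(load_key, d, n)


def demo() -> dict:
    """Run the flow once on constructed blobs; returns the outcomes for checking."""
    device_pub, device_priv = rsa_keypair(*DEVICE_PRIMES)   # manufacturer publishes device_pub
    shield_pub, shield_priv = rsa_keypair(*SHIELD_PRIMES)   # shield_priv ships inside the bitstream
    sec_krnl = b"constructed-ShEF-security-kernel"
    bitstream = b"constructed-accelerator+shield-partial-bitstream"
    h_bs = measure(bitstream)

    cert, attest_priv = secure_boot(device_priv, sec_krnl)
    nonce = secrets.token_bytes(16)
    quote = sk_quote(attest_priv, nonce, h_bs)
    attested = vendor_verify(device_pub, measure(sec_krnl), cert, nonce, h_bs, quote)

    # A modified Security Kernel measures differently and is rejected by the vendor.
    bad_cert, bad_priv = secure_boot(device_priv, sec_krnl + b"-modified")
    bad_quote = sk_quote(bad_priv, nonce, h_bs)
    tampered_rejected = not vendor_verify(device_pub, measure(sec_krnl), bad_cert, nonce, h_bs, bad_quote)
    # Replaying an old quote against a fresh nonce fails too.
    stale_rejected = not vendor_verify(device_pub, measure(sec_krnl), cert, secrets.token_bytes(16), h_bs, quote)

    dek = secrets.randbits(64)                               # constructed Data Encryption Key
    recovered = shield_unwrap(shield_priv, make_load_key(shield_pub, dek))
    return {"attested": attested, "tampered_rejected": tampered_rejected,
            "stale_rejected": stale_rejected, "dek": dek, "dek_recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The point to notice is where each check lives: the IP Vendor only ever needs the manufacturer's published Device public key and the expected Security Kernel measurement, and it releases nothing until both the certificate and the nonce-bound quote verify; the Shield Encryption Key private half never leaves the bitstream, so the Load Key can be handed to the untrusted host program without exposing the Data Encryption Key.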

ShEF shield


A burst is a transfer mode in which adjacent memory cells in the same row are transferred back to back: only a read/write command and a start address are issued, then a fixed length of data is read or written with the address incrementing automatically.

  • The Shield is an RTL module that provides isolated execution and secure I/O and storage by interposing on the ports between the accelerator and the Shell.

  • The register interface provides authenticated encryption. Data from the host program is decrypted and authenticated before being stored into the accelerator's plaintext registers.


  • Cryptographic engines: encryption (AES) and authentication (HMAC/PMAC)

  • Chunk size: the granularity of each authenticated-encryption chunk

  • On-chip buffers: store decrypted and authenticated plaintext data together with their address ranges

  • Advanced integrity verification: Merkle trees over counters to prevent replay attacks
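To make the Shield data path concrete, here is an added example (not code from the ShEF paper) of the register/buffer interface described in this list: the host program encrypts and authenticates data at a configurable chunk size, and the Shield decrypts and authenticates each chunk before anything reaches the accelerator-only plaintext buffer, using a per-chunk counter to drop replays. HMAC-SHA256 stands in for both the AES and the MAC engine so the block runs on the standard library alone; the key, data and the `Shield`/`host_encrypt` names are this example's own constructions.

```python
import hashlib
import hmac
import struct


def _keystream(key: bytes, chunk_idx: int, counter: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the Shield's AES engine."""
    blocks = [hmac.new(key, b"enc" + struct.pack(">QQQ", chunk_idx, counter, blk),
                       hashlib.sha256).digest() for blk in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(key: bytes, chunk_idx: int, counter: int, ct: bytes) -> bytes:
    """Authentication tag binding the ciphertext to its chunk address and counter."""
    return hmac.new(key, b"mac" + struct.pack(">QQ", chunk_idx, counter) + ct,
                    hashlib.sha256).digest()


def host_encrypt(key: bytes, data: bytes, chunk_size: int, counter: int) -> list:
    """Host program side: one (idx, counter, ciphertext, tag) record per chunk."""
    records = []
    for idx in range((len(data) + chunk_size - 1) // chunk_size):
        pt = data[idx * chunk_size:(idx + 1) * chunk_size]
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, idx, counter, len(pt))))
        records.append((idx, counter, ct, _tag(key, idx, counter, ct)))
    return records


class Shield:
    """Shield side: nothing reaches the plaintext buffer until it authenticates."""

    def __init__(self, dek: bytes, chunk_size: int, buffer_len: int):
        self.dek, self.chunk_size = dek, chunk_size       # DEK recovered from the Load Key
        self.buffer = bytearray(buffer_len)               # on-chip plaintext, accelerator-only
        self.last_counter = {}                            # per-chunk freshness state, on-chip

    def receive(self, idx: int, counter: int, ct: bytes, tag: bytes) -> bool:
        """Authenticate, check freshness and bounds, then decrypt into the buffer."""
        if not hmac.compare_digest(tag, _tag(self.dek, idx, counter, ct)):
            return False                                  # tampered data, address or counter
        if counter <= self.last_counter.get(idx, -1):
            return False                                  # replay of an older chunk
        start = idx * self.chunk_size
        if len(ct) > self.chunk_size or start + len(ct) > len(self.buffer):
            return False                                  # outside the chunk's address range
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self.dek, idx, counter, len(ct))))
        self.buffer[start:start + len(pt)] = pt
        self.last_counter[idx] = counter
        return True


def demo() -> dict:
    """Constructed 56-byte input at a 16-byte chunk size, then the failure cases."""
    dek = b"\x11" * 32                                    # constructed Data Encryption Key
    data = b"constructed-sensitive-input-" * 2
    shield = Shield(dek, chunk_size=16, buffer_len=64)
    recs = host_encrypt(dek, data, 16, counter=1)
    accepted = all(shield.receive(*r) for r in recs)
    plaintext_ok = bytes(shield.buffer[:len(data)]) == data
    replayed = shield.receive(*recs[0])                   # same counter again: dropped
    idx, ctr, ct, tag = recs[1]
    tampered = shield.receive(idx, ctr, bytes([ct[0] ^ 1]) + ct[1:], tag)
    moved = shield.receive(2, ctr, ct, tag)               # chunk 1 replayed at address 2
    fresh = shield.receive(*host_encrypt(dek, b"update chunk 0!!", 16, counter=2)[0])
    return {"accepted": accepted, "plaintext_ok": plaintext_ok, "replayed": replayed,
            "tampered": tampered, "moved": moved, "fresh": fresh,
            "chunk0": bytes(shield.buffer[:16])}


if __name__ == "__main__":
    print(demo())
```

Chunk size is the knob the notes mention: a smaller chunk means a tag check per fewer bytes (lower latency before the accelerator can consume data, more tag overhead), a larger one the reverse. The counters here sit on-chip, which is the simple case; the Merkle tree over counters that the paper lists is what protects those counters when they have to spill to untrusted off-chip memory.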

Problem: securing the FPGA-based accelerator
Existing problems: current cryptographic algorithms are computationally heavy and depend on CPU libraries; different applications have different security requirements; CPU TEEs cannot run directly on an FPGA.
Existing accelerator TEEs for FPGAs have problems: they cannot defend against direct physical attacks, require fundamental hardware changes, address isolated challenges, rely on an external CPU TEE, and ignore the Shell (the untrusted "operating system" of cloud FPGA logic).

Solution:
ShEF: composed of secure boot, a configurable remote attestation process, and Shield logic for run-time isolated execution.

The ShEF boot process builds a chain of trust, guaranteeing that the accelerator is loaded into a secure location on the FPGA, runs the remote attestation process, and secures sensitive ports such as JTAG.
The ShEF Shield communicates with the host software and protects the accelerator's sensitive data through soft-logic engines. It is highly customizable, allocating resources according to need.

Abstract:

Problem: the public cloud processes sensitive data.
Solution: ShEF, a trusted execution environment for cloud-based reconfigurable accelerators.
ShEF allows secure execution under a threat model in which the system can be attacked.
Secure boot and remote attestation process
The Shield component provides secure access to data while the accelerator is in use.

1. Introduction

Problem: data leaks show that a vulnerability in any layer of the stack can result in exposure of highly sensitive information.
Existing approaches: cryptographic solutions such as homomorphic encryption (HE), but HE is computationally expensive, and traditional cryptographic libraries still depend on a TCB (trusted computing base)
CPU-based TEEs (trusted execution environments) such as Intel SGX and ARM TrustZone: cryptography keeps evolving, different applications need different levels of security, SGX has had security vulnerabilities, and CPU-based TEEs cannot run directly on an FPGA

Problem: secure execution on remote FPGAs matters, since FPGAs are used as accelerators
Existing accelerator TEEs have problems: they cannot defend against direct physical attacks, require fundamental hardware changes, address isolated challenges, rely on an external CPU TEE, and ignore the Shell (the untrusted "operating system" of cloud FPGA logic)

This paper designs ShEF: hardware-based bespoke security and customizable acceleration.
Decoupled from the CPU TEE: neither the CPU TEE nor the software running on the CPU is trusted.
Customization ensures that each unique accelerator gets a suitable security mechanism, providing only the right levels of protection in order to save resources.

ShEF consists of two parts:
The ShEF boot process builds a chain of trust, guaranteeing that the accelerator is loaded into a secure location on the FPGA, remotely attests its state, and secures sensitive ports such as JTAG.
The ShEF Shield communicates with the host software and protects the accelerator's sensitive data through soft-logic engines. It is highly customizable, allocating resources according to need.

Contributions:

  1. Identify the requirements of a cloud FPGA TEE
  2. Implement the first comprehensive and customizable TEE on cloud FPGAs
  3. Protocols that enable TEE building blocks, including secure boot and remote attestation
  4. Customizability

2. Background

2.1 TEE

Introduces the TEE workflow and functions
Secure boot extends trust by cryptographically measuring each component during boot
Remote attestation process: integrity measurement.
Secure storage and I/O
Isolated execution

A TEE for FPGAs also needs to be customizable

2.2 Conventional FPGA security mechanisms

Security processor block (SPB): guarantees that only developer-signed bitstreams can be loaded; bitstreams are encrypted to prevent reverse-engineering; the FPGA can detect and respond to physical tampering.

The SPB holds an AES key (symmetric) and the hash of a public ECDSA or RSA key (asymmetric)
Keys are embedded before deployment; bitstreams are encrypted with AES or signed with the ECDSA/RSA private key, then decrypted (AES) or authenticated (against the public key hash) inside the SPB; finally, the SPB monitors for tampering.

2.3 Remote FPGA as a Service


Design time: the accelerator's I/O is connected to the Shell's interfaces.
Deployment time: the chosen bitstream is dynamically programmed onto the remaining reconfigurable region.
Once programmed, the host CPU starts the accelerator and transfers data.

2.4 Challenges for secure and customized computing

A lack of asymmetric keys: build a hardware root of trust and remote attestation protocol on top of the available AES key.

Presence of an untrusted Shell: on a CPU, an enclave can access secure hardware while bypassing the untrusted OS. But on an FPGA, the fabric is spatially shared with the untrusted Shell logic.

Lack of secure and flexible I/O: different accelerators have different off-chip I/O security requirements. Current work on FPGA security ignores the lack of secure I/O that results from the Shell, and does not give different accelerators different security mechanisms.

2.5 Threat model

7. Related work

CPU enclaves
Accelerator enclaves
FPGA security

8. Conclusion

Secure boot; configurable remote attestation process; Shield logic for run-time isolated execution

https://www.cnblogs.com/dhcn/p/12795777.html
Integrity challenge protocol:
Used to transfer data between the challenger and the platform, chiefly the ML (measurement list) and the TPM aggregate; through the TPM and cryptographic theory the protocol guarantees that the transferred data is confidential and intact. The protocol claims to prevent 1) replay attacks, 2) tampering attacks, 3) masquerade attacks.

This part is now usually called "remote attestation".
