Ben Levine, Sr. Director, Product Marketing, Cryptography Products Division, recently penned an article in Embedded Computing Design Magazine letting SoC and system designers know that “isolation among applications in some security processors is dicey at best. It’s best to take the right security processor route with multiple roots of trust and complete application isolation.”
He goes on to say that designers are presented with a variety of security processor brands, yet most follow virtually the same chip architecture. It is best characterized as having two domains, one non-secure and one secure, with a single bit dividing the secure domain from the non-secure domain.
Different applications from different entities — where an entity may be the SoC vendor, device OEM, service provider, end user or other participant in the ecosystem of the device — may be running in the same secure domain, he adds. “However, they are not isolated from one another and they may be able to access not only their own keys, but also keys from other applications. Hardware partitioning isn’t between the different entities; it’s only between secure and non-secure.”
Levine explains to his readers it’s best to consider a hardware security core like the CryptoManager Root of Trust that has many domains or multiple roots of trust. In this case, there is a separate security domain for every entity. And those security domains are completely separated from each other using strong hardware security. Security assets like keys and hardware resources are completely isolated.
Each entity has its own set of signed applications in this architecture, he explains. When the hardware security core switches from one application to another, all context is flushed from the core. No data, keys, or other information persist when it switches from one application to the other.
“The only exception is the ability to pass messages between the different applications, if that is explicitly desired by the application writer. This ensures that no context can be shared between different entities,” Levine explains.
Furthermore, he says that security assets are thus completely and securely assigned to specific entities, so by default there is no overlap: different entities cannot access the same resources. Overlap is acceptable only where sharing is deliberately and properly assigned.
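To make the three properties above concrete (one domain per entity, a full context flush on every application switch, and cross-domain data flow only where explicitly enabled), here is an added software model of such a core. It is a constructed illustration written for this page, not code from Levine's article or the CryptoManager Root of Trust; the entity names, key slot names and the `accepts_from` opt-in list are assumptions.

```python
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """Raised when an application reaches outside its own security domain."""


@dataclass
class Domain:
    entity: str
    keys: dict = field(default_factory=dict)        # key slot -> key bytes
    accepts_from: set = field(default_factory=set)  # entities allowed to message us


class SecurityCore:
    """Model of a multi-root-of-trust core (constructed example, not a real design)."""

    def __init__(self):
        self.domains = {}   # entity -> Domain
        self.active = None  # entity whose application currently runs on the core
        self.context = {}   # working state of the running application; flushed on switch
        self.mailbox = {}   # entity -> list of (sender, payload) explicitly passed to it

    def provision(self, entity, slot, key):
        # A key slot belongs to exactly one entity: no overlap by default.
        for dom in self.domains.values():
            if slot in dom.keys and dom.entity != entity:
                raise IsolationViolation(f"{slot} already assigned to {dom.entity}")
        self.domains.setdefault(entity, Domain(entity)).keys[slot] = key

    def switch_to(self, entity):
        # Context flush: nothing from the previous application survives the switch.
        self.context.clear()
        self.active = entity

    def use_key(self, slot):
        # Only the owning domain can load a key into the working context.
        dom = self.domains[self.active]
        if slot not in dom.keys:
            raise IsolationViolation(f"{self.active} may not access {slot}")
        self.context["loaded_key"] = dom.keys[slot]
        return self.context["loaded_key"]

    def send_message(self, to_entity, payload):
        # The only cross-domain channel, and only if the receiver opted in.
        if self.active not in self.domains[to_entity].accepts_from:
            raise IsolationViolation(f"{to_entity} does not accept messages from {self.active}")
        self.mailbox.setdefault(to_entity, []).append((self.active, payload))
```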
In closing, Levine says, “One poorly written or malicious application can compromise the security of all other applications in that SoC. The bottom line is to keep each application from being vulnerable to a malicious attack and simultaneously maintain complete trust among all the applications running on that SoC.”