Security
Root of Trust RT-630
The Rambus Root of Trust RT-630 (formerly the CryptoManager RT-630) is a fully programmable hardware security core offering security-by-design for cloud, AI/ML as well as general purpose semiconductor applications. It protects against a wide range of hardware and software attacks through state-of-the-art anti-tamper and security techniques.
As cloud and AI/ML applications evolve, device and system architects face a growing array of security threats. Across applications, one constant is the need for a hardware root of trust-based security implementation. The Rambus RT-630 is the ideal security co-processor for these markets. It employs a custom 32-bit RISC-V siloed and layered secure co-processor, along with dedicated secure memories. The RT-630 also features a number of high-capability cryptographic accelerators such as AES (all modes), HMAC, SHA-2 (all modes), RSA up to 4096 bits, ECC up to 521 bits, a NIST-compliant Random Bit Generator, AXI Multi Issue Out-of-Order, and Fast DMA capability. Additional algorithms such as SHA-3, Poly1305 & ChaCha and OSCCA SM2-3-4 are available as optional HW crypto accelerators. Satisfying use cases such as identity management, attestation, and secure boot, the RT-630 is ideally suited for cloud and AI/ML applications where FIPS 140-2 and 140-3 compliance is required and security is a priority.
Contact
Product Brief
Security in the ARM Ecosystem
Building security in an SoC aiming to meet the goals set by the ARM Platform Security Architecture (PSA) is a complex matter. This is compounded by the complexity of modern-day SoCs comprising multiple processors, security domains and security levels. The Rambus root of trust provides a solid foundation for the SoC security architecture ticking ‘all the boxes’ for reaching the security goals, while offering extensive support for effective integration into a complex TrustZone-based SoC infrastructure.How the Root of Trust Works
The Root of Trust is an independent hardware security co-processor design for integration into semiconductor devices, offering secure execution of user applications, tamper detection and protection, and secure storage and handling of keys and security assets. The Root of Trust offers chipmakers a siloed approach to security; while located on the same silicon as the main processor, the secure processing core is physically separated. A layered security approach enforces access to crypto modules, memory ranges, I/O pins, and other resources, and assures critical keys are available through hardware only with no access by software. The Rambus Root of Trust supports all common main processor architectures, including ARM, RISC-V, x86 and others.
The Rambus Root of Trust supports multi-tenant deployments by offering true multiple root of trust capabilities. Each individual secure application can be assigned its own unique keys, meaning permissions and access levels are set completely independent of others. Secure applications are siloed from each other, ensuring the best approach to security. OEMs can determine access levels and permissions for each and all processes operating within the secure processor.
Dedicated FPGA configuration
The RT-630 is available in a FPGA configuration, targeting to be synthesized in programmable logic. This configuration is designed to map optimally (for max utilization and max frequency) into an FPGA fabric and connect either to on-board or external CPUs. In addition, the design is expanded with an additional OTP emulation model to overcome the lack of (or limitation of) true nonvolatile one-time programmable memory in certain FPGA families. This module allows storing secure assets in external flash in a secure way.
Secure Applications
Included with the RT-630 Hardware Root of Trust are a series of standard secure applications (“containers”) to speed development, including secure boot, identity management, HSM reference, and others. A container development kit (CSDK) is also included to allow the development of custom containers for specific use cases.
The Road to Post Quantum Cryptography
Quantum computing offers the promise of tremendous leaps in processing power over current digital computers. But for the public-key cryptography algorithms used today for e-commerce, mobile payments, media streaming, digital signatures and more, quantum computing represents an existential event. Quantum computers may be able to break the widely used RSA and ECC (Elliptic-Curve Cryptography) algorithms in as little as days. Learn about our solutions and recommendations to ready customers for a post-quantum world.
Solution Offerings
Superior Security
- Hardware root of trust built on a custom 32-bit RISC-V processor
- Secure in-core processing and industry-leading anti-tamper protections
- Built-in tamper detection and resistance to side-channel attacks (configuration-dependent)
- Multi-layered security model provides protection of all components in the core
- FIPS 140-2 & 140-3 CAVP certified
- FIPS 140-2 & 140-3 CMVP certified
Enhanced Flexibility
- 3rd-party applications run securely within trusted boundary, each with its own assigned security permissions
- Complete development environment allows OEMs and users to easily develop secure applications (”containers”); standard use case application containers provided
- Support for secure provisioning of keys and firmware at manufacturing or in the field
- Support for multiple roots of trust within a single secure core
Security Models
- Hierarchical privilege
- Secure key management policy
- Hardware-enforced isolation/access control/protection
- Error management policy
Cryptographic Accelerators
- Includes AES, HMAC, RSA, ECC, RBG (configuration-dependent)
Security Modules
- Canary logic for protection against glitching and overclocking
- Secure key derivation and key transport
- Life cycle management
- Secure test and debug
- Feature management
Complete Documentation
- Hardware integration guide
- Hardware and software reference manuals
- Programming guides
Tools and Scripts
- Verilog for synthesis and simulation
- All scripts and support files needed for standard EDA tool flows integration deliverables
Integration Deliverables
- Complete verification test bench and comprehensive set of test vectors
- Container-authoring software
- Boot loader and firmware, including secure RTOS and security monitor
- HLOS APIs for accessing capabilities
- Complete development environment, including compiler, assembler, debugger, simulator, reference code
Secure Applications Deliverables
- QEMU implementation (source code)
- Implementation of HLOS or ASIC components (source code)
- Sample application demonstrating usage of Secure Application
- Documentation
- Software Architecture
- HLOS Programmer’s Guide
- Developer’s Guide
- API Guide
- Integration Guide
| Secure Application | Description |
|---|---|
| Linux Secure Boot | Implements secure boot for Linux OS, secured by the Root of Trust co-processor |
| Linux Secure FOTA | Implements secure Firmware Over the Air (FOTA) updates for Linux OS |
| ASIC Secure Boot | Uses the Root of Trust co-processor to assist in the secure boot process of ASICs and FPGAs |
| Secure Data Storage | Uses the Root of Trust co-processor to protect user credentials or biometric templates |
| Open SSL Hardening | Hardens the OpenSSL crypto operations via the Root of Trust secure co-processor |
| Reference HSM | Implements a basic HSM supporting AES, HMAC, SHA256, ECDSA, X.509 certificates and secure storage |
| Unique ID Generator | Creates a Root of Trust unique ID and stores it in the Root of Trust NVM (Non Volatile Memory) |
Full Disk Encryption of Solid State Drives and Root of Trust
File encryption, file system encryption and full disk encryption (FDE) are methods offered by the industry to allow users to protect their data stored on non-volatile storage devices, such as Solid State Disks (SSD). The main feature of FDE is to protect stored system and user date from unauthorized reading, writing, alteration, moving or rolling back. However, extended security features are key to securing FDE implementation.