Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 2390b1b6299fb1e57e6d9a94c287ce1c0b322376 / . / meta-arm / meta-arm-bsp / documentation / corstone1000 / software-architecture.rst
blob: a17f1b8a68091605321fb67a59322613e34d667f [file] [log] [blame]
Patrick Williams2390b1b2022-11-03 13:47:49 -0500[diff] [blame^]1..
2 # Copyright (c) 2022, Arm Limited.
3 #
4 # SPDX-License-Identifier: MIT
5
6######################
7Software architecture
8######################
9
10
11*****************
12ARM corstone1000
13*****************
14
15ARM corstone1000 is a reference solution for IoT devices. It is part of
16Total Solution for IoT which consists of hardware and software reference
17implementation.
18
19Corstone1000 software plus hardware reference solution is PSA Level-2 ready
20certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_).
21More information on the corstone1000 subsystem product and design can be
22found at:
23`Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_.
24
25This readme explicitly focuses on the software part of the solution and
26provides internal details on the software components. The reference
27software package of the platform can be retrieved following instructions
28present in the user-guide document.
29
30***************
31Design Overview
32***************
33
34The software architecture of corstone1000 platform is a reference
35implementation of Platform Security Architecture (`PSA`_) which provides
36framework to build secure IoT devices.
37
38The base system architecture of the platform is created from three
39different tyes of systems: Secure Enclave, Host and External System.
40Each subsystem provides different functionality to overall SoC.
41
42
43.. image:: images/CorstoneSubsystems.png
44 :width: 720
45 :alt: CorstoneSubsystems
46
47
48The Secure Enclave System, provides PSA Root of Trust (RoT) and
49cryptographic functions. It is based on an Cortex-M0+ processor,
50CC312 Cryptographic Accelerator and peripherals, such as watchdog and
51secure flash. Software running on the Secure Enclave is isolated via
52hardware for enhanced security. Communication with the Secure Encalve
53is achieved using Message Hnadling Units (MHUs) and shared memory.
54On system power on, the Secure Enclaves boots first. Its software
55comprises of two boot loading stages, both based on mcuboot, and
56TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
57Secure Enclave follows Firmware Framework for M class
58processor (`FF-M`_) specification.
59
60The Host System is based on ARM Cotex-A35 processor with standardized
61peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
62the TrustZone technology that allows secure and non-secure security
63states in the processor. The software design in the Host System follows
64Firmware Framework for A class procseeor (`FF-A`_) specification.
65The boot process follows Trusted Boot Base Requirement (`TBBR`_).
66The Host Subsystem is taken out of reset by the Secure Enclave system
67during its final stages of the initialization. The Host subsystem runs
68FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
69(`OPTEE-OS`_) in the secure world, and u-boot(`u-boot repo`_) and
70linux (`linux repo`_) in the non-secure world. The communication between
71non-secure and the secure world is performed via FF-A messages.
72
73An external system is intended to implement use-case specific
74functionality. The system is based on Cortex-M3 and run RTX RTOS.
75Communictaion between external system and Host(cortex-A35) is performed
76using MHU as transport mechanism and rpmsg messaging system.
77
78Overall, the corstone1000 architecture is designed to cover a range
79of Power, Performance, and Area (PPA) applications, and enable extension
80for use-case specific applications, for example, sensors, cloud
81connectivitiy, and edge computing.
82
83*****************
84Secure Boot Chain
85*****************
86
87For the security of a device, it is essential that only authorized
88software should run on the device. The corstone1000 boot uses a
89Secure Boot Chain process where an already authenticated image verifies
90and loads the following software in the chain. For the boot chain
91process to work, the start of the chain should be trusted, forming the
92Root of Trust (RoT) of the device. The RoT of the device is immutable in
93nature and encoded into the device by the device owner before it
94is deployed into the field. In Corstone1000, the BL1 image of the secure
95enclave and content of the CC312 OTP (One Time Programmable) memory
96forms the RoT. The BL1 image exists in ROM (Read Only Memory).
97
98.. image:: images/SecureBootChain.png
99 :width: 870
100 :alt: SecureBootChain
101
102It is a lengthy chain to boot the software on corstone1000. On power on,
103the secure enclave starts executing BL1 code from the ROM which is the RoT
104of the device. Authentication of an image involves the steps listed below:
105
106- Load image from flash to dynamic RAM.
107- The public key present in the image header is validated by comparing with the hash. Depending on the image, the hash of the public key is either stored in the OTP or part of the software which is being already verfied in the previous stages.
108- The image is validated using the public key.
109
110In the secure enclave, BL1 authenticates the BL2 and passes the execution
111control. BL2 authenticates the initial boot loader of the host (Host BL2)
112and TF-M. The execution control is now passed to TF-M. TF-M being the run
113time executable of secure enclaves initializes itself and, in the end,
114brings the host CPU out of rest. The host follows the boot standard defined
115in the `TBBR`_ to authenticate the secure and non-secure software.
116
117***************
118Secure Services
119***************
120
121corstone1000 is unique in providing a secure environment to run a secure
122workload. The platform has Trustzone technology in the Host subsystem but
123it also has hardware isolated secure enclave environment to run such secure
124workloads. In corstone1000, known Secure Services such as Crypto, Protected
125Storage, Internal Trusted Storage and Attestation are available via PSA
126Functional APIs in TF-M. There is no difference for a user communicating to
127these services which are running on a secure enclave instead of the
128secure world of the host subsystem. The below diagram presents the data
129flow path for such calls.
130
131
132.. image:: images/SecureServices.png
133 :width: 930
134 :alt: SecureServices
135
136
137The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
138managed by OPTEE which forwards such calls to the secure enclave. The
139solution relies on OpenAMP which uses shared memory and MHU interrupts as
140a doorbell for communication between two cores. corstone1000 implements
141isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement
142isolation level 2.
143
144For a user to define its own secure service, both the options of the host
145secure world or secure encalve are available. It's a trade-off between
146lower latency vs higher security. Services running on a secure enclave are
147secure by real hardware isolation but have a higher latency path. In the
148second scenario, the services running on the secure world of the host
149subsystem have lower latency but virtual hardware isolation created by
150Trustzone technology.
151
152
153**********************
154Secure Firmware Update
155**********************
156
157Apart from always booting the authorized images, it is also essential that
158the device only accepts the authorized images in the firmware update
159process. corstone1000 supports OTA (Over the Air) firmware updates and
160follows Platform Security Firmware Update sepcification (`FWU`_).
161
162As standardized into `FWU`_, the external flash is divided into two
163banks of which one bank has currently running images and the other bank is
164used for staging new images. There are four updatable units, i.e. Secure
165Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel
166Image. The new images are accepted in the form of a UEFI capsule.
167
168
169.. image:: images/ExternalFlash.png
170 :width: 690
171 :alt: ExternalFlash
172
173
174The Metadata Block in the flash has the below firmware update state machine.
175TF-M runs an OTA service that is responsible for accepting and updating the
176images in the flash. The communication between the UEFI Capsule update
177subsystem and the OTA service follows the same data path explained above.
178The OTA service writes the new images to the passive bank after successful
179capsule verification. It changes the state of the system to trial state and
180triggers the reset. Boot loaders in Secure Enclave and Host read the Metadata
181block to get the information on the boot bank. In the successful trial stage,
182the acknowledgment from the host moves the state of the system from trial to
183regular. Any failure in the trial stage or system hangs leads to a system
184reset. This is made sure by the use of watchdog hardware. The Secure Enclave's
185BL1 has the logic to identify multiple resets and eventually switch back to the
186previous good bank. The ability to revert to the previous bank is crucial to
187guarantee the availability of the device.
188
189
190.. image:: images/SecureFirmwareUpdate.png
191 :width: 430
192 :alt: SecureFirmwareUpdate
193
194
195
196******************************
197UEFI Runtime Support in u-boot
198******************************
199
200Implementation of UEFI boottime and runtime APIs require variable storage.
201In corstone1000, these UEFI variables are stored in the Protected Storage
202service. The below diagram presents the data flow to store UEFI variables.
203The u-boot implementation of the UEFI subsystem uses the FF-A driver to
204communicate with the SMM Service in the secure world. The backend of the
205SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
206calls are forwarded to the secure enclave as explained above.
207
208
209.. image:: images/UEFISupport.png
210 :width: 590
211 :alt: UEFISupport
212
213
214***************
215References
216***************
217`ARM corstone1000 Search`_
218`Arm security features`_
219
220--------------
221
222*Copyright (c) 2022, Arm Limited. All rights reserved.*
223
224.. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
225.. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
226.. _Arm corstone1000 Search: https://developer.arm.com/search#q=corstone-1000
227.. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
228.. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
229.. _FF-A: https://developer.arm.com/documentation/den0077/latest
230.. _FF-M: https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93
231.. _FWU: https://developer.arm.com/documentation/den0118/a/
232.. _OPTEE-OS: https://github.com/OP-TEE/optee_os
233.. _PSA: https://www.psacertified.org/
234.. _PSA L2 Ready: https://www.psacertified.org/products/corstone-1000/
235.. _SRIR cert: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ir-certification-arm-corstone-1000.pdf
236.. _TBBR: https://developer.arm.com/documentation/den0006/latest
237.. _TF-M: https://www.trustedfirmware.org/projects/tf-m/
238.. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/
239.. _u-boot repo: https://github.com/u-boot/u-boot.git