Articles

July 02,2020

Why a True Hardware PUF is more Reliable as RoT

By Evans Yang (VP of eMemory and PUFsecurity)

In the digital era, industrial product technologies, commercial know-how, and artificial intelligence (AI) assets are stored in one chip of every electronic device. This essential information has become a target for hackers seeking to violate the rights of individuals and enterprises. Consequently, the issue of chip security has become critical. From the moment a system is turned on, the chip vital to security should run a system check on overall hardware and software to assure that there has been no tampering. To do so, a built-in security verification process must guard against malicious programs and codes and prevent the theft of valuable secrets inside the chip.

In line with the theme of security, this article will highlight the importance of chip-security operations and the relationship between the root of trust and chip security. This paper will also analyze the advantages and disadvantages of “root of trust with software algorithms” and “root of trust for pure hardware” as the basis of chip security.

Chip security starts with safe boot

Before the security measures safeguarding a chip even start operating, it is important to ensure that all chip functions are normal. The secure boot process is designed for a security check and is used to confirm that the chip’s internal operation is using native, legal software or operating systems and that other related circuit configurations have not been tampered with. After confirmation of these basic requirements and the security of the operating environment, the chip can then be activated.

In general, a secure boot process follows these steps:

  1. At startup, the system will read the pre-existing root key in the chip to check and verify the integrity of the secret key by comparing it with a certificate.
  2. Next, the system will check the integrity of the boot code by comparing the key with the certificate and signature.
  3. If the startup code or the image file have been encrypted and protected, after verification and before startup, the system will use the encryption key to decrypt the protected information
  4. After decryption, the system will run the startup code to load the basic settings of the chip and establish a safe operating environment.
  5. After confirming that the chip setting is secure, the system will verify that the operating system is genuine. If it is verified, the chip can officially start its operations.

In short, a secure boot will read the pre-stored key and confirm the native integrity of the boot code. Without this procedure, the chip may accidentally run a malicious code after being subjected to an attack. With a root key that can be absolutely trusted, it is easier to perform a series of verification processes that can help avoid risk. Hence, the pre-stored root key is the most important component in any secure boot process. It is therefore vital for the key to have characteristics that are not easily hacked. The next section will focus on root of trust....more