External authenticated non-volatile memory with lifecycle management for state protection in trusted computing

Abstract

Contemporary processor ASICs for embedded devices often include a trusted execution environment (TrEE), typically realized using a secure, isolated processing mode. TrEEs are used for implementing security services. The isolation can be complete, with on-board RAM and ROM reserved for the exclusive use of these environments, but ASICs that also include non-volatile memory (NVM) are not readily available or cost-effective. This makes it difficult to deploy security services where persistent storage of state is critical to security. One solution is to use external authenticated non-volatile memory (EANVM), e.g. in a different ASIC. This introduces the need for a key management scheme for pairing and secure communication between the processor and the EANVM unit. The design of such a key management scheme needs to allow for lifecycle management requirements such as field replacement of EANVM units and testability of both newly fabricated and field-returned units. In this paper we identify the requirements for lifecycle management of an EANVM which can be used by a TrEE for securing its state persistently. We then present a hardware design that simultaneously meets the usual security requirements and the lifecycle management requirements. Although the design can constitute its own chip, it is intended to be added to a secondary ASIC on the device, one that already has NVM for other reasons (e.g. to store configuration parameters persistently) but has a few tens of NVM cells to spare for this design. Consequently, our design offers an inexpensive way to protect state for TrEEs. © 2010 Springer-Verlag.

Cite

Ekberg, J. E., & Asokan, N. (2010). External authenticated non-volatile memory with lifecycle management for state protection in trusted computing. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6163 LNCS, pp. 16–38). https://doi.org/10.1007/978-3-642-14597-1_2
