feature article
Subscribe Now

Security Processors Made Easy

Synopsys ARC SEM Subsystem Does the Dirty Work

“I don’t pay to have my dirty work done for me. I do it myself.” – Ted Nugent

Security experts are like proctologists: you wouldn’t want the job but you’re glad they’re around when you need one.

So let’s all give a (gloved) hand to the engineers at Synopsys for doing what the rest of us don’t want to do: creating a secure microprocessor island for SoC development. The hardy souls at Synopsys’s IP clinic have made it easier for the rest of us to secure newly developed chips against the scourge of backdoors, invasive probing, password sniffing, overflows, viruses, and various other communicable diseases.

All this new hardware surrounds the company’s existing ARC SEM secure-processor core, announced last year. The processor was a good start; the new support logic finishes the job. It surrounds the CPU core with security-enhanced memory controllers, buses, crypto accelerators, tamper-proof NVRAM, and more subtle shielding tricks to guard against an array of known (and potentially unknown) attack vectors. If you liked the idea of using the secured ARC SEM processor, you’ll like the packaged subsystem even better.

To recap, the SEM (which presumably stands for Secure Embedded Microprocessor) is a 32-bit RISC CPU that’s been tweaked to make it harder for miscreants to hack. All instructions execute in the same number of cycles, so you can’t monitor software routines to glean useful timing data. Many circuits deliberately inject RF noise, so you can’t remotely monitor their activity. Address, instruction, and data buses are all scrambled so you can’t reverse-engineer the code. And some activities invoke small but random delays, so you can’t observe their goings-on. You get the idea.

In addition to all that, ARC processors have always allowed designers to add their own hardware instructions and/or execution units. These are normally created to enhance performance or to execute some truly obscure or application-specific operation that a normal CPU wouldn’t be equipped to handle. But custom instructions also aid security. Bad guys can’t disassemble an instruction they’ve never seen. Some Synopsys customers add instructions to the CPU precisely because they complicate third-party observation.

Synopsys isn’t the only company to offer security-enhanced processors. In fact, this isn’t even their first one. MIPS, ARM, Cypress, and other CPU vendors have all rolled out hacker-resistant CPU designs boasting roughly the same set of features. Tortuga Logic even sells a security-enhancement tool set for developers. Security is a big thing these days.

The new security subsystem – remarkably, Synopsys hasn’t given it a catchy name – is aimed at fairly high-end, high-risk devices. “This is overkill for a smart lightbulb,” says marketing manager Rich Collins. It’s intended more for passports, embedded SIM cards, energy meters, and industrial equipment. That’s not because Synopsys believes its new subsystem is expensive; just because they think it’s that good.

Showing off the processor’s extensibility, Synopsys allows you to dial in the type of cryptographic acceleration you want. You get your choice of three flavors: all-software, software/hardware swirl, and all-hardware hardcore. In the all-software mode, your crypto work is done… well… all in software, this courtesy of Synopsys’s acquisition of Elliptic Technologies two years ago. The mixed-mode approach uses ARC’s signature party trick of adding custom instructions to the processor, although this time they’re ready-made Synopsys IP specifically for crypto acceleration. Finally, the all-hardware approach uses dedicated hardwired logic blocks for both symmetric (AES, CBC, CTR, etc.) and asymmetric (PKA-RSA and -ECC) algorithms.

As you’d expect, there are size, speed, and power tradeoffs for these choices. But that’s the point: you get to decide. Synopsys says the all-hardware approach is about 12 times faster than all-software, but it nearly doubles the processor’s gate count. The hardware/software mix is, not surprisingly, about in the middle, at about 7 times faster and one-third bigger than the code-based approach.

Buried somewhere beneath all this armor is a ridiculously small processor. The ARC SEM110 (the basic CPU) and SEM120D (with DSP extensions) employ just a three-stage pipeline – fetch, decode, execute – which is about the simplest design possible. In actual silicon, the CPU measures about 0.01 mm2 – a rounding error for most SoC designs. (An ARM Cortex-A9 CPU is about 100x larger.)

There’s something about security hardware that makes me think of a Saturn V rocket. That huge launch vehicle weighed 6.2 million pounds and stood 36 stories tall, yet only the very tip of it – barely big enough for three men to squeeze into and scarcely visible from the ground – made it to the moon and back. Approximately 99.8 percent of the mass of the beast was disposable support infrastructure, there to get that last 0.2 percent to its destination.

Similarly, Synopsys’s secure processor IP is a whole lot of anti-hacker logic wrapped around a very small and simple CPU. Only a tiny percentage of the logic does any actual work; it seems like the remaining 99% is there to thwart bad guys.

That is, if you define “work” as moving data in and out of registers, performing arithmetic operations, and making Boolean logic decisions. You know, computer stuff. But if your definition of work more broadly encompasses guarding against side-channel attacks, obfuscating operations, sidestepping exploits, and interfering with reverse-engineering, then it’s all good.

Leave a Reply

featured blogs
Jun 18, 2021
It's a short week here at Cadence CFD as we celebrate the Juneteenth holiday today. But CFD doesn't take time off as evidenced by the latest round-up of CFD news. There are several really... [[ Click on the title to access the full blog on the Cadence Community sit...
Jun 17, 2021
Learn how cloud-based SoC design and functional verification systems such as ZeBu Cloud accelerate networking SoC readiness across both hardware & software. The post The Quest for the Most Advanced Networking SoC: Achieving Breakthrough Verification Efficiency with Clou...
Jun 17, 2021
In today’s blog episode, we would like to introduce our newest White Paper: “System and Component qualifications of VPX solutions, Create a novel, low-cost, easy to build, high reliability test platform for VPX modules“. Over the past year, Samtec has worked...
Jun 14, 2021
By John Ferguson, Omar ElSewefy, Nermeen Hossam, Basma Serry We're all fascinated by light. Light… The post Shining a light on silicon photonics verification appeared first on Design with Calibre....

featured video

Kyocera Super Resolution Printer with ARC EV Vision IP

Sponsored by Synopsys

See the amazing image processing features that Kyocera’s TASKalfa 3554ci brings to their customers.

Click here for more information about DesignWare ARC EV Processors for Embedded Vision

featured paper

Choose a high CMTI gate driver that cuts your SiC switch dead-time

Sponsored by Maxim Integrated

As GaN and SiC FETs begin to replace MOSFET and IGBT technologies in power switching applications, this paper discusses the key considerations when selecting an isolated gate driver. Maxim explains the importance of CMTI and propagation delay skew and presents an isolated gate driver IC ideal for use with these new power transistors.

Click to read more

Featured Chalk Talk

Intel NUC Elements

Sponsored by Mouser Electronics and Intel

Intel Next Unit of Computing (NUC) compute elements are small-form-factor barebone computer kits and components that are perfect for a wide variety of system designs. In this episode of Chalk Talk, Amelia Dalton chats with Kristin Brown of Intel System Product Group about pre-engineered solutions from Intel that can provide the appropriate level of computing power for your next design, with a minimal amount of development effort from your engineering team.

Click here for more information about Intel NUC 8 Compute Element (U-Series)