feature article
Subscribe Now

Security Processors Made Easy

Synopsys ARC SEM Subsystem Does the Dirty Work

“I don’t pay to have my dirty work done for me. I do it myself.” – Ted Nugent

Security experts are like proctologists: you wouldn’t want the job but you’re glad they’re around when you need one.

So let’s all give a (gloved) hand to the engineers at Synopsys for doing what the rest of us don’t want to do: creating a secure microprocessor island for SoC development. The hardy souls at Synopsys’s IP clinic have made it easier for the rest of us to secure newly developed chips against the scourge of backdoors, invasive probing, password sniffing, overflows, viruses, and various other communicable diseases.

All this new hardware surrounds the company’s existing ARC SEM secure-processor core, announced last year. The processor was a good start; the new support logic finishes the job. It surrounds the CPU core with security-enhanced memory controllers, buses, crypto accelerators, tamper-proof NVRAM, and more subtle shielding tricks to guard against an array of known (and potentially unknown) attack vectors. If you liked the idea of using the secured ARC SEM processor, you’ll like the packaged subsystem even better.

To recap, the SEM (which presumably stands for Secure Embedded Microprocessor) is a 32-bit RISC CPU that’s been tweaked to make it harder for miscreants to hack. All instructions execute in the same number of cycles, so you can’t monitor software routines to glean useful timing data. Many circuits deliberately inject RF noise, so you can’t remotely monitor their activity. Address, instruction, and data buses are all scrambled so you can’t reverse-engineer the code. And some activities invoke small but random delays, so you can’t observe their goings-on. You get the idea.

In addition to all that, ARC processors have always allowed designers to add their own hardware instructions and/or execution units. These are normally created to enhance performance or to execute some truly obscure or application-specific operation that a normal CPU wouldn’t be equipped to handle. But custom instructions also aid security. Bad guys can’t disassemble an instruction they’ve never seen. Some Synopsys customers add instructions to the CPU precisely because they complicate third-party observation.

Synopsys isn’t the only company to offer security-enhanced processors. In fact, this isn’t even their first one. MIPS, ARM, Cypress, and other CPU vendors have all rolled out hacker-resistant CPU designs boasting roughly the same set of features. Tortuga Logic even sells a security-enhancement tool set for developers. Security is a big thing these days.

The new security subsystem – remarkably, Synopsys hasn’t given it a catchy name – is aimed at fairly high-end, high-risk devices. “This is overkill for a smart lightbulb,” says marketing manager Rich Collins. It’s intended more for passports, embedded SIM cards, energy meters, and industrial equipment. That’s not because Synopsys believes its new subsystem is expensive; just because they think it’s that good.

Showing off the processor’s extensibility, Synopsys allows you to dial in the type of cryptographic acceleration you want. You get your choice of three flavors: all-software, software/hardware swirl, and all-hardware hardcore. In the all-software mode, your crypto work is done… well… all in software, this courtesy of Synopsys’s acquisition of Elliptic Technologies two years ago. The mixed-mode approach uses ARC’s signature party trick of adding custom instructions to the processor, although this time they’re ready-made Synopsys IP specifically for crypto acceleration. Finally, the all-hardware approach uses dedicated hardwired logic blocks for both symmetric (AES, CBC, CTR, etc.) and asymmetric (PKA-RSA and -ECC) algorithms.

As you’d expect, there are size, speed, and power tradeoffs for these choices. But that’s the point: you get to decide. Synopsys says the all-hardware approach is about 12 times faster than all-software, but it nearly doubles the processor’s gate count. The hardware/software mix is, not surprisingly, about in the middle, at about 7 times faster and one-third bigger than the code-based approach.

Buried somewhere beneath all this armor is a ridiculously small processor. The ARC SEM110 (the basic CPU) and SEM120D (with DSP extensions) employ just a three-stage pipeline – fetch, decode, execute – which is about the simplest design possible. In actual silicon, the CPU measures about 0.01 mm2 – a rounding error for most SoC designs. (An ARM Cortex-A9 CPU is about 100x larger.)

There’s something about security hardware that makes me think of a Saturn V rocket. That huge launch vehicle weighed 6.2 million pounds and stood 36 stories tall, yet only the very tip of it – barely big enough for three men to squeeze into and scarcely visible from the ground – made it to the moon and back. Approximately 99.8 percent of the mass of the beast was disposable support infrastructure, there to get that last 0.2 percent to its destination.

Similarly, Synopsys’s secure processor IP is a whole lot of anti-hacker logic wrapped around a very small and simple CPU. Only a tiny percentage of the logic does any actual work; it seems like the remaining 99% is there to thwart bad guys.

That is, if you define “work” as moving data in and out of registers, performing arithmetic operations, and making Boolean logic decisions. You know, computer stuff. But if your definition of work more broadly encompasses guarding against side-channel attacks, obfuscating operations, sidestepping exploits, and interfering with reverse-engineering, then it’s all good.

Leave a Reply

featured blogs
Dec 1, 2023
Why is Design for Testability (DFT) crucial for VLSI (Very Large Scale Integration) design? Keeping testability in mind when developing a chip makes it simpler to find structural flaws in the chip and make necessary design corrections before the product is shipped to users. T...
Nov 27, 2023
See how we're harnessing generative AI throughout our suite of EDA tools with Synopsys.AI Copilot, the world's first GenAI capability for chip design.The post Meet Synopsys.ai Copilot, Industry's First GenAI Capability for Chip Design appeared first on Chip Design....
Nov 6, 2023
Suffice it to say that everyone and everything in these images was shot in-camera underwater, and that the results truly are haunting....

featured video

TDK CLT32 power inductors for ADAS and AD power management

Sponsored by TDK

Review the top 3 FAQs (Frequently Asked Questions) regarding TDK’s CLT32 power inductors. Learn why these tiny power inductors address the most demanding reliability challenges of ADAS and AD power management.

Click here for more information

featured paper

Power and Performance Analysis of FIR Filters and FFTs on Intel Agilex® 7 FPGAs

Sponsored by Intel

Learn about the Future of Intel Programmable Solutions Group at intel.com/leap. The power and performance efficiency of digital signal processing (DSP) workloads play a significant role in the evolution of modern-day technology. Compare benchmarks of finite impulse response (FIR) filters and fast Fourier transform (FFT) designs on Intel Agilex® 7 FPGAs to publicly available results from AMD’s Versal* FPGAs and artificial intelligence engines.

Read more

featured chalk talk

How IO-Link® is Enabling Smart Factory Digitization -- Analog Devices and Mouser Electronics
Safety, flexibility and sustainability are cornerstone to today’s smart factories. In this episode of Chalk Talk, Amelia Dalton and Shasta Thomas from Analog Devices discuss how Analog Device’s IO-Link is helping usher in a new era of smart factory automation. They take a closer look at the benefits that IO-Link can bring to an industrial factory environment, the biggest issues facing IO-Link sensor and master designs and how Analog Devices ??can help you with your next industrial design.
Feb 2, 2023
36,479 views