A Flexible Architecture for Systematic Implementation of SoC Security Policies

Abstract

Modern SoC designs incorporate several policies to protect sensitive assets from unauthorized access. The policies affect multiple design blocks, and may involve subtle interactions between hardware, firmware, and software. This makes it difficult for SoC designers to implement these policies, and system validators to ensure adherence. Associated problems include complexity in upgrading these policies, IP reuse for systems targeted for markets with differing requirement, and consequent increase in design time and time-to-market. In this paper, we address this important problem by developing a generic, flexible architectural framework for implementing arbitrary policies in SoC designs. Our architecture has several distinctive features: (1) it relies on a dedicated, centralized, firmware-upgradable plug-and-play IP block that can implement diverse policies; (2) it interfaces with individual IP blocks through their security wrapper, which exploits and extends test/debug wrappers; (3) it implements a policy as firmware code following existing policy languages; (4) it can implement any policy as long as relevant observable and controllable signals from the constituent IPs are accessible through the wrappers; and (5) it realizes a low-overhead communication link between wrappers of IP blocks and the centralized, dedicated controller. The approach builds on and extends the recent work on developing a centralized infrastructure IP for SoC security, referred to as IIPS, that interface with IP blocks using their boundary scan based wrappers. While this architecture is generic and independent of policy types, we provide case studies with several common policies to show the flexibility and extendibility of the architecture. We also evaluate its viability in terms of overhead in area and power.