RISC-V 30906 hex five multi_zone iot firmware
1. MultiZone® IoT Firmware
The quick and safe way to build secure IoT applications with any RISC-V processor
Cesare Garlati – Hex Five Security
Sandro Pinto – Hex Five Security
2. MultiZone is a registered trademark of Hex Five Security, Inc. – Patent pending US 16450826, PCT US1938774
Cortex-M and TrustZone are registered trademarks of Arm Limited
Building Secure IoT Devices Is Challenging
― Resource-constrained MCUs (no MMU)
― 100’s of KB of 3rd party untrusted code base
― No RISC-V specs for a TrustZone®-like TEE
Market requirements
― Consumer products: high volume / low cost
― Battery operated: small processor / limited ram & rom
Basic IoT requirements
― SW foundation: multitask RTOS, peripheral drivers, ...
― Connectivity libraries: tcp/ip, dhcp, dns, sntp, mqtt, ...
― Security libraries: TLS, ECC, PKI, RoT, TEE, ...
Advanced IoT requirements
― New IoT regulations, access to commercial clouds, ...
― Secure boot, remote updates, OTA provisioning, ...
MultiZone® IoT Firmware
― Complete IoT stack that shields trusted applications from untrusted 3rd party libraries
― Provides secure access to any IoT cloud, secure boot, remote firmware updates, ...
― Works with any RISC-V processor: no need for proprietary TrustZone-like HW
― Rapid development: pre-integrated TEE, TCP/IP, TLS/ECC, FreeRTOS, GCC, Eclipse
― Built-in Trusted Execution Environment providing up to 4 separated HW/SW “worlds”
― Commercial open source license: no GPL contamination, no royalties, $$ per design
MultiZone® IoT Firmware Architecture
(Diagram) Any RISC-V 32-bit or 64-bit with ‘U’ extension. The MultiZone Trusted Execution Environment (TEE) runs in ‘M’ mode; every zone runs in ‘U’ mode and is separated from the others by the PMP HW:
― Zone #1: ETHERNET driver, TCP Lib, TLS Lib, MQTT Lib
― Zone #2: RTOS or bare metal app, HW Drivers
― Zone #3: RTOS or bare metal app, HW Drivers
― Zone ...: RTOS or bare metal app, HW Drivers
Use case
Secure access to commercial IoT clouds
― Customer needs MQTT, TLS, ECC, mutual authentication optimized for RISC-V devices
― Customer is concerned about backdoors and lack of separation in 3rd party software
― Customer can’t afford the time, cost and technology risk of a complete system redesign
― MultiZone provides built-in secure connectivity to commercial cloud providers like AWS, Azure, etc.
― MultiZone provides four separated execution environments, hardware enforced, software defined
― MultiZone can retrofit existing hardware and software, works out-of-the-box, and is available now
Use case
Remote firmware updates
― Product must comply with new IoT regulation requiring remote firmware updates (OTA)
― Customer is concerned about the time, cost, and security risk of developing a DIY solution
― Customer is concerned about the vendor lock-in inherent in commercial cloud services
― MultiZone provides high-grade security OTA updates via the open standard MQTT and TLS protocols
― MultiZone is commercial-grade, available immediately, and built from the ground up for security
― MultiZone remote firmware updates work with any commercial or private IoT cloud
Use case
Real-time monitoring and device management
― Customer needs real-time monitoring, remote updates, and device management
― Customer can’t absorb the recurring cost of commercial web services – i.e. AWS, Azure
― Project economics can’t justify the addition of expensive IoT modules to the BOM
― MultiZone provides secure bidirectional access to/from the device via the standard MQTT protocol
― MultiZone works with public and private clouds – i.e. OEM owned PKI and backend infrastructure
― MultiZone can retrofit existing hardware, no need to redesign for additional 3rd party IoT modules
MultiZone® Reference Application – Live Demo
― Download and build the MultiZone Eclipse project
― Flash the MultiZone Firmware to the ARTY FPGA board
― Connect to a public or private IoT cloud
― Remotely deploy individual applications
― Remotely control the operations of a small robotic arm
― Connect a local terminal to assess security and separation
(Diagram) Cloud (private: MQTT broker; commercial: AWS, ...) reached over MQTT with TLS ECC; local interfaces: UART, GPIO
How To Get Started
Hardware
― Artix-7 35T FPGA Evaluation Kit http://www.xilinx.com/products/boards-and-kits/arty.html
― Olimex debug head ARM-USB-TINY-H http://www.olimex.com/Products/ARM/JTAG/ARM-USB-TINY-H/
― OWI Robot (optional) http://owirobot.com/robotic-arm-edge/
Software
― Eclipse IDE CDT http://www.eclipse.org/cdt/
― Hex Five X300 SoC bitstream http://github.com/hex-five/multizone-fpga
― MultiZone Firmware https://github.com/hex-five/multizone-iot-firmware
Documentation
― https://github.com/hex-five/multizone-iot-firmware/blob/master/manual.pdf
10. MultiZone Security
MultiZone Security is the quick and safe way to add security and separation to billions of IoT devices. MultiZone can retrofit existing hardware. If you don’t have TrustZone, or if you require finer granularity than one trusted area, you can take advantage of high security separation without the need for a redesign – see http://hex-five.com
MultiZone® IoT Firmware – Data Sheet
(Columns: Stack / Component / Features / Size / License)

Reference Hardware
― Component: Digilent ARTY7 35T FPGA; Hex Five X300 SoC IP
― Features: RISC-V core RV32ACIMU, 4-way i-cache, 65 MHz; Ethernet: Xilinx EthernetLite Ethernet core
― License: Apache 2.0 license – permissive, commercial use ok

IDE & Toolchain
― Component: Eclipse IDE + openOCD debug; GNU GCC, GDB, …
― Features: GCC multi-lib rv32, rv32e, rv64, GDB, openOCD; Hex Five pre-built GCC binaries (optional); Hex Five pre-built OpenOCD binaries (optional)
― License: GNU General Public License version 3

TCP/IP library
― Component: LWIP 2.1.1 with Hex Five security extensions
― Features: IP, ICMP, UDP, TCP, ARP, DHCP, DNS, SNTP, MQTT; lightweight single-threaded execution; fully integrated with the SSL stack
― Size: 40KB ROM, 16KB RAM
― License: Modified BSD – permissive, commercial use ok

SSL library
― Component: mbed TLS 2.23.0 with Hex Five secure configuration
― Features: TLSv1.2, Cipher TLS_AES_128_GCM_SHA256; ECC: prime256v1, Private Key NIST CURVE: P-256; mutual authentication, cert expiration verification, TLS large fragment
― Size: 64KB ROM, 32KB RAM
― License: Apache 2.0 license – permissive, commercial use ok

Real Time OS (optional)
― Component: FreeRTOS 10.3.0 with Hex Five integration with the TEE
― Features: secure unprivileged execution of kernel, tasks, and interrupt handlers; no memory shared with TCP/IP and SSL library code; no memory shared with other applications running in separate zones
― Size: 32KB ROM, 16KB RAM
― License: MIT open source license – permissive, commercial use ok

Trusted Execution Environment
― Component: MultiZone Security TEE 2.0; RISC-V secure DMA extension; RISC-V shared PLIC extension
― Features: 4 separated Trusted Execution Environments (zones) enforced via PMP; 8 memory-mapped resources per zone – i.e. ram, rom, i/o, uart, gpio, eth, …; secure inter-zone messaging – no shared memory, no buffers, no stack, etc.; protected user-mode interrupt handlers mapped to zones – plic / clint
― Size: 4KB ROM, 4KB RAM
― License: Free for evaluation, commercial license priced per design – perpetual, no royalties, no GPL contamination

Minimal Attack Surface (compare with TrustZone Secure Firmware): 4KB RAM, 4KB ROM
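The data sheet states that the zones and their memory-mapped resources are enforced via PMP. The block below is an added illustration, not code from the page or from Hex Five's firmware: it encodes two statically defined resources of one zone as RISC-V PMP NAPOT entries (the encoding from the RISC-V privileged specification) and evaluates user-mode accesses against them the way the hardware does, including the case where no entry matches and the access is refused. The zone base addresses, sizes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not MultiZone code): static zone policies expressed as
 * RISC-V PMP NAPOT entries, plus a software model of the hardware check. */

#define PMP_R        0x01u
#define PMP_W        0x02u
#define PMP_X        0x04u
#define PMP_A_NAPOT  0x18u   /* A field (bits 4:3) = 3: naturally aligned power-of-two */
#define PMP_L        0x80u   /* lock: entry can't be changed until reset */

typedef struct {
    uint8_t  cfg;    /* one byte of pmpcfgN */
    uint32_t addr;   /* pmpaddrN on RV32: physical address >> 2, NAPOT-encoded */
} pmp_entry_t;

/* Encode [base, base+size) as a locked NAPOT region with the given R/W/X bits.
 * Returns 0 on success, -1 if size is not a power of two >= 8 or base is not
 * aligned to size (both are requirements of the NAPOT encoding). */
int pmp_napot_encode(uint32_t base, uint32_t size, uint8_t perms, pmp_entry_t *e)
{
    if (size < 8 || (size & (size - 1)) != 0 || (base & (size - 1)) != 0)
        return -1;
    e->addr = (base >> 2) | ((size >> 3) - 1);
    e->cfg  = (uint8_t)((perms & (PMP_R | PMP_W | PMP_X)) | PMP_A_NAPOT | PMP_L);
    return 0;
}

/* Recover base and size from a NAPOT entry: the number of trailing one bits
 * gives the size, the remaining high bits give the base. */
static void pmp_napot_decode(const pmp_entry_t *e, uint32_t *base, uint32_t *size)
{
    uint32_t ones = 0;
    while (ones < 29 && ((e->addr >> ones) & 1u)) ones++;
    *size = 8u << ones;
    *base = (e->addr & ~((1u << ones) - 1u)) << 2;
}

/* Model of the hardware check for a U-mode access of type `perm` at `addr`:
 * the lowest-numbered matching entry decides, and with no matching entry a
 * U-mode access is denied. Returns 1 if allowed, 0 if it would trap. */
int pmp_allows(const pmp_entry_t *entries, int n, uint32_t addr, uint8_t perm)
{
    for (int i = 0; i < n; i++) {
        uint32_t base, size;
        if (((entries[i].cfg >> 3) & 3u) != 3u)   /* only NAPOT entries are modelled */
            continue;
        pmp_napot_decode(&entries[i], &base, &size);
        if (addr >= base && addr - base < size)
            return (entries[i].cfg & perm) == perm;
    }
    return 0;
}

/* Constructed sample policy for one zone: 16KB of private RAM (RW, never X)
 * and one 4KB UART register block (RW). demo_policy_load() fills the table
 * and returns the number of entries. */
static pmp_entry_t demo_pmp[2];

int demo_policy_load(void)
{
    int n = 0;
    if (pmp_napot_encode(0x80000000u, 16u * 1024u, PMP_R | PMP_W, &demo_pmp[n]) == 0) n++;
    if (pmp_napot_encode(0x10013000u,  4u * 1024u, PMP_R | PMP_W, &demo_pmp[n]) == 0) n++;
    return n;
}

int main(void)
{
    int n = demo_policy_load();
    printf("write 0x80001000 (zone RAM):   %s\n", pmp_allows(demo_pmp, n, 0x80001000u, PMP_W) ? "ok" : "denied");
    printf("read  0x80004000 (other zone): %s\n", pmp_allows(demo_pmp, n, 0x80004000u, PMP_R) ? "ok" : "denied");
    printf("exec  0x10013000 (UART):       %s\n", pmp_allows(demo_pmp, n, 0x10013000u, PMP_X) ? "ok" : "denied");
    return 0;
}
```

Two points worth noticing: the encoder rejects any region that is not a size-aligned power of two, so a policy that cannot be expressed exactly fails at build time rather than silently covering more (or less) than intended, and the lock bit is set so that nothing running after the TEE's boot-time configuration can relax an entry.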
MultiZone Security TEE Feature List
― Formally verifiable: TCB ~2KB, minimal attack surface, no dynamic data structures like stack, heap, and buffers. TCB equivalent to less than 10,000 lines of code – assuming a 10^-4 defects per line of code ratio.
― Zero trust: completely self-contained runtime, no dependencies on libraries and other runtime components including C runtime, linker scripts, and kernel-mode drivers.
― Sealed runtime: pre-built, driven by statically defined user-defined policies, that doesn’t require or even expose to the developer any interface other than the policy configuration file itself.
― Isolation of executable code (text segments) to ensure that user programs run in unprivileged mode so that they can’t compromise the overall system integrity – including drivers and IRQ handlers.
― Isolation of data (data segments) and memory-mapped peripherals (typically I/O) via a hardware unit that prevents access outside statically defined security boundaries.
― Isolation of interrupts so that interrupt handlers are mapped to the respective zone context and executed at a reduced level of privilege, unable to compromise the isolation model.
― Isolation of hardware components including all cores, bus masters, DMA, interrupt controllers, and caches in heterogeneous systems where deterministic and OOO (out-of-order) cores come together in a single SoC.
― Pre-emptive temporal separation mechanism to ensure that any single thread can’t cause a denial of service by indefinitely holding processing cycles. This is a must for safety-critical applications.
― Secure inter-zone communications infrastructure to allow inter-zone data transfers without relying on shared memory resources such as buffers, stack, and heap.
― Secure inter-processor communications infrastructure to allow zones running on the secure core(s) to send/receive data to/from other low-criticality/non-secure cores – i.e. protected split buffers.
― Soft timer facility to multiplex the underlying single hardware timer and make it available to each zone independently from the others.
― Wait for interrupt functionality to allow transparent support for system suspend and low-power states. This is a must for battery-operated devices and low-latency deterministic applications.
― Trap & Emulate functionality for secure execution of privileged instructions. Allows porting of existing application code originally designed to operate in a single unprotected memory space.
― Secure boot: 2-stage boot loader to verify the integrity and authenticity of runtime and policies. Should boot the whole system to configure and lock separation policies for all hardware components.
― Toolchain extension: cross-platform command line fully integrated with toolchain and IDE, to combine and configure the zone binaries and to produce the signed firmware image for the secure boot of the system.
― Open source API to expose runtime micro-services such as messaging and process scheduling. Optional helper wrappers to reduce system call overhead. Free and open permissive license.
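The Trap & Emulate item above describes servicing privileged instructions on behalf of an unprivileged zone so that code written for a single flat address space can be ported. The block below is an added example, not MultiZone code: a machine-mode handler for the illegal-instruction trap that a U-mode CSR access raises. It decodes the trapped instruction and emulates only read-only access to an allow-list of counters (mcycle, minstret); any write, and any other CSR, is handed back to the zone as a fault. CSR numbers and instruction encodings are those of the RISC-V ISA; the counter values, the trap frame layout and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not MultiZone code): machine-mode trap-and-emulate handler
 * for CSR instructions executed by an unprivileged zone. */

#define OPCODE_SYSTEM 0x73u
#define CSR_MCYCLE    0xB00u
#define CSR_MINSTRET  0xB02u
#define CSR_MSTATUS   0x300u

/* Constructed stand-ins for the hardware counters the handler exposes. */
static uint64_t fake_cycle = 123456, fake_instret = 65432;

/* Saved zone context at trap time: integer registers x0..x31 and the pc. */
typedef struct { uint32_t x[32]; uint32_t pc; } trap_frame_t;

/* Build "csrrs rd, csr, x0" (the csrr pseudo-instruction) for the demo. */
uint32_t encode_csrr(uint32_t rd, uint32_t csr)
{
    return (csr << 20) | (2u << 12) | ((rd & 0x1fu) << 7) | OPCODE_SYSTEM;
}

/* Returns 0 if the trapped instruction was emulated (register written, pc
 * advanced) or -1 if it must remain an illegal-instruction fault for the zone. */
int emulate_csr(trap_frame_t *f, uint32_t inst)
{
    uint32_t opcode = inst & 0x7fu;
    uint32_t funct3 = (inst >> 12) & 7u;
    uint32_t rd     = (inst >> 7) & 0x1fu;
    uint32_t rs1    = (inst >> 15) & 0x1fu;   /* uimm for the CSRR*I forms */
    uint32_t csr    = inst >> 20;

    if (opcode != OPCODE_SYSTEM || funct3 == 0 || funct3 == 4)
        return -1;   /* not a CSR instruction (ECALL/EBREAK/WFI/MRET/...) */

    /* Only pure reads are serviced: CSRRS/CSRRC with rs1 == x0, or
     * CSRRSI/CSRRCI with a zero immediate. CSRRW/CSRRWI and any non-zero
     * set/clear mask are writes and are refused regardless of the CSR. */
    int read_only = (funct3 == 2 || funct3 == 3 || funct3 == 6 || funct3 == 7) && rs1 == 0;
    if (!read_only)
        return -1;

    uint32_t value;
    switch (csr) {
    case CSR_MCYCLE:   value = (uint32_t)fake_cycle;   break;
    case CSR_MINSTRET: value = (uint32_t)fake_instret; break;
    default:           return -1;   /* mstatus, mie, pmpcfg*, ... stay privileged */
    }
    if (rd != 0)
        f->x[rd] = value;   /* x0 is hardwired to zero */
    f->pc += 4;             /* skip the emulated instruction */
    return 0;
}

/* Constructed zone context used by main() and by the checks below. */
trap_frame_t demo_frame = {{0}, 0x20400000u};

int main(void)
{
    int r1 = emulate_csr(&demo_frame, encode_csrr(10, CSR_MCYCLE));   /* csrr a0, mcycle  */
    printf("csrr a0, mcycle  -> %d, a0=%u pc=0x%08x\n", r1,
           (unsigned)demo_frame.x[10], (unsigned)demo_frame.pc);
    int r2 = emulate_csr(&demo_frame, 0x30051073u);                    /* csrw mstatus, a0 */
    printf("csrw mstatus, a0 -> %d (refused)\n", r2);
    return 0;
}
```

The allow-list is deliberately a positive list of CSR numbers rather than a deny-list, so a newly added or vendor-specific CSR is unreachable from a zone until someone decides it should be exposed; the read-only check comes before the CSR lookup so that even an allow-listed counter cannot be modified through the set/clear forms.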
MultiZone TEE Vs Arm TrustZone
Patent pending US 16450826, PCT US1938774 - Configuring, Enforcing, And Monitoring Separation Of Trusted Execution Environments.
Arm and TrustZone are registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
(Diagram) TrustZone: Two Domains Hardcoded in Silicon – Cortex-M23/M33 with TZ-M HW (SAU/IDAU, NS bit, MPC in front of Memory and Peripherals): Normal World (OS, Apps) and Secure World (Arm Trusted Firmware-M, Trusted Apps), each in U-Thread mode / P-Thread mode.
(Diagram) MultiZone: Multiple Domains Defined In Software – RISC-V 32-bit or 64-bit with PMP HW: MultiZone TEE in Machine mode; Zone #1 (OS, Apps), Zone #2 (Trusted OS, Trusted Apps), Zone #3 (App) and Zone #4 (App) in User Mode, with Memory and Peripherals protected by PMP.
Use case
Fit new functionality into limited RAM and ROM
― Customer is struggling to fit large 3rd party libraries into limited RAM and ROM
― Product economics don’t justify platform upgrade and hardware redesign
― Product economics don’t justify platform upgrade and firmware redesign
― MultiZone is lightweight and built from the ground up for resource constrained MCUs – 4KB RAM / ROM
― MultiZone can retrofit existing MCUs – no need for hardware redesign
― MultiZone runs unmodified binaries – no need for software redesign
Use case
Permissive open source software (no GPL)
― Product needs security libraries – i.e. TLS, ECC
― Customer IP can’t risk “GPL contamination”
― Customer can’t afford expensive commercial libraries
― MultiZone includes pre-integrated open source libraries providing TLS 1.2, ECC, MQTT, ...
― MultiZone is GPL free. Its open source components are distributed under permissive licensing
― MultiZone commercial license is conveniently priced per design – perpetual, no royalties ever
Use case
Multitenant applications
― Customer needs the equivalent of an App Store to provision and run 3rd party IoT services
― The device must run physically separated, remotely deployed, untrusted 3rd party applications
― Customer can’t afford the cost and security risk of multicore, MMU-based, Linux capable hardware
― MultiZone provides up to 4+ physically separated application environments – no interference
― MultiZone provides remote deployment of individual apps via MQTT / TLS / ECC protocols
― MultiZone works with the lightweight PMP built into RISC-V MCUs – no need for Linux & multi-core CPUs
Use case
Safety-critical applications
― Product must comply with safety critical regulations – i.e. medical devices, automotive
― Customer needs to shield critical functionality from 100’s of KB of untrusted 3rd party sw
― Customer is looking for low-cost alternatives to proprietary RTOS and hypervisors
― MultiZone guarantees non interference and spatial and temporal separation of programs
― MultiZone provides high-grade security and separation for up to 8 execution environments
― MultiZone offers a simple convenient license priced per customer’s design – no royalties
Use case
RISC-V alternative to a TrustZone design
― Product needs a mechanism to separate critical functionality from untrusted software
― Functional requirements mandate finer granularity than one “secure world”
― Customer is concerned about the time, cost, and technology risk of a complete system redesign
― MultiZone provides hardware enforced separation via Physical Memory Protection (PMP)
― MultiZone provides 4+ “secure worlds” to separate multiple 3rd party components
― MultiZone can retrofit standard RISC-V hardware and software. No system redesign is required.