MARCH 2018
PRODUCT PRESENTATION
MICR ADVANCED TECHNOLOGIES
CYRILLE FLEURY
SECURE DATA PATH ON I.MX8M
SECURE DATA PATH
OVERVIEW
What is a Secure Data Path in an IPTV* context
IPTV SDP: protect video and audio content, prevent unauthorized redistribution of digital media and restrict the ways consumers can copy content: DRM (Digital Rights Management).
SDP provides confidence that attackers can't intercept the data:
• Isolate the REE (Rich Execution Environment) operating system from sensitive data (video, audio, keys, credentials, provisioning ...), and use the TEE (Trusted Execution Environment) operating system to protect that data.
i.MX8M adds an additional security level:
• Isolate the TEE operating system as well. So even if the TEE is compromised, a CPU running in secure mode still can't access the data: the decrypted content is only reachable by the hardware blocks that make up the data path (see the RDC slides below).
*IPTV: Internet Protocol TeleVision: delivery of multimedia content over the Internet Protocol
i.MX8M: new voice and video processing applications processor
• Arm-based processor
• Dedicated hardware for security
• Video quality with full 4K UltraHD resolution and HDR (Dolby Vision, HDR10, and HLG)
• Highest levels of pro audio fidelity with more than 20 audio channels, each at 384 kHz
• DSD512 audio capability
• Optimized for fanless operation, low thermal system cost and long battery life
• Flexible memory options
• The newest high-speed interfaces for flexible connectivity
• Fully supported by NXP's 10- and 15-year Longevity Program
i.MX8M SDP (Secure Data Path) at a glance
The i.MX8M security subsystem is configured so that only the hardware components involved in decoding and rendering the stream have access to the decrypted data:
• High Assurance Boot (on-chip ROM with tamper detection): authenticated and encrypted boot
• Arm TrustZone and the Central Security Unit (CSU) split the processing between the non-secure world running the rich OS and the secure world running the trusted stack (ATF/OP-TEE from Linaro)
• Application CPU cores have no physical access to decrypted video memory buffers: the RDC (Resource Domain Controller) isolates CPU, VPU, GPU, DCSS (Display Controller Sub System) and memory buffers, using dedicated hardware
• CAAM (Cryptographic Acceleration and Assurance Module) to accelerate and isolate cryptographic operations, using dedicated hardware
• SNVS (Secure Non-Volatile Storage) and 32 KB of Secure RAM (tamper detection)
Secure Data Path on i.MX8M
RDC: Resource Domain Controller
• Assignment of cores and bus masters to a resource domain (4 domains, 27 bus masters)
• Peripherals and memory regions are assigned access rights based on domain IDs (118 peripherals, 52 memory regions)
• Memory read/write access controls for each resource domain and region (up to 8 regions per domain)
RDC is the SDP gatekeeper:
• It uses a configuration set at boot (within ATF)
• Its registers are locked until the next reset, so the policy cannot be changed by software once the platform is up, not even from the secure world
Secure Data Path on i.MX8M
Cryptographic Acceleration and Assurance Module (CAAM):
• The chip's cryptographic acceleration and offloading hardware. It supports AES, 3DES, RSA, elliptic curves, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MAC, ARC4, PKHA and more (MD5, SHA-1 and ARC4 are there for legacy compatibility and should not be chosen for new designs)
• NIST-compliant random number generator
• CAAM is TrustZone aware
Secure Non-Volatile Storage (SNVS):
• Secure real-time clock (RTC)
• Security sensors detecting physical attacks through temperature/voltage/frequency monitoring; immediate erasure of internal memory on tamper detection
• 64-bit monotonic counter
• Protects sensitive data such as private keys, DRM keys and proprietary software
On-chip Secure RAM (32 KB) for CAAM:
• Bus-attribute-based access controls with resource domain and TrustZone support
• Auto-erasure and access restrictions upon tamper
• Secure access partitioning based on R/W
• Private bus with CAAM
SECURE VIDEO PATH
OVERVIEW

Secure Video Path on i.MX8M (diagram, reconstructed as a list)
• CPU (RDC domain 0) writes the encoded and encrypted data into bitstream buffer 1 (CPU RW, CAAM R). Towards the other blocks the CPU has R/W access to registers only, not to their DDR memory.
• CAAM (RDC domain 1) reads bitstream buffer 1, decrypts it and writes the encoded and decrypted video into bitstream buffer 2, a TrustZone-protected buffer (CAAM W, VPU R).
• VPU (RDC domain 2) reads bitstream buffer 2 and decodes it into the TrustZone-protected DPB buffer, which holds the decoded and decrypted video (VPU RW, DCSS R, GPU R).
• DCSS** and GPU* (RDC domain 3) read the DPB buffer to render it.
* GPU not mandatory, to be used if video texturing is needed
** DCSS: Display Controller Sub System: sources up to three display buffers, composes on the fly (3 scalers, PIP) and drives the display over HDMI 2.0a with HDCP 2.2
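The RDC slides above describe the mechanism (bus masters assigned to one of 4 domains, per-region read/write bits per domain, a configuration set by ATF at boot and locked until reset) and this diagram gives the policy it enforces for video. The following C++ is an added example, not code from the presentation or from NXP/Linaro: a software model of that policy, so the access matrix can be read and checked as code. The domain numbering (CPU 0, CAAM 1, VPU 2, DCSS/GPU 3), the region names and the Rdc class API are assumptions made for the illustration; the real RDC is programmed through its registers by ATF.

```cpp
// Added example (not from the slides or from NXP/Linaro code): a software model
// of the RDC access policy behind the Secure Video Path diagram. Domain numbers,
// region names and the API below are assumptions made for this illustration.
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

namespace rdc_model {

constexpr int kNumDomains = 4;                       // the i.MX8M RDC has 4 domains
enum Perm : uint8_t { kNone = 0, kRead = 1, kWrite = 2, kReadWrite = 3 };
using Perms = std::array<Perm, kNumDomains>;         // one entry per domain

// Bus masters that appear on the slide.
enum class Master { CPU, CAAM, VPU, DCSS, GPU };

class Rdc {
 public:
  bool assignMaster(Master m, int domain) {
    if (locked_ || domain < 0 || domain >= kNumDomains) return false;
    masterDomain_[m] = domain;
    return true;
  }
  bool setRegion(const std::string& region, const Perms& perms) {
    if (locked_) return false;                       // locked until next reset
    regions_[region] = perms;
    return true;
  }
  void lock() { locked_ = true; }
  // Default deny: an unknown master or an unknown region gets nothing.
  bool allowed(Master m, const std::string& region, Perm op) const {
    auto md = masterDomain_.find(m);
    auto rg = regions_.find(region);
    if (md == masterDomain_.end() || rg == regions_.end()) return false;
    return (rg->second[md->second] & op) == op;
  }
 private:
  bool locked_ = false;
  std::map<Master, int> masterDomain_;
  std::map<std::string, Perms> regions_;
};

// The policy drawn on the Secure Video Path slide (assumed domain numbering:
// CPU=0, CAAM=1, VPU=2, DCSS and GPU=3).
Rdc buildSecureVideoPathPolicy() {
  Rdc rdc;
  rdc.assignMaster(Master::CPU, 0);
  rdc.assignMaster(Master::CAAM, 1);
  rdc.assignMaster(Master::VPU, 2);
  rdc.assignMaster(Master::DCSS, 3);
  rdc.assignMaster(Master::GPU, 3);
  //                                 dom0 CPU    dom1 CAAM  dom2 VPU    dom3 DCSS/GPU
  rdc.setRegion("bitstream1", Perms{kReadWrite, kRead,     kNone,      kNone});  // encoded + encrypted
  rdc.setRegion("bitstream2", Perms{kNone,      kWrite,    kRead,      kNone});  // encoded, decrypted
  rdc.setRegion("dpb",        Perms{kNone,      kNone,     kReadWrite, kRead});  // decoded, decrypted
  rdc.lock();                                        // ATF locks the registers until reset
  return rdc;
}

// Evaluate one access against the locked policy.
bool svpAllowed(Master m, const std::string& region, Perm op) {
  static const Rdc policy = buildSecureVideoPathPolicy();
  return policy.allowed(m, region, op);
}

// Once locked, no further reconfiguration is accepted (here: trying to give
// the CPU read access to the decoded pictures).
bool policyIsLocked() {
  Rdc rdc = buildSecureVideoPathPolicy();
  return !rdc.setRegion("dpb", Perms{kReadWrite, kNone, kNone, kNone});
}

}  // namespace rdc_model

int main() {
  using namespace rdc_model;
  std::printf("CPU read bitstream2 (decrypted): %s\n", svpAllowed(Master::CPU, "bitstream2", kRead) ? "allowed" : "denied");
  std::printf("CPU read dpb (decoded):          %s\n", svpAllowed(Master::CPU, "dpb", kRead) ? "allowed" : "denied");
  std::printf("VPU read bitstream2:             %s\n", svpAllowed(Master::VPU, "bitstream2", kRead) ? "allowed" : "denied");
  std::printf("reconfigure after lock rejected: %s\n", policyIsLocked() ? "yes" : "no");
  return 0;
}
```

The model is default-deny: a master or a region the policy never mentions gets no access, which is the behaviour wanted from a gatekeeper whose configuration is fixed at boot. The check to carry over to a real board is the last one: after the lock, a later attempt to widen a region (here giving the CPU read access to the DPB) must fail until reset, whatever world the request comes from.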
ANDROID SECURE VIDEO PATH
i.MX8M Android – DRM
• DRM support is integrated into the Android framework in such a way that it requires no modification of the Android application
• The Stagefright media playback engine provided by Android reaches the DRM implementation through the media framework, as shown in the slide's schematic
• The i.MX8M implementation keeps changes to a minimum so as not to alter the APIs between the Android software blocks and not to break existing applications that use those services. Only one change in Android code, and no API change: ACodecBufferChannel::queueInputBuffer
• The modification adds a shared memory so that media metadata stays accessible to the CPU:
  - clear media data from Widevine/PlayReady servers (e.g. video slice headers) is managed in shared memory
  - encrypted data is managed in ION buffers
https://source.android.com/devices/drm
i.MX8M Android - Secure video playback – Buffer allocation
• The Stagefright multimedia framework allocates the secure video output memory through the NativeWindow API set_usage() with the GRALLOC_USAGE_PROTECTED flag
• The Gralloc HAL uses the ION secure heap to allocate the secure video output memory
• The Stagefright framework queues the secure video output memory through the native window API queueBuffer(), exactly as for non-secure video
• The Hardware Composer HAL (HWC) renders the layer, which carries the GRALLOC_USAGE_PROTECTED usage, to the DCSS secure output
https://wiki.linaro.org/BenjaminGaignard/ion
NXP is actively working with the Linaro Home Group to implement and promote this strategy for PlayReady and Widevine DRM
i.MX8M Android SVP - OpenMAX IL impact (two diagrams, reconstructed as lists)
• Non-secure video path:
  - Encrypted and clear video data arrive in CPU R/W memory
  - The CPU decrypts; the decrypted and clear video data stay in CPU R/W memory
  - The CPU configures the VPU, which decodes into the decoded video data buffer
• Secure video path (ION/RDC/CAAM):
  - The CPU copies the encoded video data: clear video data go to shared memory, encrypted data go to an ION buffer
  - CAAM decrypts the ION buffer into memory the CPU can't access
  - The CPU configures the VPU, which decodes into a decoded video data buffer the CPU can't access
i.MX8M Android SVP – Crypto PlugIn impact (diagram, reconstructed as a list)
• Input: n subsamples (SubSample 1 ... SubSample n), each described by a number of clear bytes followed by a number of encrypted bytes. Clear and decrypted data are kept in two separate destinations:
  - Shared memory, R&W by the CPU: SubSample 1 clear data, SubSample 2 clear data, ..., SubSample n clear data (free CPU access; this is where slice headers and other metadata the CPU must parse end up). Image boundary/slice header: https://yumichan.net/video-processing/video-compression/introduction-to-h264-nal-unit/
  - Decrypted data ION buffer (heap 4, RDC protected, CPU can't read): SubSample 1 decrypted data, SubSample 2 decrypted data, ..., SubSample n decrypted data
• The clear bytes are copied by the CPU; the encrypted bytes are decrypted by CAAM directly into the RDC-protected buffer
• The CPU configures the VPU driver with both buffers; the VPU decodes into the decoded data ION buffer (heap 2, RDC protected, CPU can't access)
• Entry point in the PlayReady crypto plugin (signature from the slide, comments added):

    ssize_t PlayReadyCryptoPlugin::decrypt(
        bool secure,                  // secure == true: use the Secure Data Path
        const uint8_t key[16], const uint8_t iv[16],
        Mode mode,                    // kMode_Unencrypted or not
        const Pattern &pattern,
        const void *srcPtr,           // source: encrypted and clear data, CPU readable
        const SubSample *subSamples,  // per-subsample clear/encrypted byte counts
        size_t numSubSamples,
        void *dstPtr,                 // destination buffer
        AString *errorDetailMsg);
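As an added example (not code from the slides or from the NXP plugin), the following C++ models the work the secure-path branch of decrypt() above has to do with the subsample table: validate it against the source buffer, copy only the clear bytes to where the CPU may read them, and describe the encrypted bytes as offset/length jobs for the CAAM so that the CPU never holds the plaintext. SubSample mirrors the clear/encrypted byte-count pair on the slide; CaamJob, RouteResult, routeSecureSubSamples() and the sample input are constructed for this illustration and do not correspond to a real CAAM driver interface.

```cpp
// Added example (not from the slides or from NXP's plugin): a model of the
// subsample routing a CryptoPlugin::decrypt() on the secure path has to do.
// SubSample mirrors the slide; CaamJob, RouteResult and the function names
// are assumptions for this illustration, not a real driver interface.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct SubSample {
  uint32_t numBytesOfClearData;
  uint32_t numBytesOfEncryptedData;
};

// One decrypt descriptor for the CAAM: the CPU only knows offsets and
// lengths, never the plaintext.
struct CaamJob {
  size_t srcOffset;   // into the CPU-readable source (encrypted bytes)
  size_t dstOffset;   // into the RDC-protected ION buffer (CPU can't read)
  size_t length;
};

struct RouteResult {
  bool ok = false;
  std::vector<uint8_t> sharedClear;  // clear bytes, copied by the CPU into shared memory
  std::vector<CaamJob> jobs;         // encrypted ranges handed to the CAAM
  size_t secureBytes = 0;            // total size needed in the protected buffer
};

// Validate the subsample table against the source size, then split it:
// clear bytes are copied, encrypted bytes become CAAM jobs.
RouteResult routeSecureSubSamples(const uint8_t* src, size_t srcLen,
                                  const SubSample* ss, size_t n) {
  RouteResult r;
  // Pass 1: bounds-check the whole table before touching any data, so a
  // malformed table can't make the CPU read past the source buffer.
  // 64-bit accumulation avoids wrap-around on 32-bit size_t.
  uint64_t total = 0;
  for (size_t i = 0; i < n; ++i) {
    total += ss[i].numBytesOfClearData;
    total += ss[i].numBytesOfEncryptedData;
    if (total > srcLen) return r;  // ok stays false
  }
  // Pass 2: route each subsample.
  size_t off = 0;
  for (size_t i = 0; i < n; ++i) {
    const size_t clear = ss[i].numBytesOfClearData;
    const size_t enc = ss[i].numBytesOfEncryptedData;
    r.sharedClear.insert(r.sharedClear.end(), src + off, src + off + clear);
    off += clear;
    if (enc != 0) {
      r.jobs.push_back({off, r.secureBytes, enc});
      r.secureBytes += enc;
      off += enc;
    }
  }
  r.ok = true;
  return r;
}

// Constructed sample input (not a real stream): 48 bytes 0x00..0x2f,
// three subsamples; the third has no encrypted part.
RouteResult demoRoute() {
  std::vector<uint8_t> src(48);
  for (size_t i = 0; i < src.size(); ++i) src[i] = static_cast<uint8_t>(i);
  const SubSample table[] = {{8, 16}, {4, 12}, {8, 0}};  // 8+16+4+12+8+0 = 48
  return routeSecureSubSamples(src.data(), src.size(), table, 3);
}

// Constructed malformed table: claims 64 bytes for a 48-byte source.
RouteResult demoOverrun() {
  std::vector<uint8_t> src(48, 0);
  const SubSample table[] = {{8, 16}, {40, 0}};
  return routeSecureSubSamples(src.data(), src.size(), table, 2);
}

int main() {
  RouteResult r = demoRoute();
  std::printf("ok=%d clear=%zu jobs=%zu secure=%zu\n", r.ok ? 1 : 0,
              r.sharedClear.size(), r.jobs.size(), r.secureBytes);
  for (const CaamJob& j : r.jobs)
    std::printf("  CAAM job: src+%zu -> secure+%zu, %zu bytes\n", j.srcOffset, j.dstOffset, j.length);
  std::printf("overrun table accepted=%d\n", demoOverrun().ok ? 1 : 0);
  return 0;
}
```

The bounds check before any copy is the part worth keeping: the subsample table arrives from the media framework together with untrusted content, and a table whose byte counts exceed the source length would otherwise make the plugin read past srcPtr. Rejecting the whole table up front, rather than clamping subsample by subsample, keeps shared memory and the secure buffer consistent with each other.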
Q & A

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Kürzlich hochgeladen (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

HKG18-113 - Secure Data Path work with i.MX8M

3
What is a Secure Data Path in IPTV* context
IPTV SDP: protect video and audio content, prevent unauthorized redistribution of digital media and restrict the ways consumers can copy content: DRM (Digital Rights Management)
SDP provides confidence, ensuring attackers can't intercept data:
• Isolate the REE (Rich Execution Environment) Operating System from sensitive data (video, audio, keys, credentials, provisioning ...), and use the TEE (Trusted Execution Environment) Operating System to secure the data.
i.MX8M adds an additional security level:
• Isolate the TEE Operating System as well, so even if the TEE is compromised, the CPU in secure mode can't access the data.
*IPTV: Internet Protocol TeleVision: delivery of multimedia content over Internet Protocol
4
i.MX8M: new voice and video processing applications processor
• Arm based processor
• Dedicated hardware for security
• Video quality with full 4K UltraHD resolution and HDR (Dolby Vision, HDR10, and HLG)
• Highest levels of pro audio fidelity with more than 20 audio channels each @384KHz
• DSD512 audio capability
• Optimized for fanless operation, low thermal system cost and long battery life
• Flexible memory options
• The newest high-speed interfaces for flexible connectivity
• Fully supported on NXP's 10 and 15-year Longevity Program
5
i.MX8M SDP (Secure Data Path) at a glance
• High Assurance Boot (on-chip ROM with tamper detection): authenticated and encrypted boot
• ARM TrustZone and the Central Security Unit (CSU) split the processing between the non-secure world running the rich OS and the secure world running the trusted stack (ATF/OP-TEE from Linaro)
• Application CPU cores won't have physical access to decrypted video memory buffers
• RDC (Resource Domain Controller) to isolate CPU, VPU, GPU, DCSS (Display Controller Sub System) and memory buffers, using dedicated hardware
• CAAM (Cryptographic Acceleration and Assurance Module) to accelerate and isolate cryptographic operations, using dedicated hardware
• SNVS (Secure Non-Volatile Storage) and 32 KB of Secure RAM (tamper detection)
The i.MX8M security subsystem is configured in such a way that only the hardware components involved in decoding and rendering the stream have access to the decrypted data.
6
Secure Data Path on i.MX8M
RDC: Resource Domain Controller
• Assignment of cores and bus masters to a resource domain (4 domains, 27 bus masters)
• Peripherals and memory regions are assigned access rights based on domain IDs (118 peripherals, 52 memory regions)
• Memory read/write access controls for each resource domain and region (up to 8 regions per domain)
RDC, the SDP gatekeeper:
• Uses a configuration set at boot (within ATF)
• Registers locked until the next reset
7
Secure Data Path on i.MX8M
Cryptographic Acceleration and Assurance Module (CAAM):
• The chip's cryptographic acceleration and offloading hardware. It supports AES, 3DES, RSA, elliptic curve, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MAC, ARC4 (RC4), PKHA and more
• NIST-compliant random number generator
• CAAM is TrustZone aware
Secure Non-Volatile Storage (SNVS):
• Secure real-time clock (RTC)
• Security sensor detection of physical attacks using temperature/voltage/frequency detection; immediate erasure of internal memory in the event of tamper detection
• 64-bit monotonic counter
• Protects sensitive data, such as private keys, DRM keys, and proprietary software
On-chip Secure RAM (32 KB) for CAAM:
• Bus attribute-based access controls for resource domain and TrustZone support
• Auto-erasure and access restrictions upon tamper
• Secure access partitioning based on R/W
• Private bus with CAAM
9
Secure Video Path on i.MX8M
[Diagram of the video data flow through the RDC domains; labels recoverable from the figure:]
• Bus masters and domains: CPU (R/W access to registers only, not DDR memory), DCSS**, RDC Domain 0: CAAM, RDC Domain 1: VPU, RDC Domain 2, RDC Domain 3: GPU*
• Bitstream buffer 1 (TrustZone), encoded and encrypted video: CPU RW, CAAM R
• Bitstream buffer 2 (TrustZone), encoded and decrypted video: CAAM W, VPU R
• DPB buffer, decoded and decrypted video: VPU RW, DCSS R, GPU R
• Flow: encoded and encrypted data from the CPU, decrypted by CAAM, decoded by the VPU, rendered by DCSS (and the GPU*)
* GPU not mandatory, to be used if video texturing is needed
** DCSS: Display Controller Sub System: sources up to three display buffers, on-the-fly composition (3 scalers, PIP) and drives the display using HDMI 2.0a with HDCP 2.2
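As an added example (not from the slides, and not NXP or Linaro code), here is a C++ model of the RDC gatekeeping of slide 6 applied to the buffer access matrix of slide 9: per-region rights per bus master, a lock that refuses reconfiguration after boot, and an audit that walks the pipeline. Keying rights by master rather than by domain ID, and all type and function names, are assumptions of this example.

```cpp
#include <cstdint>
#include <map>
#include <string>
enum Master { CPU, CAAM, VPU, DCSS, GPU };
enum Access : uint8_t { R = 1, W = 2, RW = 3 };

// Minimal RDC model. The real RDC keys rights by domain ID (4 domains on
// i.MX8M); the slide does not label every master's domain, so rights are
// keyed by master here (assumption of this example).
class Rdc {
public:
    // Accepted only before lock(): configuration is set at boot within ATF
    // and the registers stay locked until the next reset (slide 6).
    bool setRights(const std::string& region, Master m, uint8_t rights) {
        if (locked_) return false;
        regions_[region][m] = rights;
        return true;
    }
    void lock() { locked_ = true; }
    // True when master m holds every bit of `want` (R, W or RW) on region.
    bool allows(const std::string& region, Master m, uint8_t want) const {
        auto r = regions_.find(region);
        if (r == regions_.end()) return false;     // unknown region: deny
        auto it = r->second.find(m);
        if (it == r->second.end()) return false;   // no entry: deny
        return (it->second & want) == want;
    }
private:
    std::map<std::string, std::map<Master, uint8_t>> regions_;
    bool locked_ = false;
};

// The access matrix slide 9 draws for the three video buffers.
Rdc buildSecureVideoPathRdc() {
    Rdc rdc;
    rdc.setRights("bitstream1", CPU, RW);   // encoded + encrypted video
    rdc.setRights("bitstream1", CAAM, R);
    rdc.setRights("bitstream2", CAAM, W);   // encoded + decrypted video
    rdc.setRights("bitstream2", VPU, R);
    rdc.setRights("dpb", VPU, RW);          // decoded + decrypted frames
    rdc.setRights("dpb", DCSS, R);
    rdc.setRights("dpb", GPU, R);
    rdc.lock();
    return rdc;
}

// Walks the pipeline plus accesses that must fail; returns how many outcomes
// differ from the intended ones (0: decode and display work, CPU never
// reaches plaintext, GPU can read but not modify frames).
int auditSecureVideoPath(const Rdc& rdc) {
    struct Step { const char* region; Master m; uint8_t want; bool expected; };
    const Step steps[] = {
        {"bitstream1", CPU,  W, true},  {"bitstream1", CAAM, R, true},
        {"bitstream2", CAAM, W, true},  {"bitstream2", VPU,  R, true},
        {"dpb",        VPU,  W, true},  {"dpb",        DCSS, R, true},
        {"bitstream2", CPU,  R, false}, {"dpb",        CPU,  R, false},
        {"dpb",        GPU,  W, false}, {"bitstream1", VPU,  R, false},
    };
    int mismatches = 0;
    for (const auto& s : steps)
        if (rdc.allows(s.region, s.m, s.want) != s.expected) ++mismatches;
    return mismatches;
}
```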
11
i.MX8M Android – DRM
• The DRM support is integrated into the Android framework in such a way that it should require no modification of the Android application
• The Stagefright media playback application provided by Android has access to the DRM implementation through the media framework, as shown on the left schematic
• The i.MX8M implementation limits changes as much as possible, to minimize API modifications between the different Android software blocks and not break existing applications making use of those services. Only one change in Android code, and no API change: ACodecBufferChannel::queueInputBuffer
• The modification consists in adding a shared memory so that media metadata is accessible by the CPU:
- clear media data from Widevine/PlayReady servers are managed through shared memory (e.g. video slice headers)
- encrypted data are managed through ION buffers
https://source.android.com/devices/drm
12
i.MX8M Android - Secure video playback – Buffer allocation
• The Stagefright multimedia framework allocates the secure video output memory through the NativeWindow API set_usage() with the "GRALLOC_USAGE_PROTECTED" flag
• The Gralloc HAL uses the ION secure heap to allocate the secure video output memory
• The Stagefright MM framework queues the secure video output memory through the native window API queueBuffer(), which is the same as for non-secure video
• The Hardware Composer HAL (HWC) renders the layer to the DCSS secure output, which carries the "GRALLOC_USAGE_PROTECTED" usage
https://wiki.linaro.org/BenjaminGaignard/ion
NXP is actively working with the Linaro Home Group to implement and promote this strategy for PlayReady and Widevine DRM
13
i.MX8M Android SVP - OpenMAX IL Impact
[Two flow diagrams, legend "CPU can't access" / "CPU R/W"; labels recoverable from the figure:]
• Non-secure video path: encrypted and clear video data, CPU decrypt, decrypted and clear video data, CPU copy, CPU configures the VPU, VPU decodes to decoded video data
• Secure Video Path (ION/RDC/CAAM): encrypted and clear video data; CPU copy of the clear video data into shared memory and of the encoded video data into an ION buffer; CAAM decrypts; CPU configures the VPU; VPU decodes to decoded video data
14
i.MX8M Android SVP – Crypto PlugIn impact
[Diagram; labels recoverable from the figure:]
• Input sample: SubSample 1 ... SubSample n, each described by (Num of Bytes Clear, Num of Bytes Crypted); the clear parts are the image boundary/slice headers (https://yumichan.net/video-processing/video-compression/introduction-to-h264-nal-unit/)
• Shared memory (R&W by CPU; decrypted and clear data, free CPU access): SubSample 1 clear data, SubSample 2 clear data, ..., SubSample n clear data (copy)
• ION buffer heap 4 (RDC protected, CPU can't read): SubSample 1 decrypted data, SubSample 2 decrypted data, ..., SubSample n decrypted data (decrypt)
• The CPU configures the VPU driver; the VPU writes the decoded data into ION buffer heap 2 (RDC protected, CPU can't access)
The plugin entry point:
ssize_t PlayReadyCryptoPlugin::decrypt(
        bool secure,                    // secure=1: use the Secure Data Path
        const uint8_t key[16],
        const uint8_t iv[16],
        Mode mode,                      // kMode_Unencrypted or not
        const Pattern &,
        const void *srcPtr,
        const SubSample *subSamples,
        size_t numSubSamples,
        void *dstPtr,
        AString *errorDetailMsg)
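The subsample split of slide 14, as an added example (not the PlayReady plugin's code): the CPU copies only the clear runs into shared memory, hands the encrypted runs to a stand-in for CAAM whose output lands only in the protected buffer, and the non-secure path sits beside it for comparison. The XOR keystream is a labelled stand-in for AES, the sample is constructed, and all type and function names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Same layout as the Android CryptoPlugin subsample descriptor.
struct SubSample { uint32_t numBytesOfClearData; uint32_t numBytesOfEncryptedData; };

// Stand-in for the CAAM engine: XOR with a 16-byte key. NOT AES; it only
// models where bytes land. XOR is its own inverse, so the constructed
// sample below is built with the same routine.
static void secureEngineDecrypt(const uint8_t key[16], const uint8_t* src,
                                size_t n, uint8_t* dst) {
    for (size_t i = 0; i < n; ++i) dst[i] = src[i] ^ key[i % 16];
}

// Where a secure-mode decrypt writes (slide 14): shared memory the CPU may
// read, and an RDC-protected ION buffer the CPU may not.
struct SecureOutput {
    std::vector<uint8_t> sharedMem;   // clear data: slice headers etc.
    std::vector<uint8_t> ionBuffer;   // decrypted data, CPU can't read
};

// Returns the number of source bytes consumed, or -1 when the subsample
// table does not fit the source (a malformed table must not make the CPU
// read past srcLen). Secure mode: the CPU copies only clear runs, ciphertext
// goes straight to the engine. Non-secure: the CPU decrypts all into cpuDst.
long decryptSample(bool secure, const uint8_t key[16],
                   const uint8_t* src, size_t srcLen,
                   const SubSample* subs, size_t numSubs,
                   SecureOutput& out, std::vector<uint8_t>* cpuDst) {
    size_t off = 0;
    for (size_t i = 0; i < numSubs; ++i) {
        size_t clr = subs[i].numBytesOfClearData;
        size_t enc = subs[i].numBytesOfEncryptedData;
        if (clr > srcLen - off || enc > srcLen - off - clr) return -1;
        std::vector<uint8_t>& clearDst = secure ? out.sharedMem : *cpuDst;
        std::vector<uint8_t>& encDst   = secure ? out.ionBuffer : *cpuDst;
        clearDst.insert(clearDst.end(), src + off, src + off + clr);
        size_t old = encDst.size();
        encDst.resize(old + enc);
        secureEngineDecrypt(key, src + off + clr, enc, encDst.data() + old);
        off += clr + enc;
    }
    return static_cast<long>(off);
}

// Constructed test vector (not a real stream): two subsamples, each a 4-byte
// clear "header" followed by an encrypted payload.
static const uint8_t kKey[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static const SubSample kSubs[2] = {{4, 8}, {4, 3}};

std::vector<uint8_t> constructedSample() {
    std::vector<uint8_t> s = {'H','D','R','1','P','A','Y','L','O','A','D','1',
                              'H','D','R','2','P','L','2'};
    secureEngineDecrypt(kKey, &s[4], 8, &s[4]);    // "encrypt" PAYLOAD1
    secureEngineDecrypt(kKey, &s[16], 3, &s[16]);  // "encrypt" PL2
    return s;
}
```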