
Managing Hardware Root of Trust for Multiple Serial Devices

Dec. 14, 2020
The Mach-NX platform developed by Lattice Semiconductor can protect one or more serial memory devices used to boot systems.

What you’ll learn

  • How to secure the boot process.
  • How Lattice Sentry protects serial memory-based solutions.
  • Where Mach-NX fits into the solution.

A hardware root of trust (HRoT) is the basis for most secure computer systems. This typically includes secure key storage and hardware to use these keys to verify the contents of memory before host processors can run a program. Some systems incorporate the HRoT into the processor chip, but many rely on off-chip systems to provide such security.

Lattice Semiconductor’s Mach-NX secure FPGA platform is an off-chip solution that’s able to manage one or more serial memory devices. It allows a single chip to protect complex, multichip systems in an integrated fashion. The Lattice Sentry system, initially available on the MachXO3D FPGA, now works with the Mach-NX chips.

The Mach-NX is an FPGA with a number of hard blocks, including a secure enclave (Fig. 1). It has a configurable platform firmware resiliency (PFR) engine that uses elliptic curve cryptography (ECC) signature verification to detect unauthorized changes in the serial memory managed by the chip. The PFR is NIST SP 800-193 compliant.

The chip utilizes a hard RISC-V core with its own dual flash memory. The dual memory allows it to handle its own over-the-air (OTA) updates.

A cryptographically secure immutable ID also is included. Because it handles its own secure boot first, the chip is able to manage the booting of external devices that utilize serial memories (Fig. 2). The Mach-NX can either monitor the memory path or sit between the serial memory and its matching host. In the latter case, it checks the memory before the host can even use it, and because it sits in the path, it can also apply OTA updates to that memory independently of the host.

The Mach-NX will start the boot process using its own internal memory. It can then check the contents of each serial memory before allowing the matching host to boot, and updates could be applied at this point as well. Once the host is running, it can use the memory as needed, even making changes, while the Mach-NX flags any change that would affect the boot process. The application running on the RISC-V core then decides what should be done. This might involve loading a known-good copy of the contents into the serial memory or preventing the host from booting.
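As an added example (not Lattice’s code or the Sentry firmware), the following Python models the verify-before-release flow just described: the root of trust keeps a verification key and a known-good image, measures the boot-critical region of the host’s serial flash, checks a signed manifest, and only then releases the host from reset. Host writes that overlap the boot-critical region are flagged, and the policy decides whether to restore the golden image or refuse to boot. The flash layout, key and image are constructed for the demo, and HMAC-SHA-384 stands in for the ECDSA signature check so the example runs with the standard library alone; a real PFR device would hold only the public half of an ECDSA key pair, so the host could not re-sign a tampered image even if it read every byte of the device.

```python
"""Model of a PFR-style verify-then-release boot gate (added illustration, not Lattice code)."""
import hashlib
import hmac

# Constructed layout: the first 4 KiB of the host's serial flash holds the boot-critical code.
BOOT_REGION = (0, 4096)  # (offset, length)
HELD, RELEASED = "host_held_in_reset", "host_released"


def region_digest(flash: bytearray, region=BOOT_REGION) -> bytes:
    """Measure the boot-critical region with SHA-384."""
    start, length = region
    return hashlib.sha384(bytes(flash[start:start + length])).digest()


def sign_manifest(signing_key: bytes, digest: bytes) -> bytes:
    """Manifest = digest || tag. The HMAC tag stands in for an ECDSA signature (assumption)."""
    return digest + hmac.new(signing_key, digest, hashlib.sha384).digest()


class MachNxModel:
    """The root of trust: holds the key and golden image, gates the host, logs events."""

    def __init__(self, verify_key: bytes, golden_flash: bytes, manifest: bytes, policy: str):
        self.verify_key = verify_key              # kept in the device's secure storage
        self.golden_flash = bytes(golden_flash)   # known-good copy the device can restore
        self.manifest = manifest
        self.policy = policy                      # "recover" or "deny"
        self.events = []
        self.host_state = HELD

    def verify(self, flash: bytearray) -> bool:
        """Check the manifest is authentic, then that the flash matches the manifest."""
        digest, tag = self.manifest[:48], self.manifest[48:]
        expected_tag = hmac.new(self.verify_key, digest, hashlib.sha384).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return False
        return hmac.compare_digest(digest, region_digest(flash))

    def boot(self, flash: bytearray) -> str:
        """Power-on path: the device has already booted from its own flash; now gate the host."""
        if self.verify(flash):
            self.host_state = RELEASED
        else:
            self.host_state = self.remediate(flash)
        return self.host_state

    def host_write(self, flash: bytearray, offset: int, data: bytes) -> str:
        """Monitor mode: the host's write goes through, but boot-region writes are flagged."""
        flash[offset:offset + len(data)] = data
        start, length = BOOT_REGION
        if offset < start + length and offset + len(data) > start:
            self.events.append(("boot_region_modified", offset, len(data)))
            return "flagged"
        return "ok"

    def remediate(self, flash: bytearray) -> str:
        """Policy decision taken by the application on the RISC-V core."""
        if self.policy == "recover":
            flash[:] = self.golden_flash          # reload the known-good image in place
            self.events.append(("restored_golden_image",))
            return RELEASED if self.verify(flash) else HELD
        self.events.append(("boot_refused",))
        return HELD


def build_demo(policy: str):
    """Constructed device + flash: an 8 KiB image whose boot region starts with a marker."""
    key = b"constructed-demo-key-not-a-real-secret"
    golden = bytearray(8192)
    golden[0:16] = b"BOOTLOADER-v1---"
    manifest = sign_manifest(key, region_digest(golden))
    return MachNxModel(key, golden, manifest, policy), bytearray(golden)


if __name__ == "__main__":
    dev, flash = build_demo("recover")
    print(dev.boot(flash))                        # host_released
    print(dev.host_write(flash, 6000, b"log"))    # ok: data region, not boot-critical
    print(dev.host_write(flash, 8, b"XX"))        # flagged: overlaps the boot region
    print(dev.boot(flash), dev.events)            # golden image restored, then released
```

Two things to notice when running it: a write to the data area outside `BOOT_REGION` is allowed without comment, whereas the same host touching the boot region is flagged and, on the next boot, the device either reloads its golden copy or holds the host in reset depending on `policy`. In the in-line configuration the device could block the write outright instead of only flagging it; that is the difference between the two wiring options the article describes.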

Serial memory interfaces are managed by the Mach-NX’s FPGA. Thus, a single chip can handle different configurations and interfaces. The Lattice Propel Design Environment facilitates creation of an FPGA configuration.

The Mach-NX is designed to resist attacks on its contents and operation. Because it’s able to operate on its own and maintain secure operations, the chip can be used within Lattice SupplyGuard, a secure supply-chain management system that Lattice announced earlier. The keys contained in the Mach-NX allow it to manage ownership and features as a product moves from production to sales and on to a customer. This helps prevent unauthorized grey-market production.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as my latest articles on this site that are listed below. 

You can visit my social media via these links:

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get hands-on with software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 
