Shanghai Hangxin technology sharing 𞓜 overview of safety characteristics of acm32 MCU

With the development of Internet of things , The continuous emergence of intelligent products , Information security has also attracted increasing attention . therefore , General safety MCU Products also came into being , Can better help customers strengthen security in their product design , help IoT The application of innovation .

This paper will introduce Shanghai Hangxin in detail ACM32 MCU Safety features of .

1

Secure launch and security update

Shanghai air core MCU Provide reference implementation of security startup and security update , See the corresponding software package for details . Secure startup and security update use the hardware security characteristics of the chip to ensure that the startup code and updated firmware are not tampered with , The boot entry is unique .

2

Storage protection

Storage protection is mainly to protect the code and data in the storage area from tampering and illegal acquisition , It mainly needs to resist three attacks , Software attacks 、 Non intrusive attacks and intrusive attacks .

• Software attack mainly includes accessing data through debugging port , Software vulnerabilities and buffer overflow ;

•  Non intrusive attacks mainly include program and data errors caused by fault injection , And bypass attacks to obtain sensitive information ;

•  Intrusive attack is mainly to detect internal signals by opening the cover or directly through the test instrument ;

Against these attacks , The chip mainly deals with it from five aspects , Including storage area access control 、 Storage address scrambling 、 Data encryption, integrity verification and environment detection .

The storage area access control includes read protection (RDP), Write protect (WRP), Proprietary code read protection (PCROP), Storage area permission control and secure storage area .

See 《ACM32- Online programmer 》：http://www.aisinochip.com/index.php/product/detail/id/44.html

•  Read protection (RDP) It's the whole picture Flash Read protection , Protects embedded firmware code , Avoid copying 、 Reverse engineering 、 Use debugging tools to read out or other intrusion attacks . The protection function can be downloaded by the user Flash After code , Set by the user when downloading firmware .

 

eflash start-up ： Check to indicate from eflash start-up , Unselected means from Boot Pattern ;

SWD Can make ： Check to enable SWD function , Unchecked means that SWD function ;

Read protection configuration lock ： After checking , Will lock “eflash start-up ” and “SWD Can make ” Set up , It cannot be changed after it takes effect ; Otherwise, if it is not selected, it will not be locked .

Check or deselect the item to be configured , Click on “ To configure ” To operate , Operation is completed , Will be in “ Send display area ” Display the operation results , Reset or power on again .

notes ： This configuration may affect SWD perhaps BOOT function , Please operate carefully .

•  Write protect (WRP) Used to protect designated areas Flash data , Prevent data from being maliciously updated or erased . Write protection can be applied to Flash Memory space specified in the .

 

Write protect (WRP) after , The corresponding area will not be erased , The chip wipe command will not be used .

In the area to be configured , Input “ Initial address ” and “ Operation length ”, Check “ To configure ” Button , Click on “ Can make / prohibit ” To operate , Operation is completed , Will be in “ Send display area ” Display the operation results , Reset or power on again .

If the operating range exceeds eflash Maximum length , Or the addresses of the two areas to be enabled overlap , Will be an error .

notes ： Can make / After prohibition , Write the corresponding... Immediately NVR, Read the settings configured for operation , However, it can take effect only after reset or power on again .

•  Proprietary code read protection (PCROP) Used to protect designated areas Flash Code , Protect proprietary code from end-user code 、 Modified or read by debugger tools or malicious code .

 

PCROP After enabling , The selected area can only execute , Cannot read and erase , The chip wipe command will not be used .

In the area to be configured , Input “ Initial address ” and “ Operation length ”, Check “ To configure ” Button , Click on “ Can make / prohibit ” To operate , Operation is completed , Will be in “ Send display area ” Display the operation results , Reset or power on again .

If the operating range exceeds eflash Maximum length , Or the addresses of the two areas to be enabled overlap , Will be an error .

notes ： prohibit PCROP After area , At this time, the reading configuration is still the setting before prohibition , Need to put SWD Enable to close , Reset or power on again can take effect .

•  The kernel uses its own permissions to control the storage area MPU unit , This unit can be divided into several region, Every region You can set different access properties , With the kernel User and Privilege Pattern , It can realize the access control of sensitive data , So that sensitive data can not be obtained by malicious code . This isolation can effectively reduce the risk of software vulnerabilities .

•  A secure storage area can be used to protect specific programs , The size of the secure storage area can be configured , This section of the register can be opened through the safe storage area during the operation of the program , When protection is enabled, you cannot access any of its contents again .

 

In the area to be configured , Input “ Operation length ”, Click on “ Can make / prohibit ” To operate , Operation is completed , Will be in “ Send display area ” Display the operation results , Reset or power on again . If the operating range exceeds eflash Maximum length , Will be an error .

notes ： Can make / After prohibition , Write the corresponding... Immediately NVR, Read the settings configured for operation , However, it can take effect only after reset or power on again .

Store data encryption , Address scrambling is mainly for on-chip FLASH and SRAM Encrypted storage of data on , And the stored address is also crosstalk . For the case that some codes and data need to be placed in off chip memory , The company also has some series with OTFDEC（On The Fly DECryption） Hardware ,OTFDEC The module is connected to the bus OSPI Between , External data can be decrypted in real time Flash Ciphertext codes and data on , Just set the corresponding area 、 Key, etc ,OTFDEC You can automatically decrypt the accessed ciphertext data , No additional software is required to decrypt , There is no need to load the decrypted data into the internal RAM, Can directly run off chip Flash Encryption code on .OTFDEC The module also supports encryption , But not real-time encryption , The data is first encrypted to RAM in , Need to add RAM The ciphertext in is written back to the outside FLASH.

Storage data integrity check is mainly to check the data in the storage area , It can effectively resist fault injection attack .

Environment detection is mainly to detect whether the working voltage of the chip is in the normal range , If it is not within the normal operating range, an alarm will be given , To resist voltage fault injection attacks .

3

Cryptography algorithm engine

Shanghai air core MCU All series have HASH,AES,TRNG and CRC Hardware modules . Call the corresponding API Function can use the corresponding algorithm function , Effectively meet the password requirements in data transmission and integrity verification .

4

Intrusion protection

Intrusion protection is that the chip can detect the physical intrusion and delete the sensitive data in the backup register , So as to protect chip sensitive data from theft . This function mainly consists of RTC And backup register complete .

The backup register is in the backup domain . These registers are not affected by standby mode wake-up or system reset operation . Only when an intrusion event is detected and the backup domain is reset , These registers will be reset .

RTC Support two external IO Intrusion detection , And can record the intrusion time . And you need to enter the private key to allow RTC Register for write operations , Prevent attackers from tampering with RTC register .

5

Life cycle management

Life cycle management mainly aims at some security risks that may exist from chip test and development to chip use , For example, calling test or debugging interface to obtain data illegally . Specific corresponding functions include test mode prohibition ,JTAG Prohibition and 128 Bit unique serial number .

•  The test mode prohibits ： Disable the test mode after the chip test is completed , The test mode of the chip cannot be returned to the customer , In this way, the attacker cannot obtain sensitive data through the test interface ;

• JTAG prohibit ： When reading protection (RDP) Set up Level 1 When above , Will be JTAG Function prohibition , This makes it impossible for attackers to obtain sensitive data through the debugging interface ;

• 128 Bit unique serial number ：128 Bit unique serial number is bound to the factory serial number of the chip LOT/WAFER ID And coordinates, etc . This serial number is unique and cannot be copied , Developers can bind the application to the serial number of the chip , In this way, the chip of each downloaded application can not be copied . The administrator needs to control the serial number of each chip , This is convenient for product positioning and tracking , Prevent replication of security products .

6

Safe production

Safe production is mainly to ensure that the code or data burned by the third-party factory will not be stolen, tampered with and overproduced .

For safety production , Shanghai Hangxin provides a set of safe solutions , Whole process code encryption burning , With dynamic check code （ The dynamic check code is bound with the unique serial number of the chip ）, And you can burn and count , Carry out production control , Avoid overproduction . And support online / Offline burning , Deliver and update firmware remotely , On the premise of ensuring the security of firmware, it is very convenient for customers to burn firmware .