Every day, millions of new devices get connected to the Internet of Things (IoT), and without a proper secure-by-design approach, these devices add unnecessary risk and liability for network operators, OEMs and end users. These devices are typically low cost and always on, and as a result they are very attractive targets for hackers looking to steal data or cause calamity to surrounding infrastructure, such as the power grid in the Ukraine. IoT device manufacturers cannot ignore security when they bring products to market.
But ensuring security can hinge on other product decisions, such as which semiconductors govern the operation and intelligence of such products. Today’s IoT devices often use one or more MCUs or FPGAs to control the system and process data. FPGAs have the benefits of high I/O counts, low latency and process parallelization, while MCUs have an ease of use when it comes to porting libraries and APIs from one device to another. Many MCUs and FPGAs do not address security at all, or do so only as an afterthought. This leads to vulnerabilities, as sensitive information is often stored in unprotected, non-volatile memory, open to an attack. Today’s devices need secure MCUs or FPGAs to protect the sensitive data they transport and the valuable IP that is stored in flash. And they also need to prevent cloning and counterfeiting of the devices themselves.
So, product managers must balance the trade-offs among MCU advantages, FPGA advantages and security. Or do they?
Have your cake, eat it too – and add ice cream
Actually, they can have all three. It is possible to have the security rooted in hardware that is required to build IoT devices, combined with the beneficial attributes of both an FPGA and an MCU. These features are enabled within GOWIN Semiconductor’s new and innovative product, SecureFPGA. SecureFPGA combines the programmable fabric of an FPGA with a fully integrated SoC, based on an Arm Cortex-M3. GOWIN SecureFPGA is the only IC product that contains an FPGA, MCU and a hardware root of trust at the power and size suitable for cost-effective edge applications. Furthermore, it offers a security library based on its hardware root of trust for device identification, secure boot, key generation, firmware signing and data encryption by using Intrinsic ID’s BroadKey-Pro for adding SRAM PUF (Physical Unclonable Function) technology. Compared to other solutions, SecureFPGA makes it easier and quicker to deploy essential security features.
SRAM PUF technology is based on the physical characteristics of a chip to secure an unclonable device identity. Since these characteristics are uncontrollable, the physical properties cannot be copied or cloned. The keys derived from SRAM PUFs are never stored, but only regenerated when they are needed. BroadKey-Pro creates a security solution rooted in the hardware of the device. It allows devices to authenticate to the network and to other devices, set up secure connections, and even protect valuable IP and sensitive information on the IoT device itself.
A similar case is true for edge-computing applications requiring hardware acceleration. FPGAs are good at applications such as imaging, graphics rendering or artificial intelligence requiring high throughput and multiple computations to be performed at the same time. In these cases, an MCU still provides high value in providing serial control of these acceleration blocks. Using the BroadKey-Pro security library, users can protect IP, provide unique device identification and encrypt data.
SecureFPGA is also very useful in server applications as a security management device. Servers often have many large ICs on the motherboard such as processors, larger FPGAs and ASICs. Many of these devices utilize external SPI flash to hold instruction and configuration data, which can be hacked or cloned if they are not monitored by a security engine. In these applications, SecureFPGA performs secure boot of each of these independent systems by validating firmware signatures in each SPI flash prior to these larger ICs powering up to validate that all ICs are running genuine firmware.
So SecureFPGA is the perfect solution to combine the strengths of MCUs and FPGAs with strong security rooted in the hardware of the chip. This new and innovative product family has the right balance of features for use in resource-constrained IoT devices, edge-computing platforms and server environments.