Start with a two-core PowerPC. Add a secure boot microcontroller. That’s what CPU Technology did with its Acalis CPU872 secure, multicore microcontroller designed for applications needing hardware-based security (Fig. 1).
There’s nothing special about the PowerPC cores used in the chip, which is good. They are stock cores with 256 kbytes of L2 cache and 64-bit floating-point support designed to run stock applications. The key is the boot process and the secure boot microcontroller.
This secure microcontroller boots from an encrypted serial flash and then loads additional encrypted boot code for the PowerPC into the on-chip 4-Mbyte DRAM before allowing the PowerPC cores to run. The starting code is secure as a result, and that’s the root of security on any system.
SPLITTING THE DIFFERENCE
The Acalis layered approach employs secure boot, secure on-chip memory, an isolated processor with a secure message passing interface, and firewalled I/O. Of course, a secure boot is just the start of the process, which is also used with the Trusted Platform Module (TPM) approach common on many systems today, but this is just the start of the Acalis security features. This approach can be extended throughout a system as well.
The other part of the problem is keeping things safe, and that’s more easily done if there are limits to the areas of compromise. In this case, CPU Technology isolated one of the two 64-bit PowerPC 440 cores. It communicates only with the other core using a dedicated and secure message passing interface that acts as a hardware firewall. The I/O processor must handle all peripheral exchanges for the secure processor.
The communication channels that the peripheral processor has may be secure but it doesn’t matter, since communication over insecure channels is a common requirement where authenticated or encrypted data can be employed. The use of embedded DRAM with error-correction code (ECC) means the secure application cannot be compromised from outside.
Each PowerPC core has its own 64-bit DDR2 interface with ECC support for off-chip memory as well. An external zeroization signal can force a reset as well as a clearing of all memory should an external breach be detected. Of course, hardware encryption is part of the mix.
The I/O processor has access to Gigabit Ethernet, five 10-Gbit/s express interfaces, an I2C interface, and multiple general-purpose I/O (GPIO) pins. Each PowerPC core is augmented with its own stream processors and direct memory access (DMA) engines.
Secure computing is becoming more important in regular applications, not just in high-security environments. So, the Acalis chip will likely be showing up in more places that a conventional micro is currently being employed. The CPU872 secure, multicore microcontrollers are built at IBM’s Trusted Foundry. The micro comes in a 31- by 31-mm, 899-ball ballgrid array (BGA). Typical power draw is 8 W (Fig. 2).
An evaluation board and development software are also available, including a secure JTAG backchannel into the chip via an FPGA. This permits secure, Ethernet based debugging during software development.