The companies behind Google’s OpenTitan project recently announced the commercial availability of what they called the world’s first chip with open-source hardware security baked directly into it.
While OpenTitan will be the first commercial-grade chip on the market modeled on Linux and other open-source software, Dominic Rizzo, one of the founders of OpenTitan, said he’s confident it will not be the last. Under development for half a decade and based on OpenTitan’s discrete “Earl Grey” chip design taped out in mid-2023, the chip is designed to be a universally accessible hardware root of trust (RoT).
The milestone shows that the concept of open source is not inherently incompatible with silicon, said Rizzo, now CEO of zeroRISC, a startup building a secure embedded operating system (OS) that can take advantage of the OpenTitan hardware RoT and the firmware that will run on top of it. “It’s not proprietary, and it’s not a test chip, but it’s going to be a very high-volume security chip,” he told Electronic Design.
In its capacity as the hardware RoT, the chip is designed to make sure that the hardware in a system, and software running on it, remains in their intended, trustworthy state. It ensures components in a system boot securely using only authorized, verifiable code. And it’s hardened against fault injection and other physical attacks on the hardware, which is relevant to many of the tiny devices comprising the Internet of Things (IoT).
The concept of open silicon has been gaining ground in the semiconductor industry lately, largely due to the rapid growth of the open RISC-V instruction set architecture (ISA). The RISC-V ISA acts as the interface that the software uses to communicate with the processor’s hardware. Companies can adopt it to develop CPU cores or other IP without being limited by the same constraints as Arm or other architectures. The “Ibix” CPU at the heart of the OpenTitan chip is itself based on RISC-V.
Even though the underlying architecture is open to all, most companies are building CPU cores and other IP based on RISC-V themselves behind closed doors, using it as any other tool in the toolbox.
But according to Russo, the companies and other partners behind the OpenTitan project are taking the concept of open hardware a step further by building the chip itself and the IP inside as a collective.
“Silicon Commons”: Designing Chips Out in the Open
Google launched OpenTitan in 2019, building on the development of its own in-house hardware RoT, called Titan. Besides the formal partners in the project, including a wide range of semiconductor firms and academic partners, the OpenTitan chip was developed by a large and growing community of independent coders and other contributors worldwide. The project is supported and maintained by lowRISC, a neutral, independent non-profit.
While it was based on the same principles behind Linux and other efforts in open-source software, OpenTitan presented unique difficulties. Designing a modern chip is a large, enormously complex engineering problem that can take several years and as many as thousands of engineers to tackle. Rizzo said the high cost of hardware development relative to software also raises the difficulty level.
The inability to update or upgrade the underlying hardware after it’s manufactured adds to the complexity. “There are huge risks with silicon,” said Rizzo. “You sort of get one shot with it, and it works, or it doesn’t.”
The other problem is related to personnel. Many of the engineers with experience in the world of open-source software aren’t as familiar with the traditional “waterfall” model of hardware design. In contrast, many hardware engineers that are in the best position to contribute to OpenTitan and other open chip designs aren’t as clued into the ins and outs of open-source product development.
To navigate these potential risks, lowRISC and the other companies behind OpenTitan worked out a framework for building open-source silicon called Silicon Commons. The model merges the tenets of open-source software development such as continuous integration (CI) with a commercial approach to chip design. For lowRISC CEO Gavin Ferris, the new chip marks the first time anyone has been able to make “open-source silicon work in the same way as open-source software.”
The model sets out stringent rules for documentation so that third-party companies and engineers can dive in and start contributing to the chip’s development as soon as possible. Silicon Commons also mandates the use of standard interfaces whereby different types of IP can be integrated or removed from the final blueprint of the silicon chip, and it sets out quality standards backed by rigorous testing and verification.
The approach also defines the roles and responsibilities of all companies and other partners in the project so that they can make decisions and evaluate potential improvements to the chip as a group.
“The development process was open, and problems are solved in a collaborative way in the open-source repository,” Rizzo told Electronic Design. “The way it worked is we spent years building out a high-quality, open-source ecosystem of digital IP. But while OpenTitan is open source, it’s a very practical, non-ideological type of open source where we make open what it’s feasible to make open.”
He added, “When it comes to getting the chip out the door, that’s where the open-source rubber meets the proprietary road.” Though the most differentiated IP in the new OpenTitan chip is open, he said the group spent the final stages of the development process working with chip companies to fill in the blanks with proprietary IP that would have been more trouble than it was worth to build from the ground up.
Open hardware such as Raspberry Pi and Arduino is becoming more widely used in the commercial market. But open-source chip design was a largely untested concept before Google launched OpenTitan.
Rizzo said it was critical to choose a technology that would be worth it for the companies and other partners to invest in over the long term. He added that it made sense to focus on hardware security since it’s relevant to virtually every electronic device and embedded system, and it’s possible for OpenTitan to differentiate itself. “Building a secure microcontroller is significantly harder than building a general-purpose MCU.”
“Everyone wants to be able to buy off-the-shelf components they can trust and that they can verify they can trust,” said Rizzo. “Having hardware that handles the basics of security is valuable from that perspective.”
The Root of Trust: The Heart of Hardware Security
Traditional security starts in the OS. But OpenTitan and other chips in its class are vital because the most pernicious and stealthy attacks target the firmware beneath it and the hardware further down.
The hardware RoT contains all cryptographic keys in a system. Since the code is inaccessible and verifiable, it’s inherently trusted. The rest of the system can trust that the hardware and software that runs on top of it remains secure, and that it hasn’t been manipulated. As a result, the RoT acts as the foundation for the secure operations of the system, and it underpins the secure-boot process.
The 32-bit CPU core at the heart of OpenTitan is complemented by specific building blocks for hardware security and hardened accelerator cores for different types of cryptography.
In any case, OpenTitan is not in a class by itself. While they’re all developed under lock and key, many other chips currently on the market can act as the hardware RoT in a system or that integrate the RoT into a CPU such as Microsoft’s Pluton security processor. But the companies behind OpenTitan contend that its open-to-all design process makes it much harder to compromise.
The IP inside the OpenTitan chip is transparent, said Rizzo, meaning that anyone can inspect and evaluate it for security vulnerabilities and potential improvements can be tested and verified before incorporating them into the register-transfer-level (RTL) code of the chip. He said more transparency makes OpenTitan more trustworthy since it means mistakes are more likely to be noticed and the evolution of the underlying silicon can be traced over the long term.
While the silicon RoT can be used in server motherboards and computer peripherals as well as PCs, smartphones, and other consumer hardware, he said OpenTitan could make the biggest difference in under-secured IoT devices. “The IoT is a challenging space for security, and it feels as if it’s not being solved where security needs to start, which is inside the silicon, the hardware.”
While zeroRISC is not in the business of selling the OpenTitan chip itself, it’s partnering closely with other companies that contributed to OpenTitan to supply it to customers through an early-access program.
Besides the discrete hardware RoT, the OpenTitan project also announced that it’s developing a secure silicon subsystem that will give anyone the ability to integrate OpenTitan as a building block in third-party SoCs and chiplets. OpenTitan’s first secure execution environment, code-named “Darjeeling,” and another on-chip subsystem with support for secure external flash, called “Chai,” are in development. The startup said it plans to put out a development kit for the OpenTitan RoT, too.
Is There a Future for Open-Source Chip Design?
While OpenTitan is the world’s first commercial open-source chip, Rizzo is confident many more are coming. He said OpenTitan is valuable in the world of hardware security, but it could be even more valuable as a blueprint for the next generation of open-source chips.
Though it will probably never be as widespread in the electronics industry as open-source software is in the technology industry, Rizzo said he sees the concept of open silicon expanding to encompass many different types of chips and even other types of IP. The concept, he added, may even present a potential solution to the constant pains in modern chip design, including the rapidly increasing costs.
He explained that open-source silicon could help save companies money by allowing them to reuse building blocks instead of independently building proprietary versions of the same IP for every SoC, expanding the role that third-party IP plays today. The approach could reduce the complexity of the chip design as well, giving engineers more time to focus on differentiating themselves in other areas.
“I really think open-source silicon is going to become as sticky as something like Linux,” said Rizzo.
Read more articles in the TechXchange: RISC-V: The Instruction-Set Alternative and Embedded Open-Source Solutions.