Trusted Compute Engine

Overview

Trusted Compute Engine (TCE) protects device confidential data and provides inherent guarantees of secure software execution, primarily by ensuring that code and data has not been tampered with, and that programs execute exactly as coded by the developer. The TCE has both hardware and software components.

TCE Hardware

The hardware consists of:

  • An open, auditable CPU core with security extensions.
  • A unique private key (i.e. hardware root of trust) which never leaves the TCE and is protected from sophisticated hardware hacking.
  • Secure storage of keys and configuration data, such that they can never leave the TCE.
  • A secure boot ROM which is impossible to bypass
  • An enforcement engine which:
        1. Computes the hash signature of software modules (code + data) before and after each execution;
        2. Verifies the hash signature of the software module to ensure that it has not been tampered with before each execution;
        3. Prevents software modules from accessing the data or code of other modules;
        4. Enforces single defined points of entry and exit so that code cannot be bypassed or hijacked for malicious purposes.
  • A cryptographic processor for encryption, decryption & hash computation
  • Encryption of code & data in external memory (to prevent reverse engineering) and digital signing functions.
  • A Virtual Machine accelerator that provides for secure, isolated execution of decentralized applications.

TCE Software

The TCE software provides the following:

  • A strict partition between trusted (security critical) code and normal code
  • Managed execution of applications
  • The bootloader, OS and device drivers specific to the device hardware
  • A Virtual Machine (VM) for running decentralized applications
  • Secure communications with other devices in the network
  • A trusted kernel for secure system functions including, management of trusted applets, attestation (providing cryptographic proof that the device contains an exact version of a specified software module)
  • Secure upgrade and messaging between trusted applets and between trusted applets and regular applications
  • TCE hardware drivers

Other Components

Other components can be included within the trusted hardware boundary and TCB (Trusted Code Base) to support specific use cases. For example, a GPS receiver can be included in the trust boundary to provide trusted location and time. Or I/O for a display, keypad or fingerprint reader can be included in the trust boundary to provide a "trusted path" (secure HMI).

Security Functions

The TCE provides the following security functions:

  • Hardware root of trust
  • Secure boot
  • Secure storage
  • Attestation
  • Isolation
  • External memory data sealing
  • Cryptographic operation acceleration (encryption, decryption, hash generation & verification, key generation)
  • True random number generation
  • Rollback protection
  • Secure firmware upgrade
  • Secure debug
  • Secure code decryption
  • Continuous, runtime secure code integrity protection & verification
  • Continuous, runtime secure data encryption, decryption & integrity protection
  • Control flow enforcement
  • Tamper detection with key zeroization
  • Physical presence input
  • Trusted location (with GPS receiver IP core)
  • Trusted time (with GPS receiver IP core)