From 1941a22007418fcaf052f0d709e0e3bd355b44ab Mon Sep 17 00:00:00 2001 From: Daniel Jobson Date: Wed, 20 Nov 2024 15:36:27 +0100 Subject: [PATCH] Doc: move implementation details of RAM scrambling to RAM core --- hw/application_fpga/README.md | 26 +++++--------------------- hw/application_fpga/core/ram/README.md | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/hw/application_fpga/README.md b/hw/application_fpga/README.md index 5b6caaaf..47cc9c23 100644 --- a/hw/application_fpga/README.md +++ b/hw/application_fpga/README.md @@ -75,7 +75,10 @@ The memory is cleared by firmware before an application is loaded. The application RAM is available to use by firmware and applications. -MC: Is the scrambling here now? +The RAM core also implements (from the view of the CPU) transparent +RAM address and data scrambling. This scrambling is applied to make it +harder to extract application and application data from a memory dump +directly from the memory cores. ## `rom` @@ -132,21 +135,7 @@ should make it infeasible to improve asset extraction by observing multiple memory dumps from the same TKey device. The attack should also not directly scale to multiple TKey devices. -The memory protection is based on two separate mechanisms: - -1. Address randomisation -2. Address dependent data randomization - -The address randomization is implemented by XORing the CPU address -with the contents of the ADDR\_RAM\_ADDR\_RAND register in the tk1 -core. The result is used as the RAM address - -The data randomization is implemented by XORing the data written to the -RAM with the contents of the ADDR\_RAM\_DATA\_RAND register in the tk1 -core as well as XORing with the CPU address. This means that the same -data written to two different addresses will be scrambled differently. -The same pair or XOR operations is also performed on the data read out -from the RAM. +The RAM address and data scrambling is done in de RAM core. The memory protection is setup by the firmware. Access to the memory protection controls is disabled for applications. Before the memory @@ -168,11 +157,6 @@ setup the memory protection: 6. Receive the application sent from the client and write it in sequence into RAM. -Future TKey devices may implement a more secure ASLR mechanism, and -use real encryption (for example PRINCE) for memory content -protection. From the application point of view such a change will be -transparent. - ## `touch_sense` Provide touch sensor events to software. diff --git a/hw/application_fpga/core/ram/README.md b/hw/application_fpga/core/ram/README.md index f29ce768..4cf9d5f2 100644 --- a/hw/application_fpga/core/ram/README.md +++ b/hw/application_fpga/core/ram/README.md @@ -23,6 +23,22 @@ ram_data_rand inputs as seeds for the scrambling mechanism. When data is read out it is descrambled before sent out on the read_data output port. The scrambling functionality does not add latency. +The memory protection is based on two separate mechanisms: + +1. Address randomisation +2. Address dependent data randomization + +The address randomization is implemented by XORing the RAM address +with the contents of the ADDR\_RAM\_ADDR\_RAND register in the tk1 +core. The result is used as the RAM address. + +The data randomization is implemented by XORing the data written to +the RAM with the contents of the ADDR\_RAM\_DATA\_RAND register in the +tk1 core as well as XORing with the CPU address. This means that the +same data written to two different addresses will be scrambled +differently. The same pair or XOR operations is also performed on the +data read out from the RAM. + Note: the scrambling mechanism is NOT a cryptographically secure function. Even if it was, a 32 bit key would be too short to add any security.