Why Chips Need Protection Against Physical Attacks

Welcome FPGA engineers to join the official WeChat technical group.

Recently,ARM released a series of IPs to protect chips from physical attacks. This series expands Arm’s security IP product portfolio, providing physical security for all IoT products. These new IP products are marked with the letter “P” representing physical security, including: Cortex-M35P processor and a new set of security IPs capable of counteracting side-channel attacks (CryptoIsland-300P and CryptoCell-312P).

This article will explore how Cortex-M35P, with its advantages and features, provides protection against physical attacks and tampering for the widely supported and user-friendly Cortex-M processors, thus offering opportunities for your products to enter new markets.

Main Advantages of Cortex-M35P

Cortex-M35P is the first Armv8-M processor to offer physical tamper resistance, enabling the processor core to achieve payment-grade or telecom-grade security certification more easily and quickly. Cortex-M35P also features a multi-layered security architecture, combining software protection through Arm TrustZone technology with physical protection from the SecurCore series processors. Cortex-M35P extends Arm’s security product portfolio, adhering to Arm’s PSA platform security architecture principles.

Make Your Design More Confident Make Protection More Flexible Accelerate Your Product Success
Provide mature, battle-tested, widely supported security technologies. Offer various advanced physical security features for your choice. A rich IP product and robust ecosystem support can effectively reduce product development costs.
• Built on proven, market-adaptive technologies deployed in billions of SecurCore processors. • Utilizing TrustZone technology, supported in billions of Cortex-A based devices. • Reusing existing knowledge on the same programmer model deployed by millions of Cortex-M developers. • Strengthening market adaptability for the widely familiar Cortex-M series without compromising performance. • Providing high flexibility and optional features for advanced functionality (including signal processing). • Higher security (Lockstep, configurable parity, observability), enabling faster and lower-cost deployment of system security features. • Optimized within our comprehensive Arm security solutions portfolio. • Easily upgrade from Cortex-M33 processor. • Reuse existing software built on Cortex-M devices. • Supported by the world’s leading embedded ecosystem, gaining access to the largest open knowledge base globally.

Why Prevent Physical Attacks?

We encounter more and more devices in our daily lives—such as at home, workplaces, hospitals, industrial sites, and urban spaces—some of which are connected and some are not. Many of these devices store valuable personal information, making them targets for physical attacks. From a cost perspective, these attacks have become more feasible due to the deployment and existence of simple data collection tools. We are increasingly witnessing physical attacks, such as side-channel attacks, becoming part of the standard security threat model. The main concern regarding physical attacks comes from the ripple effects of the attack (the harm caused), where an attacker can extract source code and identify vulnerabilities from attacking a single device, leading to larger-scale cyberattacks.

TechRepublic BGU Senior Lecturer Yossi Oren summarized in his IoT security blog: “You only need to gain physical access once—once you purchase a copy of a device or a model of a camera and successfully attack it in the lab—you will have all the information needed to remotely attack the same device or model.”

We use an analogy to explain why we need to develop Cortex-M35P: it’s like protecting your house; since you have valuable items inside, it’s crucial to ensure all entrances are secured while also considering the difficulty of a thief entering through a specific entrance.

Why Chips Need Protection Against Physical Attacks

Figure 1: Protecting device security is like protecting a house—the security strength depends only on the weakest link!

For example, if a thief wants to break in through a small window on the top floor, they may need a ladder and some special tools to succeed. Because this is cumbersome and difficult, you might think that the small window on the top floor wouldn’t be the thief’s first choice for entry, and thus you believe your valuables are protected. However, if there are very valuable items in the house, or if it is easy to access the small window on the top floor, then the thief might manage to get in.

This concept also applies to the Internet of Things. Arm has a wide range of security combinations to defend against various entry points, and now Arm is strengthening protection against physical attacks. The development of Cortex-M35P is aimed at meeting the needs of the embedded and IoT markets requiring market adaptability. Now, any Cortex-M developer facing physical security project requirements can upgrade to this latest Cortex-M processor without losing all previous development investments.

Furthermore, this processor can match with other components in the Arm IP product portfolio to form a powerful and comprehensive security solution, thereby accelerating time to market. Developers can benefit from Arm’s extensive ecosystem, which offers the widest range of development tools, compilers, debuggers, operating systems, and software middleware, effectively saving time and costs.

Physical Attacks Related to Other Attack Types

As the attack surface continues to grow and the scale of the Internet of Things (IoT) increases exponentially, it can be challenging to determine how to protect your next-generation devices based on the current situation during product design planning. To understand and address this situation, Arm describes security by modeling four different types of attack targets: communication, product lifecycle, software attacks, and physical attacks, as shown in Figure 2. The risks faced by devices depend on the value of the applications and data. Many devices need to consider more system-level attacks, such as attacks on the underlying software, which can be adequately protected using the isolation provided by Arm TrustZone. However, there are also other types of user products that need to consider more complex attack risks, such as various risks of physically attacking chips.

Why Chips Need Protection Against Physical Attacks

Figure 2: Assessing threat coefficients for four different types of security attacks.

Which attacks need to be prevented depends on which physical attacks you believe pose a sufficient threat to your product. The recommendation of Arm’s PSA platform security architecture is: security always begins with analysis, which refers to analyzing using threat modeling programs. Through threat modeling, you can assess the security of your device and predict how it may be hacked or exploited. If the security field is still relatively unfamiliar to you, threat modeling may seem daunting, so Arm has created three completely free threat model examples.

After assessing the device and its threats, the next important task is to take appropriate measures to protect your device. Arm recommends using a layered security approach, implementing different levels of protection for your device using the right countermeasure combinations.

Arm has expanded a series of IPs to address all types of security threats, as shown in the figure above. When physical attacks are deemed to pose a sufficient risk, you can choose to use processors with mitigations against physical attacks. Cortex-M35P offers a solution that combines software isolation and physical security to help designers achieve a higher level of system security, defending against both physical and software attacks. You may decide to use hardware-accelerated encryption mechanisms to counter side-channel attacks (SCA)—and CryptoIsland-300P and CryptoCell-312P are precisely designed to assist in this area.

Arm Cortex-M35P’s

Why Chips Need Protection Against Physical Attacks

1. Physical Protection

When the value of protected assets is sufficiently high, hackers have enough motivation to physically attack devices. Cortex-M35P offers multiple dedicated components to protect devices from such attacks.

Cortex-M35P includes several security features to prevent physical attacks. Among them, “indiscriminate timing” ensures that the cycle count of any instruction operation is constant, thereby preventing information leakage. Users can specify whether to activate this feature.

Another example is 100% parity coverage. Each flip-flop in the processor is protected with configurable parity, allowing detection of random errors or intentional error injections.

2. Instruction Cache

Integrated cache improves performance when fetching instructions from embedded Flash memory.

Flash typically cannot provide RAM-level access times, which is a common performance bottleneck. This issue can be resolved by activating the optional internal cache. The information stored in the cache is also protected from physical attacks.

3. TrustZone: The Foundation of System Security

TrustZone enhances the protection of information security-sensitive functions within the system. It not only provides software isolation for code, memory, and I/O but also meets common requirements of embedded applications: real-time, deterministic response, minimal context-switching overhead, and ease of software development.

The Cortex-M35P processor with TrustZone features two security states—secure and non-secure states, along with some characteristics related to both states, as shown in Figure 3:

Why Chips Need Protection Against Physical Attacks

Figure 3: Additional security states of Armv8-M.

4. Memory Protection Unit (MPU) for Task Isolation

Improving software reliability and system security can be achieved by restricting each module—allowing it to access only the specific memory areas necessary for completing its functions. This protection, as a complement to TrustZone, prevents accidental access to critical data. Each secure area can have its dedicated MPU, and these two MPUs can have completely different numbers of regions.

This optional MPU is programmable, providing up to 16 regions for both secure and non-secure states. In a multitasking environment, the operating system can reprogram the MPU and update memory access permissions for different tasks during task context switches; for example, user tasks may be granted permission to access only certain application data and specific peripherals. In this way, the MPU can protect all other memory and peripherals from damage or unauthorized access, significantly enhancing system reliability.

Why Chips Need Protection Against Physical Attacks

Memory region setup is more straightforward.

The internal protection architecture of Cortex-M35P is built on the “protected memory system architecture (PMSA)” version 8. This version defines the scope by comparing with base addresses and end addresses, unlike the previous scheme that required “addresses to be aligned to powers of 2.” Each region consists of a base starting address, ending address, access permissions, and memory attributes. As a result, you can cover the target range using just one region without the need to concatenate multiple regions aligned to different sizes as in the past. This greatly simplifies software development: reducing programming steps and context-switching time, encouraging users to use the MPU more frequently than before.

5. Scalable Coprocessor Interface

For specific applications, dedicated computing can be very effective. While achieving this extended computing capability, it is also crucial to maintain all the advantages of the world-leading ecosystem—namely, the widest selection of development tools, compilers, debuggers, operating systems, and middleware.

The Cortex-M35P processor includes an optional dedicated bus interface for integrating tightly coupled accelerator hardware. For frequently used compute-intensive operations, this interface provides a mechanism to enhance general-purpose computing capabilities through custom processing hardware. Most importantly, it does not disrupt the ecosystem. This interface controls and data signals, supporting up to 8 coprocessors, and provides information about processor privileges and security states, as well as instruction types, associated registers, and operation fields.

6. Digital Signal Processing (DSP) Extensions

To accelerate software development, Arm also provides free DSP libraries in the CMSIS project. This library includes a range of digital filters, transforms, and mathematical functions (like matrices), supporting a variety of data types. CMSIS aims to be an open-source project, with development versions released via GitHub.

The optional integer DSP extensions add 85 instructions. In most cases, DSP instructions can improve program performance by three times on average, enhancing the performance of all applications centered on digital signal control.

7. Single-Precision Floating Point Unit (FPU)

The optional FPv5 single-precision floating point extension includes an additional 16 64-bit registers. This extension adds 45 single-precision floating point instructions compatible with IEEE754-2008. Using floating point instructions typically improves average performance by 10 times compared to equivalent software libraries. The FPU is included in a separate power domain, allowing it to be powered down when not enabled or in use.

In summary, physical attacks are one of several potential attacks on embedded or IoT devices. Arm’s PSA platform security architecture provides the necessary security levels for designers to assess during the threat modeling process to adopt appropriate countermeasure combinations. Physical attacks are becoming increasingly simple and inexpensive, making advanced chip protection technologies essential. However, physical security design is often complex.

Today, Arm’s new physical security IP suite offers market adaptability to any developer. The Arm Cortex-M35P processor provides efficient security solutions against software and physical attacks through TrustZone technology and anti-tampering features. In combination with Arm CryptoCell IP, Arm CryptoIsland IP, or specialized custom encryption solutions, and supported by the Arm ecosystem, any developer working on embedded or IoT solutions can ensure they have a strong trusted foundation for secure IoT deployment—because market adaptability is already in place.

Why Chips Need Protection Against Physical Attacks

Welcome communication engineers and FPGA engineers to follow the public account.

Why Chips Need Protection Against Physical Attacks

FPGA WeChat Technical Group

Welcome everyone to join the national FPGA WeChat technical group, where there is a group of engineers who love technology, and here you can discuss technology together!

Why Chips Need Protection Against Physical Attacks

Press and hold to join the national FPGA technical group.

FPGA IP core services: Various high-quality IP core service providers, with guaranteed service! If you have needs, you can contact the group owner directly!

FPGA technical group platform self-operated:Xilinx Altera Micron, Samsung, Hynix, ADI TI ST NXP and other brand advantages distributors, welcome everyone to send model lists whenever needed, and we will provide you with the most competitive quotes as soon as possible!Prices are more than 5% lower than your original supplier! Welcome to inquire-directly send your needs to the group owner!

Official thanks from FPGA technical group brand: Xilinx, Intel (Altera), Microsemi (Actel), Lattice, Vantis, Quicklogic, Lucent, etc.

Leave a Comment