Secure Containers Jan 2015 www.imgtec.com Imagination Technologies HGI Dec, 2014 p1
What are we protecting? Sensitive assets belonging to the user and the service provider Network Monitor unauthorized access, misuse, modification, or denial of a network-accessible resources Application Operating System Platform Original manufacturer; anti-cloning Application / OS Platform Authenticity Runtime Integrity Data Extranet Data Intranet Secret key, digital certificates Attack Surface Area control execution, view, copy, print, and altering Imagination Technologies HGI Dec, 2014 p2
Platform Security Open Everything, Smart Everything, Internet of Everything Problem Mobile Devices, Home Gateways, in vehicle infotainments, etc, increasing require security Solutions Trusted Execution Environment (TEE) Secure Element (SE) Trusted Platform Module (TPM) Implementation Closed proprietary by SoC manufacturer Two World (Secure and Normal) Secure Hypervisor Imagination Technologies HGI Dec, 2014 p3
Security Implementation Next generation platforms demand multiple secure data-flows User Space H/W + TPM Layered Two Worlds Normal World Secure World Platform Virtualization VM 0 TEE VM n Hypervisor Reduced Attack Surface Area Single Client Customized Security at a cost Inflexible Proprietary Security schemes Single Client Single TEE Secure Apps coexist in Secure World Restricted scalability in multi-core Multi-Client Multiple TEEs All Secure Apps in own VM Fully scalable in multi-core Imagination Technologies HGI Dec, 2014 p4
Scalable Security- Hardware Virtualization Secure Root is the secure hypervisor/kernel access-rights controlled by Root Scalable Supports many s (CPU & GPU pairs) SoC virtualization support Virtualized GIC (interrupt controller) and IOMMU Bus transactions to other IP include ID Benefits Ease of use - no modification required to OS Reliability corrupted/crashed OS1 cannot affect OS2 Performance intelligent resource allocation Heterogeneous GPU operation Secure/non-Secure OS/Apps App App App App OS1 OS2 App Hypervisor/Secure Kernel MIPS core H/W supported Virtualization s -ID Root TPM ------- Boot ROM Imagination Technologies HGI Dec, 2014 p5
True Isolation Benefits Secure Extranet TEE Secure Intranet Mature, proven technology used in networking and Compute H/W Firewall high level of security OpenWRT Secure App s Crypto 3 rd Party Containers Secure services can only affect their container Not the overall system Highest flexibility and performance Multiple Secure Domains IP protection provided through system partitioning Software Hardware Secure OS IPC Hypervisor MIPS, PowerVR Heterogeneous Platform Offloads Secure Boot DRAM WAN LAN Imagination Technologies HGI Dec, 2014 p6
True Isolation Benefits Secure Extranet TEE Secure Intranet Mature, proven technology used in networking and Compute H/W Firewall high level of security OpenWRT Secure App s Crypto 3 rd Party Containers Secure services can only affect their container Not the overall system Highest flexibility and performance Multiple Secure Domains IP protection provided through system partitioning Software Hardware Secure OS IPC Hypervisor MIPS, PowerVR Heterogeneous Platform Offloads Secure Boot DRAM WAN LAN Imagination Technologies HGI Dec, 2014 p7
True Isolation Benefits Secure Extranet TEE Secure Intranet Mature, proven technology used in networking and Compute H/W Firewall high level of security Broadband App s Secure App s Crypto LAN App s Secure services can only affect their container Not the overall system Highest flexibility and performance Multiple Secure Domains IP protection provided through system partitioning Software Hardware Secure OS IPC Hypervisor MIPS, PowerVR Heterogeneous Platform Offloads Secure Boot DRAM WAN LAN Imagination Technologies HGI Dec, 2014 p8
Security no longer a CPU bound problem Secure Containers - Isolate concurrent flows Licensing Terms and IP Separation Partitioning of incompatible licensing terms Proprietary vs open source Security and Robustness Isolate critical software Reduction in application testing and certification S/W H/W VMn User -------- Kernel VM3 User -------- Kernel CPU Cluster VM2 User -------- Kernel User -------- Kernel Secure Hypervisor MMU Coherent Fabric SoC VM1 Network layers Offloads (Crypto, IP, etc) I/O vgpu 1 GPU Cluster MMU vgpu 2 Increase Privilege Memory Memory X Secure Domains Protected Partitions Imagination Technologies HGI Dec, 2014 p9 X TPM ------- Boot ROM
Summary Virtualization is indispensable to the future of embedded system design A secure Hypervisor is the foundation of a Secure and Reliable embedded system A virtualized environment offers flexible software management Virtualization provides Hardware firewall-grade security Scalability Reliability Total cost of ownership is dramatically reduced MIPS Virtualization is the right technology for the secure digital world Imagination Technologies HGI Dec, 2014 p10
Thank you www.imgtec.com Imagination Technologies HGI Dec, 2014 p11